Cyber Profiling: Using Instant Messaging Author Writeprints for Cybercrime Investigations

Posted: February 9, 2016 | By: Dr. Angela Orebaugh, Dr. Jason Kinser, Dr. Jeremy Allnutt

Cybercrime Investigations and IM

Many disciplines including psychology, philosophy, sociology, criminology, law, knowledge management, and computer science have studied the criminal investigation process. Although cybercrime is a relatively new form of crime that has rapidly evolved over the last few decades, cybercrime investigations and traditional criminal investigations share the same goal – to gather information. Figure 3 illustrates the traditional criminal investigation process as presented in Scene of the Cybercrime (Cross, 2008).

The investigator first determines if an act has violated the law and warrants an investigation. Next, evidence is collected and analyzed, including tangible evidence such as hard drives and electronic devices, and the digital evidence they contain. Cybercrime investigations for IM rely on instant messaging exchanges, or conversations, as digital evidence. The sources for IM digital evidence include both data and meta-data. The data includes the IM text and the meta-data includes other related evidence such as the IM client version, timestamps, the length of time the user has been logged on, etc. The next step involves seeking expert advice if necessary. Often in cybercrime cases the investigator needs to seek expert advice on the technical aspects of the crime. Experts may be on staff, or may be located from professional organizations, consultants, or the academic community. For IM-related cybercrimes, expert witnesses may include linguists, communication experts, or social psychologists. The next step of interviewing witnesses and interrogating suspects is an ongoing process throughout the investigation as new witnesses and suspects are discovered. Throughout this stage suspects are eliminated and the most plausible suspect is identified. Next, the investigator begins preparing the case file to include the initial incident report, evidence, other reports such as lab reports, written statements, and other relevant information. Once the case file is constructed it is analyzed to determine weaknesses and to identify additional information needed for prosecution. This analysis leads to any follow-up investigations that need to occur, including collecting additional evidence and interviewing witnesses again. Once the case is considered complete the prosecutor will decide whether to bring the case to trial and how to proceed.

There is no standard accuracy measure or probability threshold for authorship attribution evidence; the investigator only needs probable cause to initiate a warrant or arrest. In addition, evidence admissibility varies by jurisdiction. In cases where digital evidence is not admissible, expert witnesses are often called upon to provide their expertise and interpretation. In the court of law, the jury only needs reasonable doubt to determine a defendant’s guilt or innocence. Some relevant criminal cases were investigated and prosecuted based on text message abbreviations, sentence length, and punctuation (Leafe, 2009).


Criminal Profiling and IM

Criminal profiling is an investigative method used in traditional criminal investigations that can also be applied to cybercrime investigations, where it is known as cyberprofiling. Cross defines traditional criminal profiling as the “art and science of developing a description of a criminal’s characteristics (physical, intellectual, and emotional) based on information collected at the scene of the crime” (Cross, 2008). Criminal profiling often uses patterns and correlations among criminal activity and different crimes to construct a profile. Criminal profiling is used to assist with the investigative process, reduce the potential suspect space to a certain subset of suspects, link related crimes, and develop an interview and interrogation strategy (Casey, 1999). It is important to note that a criminal profile will only provide generalities about the type of person who committed a crime; it will not identify a specific individual. Criminal profiling is one method among many for assisting with criminal investigations and building a case file. The profile cannot exist as evidence; rather, it provides information to allow investigators to focus on the right suspects and begin to gather additional evidence (Cross, 2008). A criminal profile can be used in court in conjunction with expert witness testimony. “An expert witness can reference a criminal profile as the basis of an opinion that there is a high probability of a link between a particular suspect and a particular crime” (Cross, 2008). An IM author writeprint may be used as input to a criminal profile.

The FBI is credited with formalizing the criminal profiling process. The FBI’s Behavioral Science Unit (BSU) “focuses on developing new and innovative investigative approaches and techniques to solve crimes by studying offenders and their behaviors and motivations” (FBI, 2014). The BSU has been assisting local, state, and federal agencies in narrowing investigations by providing criminal profiles since the 1970s (Douglas et al., 2014). The FBI BSU has created the six-step criminal profile generating process shown in Table 1.


The FBI criminal profile generating process may be easily applied in a cybercrime investigation to perform cyberprofiling. Various types of digital and non-digital evidence may be combined as profile inputs, including email, IM conversations, network packet captures, account activity information, and physical evidence. A cybercriminal’s profile may include a number of traits such as time and location of computer access, types of computer attacks launched by the attacker, programs and attack tools used, writeprints, and targets of the cybercrime, whether they be human or electronic (networks, satellites, phones, computer systems, etc.).

In the context of IM-assisted cybercrime, cyberprofiling uses IM data such as the conversation logs, IM client version, timestamps, the length of time the user has been logged on, etc. IM writeprints may be used in conjunction with other evidence and investigative techniques to build or validate a criminal profile; reduce the potential suspect space to a certain subset of suspects; link related crimes; develop an interview and interrogation strategy; and gather convincing digital evidence to justify search and seizure and provide probable cause.


As cybercrimes continue to increase, new cyber forensics techniques are needed to combat the constant challenge of Internet anonymity. The IM writeprint technique may be used to assist cybercrime decision support tools in collecting and analyzing digital evidence, discovering characteristics about the cyber criminal, and assisting in identifying cyber criminal suspects. Future areas of research include implementing the IM writeprint taxonomy on past and/or ongoing investigation data for further analysis and modification. Additionally, this research would benefit from a feasibility analysis of various sociolinguistic writeprint categories (such as gender and age). Lastly, the IM writeprint taxonomy may be modified and applied to other communication mediums such as text, Twitter, and Facebook.



1. Cross, Michael. Scene of the Cybercrime. Syngress Publishing, (2008): 679-690.

2. Moores, Trevor, and Gurpreet Dhillon. “Software piracy: a view from Hong Kong.” Communications of the ACM 43.12 (2000): 88-93.

3. Abbasi, Ahmed, and Hsinchun Chen. “Applying authorship analysis to extremist-group web forum messages.” Intelligent Systems, IEEE 20.5 (2005): 67-75.

4. Bassett, Richard, Linda Bass, and Paul O’Brien. “Computer forensics: An essential ingredient for cyber security.” Journal of Information Science and Technology 3.1 (2006): 22-32.

5. Revett, Kenneth. Behavioral biometrics: a remote access approach. Wiley Publishing, (2008): 1-2.

6. De Vel, Olivier, Alison Anderson, Malcolm Corney, and George Mohay. “Mining e-mail content for author identification forensics.” ACM Sigmod Record 30.4 (2001): 55-64.

7. Zheng, Rong, Jiexun Li, Hsinchun Chen, and Zan Huang. “A framework for authorship identification of online messages: Writing‐style features and classification techniques.” Journal of the American Society for Information Science and Technology 57.3 (2006): 378-393.

8. Kucukyilmaz, Tayfun, B. Cambazoglu, Cevdet Aykanat, and Fazli Can. “Chat mining: Predicting user and message attributes in computer-mediated communication.” Information Processing & Management 44.4 (2008): 1448-1466.

9. Leafe, David. “Dear Garry. I’ve decided to end it all: The full stop that trapped a killer.” Daily Mail (2009).

10. Casey, E. “Cyberpatterns: criminal behavior on the Internet.” Criminal profiling: An introduction to behavioral evidence analysis (1999): 361-378.

11. Federal Bureau of Investigation, Behavioral Science Unit website. (accessed March 4, 2014)

12. Douglas, John E., Robert K. Ressler, Ann W. Burgess, and Carol R. Hartman. “Criminal profiling from crime scene analysis.” Behavioral Sciences & the Law 4.4 (1986): 401-421.

13. Li, Jiexun, Rong Sheng, and Hsinchun Chen. “From Fingerprint to Writeprint.” Communications of the ACM 49.4 (2006): 76-82.

14. Orebaugh, Angela, Jason Kinser, and Jeremy Allnutt. “Visualizing Instant Messaging Author Writeprints for Forensic Analysis.” In Proceedings of Conference on Digital Forensics, Security and Law, Richmond VA (2014): 191-213.

