Digital profiling for cyber investigators
Summary

We attended a seminar on the origins of serial killers by Professor Micki Pistorius, DPhil, who was a criminal profiler in South Africa with the SAPS unit. In a nutshell, her theory is that serial killers’ behaviour originates in a fixation on one of Freud’s psychosexual developmental phases. Evidence gathered by observing the victim at the crime scene can point to an interrogation approach (for example, to parents and family) for psychological clues and narrow down the identity of the suspect.

While Freud’s psychosexual phases are not scientifically validated predictors of violent behaviour, the logic behind this theory piqued our interest. Can it help cyber investigators incorporate digital profiling into their work?

Purpose of digital behavioural profiling

Digital profiling focuses on recognizing stable patterns in the offender’s online conduct. These patterns help with:

The aim is not to psychoanalyse the offender but to interpret digital behaviour as evidence of cognitive and emotional routines.

Core principles of behavioural analysis in cyber investigations

1 – Behaviour is more reliable than stated intent

Offenders often lie about who they are, but their repetition patterns, timing habits, escalation cycles, and communication style are far harder to mask.

2 – Fixation drives predictability

Compulsive offenders, whether serial killers, stalkers, or digital harassers, repeat their patterns. Fixations can be detected through:

3 – The digital environment reveals more than the physical one

Most offenders create years of digital traces. These early behaviours act as developmental indicators that resemble the “parent interviews” of classical profiling.

Digital indicators of behavioural fixation

The signature

This is the emotional or psychological need expressed through digital behaviour. Examples are stylized threat messages, symbolic usernames, specific ways of taunting victims, favourite communication channels, or repeated phrases that appear across accounts. The signature tends to stay stable even if technical skills evolve.

Rituals

These are repeated sequences that the offender performs before or after an action. For example, repeated late-night stalking sessions, using the same search terms before contacting victims, preparing folders to store digital trophies, encrypting files in a specific pattern, or checking the victim’s profile immediately after an interaction. Rituals are important because they reveal compulsion, not necessity.

Behavioural leakage

This refers to unintentional behaviours that reveal a mindset. For example, venting anonymously on forums, cryptic social media posts hinting at grievances, sudden deletion sprees, inconsistent persona management, or emotional tone spikes before attacks. Leakage is valuable when there are no direct identifiers.

Escalation patterns

Offenders often escalate gradually: 

Plotting escalation chronologically makes prediction possible.

Sources of behavioural data

Applying behavioural analysis during an investigation

Case linkage

Use behaviour to determine if two incidents came from the same actor. Look for signature phrases, repeated victim types, identical pre-attack routines, and mirrored ways of sanitizing traces. This helps avoid assuming multiple offenders when only one is involved.

Suspect prioritization

When you have multiple candidates, behavioural indicators help you filter who matches the escalation pattern, whose digital history contains compatible grievances, who exhibits compulsive online habits and who shows interest in the victim type. Profiling reduces the noise for forensic teams.

Predictive forecasting

Fixations make offenders predictable. You can often anticipate the next target, the platform they will return to, the time window when they are most active, and the type of message they will send. This is critical for threat prevention and controlled engagement.

Interrogation strategy

Behavioural analysis helps tailor interview tactics. For example, narcissistic offenders respond to flattery; grievance-driven offenders respond to challenges of their narrative; compulsive offenders are vulnerable to being confronted with contradictions. Digital traces help determine the right approach.

Integrating behavioural profiling with technical forensics

Combine signature behaviour with OSINT

Cross-check language patterns, username fragments, timestamps, and emotional tone across platforms to identify linked accounts.

Align behavioural phases with network data

For example, login spikes may correspond to emotional triggers, device changes might appear when the offender feels watched, and VPN shifts can indicate planning or escalation. Behavioural context helps interpret technical anomalies.

Use machine learning cautiously

Language clustering and anomaly detection can surface patterns, but human interpretation must validate them. Machines detect repetition, not motivation.
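As an added illustration of the cross-checking and language clustering described above (example code written for this section, not part of the original post or any tool it mentions), the sketch below scores how closely candidate accounts match a reference account by combining character-trigram similarity with overlap in hour-of-day activity. The account names, messages, timestamps and the 0.7/0.3 weights are constructed assumptions; the output is a lead for an analyst to validate, not an identification.

```python
import math
from collections import Counter
from datetime import datetime

def trigram_profile(messages):
    """Character-trigram counts over lowercased, whitespace-normalised text."""
    text = " ".join(" ".join(m.lower().split()) for m in messages)
    return Counter(text[i:i + 3] for i in range(len(text) - 2))

def cosine(a, b):
    """Cosine similarity of two count vectors; 0.0 if either is empty."""
    dot = sum(a[k] * b[k] for k in a.keys() & b.keys())
    norm = math.sqrt(sum(v * v for v in a.values()) * sum(v * v for v in b.values()))
    return dot / norm if norm else 0.0

def hour_profile(timestamps):
    """Share of activity per hour of day (timestamps assumed to share one time zone)."""
    hours = Counter(datetime.fromisoformat(t).hour for t in timestamps)
    return {h: c / len(timestamps) for h, c in hours.items()}

def hour_overlap(p, q):
    """Histogram intersection: 1.0 for identical activity windows, 0.0 for disjoint."""
    return sum(min(p.get(h, 0.0), q.get(h, 0.0)) for h in range(24))

def linkage_score(a, b, w_style=0.7, w_time=0.3):
    """Weighted lead score in [0, 1]; the weights are illustrative assumptions."""
    style = cosine(trigram_profile(a["messages"]), trigram_profile(b["messages"]))
    timing = hour_overlap(hour_profile(a["timestamps"]), hour_profile(b["timestamps"]))
    return {"style": round(style, 3), "timing": round(timing, 3),
            "score": round(w_style * style + w_time * timing, 3)}

def rank_candidates(reference_id, accounts):
    """Rank every other account against the reference, highest score first."""
    ref = accounts[reference_id]
    scored = [(name, linkage_score(ref, acct))
              for name, acct in accounts.items() if name != reference_id]
    return sorted(scored, key=lambda item: item[1]["score"], reverse=True)

# Constructed sample data for illustration only (not from any real case).
ACCOUNTS = {
    "acct_1": {"messages": ["you can't hide forever.. tick tock", "tick tock.. i see everything you post"],
               "timestamps": ["2025-03-01T01:10:00", "2025-03-02T02:30:00", "2025-03-03T02:45:00", "2025-03-04T03:05:00"]},
    "acct_2": {"messages": ["tick tock.. nobody hides forever", "i see you.. tick tock"],
               "timestamps": ["2025-03-05T01:40:00", "2025-03-06T02:15:00", "2025-03-07T02:50:00", "2025-03-08T03:20:00"]},
    "acct_3": {"messages": ["Selling two concert tickets, message me for details", "Does anyone know a good bike repair shop downtown?"],
               "timestamps": ["2025-03-01T12:00:00", "2025-03-02T13:30:00", "2025-03-03T18:05:00"]},
}
```

Calling rank_candidates("acct_1", ACCOUNTS) returns the other accounts ordered by score, with the style and timing components kept separate so the analyst can see which signal drove the ranking.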

Offender categories where behavioural profiling is most effective

These groups exhibit high fixation and consistent routines.

Limitations and ethical boundaries

While all of this can be very helpful in digital investigations, behavioural profiling cannot replace evidence. Over-reliance on psychodynamic theories can mislead. Most of all, online privacy principles and legal thresholds must always be respected during the investigation. All in all, behavioural insight should inform OSINT and forensic targeting, not override them.

Behavioural analysis is a powerful technique when integrated with technical forensics and classical investigative methods.

A digital behavioural analysis workflow for cyber investigators

Below is a structured workflow diagram showing the behavioural analysis process from intake to case resolution. You can use it as a roadmap to integrate with your investigative routine.

				
+-------------------------------------------------------------+
|                    1. Case Intake & Scoping                 |
+-------------------------------------------------------------+
| - Identify incident type                                    |
| - Determine behavioural relevance                           |
| - Define key questions (motivation, linkage, prediction)    |
+-------------------------------------------------------------+
                          |
                          v
+-------------------------------------------------------------+
|              2. Digital Evidence Collection                 |
+-------------------------------------------------------------+
| - Social media histories                                    |
| - Messaging logs (clear, encrypted, deleted)                |
| - Metadata (timestamps, devices, IP patterns)               |
| - Cloud and local storage                                   |
| - Platform interactions and OSINT sources                   |
+-------------------------------------------------------------+
                          |
                          v
+-------------------------------------------------------------+
|            3. Behavioural Feature Extraction                |
+-------------------------------------------------------------+
| - Communication style and emotional tone                    |
| - Rituals and repetitive sequences                          |
| - Signature elements (phrases, symbols, methods)            |
| - Victim targeting preferences                              |
| - Escalation indicators                                     |
| - Behavioural leakage                                       |
+-------------------------------------------------------------+
                          |
                          v
+-------------------------------------------------------------+
|              4. Behavioural Interpretation                  |
+-------------------------------------------------------------+
| - Identify compulsions and fixations                        |
| - Analyse emotional drivers                                 |
| - Identify escalation cycles                                |
| - Compare current behaviour to historical traces            |
| - Distinguish M.O. from signature                           |
+-------------------------------------------------------------+
                          |
                          v
+-------------------------------------------------------------+
|                  5. Case Linkage Analysis                   |
+-------------------------------------------------------------+
| - Cross-platform signature comparison                       |
| - Language clustering and stylometry                        |
| - Matching rituals, lures, and victim patterns              |
| - Identify cross-incident behavioural consistency           |
+-------------------------------------------------------------+
                          |
                          v
+-------------------------------------------------------------+
|                 6. Suspect Prioritisation                   |
+-------------------------------------------------------------+
| - Behaviour match scoring                                   |
| - Timeline alignment                                        |
| - Cross referencing grievances and interests                |
| - Compatibility with known routines and access              |
+-------------------------------------------------------------+
                          |
                          v
+-------------------------------------------------------------+
|             7. Predictive and Preventive Modelling          |
+-------------------------------------------------------------+
| - Estimate next contact or escalation period                |
| - Predict preferred platforms or victim types               |
| - Deploy targeted monitoring or undercover engagement       |
+-------------------------------------------------------------+
                          |
                          v
+-------------------------------------------------------------+
|             8. Operational Response and Interviewing        |
+-------------------------------------------------------------+
| - Tailor interview strategy based on behavioural profile    |
| - Prepare risk-aware arrest strategies                      |
| - Present contradictions tied to compulsive behaviour       |
+-------------------------------------------------------------+
                          |
                          v
+-------------------------------------------------------------+
|                  9. Reporting and Feedback                  |
+-------------------------------------------------------------+
| - Document behavioural findings                             |
| - Identify gaps for future detection                        |
| - Update threat intelligence profiles                       |
+-------------------------------------------------------------+

				
			