Who's At The Keyboard? Authorship Attribution in Digital Evidence Investigations

In some investigations of digital crime, the question of who was at the keyboard when incriminating documents were produced can be legitimately raised. Authorship attribution can then contribute to the investigation. Authorship methods which focus on linguistic characteristics currently have accuracy rates ranging from 72% to 89%, within the computational paradigm. This article presents a computational, stylometric method which has obtained 95% accuracy and has been successfully used in investigating and adjudicating several crimes involving digital evidence. The article concludes with a brief review of the current admissibility status of authorship identification techniques. Section 1: The Need and Available Methods In the investigation of certain crimes involving digital evidence, when a specific machine is identified as the source of documents, a legitimate question is, “Who was at the keyboard when the relevant documents were produced?” For example, consider the following scenarios, drawn from actual cases. 1. A government employee wrote e-mails to his supervisor in which he disparaged her racial heritage. After he was terminated for cause, he sued the federal government, claiming that his workspace cubicle had been open, allowing any of his co-workers to author the e-mails on his computer and send them from his computer without his knowledge. 2. A young, healthy man was found dead in his own bed by his roommate who notified the police. When the autopsy results showed that he died by injection, his death was investigated as a potential homicide. During the investigation, the roommate gave the police suicide notes which he found on the home computer. These had never been printed or discovered before the death. 3. A civilian intern with a military research laboratory kept an electronic journal of her relationship with her supervisor. As her internship came to a close, she claimed that her relationship with her supervisor was not mutually consenting and that he had raped her. When the intern’s work computer was searched, the journal was discovered. The intern claimed that during the time she had not had access to the work computer or the journal, her supervisor had edited the journal to agree with his version of the events.