1. INTRODUCTION

There is currently no accurate way to determine the number of individuals who are using child pornography (Wortley & Smallbone, 2012). According to the FBI, the United States has seen a 2500% increase in the last ten years in the number of child pornography arrests (2012). In addition, the United Kingdom's Internet Watch Foundation's Hotline (IWF, 2011) reported 12,966 webpages contained child sex abuse images, and 49% of those websites were hosted in North America. As of August 2009, the CyberTipline of the United States' National Center for Missing and Exploited Children (NCMEC) reported receiving over 85,000 tips related to child pornography in 2008 for a total of 625,271 child pornography tips since its establishment in March 1998 (Wolak, Finkelhor, & Mitchell, 2009). Finally, when comparing the National Juvenile Online Victimization (N-JOV) study in 2000 to 2006, the number of offenders arrested solely for child pornography possession or distribution more than doubled from 935 to 2,417 arrests, respectively (Wolak et al., 2009).

Individuals who engage in child pornography do so at varying degrees, with some engaging in more offenses than others. According to Wortley and Smallbone (2012), child pornography offenses may be categorized as production, distribution, or possession. Production refers to the creation of child sex abuse images, and more often than not, these images are the direct result of individuals recording their direct contact offenses with a child (i.e., handson child sex abuse). Distribution or trafficking is the dissemination of sexual child abuse images, and in the United States, this offense is often referred to as receipt, transportation, and distribution or "R/T/D" (see USSC, 2012). Finally, downloading refers to the possession of sexual child abuse images, even though "possession" may occur even if the individual did not actively download the image (e.g., individual viewed an image which was cached by the web browser; USSC, 2012).

According to the Federal Child Pornography Offenses report (USSC, 2012), the number of child pornography cases has steadily increased for all child pornography related offenses, with the largest increase seen for possession and distribution (R/T/D). There is no doubt that technological advances, such as the Internet and digital devices, have contributed to the significant growth in child pornography cases. For example, only 90 child pornography offenders were sentenced federally for possession or R/T/D offenses in 1994 and 1995; however, this number has increased dramatically to 1,649 federal offenders in 2011 (USSC, 2012). The number of individuals convicted of producing child pornography has also steadily increased. According to the USSC (2012), there were only 10 child pornography production cases in 1992, compared to 207 production cases for 2010. These figures indicate that in 2010, 10.8% of all federal child pornography cases involved the production of Internet child pornography (USSC, 2012). Finally, the United States Department of Justice's (USDOJ) National Strategy for Child Exploitation Prevention and Interdiction report found that of the 8,352 child pornography cases prosecuted by U.S. Attorneys between 2005 and 2009, the majority involved the Internet (USDOJ, 2010).

Despite this data, there is still no way to determine the number of individuals who are engaging in child pornography offenses. First, child pornography users will vary in their level of involvement and networking with other child pornography users (Krone, 2005). For example, browsers are individuals who unintentionally view child pornography but end up deciding to save the images. In addition, browsers do not trade the images or network with other child pornography users. Trawlers, on the other hand, are similar to the browsers except they actively seek child pornography by searching the Internet, and they engage in some limited networking with other child pornography users. Non-secure collectors search for child pornography in non-secure websites, such as chat rooms, whereas secure collectors are members of a closed networking group, who obsessively collect a large number of images. Groomers are individuals who use child pornography images to establish a sexual relationship with a minor in either the physical or virtual world. Finally, physical abusers and producers are both involved in the sexual abuse of children, but only the producer intentionally distributes the personal sex abuse images (Krone, 2005).

Similar to Krone's typology, non-contact child pornography users have been described as either closet collectors or traders (O'leary & D'Ovidio, 2007). A closet collector denies any sexual involvement with children and conceals any child pornographic materials. There is no acknowledged communication with other collectors, and the material is usually purchased discreetly through commercial channels. On the other hand, traders are child pornography users who communicate with other collectors in order to exchange child pornography (2007). Again, there is no evidence that closet collectors or traders are hands-on or contact child sex offenders; these individuals are engaging in non-contact child pornography behaviors, such as viewing, downloading, and exchanging/sharing sexual images of children.

As heightened efforts by law enforcement continue to increase, Wolak, Finkelhor, and Mitchell (2011) believe a better understanding of the offender population is needed in order to differentiate between those offenders who only engage in child pornography verses those who are also hands-on contact offenders. Relatively new research suggests there are differentiating characteristics between contact and non-contact offenders. McCarthy (2010) compared two groups of child pornography offenders; 51 were contact offenders and 56 were non-contact offenders. Results indicated a significant difference in how the two groups used Internet child pornography; contact offenders were significantly more likely to masturbate to Internet child pornography and download the images onto another external device (other than a computer hard drive) (McCarthy, 2010). In addition, the child pornography users who were involved in a higher number of child pornography behaviors (exchanging, paying for images, concealing and organizing collection) were more likely to be in the contact offender group (McCarthy, 2010). Finally, McCarthy (2010) suggested the ratio of adult pornography to child pornography was significantly different between groups in that the contact offenders were more likely to possess a higher ratio of child to adult pornographic images compared to the non-contact group.

Overall, individuals who engage in child pornography do so at varying degrees, with some offenders engaging in more offenses than others. Child pornography offenses may be categorized as production, distribution, or possession, and individuals may be involved in some or all of these offenses (Wortley & Smallbone, 2012). The overabundance of child pornography cases surpasses law enforcement's ability to effectively investigate cases (Eke, Seto, & Williams, 2011). If a suspect is involved in some or all of these child pornography offenses, then law enforcement must be able to determine which crime(s) have been committed. In other words, is the suspect a closet child pornography collector (i.e., possession only) or a hands-on contact offender (i.e., possession and producer)? Therefore, the problem for law enforcement is determining which offenders, who are initially suspected of child pornography possession or distribution charges, may also be hands-on contact offenders.

However, research suggests there are significant differences between contact and non-contact child pornography offenders. The one thing these different child pornography offenses have in common is the use of technology-specifically the Internet and digital devices. Technology may assist child pornography users in the possession, distribution, and production of Internet child pornography, but these same technologies are capable of providing incriminating computer forensic evidence (Rogers & Seigfried-Spellar, 2011). It is these differences that the current study seeks to identify using the actual computer forensic evidence collected from contact and non-contact child pornography cases. By behaviorally analyzing the computer forensic evidence of suspected offenders, law enforcement may be able to better prioritize between crimes by quickly identifying which offenders are more likely to be contact versus non-contact offenders (Rogers & Seigfried-Spellar, 2009; Rogers & SeigfriedSpellar, 2012).

The following case study illustrates the ability to conduct a behavioral analysis based on Internet artifacts of a suspected child pornography user to determine whether the individual is likely to also be a hands-on contact offender. The authors assessed a suspect's Internet Browsing History (specifically Internet Explorer Bookmarks, Mozilla Bookmarks, and Mozilla History) to identity any trends in pornography use. Finally, the authors discuss the feasibility in conducting a behavioral analysis of Internet artifacts (URLs) to differentiate between Internet child pornography users and child sex offenders.

2. CASE STUDY

The authors were asked by Law Enforcement to examine Internet Artifacts belonging to a computer seized from a suspect who was arrested and indicted for the possession of child pornography. The accused was a former deputy sheriff who claimed he came across the pictures while conducting his own examination of sites that hosted potential child pornography. To back up this claim, the accused indicated he had submitted two police reports to his department and five reports to the National Center for Missing and Exploited Children (NCMEC). These reports were time and date stamped and provided to the authors. The authors were asked to examine the Internet artifacts on the suspect's computer and determine if the evidence indicated behavior that was consistent with someone merely carrying out an investigation or not.

2.1 Tools

The Internet history files were analyzed using TimeFlow Analytical Timeline. TimeFlow is a data analysis tool, which allows researchers to assess trends in data over a period of time (Cohen, 2010). Specifically, events may be analyzed by day, month, or year. In this case study, the events analyzed were URLs visited by the suspect, so TimeFlow allowed the authors to determine any behavioral trends in pornography use by calendar month/year. All data was analyzed using IBM's Statistical Package for the Social Sciences (SPSS).

2.2 Design & Procedure

2.2.1 Phase 1

The first phase consisted of positively identifying artifacts that belonged to the user profile of the accused. The investigators determined that this user profile and account was not shared with any other persons. The Internet artifacts were filtered to remove any entry that was not linked to the accused's user-id. After the filtering process, the Internet Explorer History file contained the most entries, and this file was used as the primary basis for the analysis and conclusions. The other Internet artifacts (listed above) were examined and analyzed as supplemental data in order to confirm or refute findings drawn from the Internet Explorer History (IE History File).

2.2.2 Phase 2

The IE History file was converted to a comma separate values (CSV) format to facilitate the analysis and examination. Once converted, the IE History file was sorted by the Uniform Resource Locator (URL) name in order to facilitate proper classification. The file contained 5841 entries or events that were used for data analysis. Each entry was classified by both authors based on the URL visited or activity logged. The classifications were then compared and a consensus was reached concerning the appropriate categorization, or else the URL was flagged as unknown. After an initial examination, it was determined that the entries (data) could be classified using a system made up of 9 categories: 0 = Neutral; 1 = Adult Pom; 2 = Child Pom; 3 = Adult Dating; 4 = Pictures/Profiles; 5 = Chat Sessions; 6 = Bestiality, 7 = Data Cleaning; and 8 = Gay Pom (see Table 1).

If the URL name was not recognized as belonging to any of the categories listed from 0-8, it was assigned as "neutral" (0). Given the nature of the analysis, it was deemed appropriate to err on the side of inflating the false negatives (e.g., tme child pom or adult pom URLs being classified as neutral). When the URL name was not recognizable and/or no consensus could be reached on the appropriate category, and the nature of site could not be confirmed by any information in the entry (e.g., name of file downloaded or viewed), this entry was flagged as unknown. After classifying the known URLs, any unknown URLs were sent to the Indiana State Police Department's Internet Crimes against Children taskforce who verified whether the URL should be classified as Child Pom or some other category.

2.2.3 Phase 3

The IE History File was additionally sorted by visit count. The visit count field is a rough estimate of the number of times a particular URL was visited. IE, however, does not update this count consistently, and therefore, this number is only used as an estimate.

2.2.4 Phase 4

Phase focused on mapping the category of sites visited (URLs) on a timeline in order to determine if any patterns were present. For this process, the authors used the last-visited meta-data as the time stamp of the URL entry (need a reference here to justify this date).

2.2.5 Phase 5

The content of the seven reports that the accused submitted were studied, and the indicated URLs in the report, along with the dates recorded, were compared to the IE History file entries and the derived timeline.

3. CONCLUSION OF BEHAVIORAL ANALYSIS

After the URLs were classified, the Internet history files were statistically analyzed to determine prevalence and trends in Internet browsing. First, a frequency analysis was used to determine a baseline of online behavior. As shown in Table 2, 54% (n = 3205) of the URLs were classified as "neutral" and 38.8% (n = 2265) of the URLs were classified as a pom website (see Figure 1). When only considering the frequency of URLs, there were more adult pornography URLs (17.5%) compared to child pornography (10.8%), gay pornography (10.5%), and bestiality (.2%).

Next, the Internet history files were analyzed using TimeFlow analysis tool. As shown in Figure 2, TimeFlow displays "hot spots" for Internet browser activity based on URL category type. For example, child pom is represented by the neon green "hot spot." Lastly, the IE history file was analyzed by visit, or "hit," count,

As shown in Figure 3, the Pictures/Profiles (31.5%) category had the highest visit count followed by Neutral (19.3%), Gay Pom (17%), and Child Pom (16.6%). When comparing the Frequency Graph (Figure 1) to the Hit Count Graph (Figure 3), it was noted that the accused was accessing gay pom, child pom, chat rooms, and picture profiles (i.e., from Facebook) more often than adult pom and neutral websites.

The behavioral patterns obtained from the analysis of the IE History file were consistent with someone that was personally interested in the content of the sites visited, as opposed to fitting the pattem expected from a police investigation, whether formal or not. Based on the frequency analysis and the type of the sites visited, it was concluded that the suspect had preference for same-sex pornography and adolescent male child pornography. The vast majority of the same-sex pornography sites (Gay Pom) contained references to teen boys. This preference was consistent with the classification of a sexual deviance with online paraphilia centered on adolescent males1. In addition, the percentage of websites visited that were classified as Child Pom (10.8%), Gay Pom (10.5%) and Picture/Profile (3.4%) provided support that this behavior was preferential.

Furthermore, the time analysis indicated that the majority of the visited Child Pom sites occurred in 2005-2008, with early spring (March-April) and summer (July-August) accounting for the highest number. If the motivation for this behavior were investigative, then one would expect to see reports being filed at the end of these viewing cycles. However, no reports were submitted during these periods. Furthermore, the fact that the suspect was also visiting adult pom and bestiality sites fits the pattern of a consumer of child pornography, since previous research indicates consumers of child pornography engage in a similar pattem of nondeviant and deviant pornography use, specifically viewing Adult Pom, Bestiality, and Child Pom (see Seigfried-Spellar, 2013; Seigfried-Spellar & Rogers, 2011; Seigfried-Spellar & Rogers, 2013). In addition, the percentage of websites visited for Picture/Profile and Chat Rooms suggest the suspect was moving from fantasy-driven (online cybersex only) to contact-driven (intentions to meet offline) behavior (Briggs, Simon, & Simonsen, 2011).

The findings from the behavioral analysis were admitted as evidence in the sentencing hearing for this case. The federal prosecutor's office successfully argued that the findings painted a much different picture of the suspect and his activities than was proposed by the defense, who argued that the suspect/defendant had been conducting an ad hoc law enforcement investigation. The analysis clearly indicated the behavior was consistent with someone personally interested in sexual pictures of adolescent males. The judge in this case mied that the defendant had falsely denied conduct (sexual interest in adolescent boys) that was relevant to the sentencing guideline calculation (U.S.S.G. § 3E1.1).

More work is required to further validate the behavioral analysis process described, but the ability to infer the predilection for being a consumer of child pornography based on Internet artifacts may prove to be a powerful tool for investigators.