Tuesday, July 22, 2008

The Trojan Horse Defense

Is the trojan horse defense a viable approach when dealing with accusations of possession of child pornography on a computer? This is a question I get asked every now and then when talking to an attorney about a possible case. So I thought I would talk about this type of defense a bit here and outline the challenges of trying to use the trojan horse defense.

When considering this as a possibility, the first step is to see if there is something in the computer evidence that will prevent it from being viable. In particular, are the contraband pictures stored anywhere other than in the internet cache? If they are, then you probably can't use the trojan horse defense, unless you strongly suspect that the folders and/or files were put in that location by a trojan horse program. While this is possible, it is not very common. People who truly are after child pornography tend to be collectors and will save all the pictures they download. Even if they are attempting to hide this activity, it is fairly simple to determine whether the pictures were saved by the actions of the user rather than by a rogue program.

For the purposes of this discussion, I am going to contend that the pictures are only in the internet cache and some are saved in a hidden folder on the hard drive that could have been created by a rogue program. This gives me the basis to look at vetting the trojan horse defense.

Even in this circumstance, there is a great deal of difference between arguing for a trojan horse defense and proving one.

The trojan horse defense presents some serious and difficult technical challenges that must be resolved if you are going to argue that it is the cause of the contraband on a computer.

While it may seem that finding an active trojan horse program on the person's computer would be strong evidence, upon closer examination it is not. In order to prove that the contraband was a direct result of virus or trojan horse activity, you must be able to closely tie the two together, much in the same way you would need to link a handgun to a shooter.

To do this, you have to have proof of virus or trojan activity at the time the pictures were downloaded, not just at the time the computer was seized. This is important because anti-virus and anti-spyware programs may have removed the offending program at some point in the past, long before the computer was taken into custody for examination.

The examiner should begin by locating all the contraband pictures and gathering all of the available date and time information for each of the pictures.

Note: In child porn cases here in North Carolina, all work by the defense expert must be done under the supervision of law enforcement. It is illegal to make copies of computer evidence containing contraband pictures. While it is possible to get a protective order to obtain such a copy, I would not be willing to work on a case where I had to have this in my possession.

You are looking for a couple of things by doing this:

What was the total span of time during which the pictures were downloaded to the computer? This gives you the period during which you must prove that an active trojan or virus was resident and operating on the computer.

What were the last accessed and/or last viewed dates on the pictures?

You are looking for last modified and last accessed dates and times that are within seconds of each other. If you see evidence that the pictures were viewed at a later date, then you have to go back to square one, assume that the person was aware of the pictures and viewed them after downloading, and attempt to disprove that scenario.

Now that you have established that the pictures appear to have been downloaded, but not viewed, you can proceed with the rest of the examination.

The next step is to determine whether any viruses or trojan horse programs were active during that time span and, if so, which ones.

To do this, you have to find all of the log files from any anti-virus and anti-spyware programs that have been running on the computer. This assumes that the currently active virus or trojan horse program is not a suspect; even if it is, good practice dictates that you be thorough.

Assuming that you can locate the log files and that you do find some viruses and trojan horse programs that were active during the time span in which the pictures were downloaded, you still have to be able to prove that these particular programs could actually have done the downloading.

By researching each of the suspected programs using the virus databases available at Symantec, McAfee, Avast and other companies, you may be able to find evidence of one that could have downloaded the pictures.

WARNING ON: About to get technical for a minute.

Even if you do find a good technical description that implies that one of the programs you located could be the culprit, you are not done yet. Now you need to go back and locate anything that might further support your case. You may be able to locate additional information in the Windows hosts file, by doing link file analysis and by examining the Windows registry database. You can also examine the internet history to pin down additional date and time information and other activity trends that may support the case. I am not going to cover all the possibilities here, but suffice it to say, you are in for a significant amount of manual work at this point to track down any remnants of information that may have been left behind by these programs.
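The timeline checks described above (download span, later viewing, and whether a logged threat actually covers that span), as an added example that is not code from the post. All file records, log entries and threat names are constructed sample data, and every timestamp is assumed to already be normalised to one time zone.

```python
"""Timeline checks for vetting a trojan horse defense (constructed sample data)."""
from datetime import datetime, timedelta

FMT = "%Y-%m-%d %H:%M:%S"

# Constructed: contraband files with the date/time metadata the examiner collected.
PICTURES = [
    {"path": "cache/img001.jpg", "modified": "2007-03-02 22:14:05", "accessed": "2007-03-02 22:14:07"},
    {"path": "cache/img002.jpg", "modified": "2007-03-02 22:14:30", "accessed": "2007-03-02 22:14:31"},
    {"path": "cache/img003.jpg", "modified": "2007-03-09 01:03:12", "accessed": "2007-03-09 01:03:12"},
    {"path": "hidden/img004.jpg", "modified": "2007-03-09 01:05:40", "accessed": "2007-03-21 19:30:00"},
]

# Constructed: entries recovered from anti-virus / anti-spyware logs, oldest first.
# Threat names are placeholders, not real malware family names.
AV_LOG = [
    {"time": "2007-01-10 07:00:00", "threat": "Worm.EXAMPLE", "action": "removed"},
    {"time": "2007-02-20 09:01:00", "threat": "Trojan.Downloader.EXAMPLE", "action": "detected"},
    {"time": "2007-03-04 12:00:00", "threat": "Adware.EXAMPLE", "action": "removed"},
    {"time": "2007-03-05 18:30:00", "threat": "Trojan.Downloader.EXAMPLE", "action": "detected"},
    {"time": "2007-03-12 07:45:00", "threat": "Trojan.Downloader.EXAMPLE", "action": "quarantined"},
]


def parse(ts):
    return datetime.strptime(ts, FMT)


def download_window(pictures):
    """Earliest and latest write time: the span during which a trojan would have had to be active."""
    times = [parse(p["modified"]) for p in pictures]
    return min(times), max(times)


def viewed_after_download(pictures, tolerance=timedelta(seconds=60)):
    """Files whose last-accessed time is well after the write time: evidence of later viewing.

    Any hit here sends the analysis back to square one, as the post describes.
    """
    return [p["path"] for p in pictures
            if parse(p["accessed"]) - parse(p["modified"]) > tolerance]


def detections_in_window(av_log, window):
    """Log entries dated inside the download window, in log order."""
    start, end = window
    return [e for e in av_log if start <= parse(e["time"]) <= end]


def resident_across_window(av_log, window):
    """Threats logged both at or before the window starts and at or after it ends.

    A detection before the first download plus a removal after the last one brackets
    the whole span; a threat seen only once inside the window does not cover it.
    """
    start, end = window
    seen = {}
    for e in av_log:
        t = parse(e["time"])
        lo, hi = seen.get(e["threat"], (t, t))
        seen[e["threat"]] = (min(lo, t), max(hi, t))
    return sorted(name for name, (lo, hi) in seen.items() if lo <= start and hi >= end)


if __name__ == "__main__":
    window = download_window(PICTURES)
    print("download window:", window[0], "->", window[1])
    print("viewed later   :", viewed_after_download(PICTURES))
    print("in window      :", [e["threat"] for e in detections_in_window(AV_LOG, window)])
    print("across window  :", resident_across_window(AV_LOG, window))
```

A threat that appears in the window but does not bracket it still needs the extra corroboration the post goes on to describe (hosts file, link files, registry, internet history).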


The bottom line is that while this can be a viable defense, it is difficult to prove that a trojan was on its own the perpetrator in these types of cases, and it can be even more difficult to prove to a jury. Also, from my experience, it is a very rare occurrence, and there are better forensic alternatives in these cases if the pictures in question are only residing in the internet cache or in unallocated space.


Friday, July 11, 2008

Cell Phones Anyone?

Now that cell phone forensics is becoming more accessible, I thought I would talk a little about it, both from a technical standpoint and regarding the unique issues these devices present from a discovery and privacy standpoint.

A quick overview:

Cell phone forensics is in its infancy and is becoming a popular topic, especially among private investigators and divorce attorneys.

Considering the size of the potential market for cell phone forensics, I can see why it is generating a lot of interest among those who want to get in the business.

CTIA, a wireless industry association, reported that as of December 2007 there were 255.4 million cell phone subscribers in the US, or 84% of households.

Cell phones present some hairy issues when it comes to privacy and consent to search. I am sure that these issues will be addressed in the courts as time goes on. But for now, let me outline some of the things that, in my mind, should be considered before you attempt to get information from a cell phone:

1. Who owns it?

This can be a little difficult to figure out because of the nature of these little beasties. Does community property law apply for consent purposes?

How do you establish ownership?

Probably the only way to really establish ownership of the phone is to see a recent phone bill showing the activity for that cell phone number.

Why is this such an issue? Suppose that a spouse brings you a cell phone to examine. How do you know whether it is a personal cell phone or one supplied by the subject's company? Can the spouse give permission to search a company-owned cell phone? I wouldn't do it.

If the cell phone bill has only the subject's name on the account, even though it is paid from a joint account, does that give the spouse whose name is not on the bill the right to consent to a search?

Sticky, sticky issues.

2. Technical stuff you should be aware of.

You can't get a forensically sound copy of a cell phone, at least not in the sense used in computer forensics. The reason is that you have to talk to the phone to get the data from it. Even though you are not technically modifying the phone in any way, it is not like making a forensically sound copy of a hard drive, where you never talk to the computer.

A big deal in computer forensics is something called an MD5 hash. This is a long alphanumeric string that is calculated from the contents of a hard drive or other media to create a fingerprint for the copy.

This makes it possible to prove at a later date that the copy is exactly the same as the original.

Cell phones don't work like that. While you can create such a fingerprint when data from the phone is copied, and some cell phone forensics software does, it is not reproducible. Cell phones have an internal clock that cannot be turned off and that slightly changes the data.

So if you re-acquire a cell phone, the hash value will be different.
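The contrast described above, as an added example that is not code from the post: a hash verifies a re-imaged hard drive, while a phone acquisition that carries the handset clock never hashes the same way twice. The disk image and the phone dump are constructed byte strings, and the phone model (a fixed header followed by a 14-digit clock stamp) is an assumption made for the example.

```python
"""Hash verification of a disk image versus a clock-stamped phone acquisition (constructed data)."""
import hashlib

BLOCK = 4096  # assumption: hash in fixed-size blocks, as a tool would for a large image


def md5_of_acquisition(data):
    """Fingerprint an acquisition: the same bytes always give the same 32-hex-digit string."""
    h = hashlib.md5()
    for i in range(0, len(data), BLOCK):
        h.update(data[i:i + BLOCK])
    return h.hexdigest()


def verify_copy(data, recorded_hash):
    """Later check that a copy is still exactly what was acquired."""
    return md5_of_acquisition(data) == recorded_hash


# Constructed: a hard drive image is a passive read, so re-imaging returns identical bytes.
DISK_IMAGE = bytes(range(256)) * 64


def acquire_disk():
    return DISK_IMAGE


HEADER = b"PHONEDUMP"   # constructed header
CLOCK_LEN = 14          # assumed clock format: YYYYMMDDHHMMSS


def acquire_phone(handset_clock):
    """Constructed phone read: the handset stamps its own clock into the data it returns."""
    if len(handset_clock) != CLOCK_LEN or not handset_clock.isdigit():
        raise ValueError("clock must be 14 digits, YYYYMMDDHHMMSS")
    return HEADER + handset_clock.encode() + b"contacts:...;calls:...;sms:..."


def diff_offsets(a, b):
    """Half-open byte ranges where two equal-length acquisitions differ."""
    if len(a) != len(b):
        raise ValueError("acquisitions differ in length")
    ranges, start = [], None
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y and start is None:
            start = i
        elif x == y and start is not None:
            ranges.append((start, i))
            start = None
    if start is not None:
        ranges.append((start, len(a)))
    return ranges


def clock_explains_difference(a, b):
    """True when every differing byte lies inside the clock field, so the hash mismatch
    is the handset clock and not a change to the evidence itself."""
    lo, hi = len(HEADER), len(HEADER) + CLOCK_LEN
    return all(lo <= s and e <= hi for s, e in diff_offsets(a, b))


if __name__ == "__main__":
    recorded = md5_of_acquisition(acquire_disk())
    print("disk re-image verifies:", verify_copy(acquire_disk(), recorded))
    p1, p2 = acquire_phone("20080711100000"), acquire_phone("20080711100130")
    print("phone hashes match    :", md5_of_acquisition(p1) == md5_of_acquisition(p2))
    print("differences at        :", diff_offsets(p1, p2), "clock only:", clock_explains_difference(p1, p2))
```

Documenting which byte ranges differ between two acquisitions is how an examiner shows that a mismatched hash reflects the clock rather than altered evidence.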

3. What can you get from a cell phone?

The exact answer is, it depends. Every cell phone model is different. Also, the software packages available to get information from cell phones vary widely in their ability to do so.

So while one piece of software may be able to only get the recent call list from a phone, another package may be able to get the text messages and contact list as well.

In some cases, no software can get anything from a particular phone.

As of this writing, to get information from a Nextel phone, you have to use the phone tools provided by Nextel. None of the forensic software suites I am aware of can talk to a Nextel.

For all us super-geeks, this just makes it a more interesting challenge.

There is no doubt that cell phone forensics will continue to play an increasingly vital role in criminal and civil cases.

At this point there is nowhere to go but up.


Defendant as Expert?

I was talking to an attorney the other day about an Internet predator case where the defendant testified about the chat logs, etc. in opposition to the prosecution expert.

To me, that is like having a defendant testify as a ballistics expert about the gun he used in a crime.

Independent of the person's level of expertise, I am trying to figure out how a jury would see this as anything other than highly biased, and probably suspect, testimony.

Especially in a case where the issue at hand is protecting children from Internet predators.

Who has more credibility in this instance: The law enforcement officer who is working to protect the children in the community, or the person accused of attempting to violate that very safety by allegedly soliciting a minor over the Internet in a chat room?

These cases are very difficult, even if you use an independent expert.

The odd thing about computer experts versus, say, a ballistics expert is that computers are available to everyone, so a great many people are exposed to computers and develop various levels of expertise, from "I just get my email on the thing" to the self-appointed guru.

And there are a lot of self-appointed gurus out there.

Of course, what that means is debatable, since who gets to measure the true level of expertise of the self-appointed guru?

These days it seems that all a person has to do to qualify as a self-appointed guru is to know enough geek-speak to confound the listener.

Computer user asks the Guru, "My computer is running slow and I keep getting booted off the Internet. Any idea what is wrong with it?"

Guru responds, "That could be anything from the Vundo trojan to a problem with your TCP/IP socket layer. Or maybe your hosts file has been compromised. It could even be a chattering NIC, or your computer may be botted by an attacker to be used in a DoS attack."

Computer user replies, "Huh? Can you explain any of that in English please?"

Guru responds, "Here, let me just fix it." While thinking, "Even if I did explain it, you wouldn't understand it."

This becomes even more problematic when it comes to court testimony and you have to explain to a jury exactly what happened and how it happened in plain everyday terms.

Sadly, this is even the case in my field, where people are buying a forensics software suite and putting themselves out there as self-appointed computer forensics experts.

And this is compounded by the fact that commercial computer forensics suites can make finding some types of information relatively simple. So simple, in fact, that almost anyone with a middling level of computer expertise can do it.

What these suites cannot do is locate information about things that are not pre-programmed into the scripts the software uses.

Case in point: Evidence erasers.

I testified in a court case earlier this year where an Internet privacy program was installed on the defendant's computer.

The fact that this program was found on the defendant's computer was emphasized early on and throughout the case by the prosecuting attorney, to cast doubt on the intentions of the defendant by suggesting he wanted to cover his tracks and erase evidence from the computer.

In order to clarify the facts about the privacy program, I located the registry entries for the program. (The Windows registry is a database that Windows uses to keep track of things like program settings, user names, etc.)

I then located and installed an exact copy of the same version of the privacy software on a clean computer in my lab and read the registry entries for a default installation.

Then I went and located the documentation for the privacy program to determine the correct translations of the registry entries.

Many programs store information in the registry in unusual ways. In this case, the program's automatic wiping schedule was stored as a single-digit integer; here, the value was 4.

Based on the documentation I located, that meant the program would automatically run once every 12 hours.

Comparing the registry entries from the defendant's computer with those from the control computer, I was able to determine that all of the entries were still at the default settings set upon installation.

The program was also set by default to run every time the computer started up.

I also located the log files for the privacy program that showed what was erased and when it was erased.

Taking all of this to court allowed me to show exactly what was going on with this particular program and that the defendant did not set it up to erase his tracks. In fact, it was installed by his computer support person over a year earlier, had never been adjusted, and had not been manually run by the defendant at any point during the time in question.
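The control-computer comparison and log review described above, as an added example that is not the post's own work product. The registry value names, the subject's values, the program's log format and the meaning of any schedule code other than 4 are constructed assumptions for this example; the only decoding the post documents is that schedule value 4 means an automatic run every 12 hours.

```python
"""Checking a suspect's settings against a default install and summarising the program's own log
(constructed registry values and log lines; value names and log format are assumptions)."""
from datetime import datetime

# Constructed: values exported from a clean default installation on the lab computer.
CONTROL_DEFAULTS = {
    "WipeSchedule": 4,
    "RunAtStartup": 1,
    "WipeBrowserCache": 1,
    "WipeFreeSpace": 0,
    "InstallDate": "2006-02-14",
}

# Constructed: the same values as read from the subject's computer.
SUBJECT_VALUES = {
    "WipeSchedule": 4,
    "RunAtStartup": 1,
    "WipeBrowserCache": 1,
    "WipeFreeSpace": 0,
    "InstallDate": "2006-02-14",
}

# Only the code the post documents is known; anything else is sent back to the vendor manual.
SCHEDULE_MEANING = {4: "automatic run every 12 hours"}

# Constructed log format: "<timestamp> | <trigger> | <detail>".
PROGRAM_LOG = """\
2007-05-01 08:02:11 | startup | wiped 312 items
2007-05-01 20:02:40 | scheduled | wiped 41 items
2007-05-02 08:03:05 | scheduled | wiped 58 items
2007-05-02 08:03:06 | startup | wiped 0 items
"""


def changed_from_defaults(defaults, subject):
    """Values that differ from a default install; an empty list means nothing was customised."""
    return sorted((name, defaults[name], subject.get(name))
                  for name in defaults if subject.get(name) != defaults[name])


def describe_schedule(code):
    """Translate the stored schedule integer using the documented meaning, if there is one."""
    return SCHEDULE_MEANING.get(code, f"undocumented schedule code {code}: check vendor documentation")


def runs_by_trigger(log_text, start, end):
    """Count the program's logged runs inside a date range, grouped by what started them.

    A zero count for 'manual' over the period in question is the point the post makes.
    """
    counts = {}
    lo, hi = datetime.fromisoformat(start), datetime.fromisoformat(end)
    for line in log_text.splitlines():
        ts, trigger, _detail = (part.strip() for part in line.split("|", 2))
        if lo <= datetime.fromisoformat(ts) <= hi:
            counts[trigger] = counts.get(trigger, 0) + 1
    return counts


if __name__ == "__main__":
    print("changed from defaults:", changed_from_defaults(CONTROL_DEFAULTS, SUBJECT_VALUES))
    print("schedule:", describe_schedule(SUBJECT_VALUES["WipeSchedule"]))
    print("runs:", runs_by_trigger(PROGRAM_LOG, "2007-05-01 00:00:00", "2007-05-02 23:59:59"))
```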

I think something a lot of people don't realize about court cases is that they are really about each side telling a story, based on the facts and circumstances of the case, to a jury of twelve people.

Then it is up to the jury to decide who told the story that provides the least amount of reasonable doubt. Or in other words, who was more believable.

How does forensic analysis like the above affect the stories?

On the prosecution side, all they have to do is say that the defendant had a program installed on his computer to wipe out evidence of his actions on the computer. That is enough to establish some doubt about the intentions of the defendant.

On the defense side, telling "the rest of the story," as Paul Harvey would say, sheds light on the actual use of the program and the intentions of the defendant.

The purpose of going through that example is to show that owning some computer forensics software and even attending training is not always enough to provide expert forensics services.

Experts come in all levels of expertise. The better ones will not only have the right tools and know how to use them; they will also have a significant depth of knowledge about software, hardware, programming, databases, email, the Internet, social networking, file sharing programs, evidence handling, search and seizure laws and court presentation.

The problem for defense attorneys and public defenders is that very few computer forensics experts will do defense work, and especially sex crimes defense work.

In my opinion, that is where the expertise of an experienced forensics examiner is most needed. Law enforcement will always have an expert on their side of the table. The defense should as well to balance the scales.


Scope of Search Warrants in Computer Investigations

This is an excellent article on recent decisions and issues regarding computer evidence and Fourth Amendment search restrictions.

The Scope of Search Warrants With ESI
By Ken Strutin, New York Law Journal, July 9, 2008


Thursday, July 10, 2008

Thinking about doing your own forensics work?

Here is a link to an excellent article regarding DIY computer forensics by law firms and corporations. I have seen this happen in several instances and it invariably makes what I do cost more and yield less usable results.

The Dangers of Do-It-Yourself Computer Forensics
By Eric Shirk


Wednesday, July 9, 2008

For the Defense

Interesting comment stemming from the Neil Entwistle case.


Will wonders never cease?

This has nothing to do with Digital Forensics, but I thought I would share it anyway since it is amusing.

"Woman Shoots Self While Trying To Kill Mice"

Saturday, July 5, 2008

What you should know about P2P file sharing programs.

P2P or peer-to-peer file sharing programs are software programs that people use to share files with others on the Internet. The more popular ones are Limewire, Kazaa and BitTorrent; however, there are dozens of them in various flavors available for free on the Internet.

What these programs do is give the user access to millions of files shared by people from their computers via the Internet. Many people use these programs to download music, movies and software programs. However, there is also a wide variety of porn available via these networks, including child porn.

Since the purpose of these programs is file sharing, they can open the user's computer up to the Internet for that purpose.

According to the Electronic Communications Act:

(g) It shall not be unlawful under this chapter or chapter 121 of this title for any person - (i) to intercept or access an electronic communication made through an electronic communication system that is configured so that such electronic communication is readily accessible to the general public;

Sounds like your computer meets this requirement if you are sharing files with other people on the Internet, doesn't it?

The reason I mention this, other than the obvious, is that I worked on a child porn case a couple of years ago where law enforcement, while watching files pass over the Gnutella network (the network that many of these programs use for transmitting files), spotted some CP files. Since the IP address and location of the receiving computer were shown to them, they were able to identify a computer in the local jurisdiction.

They then confirmed that the computer was open for sharing, so they connected to the computer and looked at the hard drive. (See the ECA excerpt above.)

They were able to confirm that CP files resided on the computer hard drive, so they then issued a subpoena to the Internet service provider (ISP) for the computer and obtained the subscriber's name and address.

They obtained a search warrant for the premises and computer and subsequently arrested two people.

Unsophisticated users of these sharing programs rarely realize that any file listed can actually be contraband. Just because the description says it is one thing, you have no idea what you are really downloading until it is flowing to your computer.

And that can get you in some serious trouble.

Especially if law enforcement happens to be monitoring traffic at that time and decides to pursue a case against you.

Also, you don't have to be sharing these files to get into trouble with the law, since possession alone is enough to be arrested and possibly convicted.

However, if your computer is open to sharing, then the charges can escalate beyond possession to purveying and that is serious business.

Defending these cases can be complex and requires a broad knowledge of file sharing software and other software that I won't mention here since I don't want to give away any secrets.

My advice to people who ask me: Don't use these programs at all.


Friday, July 4, 2008

MMORPG. What the heck is that and why do I care?

MMORPG stands for Massively Multiplayer Online Role Playing Game, which is why everyone uses the acronym; who would want to have to say that mouthful?

There are millions of people playing on-line games from the "Sims Online" to World of Warcraft and dozens of others.

The majority, if not all, of these games have a logging feature that can be turned on by the user. In-game logging is saved to the computer's hard drive and records every message to and from the player, both in public chats and in private tells.

The logs also record all of the dates and times that the user is on-line.

Also, if you know how to get the information, most games record some information about play sessions, even if logging is not turned on.

How can any of this be of use in a case?

You can establish when a person was at their computer playing the game, to perhaps bolster or discount an alibi.

If you suspect that one partner is having an on-line affair, the logs could be a good source of private chat information.

Do you need to know how much time someone was spending on-line playing a game instead of caring for a child or working? Game logs could be a good source of information there as well.

In the connected world we live in today, pieces of information are available in so many places if you just know where and how to look for them.


Wednesday, July 2, 2008

PI Licensing for Forensics Examiners

There is a flurry of licensing activity going on around the country for computer forensics. The current trend appears to be that states are requiring computer forensics professionals to obtain Private Investigator licenses. This is just dumb. In Texas, even computer repair shops must now have a PI license, and a hapless consumer in that state who takes his computer to an unlicensed repair shop can be fined as well.

Texas Requires PI License for Computer Repair

The purpose of licensing computer forensics professionals should be to protect the public interest by requiring that practitioners meet minimum requirements and have oversight by a governing body. That makes perfect sense.

But to say that Private Investigators can practice computer forensics with no specific skill in the area while preventing professionals in the field from practicing is, in my mind, a violation of the public trust and is little more than a ham-handed form of unfair trade practice.

What's next? Will auto mechanics have to have a PI license to work on cars?

Here is a link to a position paper I wrote on this subject. If you are in a state that is currently working on establishing laws for licensing, feel free to download and use whatever parts of it you want. I only ask that you leave my name as co-author since I wrote it.

Position Paper on PI Licensing of Computer Forensics Professionals

Good luck.


Who's looking at you, kid?

Social networking is all the rage these days. Myspace, Facebook, Bebo and other social networking sites are booming with new pages going up all the time.

What does that mean in the world of litigation?

It means: be careful, since you never know who is looking at your Myspace page. In a recent personal injury lawsuit, the plaintiff's Myspace page was used to prove that the claimed injuries did not prevent the person from partying, applying for jobs and other activities that contradicted the plaintiff's story about the extent of the injuries.

Here is a blurb from the story in NC Lawyers Weekly:

"MySpace photos used against injury plaintiff

The plaintiff's story was the kind that demanded sympathy: A 21-year-old college student whose dream of becoming a teacher vanished after she collided with the defendant's dump truck and suffered a traumatic brain injury. Pictures from parties on her MySpace page told a different story to the defense: The plaintiff's life wasn't as hard-hit by the May 2005 accident as she claimed."

You can view the whole story here if you are a subscriber or want to do the trial thing.

I recently worked on a case where MySpace was a big factor.

More and more, what you are doing on the Internet is opening doors for savvy attorneys and forensic examiners to add to the evidence in cases, by checking whether your story lines up with what you are telling the world about yourself.

Locking an online profile by making it private does not necessarily protect a person if their computer is examined by a computer forensics expert. Many of the activities a person performs to edit and maintain their MySpace or other profile are cached on the user's computer and can be recovered and reconstructed.

This includes MySpace chat, profile edits, gallery photos and other artifacts.

The next time you get a case, checking out a person's MySpace or other social networking site can be a gold mine, even if you have to get the computer to get to the information.


A Little TV Time.

A few months ago I was interviewed by WRAL-TV about computer forensics. While the interview went well, understand that over an hour of interview was condensed down to about 15 seconds.

Although it sounds like I mean that nothing can ever be deleted from a computer, the fact is that some things are not recoverable. While deleted items are normally not lost from computers and other types of storage media, they can be overwritten, rendering them unretrievable. Also, it is possible to permanently erase something if you know how and have the right tools.

Having added all those clarifications, here is a link to the video if you are interested...

WRAL-TV Interview - Deleted Data Can Be Used Against You.


Tuesday, July 1, 2008


I guess I had comments turned off. Anyway, I am still working on this blog. :)