Tuesday, July 22, 2008

The Trojan Horse Defense

Is the trojan horse defense a viable approach when dealing with accusations of possession of child pornography on a computer? This is a question I get asked every now and then when talking to an attorney about a possible case. So I thought I would talk about this type of defense a bit here and outline the challenges of trying to use the trojan horse defense.

When considering this as a possibility, the first step is to see if there is something in the computer evidence that will prevent this from being viable. In particular, are the contraband pictures stored anywhere other than in the internet cache? If they are, then you probably can't use the trojan horse defense, unless you strongly suspect that the folders and/or files were put in that location by a trojan horse program. While this is possible, it is not very common. People who truly are after child pornography tend to be collectors and will save all the pictures they download. Even if they are attempting to hide this activity, it is fairly simple to determine whether the pictures were saved by the actions of the user rather than by a rogue program.

For the purposes of this discussion, I am going to contend that the pictures are only in the internet cache and some are saved in a hidden folder on the hard drive that could have been created by a rogue program. This gives me the basis to look at vetting the trojan horse defense.

Even in this circumstance, there is a great deal of difference between arguing for a trojan horse defense and proving one.

The trojan horse defense presents some serious and difficult technical challenges that must be resolved if you are going to argue this as the cause for the existence of contraband on a computer.

While it may seem that finding an active trojan horse program on the person's computer would be strong evidence, upon closer examination, it is not. In order to prove that the contraband was a direct result of virus or trojan horse activity you must be able to closely tie the two together, much in the same way you would need to link a handgun to a shooter.

To do this, you have to have proof of virus or trojan activity at the time the pictures were downloaded, not just at the time the computer was seized. This is important since anti-virus programs and anti-spyware programs may have removed the offending program at some point in the past, long before the computer was taken into custody for examination.

The examiner should begin by locating all the contraband pictures and getting all of the available date and time information for each of the pictures.

Note: In child porn cases here in North Carolina, all work by the defense expert must be done under the supervision of law enforcement. It is illegal to make copies of computer evidence containing contraband pictures. While it is possible to get a protective order to get such a copy, I would not be willing to work on a case where I had to have this in my possession.

You are looking for a couple of things by doing this:

What was the total span of time during which the pictures were downloaded to the computer? This will give you the period of time that you must prove that an active trojan or virus was resident and operating on the computer.

What were the last accessed and/or last viewed dates on the pictures?

You are looking for last modified and last accessed dates and times that are within seconds of each other. If you see evidence that the pictures were viewed at a later date, then you have to go back to square one: assume that the person was aware of the pictures and viewed them after downloading them, and attempt to disprove that scenario.

Now that you have established that the pictures appear to have been downloaded, but not viewed, you can proceed with the rest of the examination.

The next step is to determine whether any viruses or trojan horse programs were active during the time span, and if so, which ones.

To do this, you have to go and find all of the log files from any anti-virus and anti-spyware programs that have been running on the computer. This assumes that the currently active virus or trojan horse program is not a suspect; even if it is, good practice dictates that you be thorough.

Assuming that you can locate the log files and that you do find some viruses and trojan horse programs that were active during the time span in which the pictures were downloaded, you have to be able to prove that these particular programs could have actually done the downloading.

By researching each of the suspected programs using the virus databases available at Symantec, McAfee, Avast and other companies, you may be able to find evidence of one that could have downloaded the pictures.
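The timeline checks described above (the download span from the last-modified times, the "viewed later" test on last-accessed times, and the overlap of anti-virus log entries with that span) as an added example, not code from the original post. All file records, timestamps and the anti-virus log entries are constructed sample data, and the five-second tolerance and one-day slack are assumptions chosen for illustration:

```python
from datetime import datetime, timedelta

FMT = "%Y-%m-%d %H:%M:%S"

def parse(ts):
    return datetime.strptime(ts, FMT)

# Constructed sample records for cached images: (path, last modified, last accessed).
# In a real examination these come from the forensic image under supervision.
CACHE_FILES = [
    ("cache/img001.jpg", "2008-03-02 22:14:05", "2008-03-02 22:14:06"),
    ("cache/img002.jpg", "2008-03-02 22:14:09", "2008-03-02 22:14:09"),
    ("cache/img003.jpg", "2008-03-05 01:02:10", "2008-03-09 19:30:00"),  # opened days later
]

# Constructed anti-virus log lines: (timestamp, message). The threat name is made up.
AV_LOG = [
    ("2008-02-28 08:00:00", "Scan completed: 0 threats found"),
    ("2008-03-03 09:15:22", "Quarantined: Trojan.Downloader.Sample (constructed name)"),
    ("2008-04-01 10:00:00", "Scan completed: 0 threats found"),
]

def download_span(files):
    """Earliest and latest last-modified time: the period a trojan must have been active."""
    mods = [parse(m) for _, m, _ in files]
    return min(mods), max(mods)

def viewed_later(files, tolerance=timedelta(seconds=5)):
    """Files whose last-accessed time is well after last-modified: viewed after download.
    Any hit means the 'downloaded but never viewed' premise does not hold for that file."""
    return [p for p, m, a in files if parse(a) - parse(m) > tolerance]

def av_events_in_span(log, start, end, slack=timedelta(days=1)):
    """Anti-virus log entries inside the download span (plus slack, since a detection
    is usually logged at removal time, after the program has already been active)."""
    return [(ts, msg) for ts, msg in log if start - slack <= parse(ts) <= end + slack]

if __name__ == "__main__":
    start, end = download_span(CACHE_FILES)
    print("download span:", start, "->", end)
    print("viewed after download:", viewed_later(CACHE_FILES))
    for ts, msg in av_events_in_span(AV_LOG, start, end):
        print("AV event in span:", ts, msg)
```

On the sample data the third image fails the "not viewed" test and must be explained before the defense can proceed, while one anti-virus entry falls inside the span and becomes the program to research in the vendor databases.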

WARNING ON: About to get technical for a minute.

Even if you do find a good technical description that implies that one of the programs you located could be the culprit, you are not done yet. Now you need to go back and locate anything that might further support your case. You may be able to locate additional information in the Windows hosts file, by doing link file analysis and by examining the Windows registry database. You can also examine the internet history to pin down additional date and time information and other activity trends that may support the case. I am not going to cover all the possibilities here, but suffice it to say, you are in for a significant amount of manual work at this point to track down any remnants of information that may have been left behind by these programs.

WARNING OFF:

The bottom line is that while this can be a viable defense, it is difficult to prove on its own that a trojan was the perpetrator in these types of cases, and it can be even more difficult to prove to a jury. Also, from my experience, it is a very rare occurrence, and there are better forensic alternatives in these cases if the pictures in question are only residing in the internet cache or in unallocated space.


1 comment:

  1. This is an extremely interesting issue, one that is not met completely in terms of the technical challenges. I have used Registry analysis to great effect, in some cases showing conclusively that a particular user account was used to access image or file viewing software, which was then used to access certain images/files. In some cases, I have been able to show access to files that were no longer on the system (Windows has its own "anti-forensics" techniques) or were located on file servers when they were accessed.
