Disproving the Trojan Defense


keydet89
Senior Member
 

Disproving the Trojan Defense

Post Posted: Nov 22, 05 21:00

Recently, I've read a couple of news items and articles that mention the successful use of "Trojan Defense" in child pornography cases. I've also read an academic paper that addresses the use of statistical analysis of file access times to prove/disprove this claim.

Is this an area that would benefit from further investigation and discussion? In the past couple of years, I've done some research into Windows Registry analysis, and I'm curious if this particular topic would benefit from data collection and analysis techniques that could be used to prove/disprove this claim.

Thoughts?

Thanks,

Harlan  
 
  

hogfly
Senior Member
 

Re: Disproving the Trojan Defense

Post Posted: Nov 22, 05 21:21

My estimation is that the trojan defense works because the lawyer is untrained in prosecuting digital crimes and doesn't know the right questions to ask, the evidence isn't there, or the 'expert' botched the investigation because they don't know enough about the malware, how it spreads, and how it works.

Would this area benefit from investigation? Yes. Would this area benefit if the AV/anti-trojan manufacturers helped out by providing more information? Yes.

I think the most important aspect of something like this would be the analysis aspect. Proving the negative (that it was the user and not the malware) is the tough part.

Can you provide links to the papers?  
 
  

keydet89
Senior Member
 

Re: Disproving the Trojan Defense

Post Posted: Nov 22, 05 21:45

> My estimation is that the trojan defense works because the lawyer is
> untrained in prosecuting digital crimes and doesn't know the right
> questions to ask, the evidence isn't there, or the 'expert' botched the
> investigation because they don't know enough about the malware, how
> it spreads, and how it works.

From what I've read, as well as from discussions with LEOs and folks who actually go to court, none of these is really the case. What it comes down to is the presentation by the expert witness, and how much the defense attorney can confuse the issue in the minds of the jury.

> Would this area benefit if the AV/Anti trojan manufacturers helped out
> by providing more information? yes.

I'm not sure that I see how. In the Caffrey case, the suspect was found not guilty after claiming that a Trojan was responsible for the DoS attacks emanating from his system, even though A/V scans showed no signs of malware.

What information would you like to see? What's missing? What are the A/V companies failing to provide, in your view?

> Can you provide links to the papers?

The academic paper I mentioned can be found (via Google) here:
www.idje.org (look under the vol 2, issue 4, spring 2002, for "The Trojan made me do it")

One reference to the Caffrey case I mentioned above is found (via Google) here:
www.collisiondetection...00557.html

Others:
news.com.com/2100-7349...92781.html
www.techdirt.com/artic...5248.shtml

The FedLawyerGuy.org blog has a post here:
www.fedlawyerguy.org/a...00342.html
Note: the link to the Reuters article seems to be down

With regards to child pornography in particular, I think it should be fairly easy to prove, through additional means, whether or not the pictures were placed there unbeknownst to the suspect via a Trojan.

Harlan  
 
  

hogfly
Senior Member
 

Re: Disproving the Trojan Defense

Post Posted: Nov 22, 05 22:20

So, legal junk science attacks at work eh?

In the Caffrey case, suppose an AV vendor provided an analysis of how the malware on the system worked. It didn't mention it, but I wonder if the ISP provided flow logs on the case. Simply explained, if someone else 'did it', you'd see an incoming connection to Caffrey's box on a backdoor port that was opened by the trojan. No connection, no outside source involved. Explaining that trojans aren't autonomous is up to the "expert".

I think a detailed malware analysis provided by AV vendors would be beneficial in cases where malware being the cause of an action is in question. If someone claims that a trojan was the cause, and the trojan's only purpose is to track someone's actions then it *could* help a case.  
 
  
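hogfly's flow-log test, as an added example that is not part of the thread: given constructed flow records (placeholder addresses and an assumed backdoor port, none of them from the case), it checks whether any inbound connection to the trojan's listening port precedes the suspect machine's first outbound flow to the target.

```python
from datetime import datetime, timedelta

# Placeholder addresses and port, constructed for this example.
SUSPECT_IP = "192.0.2.10"      # the machine alleged to have been trojaned
TARGET_IP = "198.51.100.5"     # the DoS victim
BACKDOOR_PORT = 31337          # assumed listening port of the alleged trojan

# Constructed flows, "timestamp src_ip src_port dst_ip dst_port proto";
# the only hit on the backdoor port arrives after the flood has started.
CONSTRUCTED_FLOWS = """\
2005-11-22T20:58:01 203.0.113.7 4410 192.0.2.10 80 TCP
2005-11-22T21:00:05 192.0.2.10 1025 198.51.100.5 6667 TCP
2005-11-22T21:00:06 192.0.2.10 1026 198.51.100.5 6667 TCP
2005-11-22T21:05:00 203.0.113.9 5123 192.0.2.10 31337 TCP
"""

def parse_flows(text):
    """Parse whitespace-separated flow lines into dicts, oldest first."""
    flows = []
    for line in filter(str.strip, text.splitlines()):
        ts, src, sport, dst, dport, proto = line.split()
        flows.append({"ts": datetime.fromisoformat(ts), "src": src,
                      "sport": int(sport), "dst": dst, "dport": int(dport),
                      "proto": proto})
    return sorted(flows, key=lambda f: f["ts"])

def first_outbound_attack(flows, suspect, target):
    """Timestamp of the first suspect -> target flow, or None."""
    for f in flows:
        if f["src"] == suspect and f["dst"] == target:
            return f["ts"]
    return None

def inbound_control_before(flows, suspect, port, deadline, window):
    """Inbound flows to suspect:port inside `window` before `deadline`."""
    return [f for f in flows
            if f["dst"] == suspect and f["dport"] == port
            and deadline - window <= f["ts"] < deadline]

def assess(text, suspect, target, port, window=timedelta(hours=1)):
    """Say whether the flows support a remote operator driving the attack."""
    flows = parse_flows(text)
    start = first_outbound_attack(flows, suspect, target)
    if start is None:
        return {"attack_seen": False, "remote_control_supported": False,
                "hits": []}
    hits = inbound_control_before(flows, suspect, port, start, window)
    return {"attack_seen": True, "attack_start": start.isoformat(),
            "remote_control_supported": bool(hits), "hits": hits}
```

A negative result is only as strong as the log coverage and the assumption that the trojan was remotely driven rather than pre-scheduled, which is the part hogfly leaves to the expert to explain.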

jlloyd
Member
 

Re: Disproving the Trojan Defense

Post Posted: Nov 22, 05 23:26

As previously reported, there were no viruses present on Aaron Caffrey's machine.
Contrary to the impression given by the Google report linked to by Harlan, I do not believe that it was ever Caffrey's intention to compromise the Port of Houston server. The server was simply vulnerable to a well-known IIS exploit (and had been previously compromised by the same exploit) which was utilised as part of an IRC script in order to launch a DDOS attack on IRC chat room users.
A large number of log files were presented and examined relating to IP traffic and chat logs recovered from IRC sessions. The scripts allegedly used to conduct the DDOS attack were also examined.

That Aaron Caffrey's Trojan defence succeeded is both a testament to his defence barrister's abilities and an indictment of the failure of the prosecution to pursue a variety of issues such as the social engineering aspects of the case.

The prosecution's expert evidence went right over the heads of the jury and they ended up accepting a ludicrous story as a defence simply because it was presented in a much more accessible fashion.

Win some, lose some.
 
  

keydet89
Senior Member
 

Re: Disproving the Trojan Defense

Post Posted: Nov 22, 05 23:49

> So, legal junk science attacks at work eh?

Not at all. From what I've read, it seems to be a matter of playing on the public's misconceptions. All the defense has to ask is if it's *possible* that the malware could have escaped detection by the A/V scanners, or whatever other method was used.


> I think a detailed malware analysis provided by AV vendors...

Why shouldn't that analysis be provided by forensic analysts? Why wait for an A/V vendor to provide the analysis, or say that it's not detailed enough, when an analyst can do that analysis themselves? Is it a matter of time? What if someone were able to provide the necessary training to analysts, or provide the analysis as a service? Wouldn't it behoove an analyst to be able to study a bit of malware from their own perspective, rather than the perspective of an A/V vendor?

More to the point of the original topic, though...in cases involving CP, there are other methods of determining the validity of such defenses. In my own research into the topic, I haven't come across any publicly available information regarding Registry analysis in general, nor specifically for such cases.

Is this because no one's doing it, or the fact that analysts aren't interested in it?

Harlan  
 
  

hogfly
Senior Member
 

Re: Disproving the Trojan Defense

Post Posted: Nov 23, 05 00:13

Harlan,
I never said it shouldn't be up to the forensic analyst. Why the AV vendor and not the analyst? Why a commercial tool and not a homegrown one? Based on answers I've received... a vendor would hold more clout, just like a commercial tool would. In the US, Symantec is approved by NIST, so by rights (making an assumption here) wouldn't an analysis by an experienced Symantec malware analyst hold more weight?
If someone provided the training... SANS already does (malware analysis 2-day hands-on course). Not sure if there are others though. I haven't seen a malware analysis service, but I wouldn't see it hurting a case if one were used.

Yes, it certainly would behoove the analyst if they studied the malware. How many analysts unpack PEs, set breakpoints in IDA (or other tools), recover what's in the registers and translate that to English? I'd guess not many, and the reason I would guess is due to limited time.

Could you share some of the methods used for determining the validity of the defenses in CP cases? I haven't seen the registry mentioned or used in any of the affidavits or testimonies I've read yet either.
 
