Feature
The first 10 years of the Trojan Horse defence

https://doi.org/10.1016/S1361-3723(15)70005-9

Apprehended criminals throughout history have always attempted to put the blame on someone else, a strategy popularly known as a SODDI defence (Some Other Dude Did It). When this defence is used, the act of the crime (actus reus) and the guilty mind (mens rea) are blamed on another party. A Trojan Horse Defence (THD) is a type of modern SODDI defence, where the mens rea and actus reus are blamed on a piece of software, known as a trojan.1

It has now become common for people accused of some computer-related crime to claim that the responsibility lies with malware placed on their machine without their knowledge.

This so-called Trojan Horse Defence (THD) was first used a decade ago. In this article, Stephen Bowles and Julio Hernandez-Castro of the University of Kent undertake a timely retrospective with an in-depth and critical literature review plus a detailed look at the peculiarities of many court cases from around the world.

Section snippets

The prosecutor's view

In 2004 Susan Brenner and her colleagues wrote a paper that primarily concentrates on the view of the prosecutor. As it was major news at the time, the paper focuses on the Caffrey case, regularly linking points to it. The paper reservedly states that the defence could be “empirically valid”. However, especially with recent advancements in malware, it should be stressed that it is entirely possible for a trojan to be the cause of a crime. The paper provides an introduction to four 2003 court

The forensics and technical side

A 2003 paper adds a thorough discussion of digital forensic techniques and provides intricate details on how a forensic investigation should take place on a Windows- or Linux-based system.5 Although perhaps dated, many of the techniques and tools mentioned are still valid and used today. The paper primarily focuses on data recovery; however, it also discusses viewing logs and tracking the activities of a hacker. The paper makes a significant point that, in some cases (which we report on

Statistics

A 2004 paper (Carney and Rogers) details an attempted stepwise discriminant analysis of four scenarios, all of which resulted in five illicit images of children being created on the system.8 The goal was to see “whether an investigator could determine if images were downloaded intentionally or without the owner's knowledge based on characteristics located in the operating and file system”. The paper lists seven characteristics of an operating and file system, which it proposes an investigator
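As an added illustration of the kind of discriminant analysis the Carney and Rogers paper describes, a two-feature Fisher linear discriminant in Python; this is not their code, their seven characteristics or their data, and the two features and every value below are constructed assumptions:

```python
# Fisher linear discriminant over two hypothetical file-system characteristics.
# Added illustration only: the features, values and scenarios are constructed
# here, not Carney and Rogers' actual characteristics or data.

# Constructed training scenarios (hypothetical values, not from any real case):
#   feature 0: mean seconds between consecutive image creation times
#   feature 1: fraction of images with a later user-access or thumbnail record
#   label 0 = placed without the owner's knowledge, label 1 = downloaded intentionally
TRAINING = [
    ((1.2, 0.0), 0), ((0.8, 0.0), 0), ((2.5, 0.2), 0), ((1.9, 0.0), 0),
    ((45.0, 0.8), 1), ((120.0, 1.0), 1), ((60.0, 0.6), 1), ((30.0, 0.9), 1),
]

def _mean(points):
    n = len(points)
    return (sum(p[0] for p in points) / n, sum(p[1] for p in points) / n)

def train(samples):
    """Return (w, c): projection direction w and decision threshold c."""
    classes = [[x for x, y in samples if y == label] for label in (0, 1)]
    mu = [_mean(c) for c in classes]
    # Pooled within-class scatter matrix S_w (2x2, symmetric).
    s11 = s12 = s22 = 0.0
    for label, points in enumerate(classes):
        for x in points:
            d0, d1 = x[0] - mu[label][0], x[1] - mu[label][1]
            s11, s12, s22 = s11 + d0 * d0, s12 + d0 * d1, s22 + d1 * d1
    det = s11 * s22 - s12 * s12
    if abs(det) < 1e-12:
        raise ValueError("scatter matrix is singular; features are collinear")
    # w = S_w^{-1} (mu1 - mu0) maximises between-class separation.
    diff = (mu[1][0] - mu[0][0], mu[1][1] - mu[0][1])
    w = ((s22 * diff[0] - s12 * diff[1]) / det,
         (-s12 * diff[0] + s11 * diff[1]) / det)
    # Threshold: projection of the midpoint between the two class means.
    mid = ((mu[0][0] + mu[1][0]) / 2, (mu[0][1] + mu[1][1]) / 2)
    return w, w[0] * mid[0] + w[1] * mid[1]

def classify(model, x):
    """1 = consistent with intentional download, 0 = with unknowing placement."""
    w, c = model
    return 1 if w[0] * x[0] + w[1] * x[1] > c else 0

def training_accuracy(samples):
    model = train(samples)
    return sum(classify(model, x) == y for x, y in samples) / len(samples)
```

With so few constructed samples the discriminant is only a sketch of the method; in practice the characteristics and their weights would have to be validated on real case data, which is exactly what the paper attempted.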

Defending against a trojan

The usual defence against a trojan includes anti-malware, anti-virus and firewalls. However, some authors have recently suggested other measures to improve defences against a trojan.

A 2010 paper suggests that an ‘Education, Enforcement and Engineering’ or ‘Triple-E’ approach could be taken.12 For education, the paper suggests changing the perception of people towards hackers, teaching how to use a computer appropriately, and teaching the public safe habits when using a computer system and the

Mobile

When considering the THD, it is too easy to think only of the classical scenario – a home, possibly family-shared, desktop PC. However, it is important to note that, as mobile technology is becoming dominant, the next THD case could involve a smartphone. Although some papers have started to discuss the mobile malware topic, awareness needs to be raised regarding smartphone security.15

Court cases

Table 1, along with the timeline shown in Figure 1, provides what we believe to be the currently most detailed and comprehensive list of court cases where the THD (by this or a similar name) has been used. The date within the table corresponds to the conviction or acquittal date. Where it was difficult to accurately gather the date, an educated guess is used, based on time of articles published, news stories or the appeals documents. This section will discuss some of the most notable cases

Aaron Caffrey

The first heavily publicised THD case was the 2003 Aaron Caffrey case. The Port of Houston, in the US, suffered a denial of service (DoS) attack, which was traced back to Caffrey's machine. This case is interesting because no evidence of a trojan was found.16 Furthermore, Caffrey was a member of a hacking group and tools that could have carried out the attack were found on Caffrey's system.17 During the case, Caffrey made false claims that were not disputed, such as an anti-virus cannot scan

Eugene Pitts

The 2003 Eugene Pitts case is different from any of the others, as the type of crime was very different. Pitts was accused of income tax evasion in the US and, even though he had a history of troubles, having been accused in previous years of under-reporting income, he was acquitted under the claim that a virus was responsible for modifying his files.19, 20 It was noted, however, that his customers' tax returns, which were on the same system, were surprisingly not affected by the virus at all.

Michael Aaron O'Keefe

This case involves a defendant who apparently created two websites, modelquest and hctweens, to catch paedophiles.21 Michael Aaron O'Keefe was arrested and accused of advertising, receiving, and possessing indecent images of children.22 The websites that O'Keefe had apparently created to catch paedophiles were hosting child pornography images, something that O'Keefe said a virus must have done.

Logs were also found that show O'Keefe was posing as a young girl, apparently in an attempt to lure

Julie Amero

Julie Amero's case is an example of the serious miscarriages of justice that have occurred in some THD cases. Here, the simplest forensic techniques were not used, the computer experts used had questionable knowledge and made false claims, and events were blown out of proportion by parents and prosecutors, as it is highly questionable if any damage was done to the pupils who saw the pornographic pop-ups.24, 25

During the case, Amero's system was not scanned for viruses or malware, and for what

Matthew Bandy

The 2006 Matthew Bandy case is another clear miscarriage of justice. Detectives in Bandy's case did not seem aware of the steps that should be taken, which included requesting a digital forensic analysis, and as a result multiple mistakes were made.28 After Bandy had been named a paedophile, a digital forensic investigation found that the anti-virus software was disabled, there was no firewall, and there were a myriad of infections and running malware, some of which had the capabilities to place

Craig Geddes

Craig Geddes' 2007 case is very similar to other THD cases where the defendant was acquitted, although in this particular case Geddes was convicted. Geddes asked, “Can a virus do that?”, the answer to which is yes. But during the case the opposite was stated.30 Detective Constable June McKay, of Strathclyde Police computer crime unit, said that they had never heard of a virus that could place child porn on someone's system.31 This is a worrying claim by a computer crime detective, especially

Mark Rawlinson

Although information on Mark Rawlinson's case is scarce, it is worth mentioning as it is believed to be the first use of the THD in South Africa.32 Cases outside of the UK and US are not as well documented, but the THD can happen and does get used in other countries, of which Rawlinson's case is an example. Rawlinson's THD claim failed and he was convicted of possessing over a thousand illicit images of children on his system.

Michael Fiola

Michael Fiola's 2008 case stands out for its remarkable conclusion. Fiola was arrested and lost his job, as indecent images of children were found on his laptop. Unlike other cases, such as Amero's, a digital forensic investigation was conducted by a qualified forensic examiner. The other major difference from other cases is that the laptop in question was a government-issued computer, from the Department of Industrial Accidents in Massachusetts, US, where Fiola was working at the time.

The

Nathaniel Solon

Nathaniel Solon's 2008 case seems to be another example of a miscarriage of justice.36 Solon's case initially followed a path similar to other cases that led to acquittals. The same digital forensic investigator from Amero's case was involved in Solon's, where some evidence of a virus that could have downloaded the pornography was found but no evidence of the material being viewed by Solon was found.37, 38 The findings were seemingly ignored and as a result Solon was convicted only because of the

Recent developments

With the huge increase in cyber-criminals using ransomware, the future looks grim.40 Ransomware is a type of malware, often the payload of a trojan, that is used by cyber-criminals to hold a user to ransom.

In 2013, Jay Riley's system was infected with ransomware that pretended to be from the FBI and asked Riley to pay a fine. After Riley asked the police if there were any warrants out for him and volunteered for a search, he was arrested, because indecent images of children were found on his

Conclusions

This article has discussed the THD, the cases where it has been used, and related published material over the past decade, since its first use in 2003. By compiling an exhaustive list of cases, this work has shown that there are many occasions where serious miscarriages of justice have occurred. There have also been cases where clear and obvious mistakes have been made, either in the forensic investigation (or lack thereof) or from incorrect evidence given by incompetent experts.

As with many

Future work

Forensic techniques: It is possible that a criminal might successfully use the THD in their favour. To help combat this, forensic techniques need to improve and evolve. Not only this, but investigators need to know how they can investigate such a case. As a future work, a list of techniques and methods could be compiled, which can be followed by an investigator in a THD case. This work may help highlight additional steps, methods or techniques that could be used, that have not been considered

Resources

About the authors

Stephen Bowles is a recent graduate of the University of Kent with a first class honours BSc. He is keen to progress in the computer security field, either in industry as a practitioner or in research to pursue a PhD.

References

  • SW Brenner et al. ‘The Trojan Horse Defense in Cybercrime Cases’ (2004)
  • E George. ‘UK Computer Misuse Act – the trojan virus defence: Regina v Aaron Caffrey, Southwark Crown Court, 17 October 2003’. Science Direct
  • D Haagman et al. ‘Trojan defence: a forensic view’ (2005)
  • M Sepec. ‘The trojan horse defence – a modern problem of digital evidence’ (2012)
  • S Bui et al. ‘Issues in computer forensics’ (2003)
  • V Schmitt et al. ‘Establishing the validity of MD5 and SHA-1 hashing in digital forensic practice in light of recent research demonstrating cryptographic weaknesses in these’ (2013)
  • F Daryabar et al. ‘Investigation of malware defence and detection techniques’ (2012)
  • M Carney et al. ‘The trojan made me do it: a first step in statistical based computer forensics event reconstruction’ (2004)
  • R Overill et al. ‘A complexity based forensic analysis of the trojan horse defence’ (2011)
  • R Overill et al. ‘Quantitative plausibility of the trojan horse defence against possession of child pornography’ (2011)
  • Personal communication from Richard E Overill, 29 Oct...
  • D-Y Kao et al. ‘Sote: strategy of triple-e on solving trojan defense in cybercrime cases’ (2010)
  • M Moffie et al. ‘Hunting trojan horses’ (2006)
  • W Sun et al. ‘Practical proactive integrity preservation: a basis for malware defense’ (2008)
  • R Di Pietro; F Lombardi; S Rossicone. ‘Modelling mobile resource...
  • J Leyden. ‘Caffrey acquittal a setback for cybercrime prosecutions’. The Register (17 Oct 2003)
  • Y Danidou et al. ‘Trusted computing and the digital crime scene’ (2011)
  • ‘The trojan made me do it’. About.com. Accessed Apr 2014....
  • S Brenner. ‘Trojan horse defense’. Cyb3rcrim3 (17 Jun 2006)
  • ‘Computer virus blamed as man cleared of tax evasion and fraudulent returns’. Sophos (Aug 2003)
  • D McCullagh. ‘Police blotter: child porn blamed on computer virus’. CNET (3 Nov 2006)
  • ‘Former Atlanta teacher sentenced to 17 years prison following a child pornography conviction’ (2005)
Cited by (7)

  • Characterizing Linux-based malware: Findings and recent trends. Future Generation Computer Systems (2020)

    Citation excerpt: Advances in digital forensics require automated processes to aid malware analysts in the process of understanding: (i) whether a binary seen in an investigation is malware or not (malware detection), and (ii) which type of malware it is and what its expected behavior (malware characterization) might be. Furthermore, machine learning can be used to measure the trustworthiness of files collected during an investigation, but also to tackle challenges posed by tech-savvy criminals, such as the Trojan Horse Defense [7]. Contributions.

  • Have You Been Framed and Can You Prove It? 2021 44th International Convention on Information, Communication and Electronic Technology, MIPRO 2021 – Proceedings (2021)


    Dr Julio Hernandez-Castro is a computer security lecturer at The School of Computing, University of Kent, UK. He was previously senior lecturer at Portsmouth and associate professor at Carlos III University in Madrid, Spain. His interests are cyber-security, cybercrime, steganography and steganalysis, malware and securing the Internet of Things.
