Trojan horse defense

The Trojan horse defense is a technologically based take on the classic SODDI defense, believed to have surfaced in the UK in 2003. The defense typically involves defendant denial of responsibility for (i) the presence of cyber contraband on the defendant's computer system; or (ii) commission of a cybercrime via the defendant's computer, on the basis that a malware (such as a Trojan horse, virus, worm, Internet bot or other program) or on some other perpetrator using such malware, was responsible for the commission of the offence in question.

A modified use of the defense involves a defendant charged with a non-cyber crime admitting that whilst technically speaking the defendant may be responsible for the commission of the offence, he or she lacked the necessary criminal intent or knowledge on account of malware involvement.

The phrase itself is not an established legal term, originating from early texts by digital evidence specialists referring specifically to trojans because many early successful Trojan horse defenses were based on the operation of alleged Trojan horses. Due to the increasing use of Trojan programs by hackers, and increased publicity regarding the defense, its use is likely to become more widespread.

Legal basis of the defense
Excluding offences of strict liability, criminal law generally requires the prosecution to establish every element of the actus reus and the mens rea of an offence together with the "absence of a valid defence". Guilt must be proved, and any defense disproved, beyond a reasonable doubt.

In a trojan horse defense the defendant claims he did not commit the actus reus. In addition (or, where the defendant cannot deny that they committed the actus reus of the offence, then in the alternative) the defendant contends lack of the requisite mens rea as he "did not even know about the crime being committed".

With notable exception, the defendant should typically introduce some credible evidence that (a) malware was installed on the defendant's computer; (b) by someone other than the defendant; (c) without the defendant's knowledge. Unlike the real-world SODDI defense, the apparent anonymity of the perpetrator works to the advantage of the defendant.

Prosecution rebuttal of the defense
Where a defense has been put forward as discussed above, the prosecution are essentially in the position of having to "disprove a negative" by showing that malware was not responsible. This has proved controversial, with suggestions that "should a defendant choose to rely on this defense, the burden of proof (should) be on that defendant". If evidence suggest that malware was present and responsible, then the prosecution need to seek to rebut the claim of absence of defendant requisite mens rea.

Much will depend on the outcome of the forensic investigative process, together with expert witness evidence relating to the facts. Digital evidence such as the following may assist the prosecution in potentially negating the legal or factual foundation of the defense by casting doubt on the contended absence of actus reus and/or mens rea: - Such properly obtained, processed and handled digital evidence may prove more effective when also combined with corroborating non-digital evidence for example (i) that the defendant has enough knowledge about computers to protect them; and (ii) relevant physical evidence from the crime scene that is related to the crime.
 * Absence of evidence of malware or backdoors on the defendant's computer.
 * Where malware absence is attributed by the defense to a self wiping trojan, evidence of anti-virus/firewall software on the computer helps cast doubt on the defense (such software can result in trojan detection rates of up to 98% ) as does evidence of the absence of wiping tools, as "it is practically impossible that there would be no digital traces of [...] the use of wiping tools".
 * Evidence showing that any located malware was not responsible, or was installed after the date/s of the offences.
 * Incriminating activity logs obtained from a network packet capture.
 * In cyber-contraband cases, the absence of evidence of automation - e.g. of close proximity of load times, and contraband time/date stamps showing regularity. Volume of contraband is also relevant.
 * Corroborating digital-evidence showing defendant intent/knowledge (e.g. chat logs ).

The role of computer forensics
Whilst there is currently "no established standard method for conducting a computer forensic examination", the employment of digital forensics good practice and methodologies in the investigation by computer forensics experts can be crucial in establishing defendant innocence or guilt. This should include implementation of the key principles for handling and obtaining computer based electronic evidence - see for example the (ACPO) Good Practice Guide for Computer-Based Electronic Evidence. Some practical steps should potentially include the following:-
 * Making a copy of the computer system in question as early as possible to prevent contamination (unlike in the case of Julie Amero where the investigator worked directly off Amero's hard drive rather than creating a forensic image of the drive.
 * Mounting as a second disk onto another machine for experts to run a standard anti-virus program.
 * Correct handling of volatile data to ensure evidence is acquired without altering the original.
 * If a Trojan is found, it is necessary to examine the totality of the circumstances and the quantity of incriminating materials.
 * Including a "network forensic approach" e.g. by way of legally obtained packet capture information.

Cases involving the Trojan Horse Defense
There are different cases where the Trojan horse defense has been used, sometimes successfully. Some key cases include the following:-

Regina v Aaron Caffrey (2003) :

The first heavily publicised case involving the successful use of the defense, Caffrey was arrested on suspicion of having launched a Denial of Service attack against the computer systems of the Port of Houston, causing the Port's webserver to freeze and resulting in huge damage being suffered on account of the Port's network connections being rendered unavailable thereby preventing the provision of information to "ship masters, mooring companies, and support companies responsible for the support of ships saling and leaving the port". Caffrey was charged with an unauthorised modification offence under section 3 of the Computer Misuse Act 1990 (section 3 has since been amended by the Police and Justice Act 2006 creating an offence of temporary impairment.

The prosecution and defense agreed that the attack originated from Caffrey's computer. Whilst Caffrey admitted to being a "member of a hacker group", Caffrey's defense claimed that, without Caffrey's knowledge, attackers breached his system and installed "an unspecified Trojan...to gain control of his PC and launch the assault" and which also enabled the attackers to plant evidence on Caffrey's computer.

No evidence of any trojan, backdoor services or log alterations were found on Caffrey's computer. However evidence of the Denial of Service script itself was found with logs showing the attack program has been run. Incriminating chat logs were also recovered. Caffrey himself testified that a Trojan horse "armed with a wiping tool" could have deleted all traces of itself after the attack. Despite expert testimony that no such trojans existed, the jury acquitted Caffrey.

The case also raises issues regarding digital forensics best practice as evidence may have been destroyed when the power to Caffrey's computer was terminated by investigators.

Julian Green (2003):  A United Kingdom-based case, Julian Green was arrested after 172 indecent pictures of children were found on Green's hard drive. The defense argued that Green had no knowledge of the images on his computer and that someone else could have planted the pictures. Green's computer forensics consultant identified 11 Trojan horses on Green's computer, which in the consultant's expert witness testimony, were capable of putting the pornography on Green's computer without Green's knowledge or permission. The jury acquitted Green of all charges after the prosecution offered no evidence at Exeter Crown Court, due to their failure to prove that Green downloaded the images onto the computer.

The case also raises issues related to the evidential chain of custody, as the possibility of evidence having been planted on Green's computer could not be excluded.

Karl Schofield (2003) :

Karl Schofield was also acquitted by using the Trojan horse defense. He was accused of creating 14 indecent images of children on his computer but forensic testimony was given by a defense expert witness that a Trojan horse had been found on Schofield's computer and that the program was responsible for the images found on the computer Prosecutors accepted the expert witness testimony and dismissed the charges, concluding they could not establish beyond a reasonable doubt that Schofield was responsible for downloading the images.

Eugene Pitts (2003):

A US-based case involving an Alabama accountant who was found innocent of nine counts of tax evasion and filing fraudulent personal and business state income tax returns with the Alabama state revenue department. The prosecution claimed he knowingly underreported more than $630,000 in income over a three-year period and was facing a fine of $900,000 and up to 33 years in prison. Pitts apparently had previously been accused in preceding years of under reporting taxes. Pitts argued that a computer virus was responsible for modifying his electronic files resulting in the under-reporting the income of his firm, and that the virus was unbeknown to him until investigators alerted him. State prosecutors noted that the alleged virus did not affect the tax returns of customers, which were prepared on the same machine. The jury acquitted Pitts of all charges.

The future of the defense
Increased publicity, increased use

As the defense gains more publicity, its use by defendants may increase. This may lead to criminals potentially planting Trojans on their own computers and later seeking to rely on the defense. Equally, innocent defendants incriminated by malware need to be protected. Cyberextortionists are already exploiting the public's fears by "shaking down" victims, extorting payment from them failing which the cyber-criminals will plant cyber-contraband on their computers.

As with many criminal offences, it is difficult to prevent the problematic matters that arise during the term of the investigation. For example, in the case of Julian Green, before his acquittal, he spent one night in the cells, nine days in prison, three months in a bail hostel and lost custody of his daughter and possession of his house. In the following case of Karl Schofield, he was attacked by vigilantes following reports of his arrest, lost his employment and the case took two years to come to trial.

Appropriate digital forensic techniques and methodologies must be developed and employed which can put the "forensic analyst is in a much stronger position to be able to prove or disprove a backdoor claim". Where applied early on in the investigation process, this could potentially avoid a reputationally damaging trial for an innocent defendant.

Juries

For a layman juror, the sheer volume and complexity of expert testimonies relating to computer technology, such as Trojan horse, could make it difficult for them to separate facts from fallacy. It is possible that some cases are being acquitted since juror are not technologically knowledgeable. One possible suggested method to address this would involve be to educate juries and prosecutors in the intricacies of information security

Mobile Technology

The increasing dominance of Smart Device technology (combined with consumer's typically lax habits regarding smart device security ) may lead to future cases where the defense is invoked in the context of such devices

Government Trojans

Where the use of Government Trojans results in contraband on, or commission of a cybercrime via, a defendant's computer, there is a risk that through a gag order (for example a US National security letter) the defendant could be prevented from disclosing his defense, on national security grounds. The balancing of such apparent national security interests against principles of civil liberties, is a nettle which, should the use of government trojans continue, may need to be grasped by Legislatures in the near future.