IP addresses, Peer-to-peer, and Probable Cause
Introduction to Internet-based Networking
Please see moodle for a PDF that presents reading/notes on networking.
Peer to peer
Peer-to-peer notes based on this article are not available. But keep in mind that for that article, you need to read only:
- Section 2.1.2
- all of Section 3
- the four-paragraph intro of Section 4
- and all of Section 4.2.
The Trojan Horse Defense
A technological variant of the so-called “some other dude did it” (SODDI) defense, in which the defendant in a computer crime case claims that their computer was under the control of malware when “it” committed the crime.
A notable case occurred on September 20, 2001 (near a significant date in US history), when Aaron Caffrey allegedly engaged in a DoS attack on a web server at the Port of Houston. He claimed the evidence
was planted on his machine by attackers who used an unspecified Trojan [horse program] to gain control of his PC and launch the assault.
A forensic examination of Caffrey’s PC found attack tools but no trace of Trojan infection.
He was acquitted after only a few hours’ deliberation (after essentially acting as his own expert witness), once the jury was convinced that
a [T]rojan horse armed with a ‘wiping tool’ was responsible, enabling the computer to launch the DoS attack, edit the system’s log files, and then delete all traces of the trojan — despite prosecution claims that no such technology existed.
Several other cases:
- UK defendant Julian Green was acquitted in a CSAM case, based upon expert testimony that 11 trojans were on his computer. (2003)
- UK prosecutors dismissed charges against Karl Schofield after finding a trojan on his computer. (2003)
- In the US, Eugene Green (an accountant) successfully claimed that a virus caused the $630k underreporting of his own income that prosecutors charged him with. He was acquitted (despite the fact that the virus apparently never modified the returns he prepared for others).
Trojans present a unique challenge to prosecution in the US, as the “beyond a reasonable doubt” standard can be difficult to meet, especially if the defense can raise the possibility of the computer having been remote-controlled by SOD.
SODDI is often rebutted by motive and lack of alternative suspects, but sometimes this can be difficult when the crime is less personalized.
Legal issues for the THD
First, note it’s potentially a real thing: as evidence, look at botnets and extortionware (“your files are encrypted, send BTC to this address to get the decryption key”).
The THD can work as follows:
- The defendant can claim no knowledge of the crime. Reasonable doubt is raised because SODDI.
- The defendant can claim he may have committed the actions (actus reus) of the crime, but did so unknowingly (i.e., without mens rea). To convict for many crimes, the prosecution must show both. (Green the accountant used this version of the THD.)
- In either case, the defense usually also claims technological naivety, so that the traces of trojans, etc., found by expert witnesses support their claims.
The prosecution’s response will generally be as follows:
First, if possible, establish the defendant’s technological expertise, to cast doubt on the possibility of infection. The effectiveness of this approach varies. More sophistication (plus more evidence of a securely configured computer) along with less evidence of malware (“wiped all the logs”) makes the THD less reasonable.
Second, negate the factual basis of the defense. Thoroughly examine the drives, looking for malware. If found, determine if its capabilities permit the alleged crime. If not, look for evidence of wiping or wiping tools.
Finally, seek confessions in interrogation or before. As noted by Brenner et al., suspects often confess, and these confessions are binding (assuming the suspect has been Mirandized appropriately). Some questions can be asked that rule out (or make more difficult) the THD or SODDI: “Who else has access to this computer?” “Do you use antivirus programs?” Etc.
Forensic examinations also help in other ways. If log examination, etc., shows that the main activity the computer was used for was, say, CSAM collection, it becomes harder for the defendant to claim the THD: why was the computer in your house and turned on if you never used it? The same applies to well-organized collections of CSAM.