When a person is suspected of using a computer in the course of committing an illegal activity, such as downloading indecent images of children, computer forensic experts can analyse the contents of the suspect’s hard drive for digital evidence. In the last ten years, however, a new defence has arisen which clouds the issue as to who is responsible for any activity proven to have taken place on a user’s computer. That defence relates to a piece of malware (malicious software) known as a Trojan horse.
A Trojan horse is typically installed without permission on a person’s machine when an apparently innocent file or piece of software is opened or installed. Once installed, a Trojan has the ability to perform actions automatically, such as accessing particular websites, and can give hackers control of that machine. Once hackers have access to your machine they can perform a range of activities, including downloading further files to the computer or monitoring user actions for the purposes of stealing sensitive data.
In legal cases, this has led to the ‘Trojan horse defence’ where an accused person claims that a Trojan was responsible for the illegal activity that has been proven to have taken place on their computer. This defence has proved successful in a number of cases. In 2003, Julian Green was cleared of a charge of possession of indecent images of children after a computer forensics expert found evidence that his computer was infected with eleven Trojans, all capable of causing the computer to access inappropriate sites. Similarly, hacker Aaron Caffrey was cleared of an attack on the port of Houston’s IT systems by claiming a Trojan was responsible, even though forensic analysts were unable to find any evidence of Trojans on his computer. His argument was supported by the fact that some Trojans are designed to self-delete after performing their function.
As such, it has become necessary for computer forensic experts to prove intention to download in order to help secure a conviction. To do this, analysts might look for information such as:
Whether the images were downloaded but not viewed;
Whether a thumbnail file was created, as this would only occur if the user had viewed the contents of the folder;
If viewed, how promptly the material was deleted;
How many images appear in the ‘recently viewed’ records;
The dates the images were viewed;
Whether any images were deliberately saved to the hard drive;
Whether any images were saved to an external storage device, even if the device is no longer present;
The time that each file was created, as this might be at a time when the user was not physically present.
It seems that while the growing presence of Trojan horses may present a risk of an innocent person being convicted of a crime, the development of the Trojan horse defence could equally lead to a guilty person being acquitted. In order to ensure that this defence does not become open to abuse, computer forensic analysts will no doubt continue to develop ever more innovative methods for proving or disproving intention or the presence of Trojans.