LECTURE 19 Trojan Horse Defence Notes

Trojan Horse Defence

Lecture Objectives

  • Examine the first ten years of the Trojan Horse Defence, including notable cases and miscarriages of justice.
  • Discuss the present and future implications of the Trojan Horse Defence (THD).

Trojan Horse

  • Malware disguised as, or packaged with, useful software; unlike a virus or worm it does not self-replicate but relies on the user installing or running it.
  • Once activated it delivers a payload, such as capturing keystrokes, downloading further files, or giving an attacker remote access to the machine.

Trojan Horse Defence (THD)

  • A type of SODDI ("Some Other Dude Did It") defence in which the defendant blames a piece of software (a trojan) rather than another person for the incriminating material or activity found on their computer.
  • First used in 2003 in the Karl Schofield case.

Terminology

  • Acquitted: Cleared of charges.
  • Convicted: Judged guilty of a crime.
  • Guilty plea: Admission of a crime, leading to conviction if accepted by the court.
  • Plea bargain: Agreement for a guilty plea with a more lenient sentence.

Key Cases & Timeline

  • Timeline of cases from 2003 to 2012 in which a trojan defence (or a similar "malware did it" claim) was used or mentioned.
  • Includes cases such as Karl Schofield, Aaron Caffrey, and Julie Amero.

Key Cases

  • Karl Schofield (2003): Acquitted after claiming a trojan was responsible for the indecent images found on his computer.
  • Aaron Caffrey (2003): Acquitted of a denial-of-service attack on the Port of Houston's systems despite being a known hacker with hacking tools on his machine; he claimed a trojan had been used to frame him, even though no trojan was found.
  • Eugene Pitts (2003): Acquitted of income tax evasion after claiming a virus had modified his files.
  • Michael Aaron O'Keefe (2004): Convicted despite claiming a virus had placed child pornography on websites he said he had created to catch paedophiles.
  • Matthew Bandy (2006): Plea bargain to a lesser charge after the defence showed his system was compromised, with anti-virus disabled and multiple malware infections present.
  • Julie Amero (2007): Serious miscarriage of justice; the classroom PC that displayed pornographic pop-ups was never properly scanned for malware before she was convicted, and the conviction was later set aside.
  • Craig Geddes (2007): Convicted, with dubious claims by law enforcement that viruses cannot place child pornography on a system.
  • Michael Fiola (2008): Charges dropped after a forensic examination found that his government-issued laptop had been infected with malware before he received it, and that the malware, not Fiola, was visiting child pornography websites.
  • Nathaniel Solon (2008): Convicted despite evidence of a virus on the system and no evidence of him viewing the illegal material; the judge seemingly disregarded the investigator's findings.

Digital Investigation

  • Scanning the forensic image of a device for malware, using external or built-in digital forensic tools, should be part of every investigation, not something done only after the defence raises a trojan claim.
  • Cyber Triage's malware scanning module checks files against 40+ malware scanning engines.
  • The presence of malware alone is not enough either way: the prosecution must show that the malware could not have caused the activity in question (for example, that it lacks the capability, or arrived after the incriminating files), and the defence must show that it plausibly could have.
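The two steps above, scanning an image for malware and then relating any hits to the incriminating files, can be illustrated with a small script. This is an added example, not code from the lecture or from Cyber Triage: the file records, timestamps and byte "signatures" are constructed for the illustration (a real examination would use AV engines or YARA rules and a full file-system timeline), and the capability flag on each signature is a hypothetical stand-in for the analyst's judgement about what the malware can actually do.

```python
"""Toy malware scan of carved files plus a timeline check against flagged content.
All file names, timestamps and signatures below are constructed for this example."""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Tuple


@dataclass
class FileRecord:
    """One file recovered from the forensic image (constructed for this example)."""
    path: str
    created: datetime         # file-system creation time of the file
    data: bytes               # file content carved from the image
    contraband: bool = False  # flagged by the examiner as the illegal material


# Hypothetical signatures: name -> (byte pattern, can this malware write files to disk?).
# Real investigations use AV engines or YARA rules; these markers are made up.
SIGNATURES: Dict[str, Tuple[bytes, bool]] = {
    "Example.Downloader": (b"EXAMPLE-DOWNLOADER-MARKER", True),
    "Example.Keylogger": (b"EXAMPLE-KEYLOGGER-MARKER", False),
}


def scan_image(files: List[FileRecord]) -> Dict[str, List[str]]:
    """Return {path: [signature names]} for every file whose content matches a signature."""
    hits: Dict[str, List[str]] = {}
    for f in files:
        matched = [name for name, (pattern, _) in SIGNATURES.items() if pattern in f.data]
        if matched:
            hits[f.path] = matched
    return hits


def relate_hits_to_contraband(files: List[FileRecord],
                              hits: Dict[str, List[str]]) -> Dict[str, str]:
    """Decide, per contraband file, whether a detected sample could explain it.

    'no_capable_malware' - nothing detected that is able to place files on disk
    'contraband_first'   - the contraband predates every capable sample, so the
                           malware cannot have put it there
    'malware_predates'   - a capable sample was present before the contraband
                           appeared: consistent with a trojan defence, not proof of it
    """
    by_path = {f.path: f for f in files}
    capable_times = [by_path[p].created for p, names in hits.items()
                     if any(SIGNATURES[n][1] for n in names)]
    verdicts: Dict[str, str] = {}
    for f in files:
        if not f.contraband:
            continue
        if not capable_times:
            verdicts[f.path] = "no_capable_malware"
        elif min(capable_times) < f.created:
            verdicts[f.path] = "malware_predates"
        else:
            verdicts[f.path] = "contraband_first"
    return verdicts


# Constructed image contents: a downloader dropped four days before the flagged image.
SAMPLE_FILES = [
    FileRecord("C:/Windows/Temp/svchost32.exe", datetime(2007, 3, 1, 9, 0),
               b"MZ\x90\x00...EXAMPLE-DOWNLOADER-MARKER..."),
    FileRecord("C:/Users/jdoe/Pictures/img001.jpg", datetime(2007, 3, 5, 22, 13),
               b"\xff\xd8\xff\xe0JFIF", contraband=True),
    FileRecord("C:/Users/jdoe/Documents/notes.txt", datetime(2007, 2, 10, 8, 0),
               b"meeting notes"),
]

if __name__ == "__main__":
    found = scan_image(SAMPLE_FILES)
    print("malware hits:", found)
    print("verdicts:", relate_hits_to_contraband(SAMPLE_FILES, found))
```

Even a "malware_predates" result only keeps the trojan explanation alive; tying the sample to the crime still needs evidence such as network or browser artefacts created by the malware process, the sample's actual behaviour when run in a sandbox, and whether the user's own activity (search terms, file renames, viewing) appears around the same timestamps.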

Fileless Malware

  • Abuses legitimate, already-installed programs (for example PowerShell, WMI or the scripting engines) to run malicious code without writing a conventional executable to disk.
  • Challenging to detect and remove, and often missed by traditional file-based endpoint security solutions.
  • Because the malicious code lives in memory, fileless attacks are more likely to succeed and evade detection; for the same reason a scan of the disk image alone may find nothing, so volatile memory should be captured from the live system where possible.

Future

  • When a defendant raises a Trojan Horse Defence, the burden of proof stays with the prosecution: the defence need only raise reasonable doubt, and the prosecution must rebut the trojan explanation with forensic evidence.
  • Deepfakes may be the next generation of THD, with defendants claiming that incriminating audio, video or images are synthetic rather than real.

Conclusion

  • THD is more successful when raised early in the defence strategy, before the evidence has been processed without any malware analysis.
  • Malpractice and miscarriages of justice have occurred in THD cases, usually because the system was never properly examined for malware.
  • Forensic practice needs to adapt so that investigators routinely scan for malware and can either confirm or rule out a trojan explanation, rather than leaving the doubt unresolved.