Can a virus d/l CP to my computer

mrpumba
(@mrpumba)
Posts: 116
Estimable Member
Topic starter
 

I am currently working a case where the suspect claims he views a lot of adult porn and while doing so he sustained a virus. He is claiming the virus downloaded child porn to his computer, which I was able to recover. He stated, as a result of the virus, he did a factory install of his OS in order to get rid of the virus, days before my interview. Without getting into further details, does anyone have any US Supreme court decisions or white papers negating this claim?

 
Posted : 29/01/2014 8:57 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

Not exactly what you are asking, but related:
http://www.forensicfocus.com/Forums/viewtopic/t=6279/
http://www.forensicfocus.com/Forums/viewtopic/t=10558/

jaclaz

 
Posted : 29/01/2014 9:26 pm
mrpumba
(@mrpumba)
Posts: 116
Estimable Member
Topic starter
 

Jaclaz, thanks, but not along the same lines as my case. The suspect never claimed he downloaded the CP himself; he is claiming a virus did it. I did recover CP and did a virus and malware scan; however, his doing a factory restore does not bode well, considering I did not find a virus or malware.

 
Posted : 29/01/2014 9:38 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

> Jaclaz, thanks, but not along the same lines as my case. The suspect never claimed he downloaded the CP himself; he is claiming a virus did it. I did recover CP and did a virus and malware scan; however, his doing a factory restore does not bode well, considering I did not find a virus or malware.

Sure :) , but the "malware did it, not me" is older than the Chewbacca Defense ;)
http://en.wikipedia.org/wiki/Chewbacca_defense

The given threads also discuss that defense (in an early version it was "the Devil made me do it, officer"), see
http://www.forensicfocus.com/Forums/viewtopic/p=6543071/#6543071
and
http://www.forensicfocus.com/Forums/viewtopic/t=10558/postdays=0/postorder=asc/start=14/
(I gave you links to the whole thread as posts and opinions must be read in their contexts)

The point is, that although often abused, that line of defense may actually be based on what really happened, and IMHO (and in that of some other members) somehow showing intent and placing the suspect behind the keyboard needs to be if not proved, at least made highly plausible.

jaclaz

 
Posted : 29/01/2014 9:51 pm
Adam10541
(@adam10541)
Posts: 550
Honorable Member
 

A "virus" only does what it's programmed to do, so yes, it's technically possible that someone could program a virus or some form of malware to download data and put it on a computer. After all, CP is a form of electronic data, and at a byte level the computer just does what it's told.

A couple of things come to mind here though, how did he know he had a virus? He said he had to reinstall the OS to get rid of the virus so he must have had some software that detected the virus, what was the software? What was the virus called? After he reinstalled the OS why is the CP still there? Was the CP on a different partition/drive? If so that is highly irregular for any Malware as they tend to operate in the system drive because that is where they have the best access and can do the most damage.

When I hear that excuse from people I know 99.99% that is a complete lie and they are only saying it because it can be very difficult to disprove.

As Jaclaz says, what positive evidence do you have to support he knowingly put the CP there? If you have multiple google searches, evidence of the CP being viewed etc then the virus defence could be seen as an obvious red herring.

Good luck :)

 
Posted : 30/01/2014 6:46 am
mrpumba
(@mrpumba)
Posts: 116
Estimable Member
Topic starter
 

Adam, good info and noted! I will confirm with the suspect regarding what virus protection he used. I can look to verify if a virus protection was even used during the analysis. Additionally, the cp was detected during a d/l through a hash value that was verified by the AOL DB.

 
Posted : 30/01/2014 8:15 am
(@twjolson)
Posts: 417
Honorable Member
 

> I am currently working a case where the suspect claims he views a lot of adult porn and while doing so he sustained a virus. He is claiming the virus downloaded child porn to his computer, which I was able to recover. He stated, as a result of the virus, he did a factory install of his OS in order to get rid of the virus, days before my interview. Without getting into further details, does anyone have any US Supreme court decisions or white papers negating this claim?

Court Decisions and white papers aren't the best way to refute this argument. If I was the defendant, I'd simply say that those decisions or white papers aren't MY computer.

Thus, carve unallocated. Virus scan the exe and dll files found. Search for antivirus and event logs.

I would also check that the OS was, in fact, reinstalled when he said it was.

Was the contraband in allocated, or unallocated space (or both)?

For cases in which unallocated space is the only location, it is a very difficult case for us, because we need to show knowledge and intent.

For cases in which allocated space contains contraband, a timeline can work wonders. Even IF the virus was present on the system, if the contraband predates it, that is telling.

For knowledge and intent, internet searches are quite nice. If you are searching for contraband, and you have contraband on your computer, that is pretty dang close (if not past) reasonable doubt in some people's eyes.

The other thing is, has anyone ever made such a virus? While it is technically possible, it is only within the last year that I've heard of any malware actually downloading contraband. As such, you could research those malicious programs (I've only heard of one, so I can't imagine there would be too many even now) and use that as a checklist of artifacts to look for. Of course, your job will be quite a bit harder if the virus is in unallocated space.

Hope this gives you a few ideas.

Terry

 
Posted : 30/01/2014 9:07 am
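The timeline reasoning in the post above (does the contraband predate the malware, and does it predate the claimed OS reinstall?), as an added worked example that is not part of the original thread. Paths and timestamps are constructed for illustration; it assumes the timestamps for files carved from unallocated space were recovered from their MFT records rather than from carving alone.

```python
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass
class Artifact:
    path: str
    created: datetime      # filesystem creation timestamp, UTC
    kind: str              # "contraband" | "malware" | "os_install"
    allocated: bool = True # False if recovered from unallocated space


def ts(s: str) -> datetime:
    """Parse a 'YYYY-MM-DD HH:MM' string as a UTC timestamp."""
    return datetime.strptime(s, "%Y-%m-%d %H:%M").replace(tzinfo=timezone.utc)


# Constructed sample timeline (hypothetical paths and times, not case data):
# the OS reinstall lands on 2014-01-20, the malware dropper first appears on
# 2014-01-18, and two contraband files sit on either side of that.
SAMPLE = [
    Artifact("C:\\Windows\\System32\\ntoskrnl.exe", ts("2014-01-20 14:05"), "os_install"),
    Artifact("C:\\Users\\u\\AppData\\Local\\Temp\\svch0st.exe", ts("2014-01-18 22:10"),
             "malware", allocated=False),
    Artifact("C:\\Users\\u\\Pictures\\img_0001.jpg", ts("2014-01-10 19:30"),
             "contraband", allocated=False),
    Artifact("C:\\Users\\u\\Pictures\\img_0002.jpg", ts("2014-01-19 01:12"),
             "contraband", allocated=False),
]


def assess(artifacts):
    """For each contraband file, report whether it predates the earliest malware
    artifact and whether it predates the OS reinstall; files in unallocated space
    that predate the reinstall are what a wipe-and-reinstall would be expected to
    leave behind, so that flag alone proves nothing about intent."""
    malware = [a.created for a in artifacts if a.kind == "malware"]
    install = [a.created for a in artifacts if a.kind == "os_install"]
    first_malware = min(malware) if malware else None
    reinstall = min(install) if install else None
    findings = []
    for a in sorted(artifacts, key=lambda x: x.created):
        if a.kind != "contraband":
            continue
        findings.append({
            "path": a.path,
            "allocated": a.allocated,
            "predates_malware": first_malware is not None and a.created < first_malware,
            "predates_reinstall": reinstall is not None and a.created < reinstall,
        })
    return findings
```

A contraband file created before the first malware artifact cannot have been downloaded by that malware, which is the "telling" case in the post; the check is only as good as the recovered timestamps, so it belongs beside the search-history and antivirus-log artifacts, not in place of them.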
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

> The other thing is, has anyone ever made such a virus? While it is technically possible, it is only within the last year that I've heard of any malware actually downloading contraband. As such, you could research those malicious programs (I've only heard of one, so I can't imagine there would be too many even now) and use that as a checklist of artifacts to look for. Of course, your job will be quite a bit harder if the virus is in unallocated space.

Maybe "virus" is not necessarily an accurate term; what happened in this case
http://www.forensicfocus.com/Forums/viewtopic/t=9702/
may well have happened with CP as the object, as opposed to "normal" pornography.
It could be caused by a BHO
http://en.wikipedia.org/wiki/Browser_Helper_Object
or similar browser hijacking.

jaclaz

 
Posted : 30/01/2014 4:57 pm
jhup
(@jhup)
Posts: 1442
Noble Member
 

As jaclaz wrote, the word "virus" might not be the proper name for it. Malware, a very generic term would be more appropriate. I presume the defendant isn't too technically savvy.

Let's presume that you are a malware (say a tor zombie, i.e. a machine that is simply used as a drop box for files, in the background, unbeknown to the user).
Would you put the files in "My Documents"?
Would you put them in a single location?
Would you spread them all over the place?
Would you … etc.

The next step you can do is look at upstream what crumbs the defendant left. Google/Y!/MS/ etc. accounts, search history, ISP logs, etc.

 
Posted : 04/02/2014 2:43 am
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

I would add that, more generally, the good ol' same questions should be asked (and answered)
WHO?
WHEN?
WHY?
HOW?
CUI PRODEST? (or CUI BONO?)
http://en.wikipedia.org/wiki/List_of_Latin_phrases_(C)
http://en.wikipedia.org/wiki/Cui_bono

jaclaz

 
Posted : 04/02/2014 5:19 pm