Can a virus d/l CP to my computer


Posted: Wed Jan 29, 2014 10:57 am

I am currently working a case where the suspect claims he views a lot of adult porn and while doing so he sustained a virus. He is claiming the virus downloaded child porn to his computer, which I was able to recover. He stated, as a result of the virus, he did a factory install of his OS in order to get rid of the virus, days before my interview. Without getting into further details, does anyone have any US Supreme Court decisions or white papers negating this claim?

mrpumba
Senior Member
 
 
  

Re: Can a virus d/l CP to my computer

Posted: Wed Jan 29, 2014 11:26 am

Not exactly what you are asking, but related:
www.forensicfocus.com/...ic/t=6279/
www.forensicfocus.com/...c/t=10558/

jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 

jaclaz
Senior Member
 
 
  

Re: Can a virus d/l CP to my computer

Posted: Wed Jan 29, 2014 11:38 am

Jaclaz, thanks, but not along the same lines as my case. The suspect never claimed he downloaded the CP himself; he is claiming a virus did it. I did recover CP and did a virus and malware scan; however, him doing a factory restore does not bode well, considering I did not find a virus or malware.

mrpumba
Senior Member
 
 
  

Re: Can a virus d/l CP to my computer

Posted: Wed Jan 29, 2014 11:51 am

- mrpumba
Jaclaz, thanks, but not along the same lines as my case. The suspect never claimed he downloaded the CP himself; he is claiming a virus did it. I did recover CP and did a virus and malware scan; however, him doing a factory restore does not bode well, considering I did not find a virus or malware.

Sure :), but the "malware did it, not me" is older than the Chewbacca Defense ;) :
en.wikipedia.org/wiki/...ca_defense

The given threads also discuss that defense (in an early version it was "the Devil made me do it, officer"), see:
www.forensicfocus.com/...1/#6543071
and:
www.forensicfocus.com/.../start=14/
(I gave you links to the whole thread as posts and opinions must be read in their contexts)

The point is that, although often abused, that line of defense may actually be based on what really happened, and IMHO (and in that of some other members) somehow showing intent and placing the suspect behind the keyboard needs to be, if not proved, at least made highly plausible.

jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 

jaclaz
Senior Member
 
 
  

Re: Can a virus d/l CP to my computer

Posted: Wed Jan 29, 2014 8:46 pm

A "virus" only does what it's programmed to do, so yes, it's technically possible that someone could program a virus or some form of malware to download data and put it on a computer. After all, CP is a form of electronic data and at a byte level the computer just does what it's told.

A couple of things come to mind here, though: how did he know he had a virus? He said he had to reinstall the OS to get rid of the virus, so he must have had some software that detected the virus. What was the software? What was the virus called? After he reinstalled the OS, why is the CP still there? Was the CP on a different partition/drive? If so, that is highly irregular for any malware, as they tend to operate in the system drive because that is where they have the best access and can do the most damage.

When I hear that excuse from people I know 99.99% that is a complete lie and they are only saying it because it can be very difficult to disprove.

As Jaclaz says, what positive evidence do you have to support he knowingly put the CP there? If you have multiple Google searches, evidence of the CP being viewed, etc., then the virus defence could be seen as an obvious red herring.

Good luck :)

Adam10541
Senior Member
 
 
  

Re: Can a virus d/l CP to my computer

Posted: Wed Jan 29, 2014 10:15 pm

Adam, good info and noted! I will confirm with the suspect regarding what virus protection he used. I can look to verify if a virus protection was even used during the analysis. Additionally, the CP was detected during a d/l through a hash value that was verified by the AOL DB.

mrpumba
Senior Member
 
 
  

Re: Can a virus d/l CP to my computer

Posted: Wed Jan 29, 2014 11:07 pm

- mrpumba
I am currently working a case where the suspect claims he views a lot of adult porn and while doing so he sustained a virus. He is claiming the virus downloaded child porn to his computer, which I was able to recover. He stated, as a result of the virus, he did a factory install of his OS in order to get rid of the virus, days before my interview. Without getting into further details, does anyone have any US Supreme Court decisions or white papers negating this claim?


Court decisions and white papers aren't the best way to refute this argument. If I was the defendant, I'd simply say that those decisions or white papers aren't MY computer.

Thus, carve unallocated. Virus scan the exe and dll files found. Search for antivirus and event logs.

I would also check that the OS was, in fact, reinstalled when he said it was.

Was the contraband in allocated, or unallocated space (or both)?

For cases in which unallocated space is the only location, it is a very difficult case for us, because we need to show knowledge and intent.

For cases in which allocated space contains contraband, a timeline can work wonders. Even IF the virus was present on the system, if the contraband predates it, that is telling.

For knowledge and intent, internet searches are quite nice. If you are searching for contraband, and you have contraband on your computer, that is pretty dang close (if not past) reasonable doubt in some people's eyes.

The other thing is, has anyone ever made such a virus? While it is technically possible, it is only within the last year that I've heard of any malware actually downloading contraband. As such, you could research those malicious programs (I've only heard of one, so I can't imagine there would be too many even now), and use that as a checklist of artifacts to look for. Of course, your job will be quite a bit harder if the virus would be in unallocated space.

Hope this gives you a few ideas.

Terry  

twjolson
Senior Member
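
An added example, not part of the thread, of the timeline check described in the post above: it merges the recorded OS install date, malware artifacts (carved executables flagged by a scan, antivirus log entries) and file creation times, then classifies each file relative to them. All timestamps, paths and function names are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

UTC = timezone.utc

def from_epoch(seconds):
    # Many artifacts (e.g. an OS install-date value) are stored as Unix epoch seconds.
    return datetime.fromtimestamp(seconds, tz=UTC)

def build_timeline(os_install, malware_artifacts, files):
    # Merge every source into one list sorted by time: (timestamp, source, detail).
    rows = [(os_install, "os", "OS install date")]
    rows += [(t, "malware", d) for t, d in malware_artifacts]
    rows += [(t, "file", d) for t, d in files]
    return sorted(rows)

def classify(files, os_install, malware_artifacts):
    # Place each file's creation time relative to the install and the
    # earliest malware artifact. Timestamps can be altered by copying or
    # restoring, so each result needs corroboration from other artifacts.
    first = min((t for t, _ in malware_artifacts), default=None)
    out = {}
    for created, path in files:
        if created < os_install:
            out[path] = "predates-os-install"
        elif first is None:
            out[path] = "no-malware-artifact"
        elif created < first:
            out[path] = "predates-malware"
        else:
            out[path] = "after-malware"
    return out

def claim_matches(claimed, os_install, tolerance=timedelta(days=1)):
    # Does the stated reinstall date agree with the recorded one?
    return abs(claimed - os_install) <= tolerance

# Constructed sample data (not from any real case).
OS_INSTALL = from_epoch(1390000000)  # 2014-01-17 23:06:40 UTC
CLAIMED = datetime(2014, 1, 25, tzinfo=UTC)
MALWARE = [(datetime(2014, 1, 20, 13, 58, tzinfo=UTC), "carved exe flagged by AV scan"),
           (datetime(2014, 1, 20, 14, 2, tzinfo=UTC), "AV log detection entry")]
FILES = [(datetime(2014, 1, 10, 9, 0, tzinfo=UTC), "D:/media/item1.jpg"),
         (datetime(2014, 1, 19, 21, 30, tzinfo=UTC), "C:/Users/u/Downloads/item2.jpg"),
         (datetime(2014, 1, 21, 8, 15, tzinfo=UTC), "C:/Users/u/Downloads/item3.jpg")]

if __name__ == "__main__":
    for ts, source, detail in build_timeline(OS_INSTALL, MALWARE, FILES):
        print(ts.isoformat(), source, detail)
    print(classify(FILES, OS_INSTALL, MALWARE))
    print("claimed reinstall date matches record:", claim_matches(CLAIMED, OS_INSTALL))
```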
 
 