Disproving the Trojan Defense  

keydet89
(@keydet89)
Community Legend

Recently, I've read a couple of news items and articles that mention the successful use of "Trojan Defense" in child pornography cases. I've also read an academic paper that addresses the use of statistical analysis of file access times to prove/disprove this claim.

Is this an area that would benefit from further investigation and discussion? In the past couple of years, I've done some research into Windows Registry analysis, and I'm curious if this particular topic would benefit from data collection and analysis techniques that could be used to prove/disprove this claim.

Thoughts?

Thanks,

Harlan

Posted : 22/11/2005 8:00 pm
hogfly
(@hogfly)
Active Member

My estimation is that the trojan defense works because the lawyer is untrained in prosecuting digital crimes and doesn't know the right questions to ask, the evidence isn't there, or the 'expert' botched the investigation because they don't know enough about the malware, how it spreads, and how it works.

Would this area benefit from investigation? yes. Would this area benefit if the AV/Anti trojan manufacturers helped out by providing more information? yes.

I think the most important aspect of something like this would be the analysis aspect. Proving the negative (that it was the user and not the malware) is the tough part.

Can you provide links to the papers?

Posted : 22/11/2005 8:21 pm
keydet89
(@keydet89)
Community Legend

> My estimation is that the trojan defense works because the lawyer is
> untrained in prosecuting digital crimes and doesn't know the right
> questions to ask, the evidence isn't there, or the 'expert' botched the
> investigation because they don't know enough about the malware, how
> it spreads, and how it works.

From what I've read, as well as from discussions with LEOs and folks who actually go to court, none of these is really the case. What it comes down to is the presentation by the expert witness, and how much the defense attorney can confuse the issue in the minds of the jury.

> Would this area benefit if the AV/Anti trojan manufacturers helped out
> by providing more information? yes.

I'm not sure that I see how. In the Caffrey case, the suspect was found not guilty after claiming that a Trojan was responsible for the DoS attacks emanating from his system, even though A/V scans showed no signs of malware.

What information would you like to see? What's missing? What are the A/V companies failing to provide, in your view?

> Can you provide links to the papers?

The academic paper I mentioned can be found (via Google) here:
http://www.idje.org (look under vol 2, issue 4, spring 2002, for "The Trojan made me do it")

One reference to the Caffrey case I mentioned above is found (via Google) here:
http://www.collisiondetection.net/mt/archives/000557.html

Others:
http://news.com.com/2100-7349_3-5092781.html
http://www.techdirt.com/articles/20031017/0845248.shtml

The FedLawyerGuy.org blog has a post here:
http://www.fedlawyerguy.org/archives/000342.html
Note: the link to the Reuters article seems to be down.

With regards to child pornography in particular, I think it should be fairly easy to prove, through additional means, whether or not the pictures were placed there unbeknownst to the suspect via a Trojan.

Harlan

Posted : 22/11/2005 8:45 pm
hogfly
(@hogfly)
Active Member

So, legal junk science attacks at work eh?

In the Caffrey case, suppose an AV vendor provided an analysis of how the malware on the system worked. It didn't mention it, but I wonder if the ISP provided flow logs in the case. Simply explained: if someone else 'did it', you'd see an incoming connection to Caffrey's box on a backdoor port that was opened by the trojan. No connection, no outside source involved. Explaining that trojans aren't autonomous is up to the "expert".

I think a detailed malware analysis provided by AV vendors would be beneficial in cases where malware being the cause of an action is in question. If someone claims that a trojan was the cause, and the trojan's only purpose is to track someone's actions then it *could* help a case.

Posted : 22/11/2005 9:20 pm
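As an added illustration of the flow-log reasoning in the post above (this is example code written for this page, not anything from the thread or the Caffrey case), the script below takes constructed NetFlow-style records for a suspect host and checks whether any inbound session to the port the trojan is claimed to listen on precedes the first outbound attack traffic. The addresses are RFC 5737 documentation ranges and the backdoor port number is a hypothetical stand-in; the absence of a hit is only as meaningful as the coverage of the logs that were actually retained.

```python
from datetime import datetime, timedelta
from typing import NamedTuple, Optional


class Flow(NamedTuple):
    start: datetime
    src: str
    sport: int
    dst: str
    dport: int
    octets: int


# Constructed sample values (RFC 5737 documentation addresses); the
# backdoor port is a hypothetical placeholder, not a real indicator.
SUSPECT = "192.0.2.10"
TARGET = "198.51.100.7"
BACKDOOR_PORT = 31337


def t(h, m, s=0):
    return datetime(2005, 11, 22, h, m, s)


# Scenario A: someone connected to the backdoor port before the flood started.
FLOWS_WITH_OPERATOR = [
    Flow(t(19, 40), "203.0.113.5", 51000, SUSPECT, BACKDOOR_PORT, 1800),  # inbound control session
    Flow(t(19, 58), SUSPECT, 40000, TARGET, 80, 640000),                  # outbound flood begins
    Flow(t(19, 59), SUSPECT, 40001, TARGET, 80, 655000),
    Flow(t(20, 5), "203.0.113.5", 51002, SUSPECT, BACKDOOR_PORT, 900),    # operator checks back in
]

# Scenario B: only the outbound flood plus unrelated inbound noise.
FLOWS_NO_OPERATOR = [
    Flow(t(19, 30), "203.0.113.77", 3020, SUSPECT, 445, 120),            # unrelated inbound probe
    Flow(t(19, 58), SUSPECT, 40000, TARGET, 80, 640000),
    Flow(t(19, 59), SUSPECT, 40001, TARGET, 80, 655000),
]


def attack_start(flows, host, target) -> Optional[datetime]:
    """Earliest flow from the suspect host to the attacked target, or None."""
    starts = [f.start for f in flows if f.src == host and f.dst == target]
    return min(starts) if starts else None


def inbound_control_sessions(flows, host, port, not_before, not_after):
    """Inbound flows to the claimed backdoor port inside [not_before, not_after)."""
    return [f for f in flows
            if f.dst == host and f.dport == port and not_before <= f.start < not_after]


def assess(flows, host=SUSPECT, port=BACKDOOR_PORT, target=TARGET,
           lookback=timedelta(hours=24)) -> dict:
    """Did an inbound session to the backdoor port precede the attack traffic?"""
    start = attack_start(flows, host, target)
    if start is None:
        return {"attack_start": None, "inbound_control": [],
                "verdict": "no outbound attack traffic in the logs"}
    hits = inbound_control_sessions(flows, host, port, start - lookback, start)
    verdict = ("inbound session to the claimed backdoor port precedes the attack; "
               "a remote operator is plausible"
               if hits else
               "no inbound session to the claimed backdoor port in the logged window "
               "before the attack")
    return {"attack_start": start, "inbound_control": hits, "verdict": verdict}


if __name__ == "__main__":
    for label, flows in (("with operator", FLOWS_WITH_OPERATOR),
                         ("no operator", FLOWS_NO_OPERATOR)):
        r = assess(flows)
        print(f"{label}: {r['verdict']} ({len(r['inbound_control'])} control session(s))")
```

The check is deliberately narrow: it only looks for sessions that start before the attack does, because a controller has to issue the command before the host acts on it. A later session (the 20:05 record in scenario A) is not counted as the trigger.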
jlloyd
(@jlloyd)
New Member

As previously reported, there were no viruses present on Aaron Caffrey's machine.
Contrary to the impression given by the Google report linked to by Harlan I do not believe that it was ever Caffrey's intention to compromise the Port of Houston server. The server was simply vulnerable to a well known IIS exploit (and had been previously compromised by the same exploit) which was utilised as part of an IRC script in order to launch a DDOS attack on IRC chat room users.
A large number of log files were presented and examined relating to IP traffic and chat logs recovered from IRC sessions. The scripts allegedly used to conduct the DDOS attack were also examined.

That Aaron Caffrey's Trojan defence succeeded is both a testament to his defence barrister's abilities and an indictment of the failure of the prosecution to pursue a variety of issues such as the social engineering aspects of the case.

The prosecution's expert evidence went right over the heads of the jury and they ended up accepting a ludicrous story as a defence simply because it was presented in a much more accessible fashion.

Win some, Lose some.

Posted : 22/11/2005 10:26 pm
keydet89
(@keydet89)
Community Legend

> So, legal junk science attacks at work eh?

Not at all. From what I've read, it seems to be a matter of playing on the public's misconceptions. All the defense has to ask is if it's *possible* that the malware could have escaped detection by the A/V scanners, or whatever other method was used.

> I think a detailed malware analysis provided by AV vendors…

Why shouldn't that analysis be provided by forensic analysts? Why wait for an A/V vendor to provide the analysis, or say that it's not detailed enough, when an analyst can do that analysis themselves? Is it a matter of time? What if someone were able to provide the necessary training to analysts, or provide the analysis as a service? Wouldn't it behoove an analyst to be able to study a bit of malware from their own perspective, rather than the perspective of an A/V vendor?

More to the point of the original topic, though…in cases involving CP, there are other methods of determining the validity of such defenses. In my own research into the topic, I haven't come across any publicly available information regarding Registry analysis in general, nor specifically for such cases.

Is this because no one's doing it, or the fact that analysts aren't interested in it?

Harlan

Posted : 22/11/2005 10:49 pm
hogfly
(@hogfly)
Active Member

Harlan,
I never said it shouldn't be up to the forensic analyst. Why the AV vendor and not the analyst? Why a commercial tool and not a homegrown one? Based on answers I've received... a vendor would hold more clout, just like a commercial tool would. In the US, Symantec is approved by NIST, so by rights (making an assumption here) wouldn't an analysis by an experienced Symantec malware analyst hold more weight?
If someone provided the training…SANS already does (malware analysis 2 day hands on course). Not sure if there are others though. I haven't seen a malware analysis service, but I wouldn't see it hurting a case if one were used.

Yes, it certainly would behoove the analyst if they studied the malware. How many analysts unpack PEs, set breakpoints in IDA (or other tools), recover what's in the registers and translate that to English? I'd guess not many, and the reason I would guess is due to limited time.

Could you share some of the methods used for determining the validity of the defenses in CP cases? I haven't seen the registry mentioned or used in any of the affidavits or testimonies I've read yet either.

Posted : 22/11/2005 11:13 pm
keydet89
(@keydet89)
Community Legend

Hogfly,

In many cases, I find analysis reports by A/V vendors to be lacking in necessary detail…largely because they are not analyzing the malware from the perspective of a forensic analyst attempting to prove or disprove something.

Regarding clout…a file recovered from an image will be the same regardless of who views it; ie, the prosecution or the defense. Analysis techniques can and should be documented, and those techniques are not available at any A/V site that I'm aware of. I'm not an expert witness, but I know for a fact that I would not go to court based on the "analysis" available from Symantec or any other site…if for no other reason than because the first question from the defense will be with regards to the analysis process. "I searched on Google" or "I read the Symantec web site" as an answer will destroy a professional reputation.

> Could you share some of the methods used for determining the validity
> of the defenses in CP cases?

Well, certain Registry files maintain information specific to user activity. Not all activity is recorded, but some is, along with timestamps, ie, LastWrite times. If the user interacted with the files that he claims were left there by a Trojan, then that interaction may be recorded in the Registry.

Some applications maintain lists of recently accessed files. For example, when you open Word and click on File, the bottom of the drop-down menu has a list of files. This information is maintained in the Registry.

The Registry also maintains a list of recently accessed files, by type (ie, extension). When a user double-clicks a file, the Registry is examined for the application to use to open it…but the interaction of double-clicking places a reference to the file (by type) in the Registry, along with an MRU list.

Information about USB devices connected to the system is maintained in the Registry. While EXIF data maintained within JPEG images taken with a digital camera do not contain unique identifying information (with regards to the camera), the Registry does (in some cases). Examining the Registry and the device descriptor of the camera may show that the camera used to create certain digital images had been connected to the system.

The data about USB storage devices may also be used in correlation with the contents of LNK files in the "My Recent Documents" folder.

As you can see, there are a variety of areas that can be examined. Limited testing of my own has shown that accessing image files remotely via a network share or a backdoor (ie, netcat) does not place the entries in the Registry, while accessing them locally will…which would obviate a "Trojan Defense".

> I haven't seen the registry mentioned or used in any of the affidavits
> or testimonies I've read yet either.

I would suspect, based on my conversations with LEOs, that this is because Registry analysis is not something that's being done. My impression is that this is the case, due to lack of knowledge and understanding.

Posted : 22/11/2005 11:46 pm
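To make the "recently accessed files, by type" point above concrete, here is an added example (written for this page, not Harlan's code or a tool from the thread) that reconstructs the order in which files of one extension were opened from the kind of MRU data Explorer keeps under the user's RecentDocs key. It assumes the layout I know for that key: one numbered value per file whose data starts with the file name as a null-terminated UTF-16LE string, plus an MRUListEx value holding 32-bit little-endian indices, most recent first, ended by 0xFFFFFFFF. Everything after the name in each value, the sample file names, and the LastWrite time are constructed for the example.

```python
import struct
from datetime import datetime, timezone


# --- constructed sample data, modelled on a RecentDocs\.jpg subkey ---------
def make_entry(name: str) -> bytes:
    # File name as UTF-16LE + null terminator; the trailing bytes stand in
    # for the shortcut/shell-item part of the real value, which is ignored here.
    return name.encode("utf-16-le") + b"\x00\x00" + b"\x00" * 8


def make_mrulistex(order) -> bytes:
    # DWORD indices, most recently used first, terminated by 0xFFFFFFFF.
    return b"".join(struct.pack("<I", i) for i in order) + struct.pack("<I", 0xFFFFFFFF)


SAMPLE_JPG_KEY = {
    # Constructed LastWrite time of the ".jpg" subkey.
    "last_write": datetime(2005, 11, 20, 21, 14, 3, tzinfo=timezone.utc),
    "values": {
        "0": make_entry("holiday01.jpg"),
        "1": make_entry("scan_0042.jpg"),
        "2": make_entry("IMG_0311.jpg"),
        "MRUListEx": make_mrulistex([2, 0, 1]),   # IMG_0311.jpg opened most recently
    },
}


# --- parsing ----------------------------------------------------------------
def parse_mrulistex(data: bytes) -> list:
    """Return the MRU indices in order, stopping at the 0xFFFFFFFF terminator."""
    indices = []
    usable = data[: len(data) - len(data) % 4]      # ignore a ragged tail
    for (idx,) in struct.iter_unpack("<I", usable):
        if idx == 0xFFFFFFFF:
            break
        indices.append(idx)
    return indices


def entry_name(data: bytes) -> str:
    """The leading null-terminated UTF-16LE string is the file name."""
    end = 0
    while end + 1 < len(data):
        if data[end] == 0 and data[end + 1] == 0:   # 16-bit null, on an even offset
            break
        end += 2
    return data[:end].decode("utf-16-le", errors="replace")


def recent_docs_timeline(key: dict) -> list:
    """Most-recent-first list of files, with the one timestamp the key can give."""
    order = parse_mrulistex(key["values"]["MRUListEx"])
    rows = []
    for position, idx in enumerate(order):
        raw = key["values"].get(str(idx))
        if raw is None:
            continue    # index with no matching value: report a gap, do not guess
        rows.append({
            "name": entry_name(raw),
            "rank": position,
            # Only the most recent entry can be tied to the key's LastWrite time;
            # the others were opened earlier, but the Registry does not say when.
            "opened_at": key["last_write"] if position == 0 else None,
        })
    return rows


if __name__ == "__main__":
    for row in recent_docs_timeline(SAMPLE_JPG_KEY):
        when = row["opened_at"].isoformat() if row["opened_at"] else "earlier (no timestamp)"
        print(f'{row["rank"]}: {row["name"]:15s} {when}')
```

The caveat built into the output is the one a defense attorney will ask about: the subkey's LastWrite time is updated when the list changes, so it dates only the most recent entry; the presence of a file in the list shows local interaction, not when each earlier interaction happened. Correlating those entries with LNK files and other artifacts, as the post describes, is what supplies the rest of the timeline.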
hogfly
(@hogfly)
Active Member

> Hogfly,
>
> Regarding clout…a file recovered from an image will be the same regardless of who views it; ie, the prosecution or the defense. Analysis techniques can and should be documented, and those techniques are not available at any A/V site that I'm aware of. I'm not an expert witness, but I know for a fact that I would not go to court based on the "analysis" available from Symantec or any other site…if for no other reason than because the first question from the defense will be with regards to the analysis process. "I searched on Google" or "I read the Symantec web site" as an answer will destroy a professional reputation.

Absolutely, but note I said an experienced malware analyst at Symantec, not Symantec as a whole or its crappy analysis site where they post what equates to the executive analysis.

If the AV vendors provided a service whereby one of their analysts appeared in court after analyzing a submitted piece of malware that's being used in a 'trojan defense' case, I would think it would hold more weight than a forensic analyst that dabbles in malware analysis providing 'expert' testimony.

Posted : 23/11/2005 2:16 am
keydet89
(@keydet89)
Community Legend

> note I said an experienced malware analyst at Symantec

Sure, but what's the likelihood that Symantec is going to expose themselves to that kind of liability?

> If the AV vendors provided a service whereby one of their analysts
> appeared in court after analyzing a submitted piece of malware that's being
> used in a 'trojan defense' case, I would think it would hold more weight than a
> forensic analyst that dabbles in malware analysis providing 'expert'
> testimony.

Well, like I said, I doubt that Symantec is going to expose themselves to that kind of liability. The analyst could serve as an expert witness without appearing as a Symantec employee…but A/V analysts don't necessarily look for the same kinds of things as a forensic analyst or expert witness. Finally, I really doubt that anyone who "dabbles" in anything is ever called to the stand as an expert witness.

So much for the original subject line, I guess…

Posted : 23/11/2005 4:17 am