A colleague of mine recently lost a case involving CP on a suspect computer. The guy has been in the field for about 11 years and generally knows what he's doing, but here's what (and I'm paraphrasing as I wasn't there for the whole thing) happened.
He did not look for any malware on the device (standard Windows machine as far as I'm aware). The defense argued that, since he did not have that information available, the reason the CP was on the computer was malware. Essentially arguing that when the defendant entered website 'n' the site injected malware into the computer and downloaded the illegal content.
Has anyone here had experience with that? I would like your guys' insight on that particular argument (as I'm sure it will come up again) and what you did to overcome it in court?
Thanks!
Edit Spelling
What's there to comment on? It's not the defense's job to prove it did happen, it's his job to prove it didn't. The defense did their job, your colleague didn't do his.
That said, I don't always do malware scans and research, but it's highly case dependent. For instance, malware isn't going to print off photos and place them with a rental agreement. Malware isn't going to conduct Google searches. Malware isn't going to download and install peer-to-peer applications which then download and save child sexual exploitation videos.
Terry
I guess I’m looking for other people's experience on the matter. I know the defense's job is to make his client look as not guilty as possible but I'm looking at what other people have done (either pre-emptively or during court) to overcome this? I'm relatively new in the field (under 2 years) and will be replacing him as the sole forensic investigator in my department.
There have been a number of documented examples in Australia and the UK of the type of defense used in the case you cite. In this instance it sounds like an example of having too narrow a view of what our role is in investigations. If you carry out an analysis, find what you believe might be relevant evidence and simply hand that over to the investigator, you have failed to complete the job.
Early in my career I was lucky enough to spend considerable time with some very experienced crime scene examiners, and one of the many lessons they taught me is that finding a piece of evidence is only one aspect of our role. You also need to, as best you can, try to explain from the information available how that evidence came to be where it is. Examine alternative explanations of how particular evidence came into existence and whether there is information available that discounts or bolsters a particular scenario. Our role is about describing the scene in as complete a manner as possible, which in our case is the device being examined.
There is always going to be an element of doubt.
Malware scans on static files aren't actually very effective. Modern anti-virus software works on multiple levels (like scanning web traffic, sandboxing, looking for suspicious API calls, blacklisting, memory analysis, etc.). So there is a reduced probability of finding a virus by doing a scan of the static files on a disk image. Modern viruses are often polymorphic, meaning that the virus signature changes on each machine.
A virus could in theory do anything a real user can do. Simulating key-presses, opening web pages, etc..
Some viruses also open up the machine to remote usage. These
I think it is very difficult to prove this never happened. But some things that can help would be,
- Scanning for viruses / malware
- Booting the disk image and leave it running for a while without touching it. Then see if new images magically appeared on the machine without human intervention.
- Look for additional evidence that shows a collection of activity that would be inconsistent with typical malware, e.g. a virus isn't going to be able to have a sensible human-like chat session.
Thanks Passmark (and AuseForensic) for the helpful advice! I'm thinking about also using the time-line to (if i'm grasping it correctly) build on what Ause was talking about and disprove the theory based on events around the creation/access (etc) of the artifacts in question to show that malware wouldn’t be doing all of these things all at once.
Modern viruses are often polymorphic meaning that the virus signature changes on each machine.
As an aside, polymorphic viruses have been around for a long time - I was teaching students about them on Dr Solomon's live virus workshop back in 1993 D
Just reminiscing about the good old days D
Hello,
I think in the UK we tend to be fairly lucky, because if the defendant's argument is "a virus did it" then by the time it reaches crown court we (should) be informed ahead of time - so you can then take further steps. But to be honest, timescales in UK LE cases tend to be such that it's not practical to "leave no stone unturned" for every exhibit in every case, meaning unless your defendant makes a specific point then you tend not to check for it.
If the argument does come up, then IMO it becomes important to find out how the evidence appeared on the device. This can include such items as relevant search terms or peer-to-peer activity - and timelining your case also helps so that you can understand what other activity took place around the same time the material was created. Did he check his email? Did he edit his CV? Is there evidence of the files being viewed via LNK files, jumplists, registry MRU?
It is also worthwhile to check whether there is AV installed on the device, how up to date it is, and if it was actively running during the time the evidence was created. And further to this, if you yourself scan the device does it detect anything? If so, was it active and could it potentially download that sort of material without the user being aware? And on and on.
None of this, of course, conclusively answers the question of "is the suspect behind the keyboard at the time of the offence" (what can?) - but it may suggest that it is highly unlikely that it was the result of malicious actions by some unknown remote actor.
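The timelining approach described in the last two posts (Passmark's list and the UK reply above) can be scripted: for each creation of a file of interest, collect the user-driven artifacts (searches, email, P2P, LNK, registry MRU) that fall within a few minutes of it, so that creations with no surrounding human activity stand out for closer examination. This is an added example and not any poster's own code; the timeline rows, file paths, source labels and the 10-minute window are constructed assumptions, standing in for rows exported from a super-timeline tool.

```python
from datetime import datetime, timedelta

# Constructed sample super-timeline rows: (timestamp, source, description).
# Not real case data; source labels mimic the kind a timeline tool would emit.
TIMELINE = [
    ("2023-03-04 21:02:10", "WEBHIST", "google search: <terms redacted>"),
    ("2023-03-04 21:03:55", "P2P",     "eMule download started: file_a.avi"),
    ("2023-03-04 21:04:30", "EMAIL",   "Outlook: message read"),
    ("2023-03-04 21:06:02", "FILE",    "created: C:\\Users\\x\\Downloads\\file_a.avi"),
    ("2023-03-04 21:07:40", "LNK",     "opened: file_a.avi"),
    ("2023-03-04 21:08:12", "REG",     "RecentDocs MRU: file_a.avi"),
    ("2023-03-05 03:15:00", "FILE",    "created: C:\\Users\\x\\Downloads\\file_b.avi"),
    ("2023-03-05 03:15:01", "FILE",    "created: C:\\Users\\x\\Downloads\\file_c.avi"),
]

# Artifact sources that normally require a person at the keyboard.
USER_SOURCES = {"WEBHIST", "EMAIL", "LNK", "REG", "P2P"}


def parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")


def creation_context(timeline, window_minutes=10):
    """For every file-creation event, gather user-interaction artifacts that fall
    within +/- window_minutes of it. Returns one dict per created file."""
    window = timedelta(minutes=window_minutes)
    events = [(parse_ts(t), src, desc) for t, src, desc in timeline]
    results = []
    for when, src, desc in events:
        if src != "FILE" or not desc.startswith("created: "):
            continue
        nearby = [(w, s, d) for w, s, d in events
                  if s in USER_SOURCES and abs(w - when) <= window]
        results.append({
            "path": desc[len("created: "):],
            "user_artifacts": [f"{w:%H:%M:%S} {s} {d}" for w, s, d in nearby],
            "sources": sorted({s for _, s, _ in nearby}),
        })
    return results


if __name__ == "__main__":
    for r in creation_context(TIMELINE):
        tag = "corroborated" if r["sources"] else "NO concurrent user activity"
        print(f"{r['path']}: {tag} ({', '.join(r['sources']) or '-'})")
        for line in r["user_artifacts"]:
            print("   ", line)
```

Creations flagged with no concurrent user activity are not proof of malware, only the places where the AV state, running processes and remote-access checks from the post above deserve the most attention.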