I agree with RobRoy's post about some of the posted comments on here; quite a few are informative and helpful, but there are some that seem to be personal and nasty. Also, just because the website was created in April does not mean that they have only just started working in forensics.
You have to look at all the information, not just pick and choose. Had the LinkedIn profile still been up, you would have seen that that is indeed the case.
Don't confuse passionate with nasty; many analysts are passionate about their work, and this is reflected when someone tries to undermine it using such tactics.
I've been lurking on this site for some time and most of the content is useful and informative. However, some of the posts make me extremely happy that I do not work in computer forensics - I thought consultants could be nasty! What's next? Make an effigy of this woman and stick pins in it?
RobRoy,
Given your use of a 'cursory search' to justify your stance I too am glad you don't work in this field. lol
What you are failing to realise is that the majority of Forensic Analysts working in Law Enforcement spend 90% of their time working on cases where people have been trading in images of children being abused. This is not like consulting, where you may or may not secure a contract, or where a project may go over budget; this is serious stuff that has a direct effect on children's lives.
Occasionally (prob more so after the 2 recent stories!) someone comes along and sells the 'trojan defense' to the suspect's legal team, which is essentially to run a virus scan then say 'any one of these viruses could have planted it'.
The negative reactions to this are twofold:
1) Someone is making a profit selling snake-oil, and in doing so is attempting to get someone with a sexual interest in children off the hook. Luckily this is normally easily combated by a competent analyst and the offender is convicted regardless. Occasionally, for a myriad of reasons (read the first thread you posted a link to for a better understanding), this defense, whilst untrue, is sufficient to succeed, thus allowing the paedophile to walk free and not be on the sex offenders' register. LE Analysts, quite rightly, take their work very seriously and take a very dim view of this.
2) That by spinning out this defense, based upon half a forensic examination, they are generating a large amount of work for the Police analyst, which in turn prevents them from dealing with other cases. This is particularly serious in an arena where large (6 month) backlogs of work are common and where it is not unusual to discover from the computer work that the offender arrested for images of child abuse is in actual fact abusing children they have access to.
Hope this clears things up for you a bit, I for one am glad I work in this arena - I get to make a real difference in the world.
I don't need to guess what else I share with Tigger - I know. We share a house, a dog and a wonderful civil ceremony on May 1 this year.
Congratulations. I think what Jamie was referring to was an IP address, which to the Site Admin (Jamie) would have made it look like you were one person posting using two user accounts. Luckily you have cleared that up.
The point that Tigger was trying to get across is that just because a business may be new doesn't mean that the people who run it are new to the business.
Again I refer you to the now defunct (but cached by google) LinkedIn entry which was the other part of the post 'Tigger' was commenting on.
I've been lurking on this site for some time and most of the content is useful and informative. However, some of the posts make me extremely happy that I do not work in computer forensics - I thought consultants could be nasty! What's next? Make an effigy of this woman and stick pins in it?
A cursory search for "Trojan Defence" brings up
http://www.forensicfocus.com/index.php?name=Forums&file=viewtopic&t=564&view=previous
http://www.getreading.co.uk/news/s/6541_program_put_child_porn_pics_on_my_pc
http://news.zdnet.co.uk/security/0,1000000189,39115422,00.htm?r=11
http://www.infomaticsonline.co.uk/vnunet/news/2162838/child-porn-spam-hides-trojan
I don't see any nastiness in this thread. Forensics is about revealing the 'truth' in a case and as Crutey says some are passionate about this.
The links you provided don't give any credence to the validity of a Trojan Defence, more that it has been used, hence why I said in my first post that I'd like to do analysis on such a case. I think most experienced analysts could prove otherwise when the old "it was the Trojan that did it" defence is rolled out.
The first link is a discussion on this forum which mentions a case where there was no malware present, and a discussion where they talk about the Trojan defence working because the lawyer is untrained in prosecuting digital crimes and doesn't know the right questions to ask, because the 'expert' botched the investigation by not knowing enough about the malware and how it works, and because of how much the defense attorney can confuse the issue in the minds of the jury.
The case in the second link states "prosecutors accepted an expert's report that the "Trojan" program could have saved the 14 depraved images off the internet without his knowledge". Well yes, someone could also have broken into his house and put the CP on his PC. Is it possible? Yes. Is it likely? No. Looks like the prosecution weren't up to the task in hand. Same with the third link.
The fourth link is to do with an email scam and has nothing to do with a Trojan defence.
The point that Tigger was trying to get across is that just because a business may be new doesn't mean that the people who run it are new to the business.
But the interviewee said that she had been an IT teacher in a local school, which she hated, so moved out and took a recent degree in CF, which interested her more. This, with the fact that the company was formed on 2 February this year and the domain name was registered shortly after, does make it appear that they are relatively new in the field. Everyone has to start somewhere of course, but if you get interviewed on the radio about your cases and post the link on your website, I think it reasonable that others should be able to discuss its contents.
Even after some years within this arena, I am very cautious when dealing with the media. I don't really trust them (there is always a trend to try to sensationalise or not deal with enough detail), and it's easy to make a slip-up (especially when it's live), bearing in mind that we deal in something that is very specific and peer review can be intense (rightly so, I think). Obviously, the upside is some free PR, but how many radio listeners are potential customers? (Sorry to go slightly off topic.)
Slightly surprised not to see mention of this more recent and fairly well publicised case
http//
What do we make of it?
This case has been the source of much discussion on another forum, where some useful observations were posted. I'll repeat what I have time to here (off out), with thanks to the original posters.
Firstly the actual report is available here
http//
Many practitioners have taken exception to much of it.
Firstly, the report does not evidence a Trojan being responsible; the analyst simply runs a virus scan, googles the found viruses, then uses that as the basis for some sweeping conclusions.
Some of the statements made are misleading, this for example
“The shellexp.exe virus file was found in the registry’s Run folder, allowing the file to execute each time the computer booted up.”
A REFERENCE to a virus was located, not the actual virus. In fact, the specified virus was not located during the analyst's own virus scan. This is indicative of a virus that failed to deploy or one which was picked up by AV software and rendered useless.
Another example of statements that are simply not true
"One of the first things that viruses and Trojans do is disable the antivirus protection software.”
And another
"The term “bbs” is commonly used to refer to the electronic Bulletin Board System. The BBS was created in the late 1970’s, connecting computers with phone modems and phone numbers for the purpose of sharing information and became obsolete in the 1990’s with the popularity of high speed Internet access and the World Wide Web. Since BBS’s have not been active in almost 20 years, the use of this term as a current search term makes no sense and seems suspicious."
Read the report… there is much more of the same I simply don't have the time to post.
Without wanting to be accused of making this personal, this same analyst has used the same defense before; this time both the report and the State's response are available
http//
http//
Hope this helps, enjoy! I'm off out to enjoy the (partial) sun!
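The point Chris makes about the Run key is worth making concrete: an autorun value is a pointer to an executable, and it only tells you the system was asked to launch something at boot, not that the file was present or ever ran. The example below is added here and is not from the report under discussion or from anyone in this thread. It parses a constructed .reg export of a Run key, extracts the image path from each command line (quoted path, bare path, or %ENV%-expanded path), and checks each against a constructed inventory of files present in the evidence image, reporting which entries are dangling references. The file list, the value names and the environment mapping are all made up for the illustration.

```python
import re
from typing import Dict, Iterable, List, Tuple

# Constructed sample .reg export of a Run key (not taken from any real case).
# Note that shellexp.exe is referenced here but is absent from SAMPLE_FILES.
SAMPLE_REG = r'''
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"shellexp"="C:\\WINDOWS\\system32\\shellexp.exe"
"AVTray"="\"C:\\Program Files\\Vendor AV\\avtray.exe\" /startup"
"Updater"="%SystemRoot%\\system32\\updater.exe -q"
'''

# Constructed inventory of files present in the image (as a file-system
# walk or MFT parse would produce). Lookups are case-insensitive, as NTFS is.
SAMPLE_FILES = {
    r"C:\WINDOWS\system32\updater.exe",
    r"C:\Program Files\Vendor AV\avtray.exe",
}

# Assumed environment for the suspect machine; %SystemRoot% is the usual one.
SAMPLE_ENV = {"SystemRoot": r"C:\WINDOWS"}

# One REG_SZ value line in .reg syntax: "name"="data"
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"$')


def unescape_reg(data: str) -> str:
    """Undo .reg string escaping: \\\\ -> \\ and \\" -> " in a single pass."""
    return re.sub(r'\\(.)', r'\1', data)


def extract_image_path(command: str) -> str:
    """Pull the executable path out of a Run value's command line.

    A quoted path ends at the closing quote. An unquoted path is ambiguous
    when it contains spaces (Windows probes successively longer prefixes);
    here we cut after the first token ending in .exe, else the first token.
    """
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end != -1 else command[1:]
    m = re.match(r'(?i)(.*?\.exe)(?=\s|$)', command)
    return m.group(1) if m else command.split()[0]


def expand_env(path: str, env: Dict[str, str]) -> str:
    """Expand %VAR% using the supplied (assumed) environment; leave unknowns."""
    return re.sub(r'%(\w+)%', lambda m: env.get(m.group(1), m.group(0)), path)


def triage_run_key(reg_text: str, files_present: Iterable[str],
                   env: Dict[str, str]) -> List[Tuple[str, str, bool]]:
    """Return (value name, resolved image path, present on disk) per entry."""
    present = {p.lower() for p in files_present}
    results = []
    for line in reg_text.splitlines():
        m = VALUE_RE.match(line.strip())
        if not m:
            continue  # header, key name or blank line
        command = unescape_reg(m.group("data"))
        image = expand_env(extract_image_path(command), env)
        results.append((m.group("name"), image, image.lower() in present))
    return results


def dangling_entries(results: List[Tuple[str, str, bool]]) -> List[str]:
    """Names of Run values whose target executable is not in the image."""
    return [name for name, _, exists in results if not exists]


if __name__ == "__main__":
    rows = triage_run_key(SAMPLE_REG, SAMPLE_FILES, SAMPLE_ENV)
    for name, image, exists in rows:
        print(f"{name:10} {image:45} {'present' if exists else 'MISSING'}")
    print("dangling references:", dangling_entries(rows))
```

A dangling entry is a lead, not a conclusion: the next steps are to look for the binary in AV quarantine folders and AV logs, in the recycle bin and unallocated space, and in prefetch or other execution artefacts, so that "referenced but absent" can be separated from "executed and later removed".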
Very useful post, Chris, thanks.
Crutey,
Thank you for posting this - it has cleared a few misconceptions in my mind.
I share a lot of Crutey's views. I both love and hate my job.
For me it is all about accountability and anything that gives the people that offend against children a way out instead of facing their crimes sickens me.
How people can sow the seed of literally a get out of jail free card, when the best advice will always be, "you have a problem, admit it and seek help" is beyond me.
It is hard not to take it personally and get insulted when you take your work and its impact seriously, and I for one respect anyone who is willing to stand up and say "this is not right" instead of relying on smoke and mirrors to line their pockets.