Radio interview - thoughts from you pros out there.

28 Posts
14 Users
0 Reactions
930 Views
(@seanmcl)
Honorable Member
Joined: 19 years ago
Posts: 700
 

From my perspective, the issue here may be less the truth than reasonable doubt.

I had a case where an individual had been accused of spoliation of evidence because he had continued to use his computer for two weeks after being served with an ex parte preservation order not to delete any files. The order was issued prior to the 2006 revisions of the Federal Rules of Evidence which would have clarified his responsibilities and his limited protections under safe harbor clauses.

There were a number of areas on the disk which seemed to have been overwritten. The plaintiff argued that this was evidence of spoliation. I noted that there were over 30 different malware infestations which had not been detected or treated at the time that his computer was examined and that it simply could not be determined what effect these would have had on the background activity of his machine. Some of these included backdoor type Trojans and mail relays.

The issue boiled down not to the truth of what really happened, but the possibility that the actions of this severe malware infestation could have produced artifacts of spoliation on his drive. This is something that would be almost impossible to resolve, practically, since one would need to recreate the process and order by which his machine became progressively infected. The antivirus community was not much help because, while they could say how the malware could be detected and removed, there was limited public information on the kinds of artifacts the malware might leave behind.

When I read about this case, my first thought was the defense was less "the malware did it" than "you can't say that the malware DIDN'T do it". In fact, it struck me a little like a DUI case where the verdict is often less about the truth than about what you can say, for certain.

I'm not saying that the defense in this case was not correct. What I am saying is that given the limited public knowledge about the precise behavior of malware, it is not hard to establish reasonable doubt when you have an infected system and a possible perpetrator.

Jamie
(@jamie)
Moderator
Joined: 5 years ago
Posts: 1288
 

Interesting points - and opinions - being expressed.

Playing devil's advocate for one moment, would it not be fair to say that in cases where the "Trojan defence" has been used successfully, the defence counsel is guilty of nothing more than having done its job? Are we in danger of forgetting that the burden of proof lies with the prosecution? If we accept the suggestion that the Trojan defence is indeed leading to the guilty being set free, why is this so - and more importantly, what should be done about it?

(@bithead)
Noble Member
Joined: 20 years ago
Posts: 1206
 

If we accept the suggestion that the Trojan defence is indeed leading to the guilty being set free, why is this so - and more importantly, what should be done about it?

I think part of the issue lies in being tried by a jury of your peers. As we sit here, in essence a jury of peers, reviewing what others have presented it is easy to poke holes in the presentation of the defense (or prosecution). Unfortunately the jury pool that most of us present to consists of people that were unable to get out of jury duty. So if you have an expert for the prosecution "dumbing down" what is in essence an incredibly technical issue, the defense has a much easier time of instilling "doubt" in the mind of the jury because the jury has difficulty understanding the basic concepts let alone having a common body of knowledge to know when someone is obfuscating what to us is obvious with smoke and mirrors.

I work primarily on the fraud side of things so the Trojan Defense is probably less of an issue than in an IIoC case, but complexity is still the mountain in the courtroom. Not only do we have to explain the computer side of things, but our CFEs are explaining the accounting/financial issues involved in a case. Most people barely remember that debits equal credits let alone some of the very complex tax and reporting issues. It is very disheartening to be sitting in the gallery watching the jury slowly but surely zone-out during a lengthy technical testimony from either side. Often the whole case turns on one witty retort or anecdote by one of the attorneys or experts that often has little to do with the technical issues involved.

(@crutey)
Eminent Member
Joined: 19 years ago
Posts: 32
 

Playing devil's advocate for one moment, would it not be fair to say that in cases where the "Trojan defence" has been used successfully, the defence counsel is guilty of nothing more than having done its job?

I don't know about other countries but in the UK the defence's responsibility is to ensure their client gets a fair trial, the ultimate goal of which is to establish the truth. It is NOT to get their client off by any means possible. The law society is very clear on this.

And in fairness I don't think the criticism is being levelled at counsel, more at the analysts who simply run a virus scan then dress it up as evidence of innocence without making any effort to investigate whether the viruses were active, whether any of the evidence pre-dates the infections, if the configuration of the computer or network would have prevented them working, etc, etc.

There are two main problems with the way the Trojan defence is presented

1) Lack of analysis. In most cases there is no work done on the viruses other than a virus scan and googling the viruses found. This is used to muddy the water and infer that it could easily be one of them.

2) Over-stating. Because the trojan defence is often based on a poorly researched inference, it is often over-stated in reports to give it the credence it requires to be taken seriously by a lay-person (see one of my previous posts in this thread for examples).

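One of the checks crutey lists above, "whether any of the evidence pre-dates the infections", can be made mechanical once the examiner has a timeline. The following is an added example, not code from anyone in this thread; the malware names, paths and dates are constructed, and "active" stands for whatever execution evidence (autostart entry, prefetch, etc.) the examiner actually found.

```python
from dataclasses import dataclass
from datetime import datetime

@dataclass(frozen=True)
class Infection:
    name: str
    first_seen: datetime  # earliest trace of the malware on the disk
    active: bool          # did analysis show it actually ran (autostart, prefetch, etc.)?

@dataclass(frozen=True)
class EvidenceItem:
    path: str
    created: datetime     # file system creation time of the disputed file

def classify(item, infections):
    """Verdict for one file: could any infection found on the disk account for it?"""
    earlier = [i for i in infections if i.first_seen <= item.created]
    if not earlier:
        return "predates_all_infections"       # no malware existed yet; a trojan cannot explain it
    if any(i.active for i in earlier):
        return "after_active_infection"        # a running trojan preceded it; needs further work
    return "after_inactive_infection_only"     # only malware that never executed preceded it

def classify_all(evidence, infections):
    return {item.path: classify(item, infections) for item in evidence}

# Constructed sample timeline (names, paths and dates are invented for this example).
INFECTIONS = [
    Infection("Trojan.Downloader.Sample", datetime(2008, 1, 5), active=False),
    Infection("Backdoor.Sample", datetime(2008, 3, 10), active=True),
]
EVIDENCE = [
    EvidenceItem("C:/Users/suspect/Pictures/a.jpg", datetime(2007, 12, 20)),
    EvidenceItem("C:/Users/suspect/Pictures/b.jpg", datetime(2008, 2, 1)),
    EvidenceItem("C:/Users/suspect/Pictures/c.jpg", datetime(2008, 4, 1)),
]

if __name__ == "__main__":
    for path, verdict in classify_all(EVIDENCE, INFECTIONS).items():
        print(f"{verdict:32} {path}")
```

Only files in the last category can plausibly be attributed to malware at all; the other two verdicts are the kind of finding crutey says a virus scan alone never produces.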
Jamie
(@jamie)
Moderator
Joined: 5 years ago
Posts: 1288
 

I don't know about other countries but in the UK the defence's responsibility is to ensure their client gets a fair trial, the ultimate goal of which is to establish the truth. It is NOT to get their client off by any means possible. The law society is very clear on this.

Continuing in the role of devil's advocate for the moment, it could be (and clearly is!) argued that the Trojan defence is absolutely valid, i.e. not just a convenient get out of jail free card that the defence may choose to employ when convenient. However, if the basis of that defence is indeed flawed - if it is often based on poor analysis or overstatement as suggested - what does the prosecution need to do to expose that weakness? In essence, what is the best form of defence against the Trojan defence?

(@trewmte)
Noble Member
Joined: 19 years ago
Posts: 1877
 

In essence, what is the best form of defence against the Trojan defence?

Generally, get the other party to demonstrate

a) the particular trojan has the capability to download IIoC material?
b) using a copy of the trojan from the suspect's computer - without modifying it in any way?
c) loaded on to a PC and running network access?
d) show the trojan directing to a dummy website where the images came from and download?

I am of course talking about working under closed lab conditions here, using standard html page lawful content and lawful images run from an internal server (acting as a website). The point being to prove the trojan had the capability in the first place - if not, to be shown as 'impossible'.

I am also thinking along the lines of parallel testing based upon just because a trojan is on a computer it does not automatically follow that the host system will work with that trojan anyway.

(@seanmcl)
Honorable Member
Joined: 19 years ago
Posts: 700
 

I don't know about other countries but in the UK the defence's responsibility is to ensure their client gets a fair trial, the ultimate goal of which is to establish the truth. It is NOT to get their client off by any means possible. The law society is very clear on this.

It is not quite the same in the US. While the defense is barred from doing anything illegal in the defense of the client it is not the obligation of the defense to see to it that a guilty person is convicted. The presumption of innocence is far greater than the presumption that the prosecution wouldn't be bringing the case to trial unless there was sufficient evidence to convict. The purpose of the trial is twofold: to attempt to establish the truth but, equally as important, to provide a check to the government's power to incarcerate its citizens. Thus, reasonable doubt is a standard which risks letting a few guilty people walk as an alternative to wrongly convicting innocent people.

I suspect that if this guy decided to sue for wrongful prosecution, he would have a much harder time since he would have to establish that the malware actually did cause CP to be loaded onto his computer. I have read that he plans to do this but I'd strongly advise him against it.

Finally, I also read the consultant's report and the references to the other cases and SOLELY on the basis of the report and its contents I would have to say that the report provides no evidence to support the major conclusions of the author and, in some cases, the findings presented in the report actually contradict the conclusions.

I have no opinions as to Mr. Fiola's guilt or innocence but it does seem to me to be curious why a defendant in New England would choose a forensic expert in Arizona unless defense had concluded it wanted an "expert" in the Trojan defense.

(@larrydaniel)
Reputable Member
Joined: 17 years ago
Posts: 229
 

The obvious defense to the Trojan Horse Defense is to show evidence that can be tied directly to the activities of the defendant.

If the prosecution expert cannot do that, when it is their burden to do so, then the defense has not only the right, but the responsibility to present other evidence into the trial.
