Just wondering if anyone has a PowerPoint Presentation or other documentation detailing the Virus / Trojan / Malware Defense. I was asked to speak about the matter since it seems to be in the news again. I know a good examination can minimize the validity but it seems it keeps being brought up in the legal arena.
Thanks…..
In what sense?
I've presented a number of times on ways to validate or obviate the Trojan Defense. The key is that it comes down to the propensity of data, looking at all of it, not just one part.
When I write presentations, I don't put everything I say on the slides…if I did, there'd be no reason for me to be there other than to read the slides to the audience. Instead, it becomes a discussion.
It's really not difficult. You can contact me off-list if you like.
I can send you some URLs with PowerPoint presentations used, in court, to substantiate the malware defense. IMHO, they are far from sound either forensically or scientifically.
The common approach to such a defense is to establish 1) that the system was infected, 2) there are no log files demonstrating that the material was deliberately downloaded and 3) that there exist various P2P, IRC, etc., based file sharing/distribution mechanisms which could be used to distribute contraband and that these could be implemented as malware. These are used to create what purports to be "reasonable doubt". Most of these cases are affirmative defense cases, i.e., the defense can't deny that the images are there, but try to assert that the user/owner did not put them there and was not aware that they were there.
The flip side, as Harlan says, is that an established investigator will look at other aspects of the system. Are there features of the case that indicate a pattern rather than an isolated instance? What other user activity can be documented, etc.? Does the time of infection correspond to the dates and times of the contraband?
There are really many avenues to approach to counter the defense, if the evidence is there and the investigator finds it.
One other thing that I might mention is that in many of the high profile cases where the defense has prevailed, there have been one or more problems with LE or the prosecution which have contributed to a verdict in favor of the defense.
I am not aware of any cases (which is not to say that they don't exist), where anyone has established to a reasonable degree of scientific certainty that malware was, indeed, the culprit. If anyone is aware of references to the contrary, I'd love to see them.
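The timeline checks described in the reply above (does the infection time line up with the contraband dates, is there a pattern or an isolated event, is there documented user activity) can be sketched as a small correlation script. This is an added example and not code from anyone in the thread; the infection timestamp, paths and event sources below are constructed sample data, and the session gap of one hour is an assumed threshold.

```python
"""Added example: correlating an infection window against file system
and user-activity events. All timestamps, paths and event sources are
constructed sample data, not taken from any real case."""
from datetime import datetime, timedelta

# Constructed: when the malware artifact was first observed on the system
INFECTION_FIRST_SEEN = datetime(2010, 3, 14, 21, 5)

# Constructed events: (timestamp, path, event source)
# "mft_created"  : file creation time from the file system
# "recent_docs"  : the user opened the file (user-driven artifact)
EVENTS = [
    (datetime(2010, 2, 1, 19, 30), r"C:\Users\x\Pictures\a.jpg", "mft_created"),
    (datetime(2010, 2, 1, 19, 31), r"C:\Users\x\Pictures\a.jpg", "recent_docs"),
    (datetime(2010, 2, 1, 19, 42), r"C:\Users\x\Pictures\b.jpg", "mft_created"),
    (datetime(2010, 2, 22, 20, 10), r"C:\Users\x\Pictures\c.jpg", "mft_created"),
    (datetime(2010, 3, 14, 21, 8), r"C:\Users\x\Pictures\d.jpg", "mft_created"),
]


def files_predating_infection(events, infection_time):
    """Paths created before the infection artifact first appeared.
    Those cannot be explained by that infection."""
    return sorted({path for ts, path, src in events
                   if src == "mft_created" and ts < infection_time})


def activity_sessions(events, gap=timedelta(hours=1)):
    """Group event times into sessions separated by more than `gap`.
    Several sessions on distinct dates suggest a pattern of activity
    rather than a single isolated event."""
    sessions = []
    for ts in sorted(ts for ts, _, _ in events):
        if sessions and ts - sessions[-1][-1] <= gap:
            sessions[-1].append(ts)
        else:
            sessions.append([ts])
    return sessions


def user_interaction(events):
    """Paths carrying an artifact of user interaction (here: recent_docs),
    which a background process would not normally leave behind."""
    return sorted({path for _, path, src in events if src == "recent_docs"})


def summarize(events, infection_time):
    """Collect the three checks into one dictionary for reporting."""
    sessions = activity_sessions(events)
    return {
        "predating_infection": files_predating_infection(events, infection_time),
        "session_count": len(sessions),
        "distinct_dates": len({s[0].date() for s in sessions}),
        "user_interaction": user_interaction(events),
    }


if __name__ == "__main__":
    for key, value in summarize(EVENTS, INFECTION_FIRST_SEEN).items():
        print(f"{key}: {value}")
```

On the constructed data three of the four files were created weeks before the infection artifact appeared, the activity falls into three sessions on three separate dates, and one file has a user-opened artifact, which is the kind of combined picture the reply refers to when it says to look at all of the data rather than one part.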