Ian Kennedy CEng MBCS CITP responds to the Trojan defence.

The presence of digital forensic evidence, particularly when it takes the form of still or moving images, is very compelling to a Court of law. Under UK law the burden of proving that a crime has been committed rests with the prosecution, which must demonstrate two complementary elements: that the guilty act was committed, and that the knowledge or intent was present. These are known in legal terms as the actus reus and the mens rea respectively.

Thus, with compelling proof of the guilty act before the Court, the Defence will often turn to the evidence supporting knowledge or intent in an attempt to refute a charge. As recent news articles show, suspected offenders are increasingly applying this tactic by holding up their hands and saying, 'Yep - it's there, but I didn't put it there - it was a Trojan'.

This kind of defence is an easy card for the Defence to play, as they do not have to prove anything - they need only introduce doubt to weaken the Prosecution's case. The onus is then on the Prosecution to prove beyond reasonable doubt that the illegal activity conducted on the computer was caused by the suspect and not by a third party, human or software.

Definitions

The term Trojan horse is often confused with the term virus. Wikipedia defines the term as a 'malicious program that is disguised as or embedded within legitimate software… Trojan horse programs cannot operate autonomously'.

This is an important point: some manual intervention, typically the user running something they believe to be legitimate, is required for a Trojan to become active. Much like Epeius's wooden horse, the electronic Trojan acts simply as a delivery mechanism containing a hidden payload of code waiting to be executed.

Wikipedia goes on to define a computer virus (referred to hereafter simply as a virus) as a 'self-replicating computer program that spreads by inserting copies of itself into other executable code or documents'. Unlike the Trojan, a virus requires no deliberate intervention from the user in order to replicate: once an infected host program or document is opened, the virus spreads on its own.

Similar to a virus, a worm is also self-replicating in nature but does not require a host computer program to attach itself to. It can therefore propagate itself independently.

The common theme with all of this type of software is the intent to infiltrate and sometimes damage a computer system, without the owner's consent or even knowledge. Collectively, such malicious software is commonly known as malware.

An approach

Refuting a Trojan defence can be undertaken in two stages of analysis. Having forensically copied the hard disk of the computer alleged to contain the Trojan, work can commence on the first stage: static analysis of the image, without booting it.

Static analysis

One of the first tasks to perform is an anti-virus sweep. Because results vary considerably between products, sweeps should be performed with several tools, each with up-to-date signatures, and the version and signature date of each recorded for the report. It is not uncommon for authors to deliver their malware in a compressed or packed form in an attempt to hide it from anti-virus software, so archives and packed executables found on the image should be unpacked and swept as well.

By computing a Message Digest 5 (MD5) hash of all known system files and comparing the hashes with those of like files from the same version of the operating system, with the same service packs and patches applied, it is possible to flag any files that may have been tampered with. An MD5 hash is a digital fingerprint that can be calculated from a file. The likelihood of an arbitrary second set of data having the same MD5 hash value as a given file, yet being different data, is 1 in 2^128, a level of certainty currently greater than that achievable with DNA matching. One caveat a practitioner should note: that figure holds for accidental matches only. Collisions in MD5 can be constructed deliberately, so a reference set used in evidence should carry a second hash such as SHA-256 alongside the MD5 value, and a match on MD5 alone should not be treated as proof that a file is unmodified.

Another aspect to consider is the presence of any trigger mechanism. For an item of malware to be effective it will rely on an event that will trigger its execution (be that by a user or by automation).

Thus references to the file in question should be sought in areas such as registry startup locations (for example the Run and RunOnce keys under HKLM and HKCU \Software\Microsoft\Windows\CurrentVersion, and the Winlogon and service keys), login or startup scripts, scheduled tasks, and any apparently modified dynamic link library (DLL) or executable files such as Winlogon.exe. Once any suspect files are located, their behaviour can be investigated using a number of online malware analysis and anti-virus vendor websites.

Dynamic analysis

Because of the wide variety of malware in the wild, static analysis may not always establish with any certainty the presence or behaviour of such programs. It is at this point that dynamic analysis, observing the machine while it runs, becomes a useful tool to further the examination.

The basic process involves taking a forensic copy of the original computer's hard disk and laying it down onto a second hard disk of equal or greater capacity. This clone is then placed into the suspect's computer, which is attached to a network hub with one other computer connected to it. That hub must be isolated from any production network and from the internet: the second computer captures traffic and, where needed, stands in for the remote hosts the malware tries to reach, so that nothing the clone does can leave the test bench or infect other systems. The cloned computer is then booted in the normal manner.

By monitoring port activity on the cloned computer it is possible to watch for any suspicious ports that are either listening or attempting to connect to a remote host. This can be achieved by installing a tool such as TCPView. This tool will also list the process that owns each open port, which is the thread to pull on next.

This procedure can identify a virus or worm that is attempting to replicate around the local network or is attempting to 'talk home' via the internet.
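The two checks described above, an unexpected listening port and a connection to a host outside the local network, can be applied to a saved snapshot of the connection table rather than only watched live in TCPView. The script below is an added example and is not from the original article: it parses lines laid out like Windows `netstat -ano` output (protocol, local endpoint, remote endpoint, state, owning PID), which carries the same facts TCPView displays, and reports the PIDs behind anything flagged. The sample lines, the baseline of expected listeners and the choice of 'local' address ranges are all constructed for the example.

```python
"""Flag suspicious port activity from a connection-table snapshot.

Added example, not code from the original article. Two rules are applied:
a LISTENING socket whose port is not in the baseline expected for this
build of the OS, and any connection to an address outside the local ranges
(a worm spreading or a Trojan 'talking home'). The sample lines, baseline
and address ranges below are constructed for the example.
"""
import ipaddress
from collections import namedtuple

Conn = namedtuple("Conn", "proto local_ip local_port remote_ip remote_port state pid")

# Constructed sample snapshot in `netstat -ano` layout (header lines omitted).
SAMPLE = """\
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       936
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:6667           0.0.0.0:0              LISTENING       1740
  TCP    192.168.1.10:1053      192.168.1.20:139       ESTABLISHED     4
  TCP    192.168.1.10:1054      203.0.113.7:6667       ESTABLISHED     1740
  TCP    192.168.1.10:1055      203.0.113.7:80         SYN_SENT        1740
  UDP    0.0.0.0:137            *:*                                    4
"""

# Constructed baseline: (protocol, port) pairs this build is expected to listen on.
BASELINE_LISTENERS = {("TCP", 135), ("TCP", 445), ("UDP", 137)}

# Ranges treated as "local" for the talk-home rule: RFC 1918, loopback,
# link-local and the unspecified address. Anything else counts as remote.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8")]


def _split_endpoint(endpoint):
    """'192.168.1.10:1054' -> ('192.168.1.10', 1054); '*:*' -> ('*', None)."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), (int(port) if port.isdigit() else None)


def parse_netstat(text):
    """Parse netstat -ano style rows into Conn tuples; skips header/blank lines."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 5:                       # TCP rows carry a state
            proto, local, remote, state, pid = parts
        elif len(parts) == 4:                     # UDP rows have no state
            proto, local, remote, pid = parts
            state = ""
        else:
            continue
        lip, lport = _split_endpoint(local)
        rip, rport = _split_endpoint(remote)
        conns.append(Conn(proto, lip, lport, rip, rport, state, int(pid)))
    return conns


def is_remote(ip):
    """True when the address lies outside every range in LOCAL_NETS."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:                            # '*' or an unparsable host
        return False
    return not any(addr in net for net in LOCAL_NETS)


def find_suspicious(conns, baseline=BASELINE_LISTENERS):
    """Return (unexpected_listeners, outbound_to_remote)."""
    listeners = [c for c in conns
                 if c.state == "LISTENING" and (c.proto, c.local_port) not in baseline]
    outbound = [c for c in conns
                if c.state in ("ESTABLISHED", "SYN_SENT") and is_remote(c.remote_ip)]
    return listeners, outbound


def suspect_pids(conns, baseline=BASELINE_LISTENERS):
    """PIDs to pull up in Process Explorer: owners of any flagged socket."""
    listeners, outbound = find_suspicious(conns, baseline)
    return sorted({c.pid for c in listeners + outbound})


if __name__ == "__main__":
    conns = parse_netstat(SAMPLE)
    listeners, outbound = find_suspicious(conns)
    for c in listeners:
        print(f"unexpected listener {c.proto}/{c.local_port} pid={c.pid}")
    for c in outbound:
        print(f"outbound {c.remote_ip}:{c.remote_port} ({c.state}) pid={c.pid}")
    print("suspect PIDs:", suspect_pids(conns))
```

In the constructed snapshot, PID 1740 both listens on TCP 6667 (not in the baseline) and has connections to 203.0.113.7, so it is the only process flagged; the SMB session to 192.168.1.20 falls within a local range and is ignored. The baseline is the part that needs care in practice: it should be built from a clean install of the same OS version and patch level, not from the suspect image itself.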

Even if no suspicious port activity is identified, this does not discount the possibility that a rogue process is running silently in the background. Process Explorer is a tool that will show, in real time, the resources such as files, DLLs and registry keys that a given process has open, and which executable on disk each process was started from.

Other tools are available that monitor changes made to files and the registry while the clone runs. Thus malware that combines triggers, for example by creating a registry key that in turn modifies or creates a file, can be detected by comparing the state of the file system and registry before and after the machine has been exercised.
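The hash comparison against a known-good reference set described under static analysis and the before-and-after change monitoring described here rest on the same operation: walk a tree, hash every file, and compare dictionaries. The script below is an added example, not code from the original article, and covers both: `compare_to_reference` flags image files whose digests differ from a reference set built from the same OS version and patch level (and files the reference set has never seen), while `diff_snapshots` lists what was created, modified or removed between two snapshots of a running clone. It hashes with MD5 and SHA-256 together, for the reason given earlier. The directory layout, file names (including `svch0st.exe` and `payload.dll`) and file contents in `demo()` are constructed for the example; in practice the reference tree would come from a clean install and the image would be mounted read-only.

```python
"""Hash-based integrity checks for a forensic image.

Added example, not code from the original article. hash_tree() walks a
directory and records (md5, sha256) for every regular file. The same walk
serves both checks from the article:
  * compare_to_reference(): system files whose digests differ from a
    known-good reference set, plus files the reference set does not list;
  * diff_snapshots(): files created, modified or removed between a 'before'
    and an 'after' snapshot of a booted clone.
All paths and contents in demo() are constructed for the example.
"""
import hashlib
import os
import tempfile

CHUNK = 1 << 20  # read 1 MiB at a time so large files do not need to fit in memory


def hash_bytes(data):
    """(md5, sha256) hex digests of an in-memory byte string."""
    return hashlib.md5(data).hexdigest(), hashlib.sha256(data).hexdigest()


def hash_file(path):
    """(md5, sha256) hex digests of a file, computed in chunks."""
    md5, sha = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            md5.update(chunk)
            sha.update(chunk)
    return md5.hexdigest(), sha.hexdigest()


def hash_tree(root):
    """Map each regular file's path (relative to root, '/'-separated) to its digests."""
    tree = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue  # symlinks and special files are not hashed
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            tree[rel] = hash_file(full)
    return tree


def compare_to_reference(tree, reference):
    """Return (tampered, unknown): files differing from the reference set,
    and files on the image that the reference set does not list."""
    tampered = sorted(p for p, d in tree.items() if p in reference and d != reference[p])
    unknown = sorted(p for p in tree if p not in reference)
    return tampered, unknown


def diff_snapshots(before, after):
    """Return (added, modified, removed) between two hash_tree() snapshots."""
    added = sorted(set(after) - set(before))
    removed = sorted(set(before) - set(after))
    modified = sorted(p for p in before.keys() & after.keys() if before[p] != after[p])
    return added, modified, removed


def _write(root, rel, data):
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as fh:
        fh.write(data)


def demo():
    """Constructed scenario: a reference tree; an image with one patched system
    file and one unknown executable; then a 'run' of the clone that drops a
    payload, edits a hive and deletes the unknown executable."""
    with tempfile.TemporaryDirectory() as ref, tempfile.TemporaryDirectory() as img:
        clean = (("Windows/system32/winlogon.exe", b"clean winlogon"),
                 ("Windows/system32/user32.dll", b"clean user32"),
                 ("Windows/system32/config/software", b"hive v1"))
        for rel, data in clean:
            _write(ref, rel, data)
            _write(img, rel, data)
        _write(img, "Windows/system32/winlogon.exe", b"clean winlogon + patch")
        _write(img, "Windows/system32/svch0st.exe", b"dropper")

        reference = hash_tree(ref)
        before = hash_tree(img)
        tampered, unknown = compare_to_reference(before, reference)

        # Simulated activity on the booted clone, then a second snapshot.
        _write(img, "Windows/Temp/payload.dll", b"payload")
        _write(img, "Windows/system32/config/software", b"hive v1 + Run key")
        os.remove(os.path.join(img, "Windows/system32/svch0st.exe"))
        after = hash_tree(img)
        return tampered, unknown, diff_snapshots(before, after)


if __name__ == "__main__":
    tampered, unknown, (added, modified, removed) = demo()
    print("tampered:", tampered, "unknown:", unknown)
    print("added:", added, "modified:", modified, "removed:", removed)
```

The `removed` list is worth keeping in the report even when it is empty: a claim of the R v Caffrey kind, that the malware deleted itself after acting, predicts exactly that a file present in the 'before' snapshot is absent in the 'after' one, and the snapshots either bear that out or do not.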

Impact

Should any malware be identified using this process the next important stage to consider is the impact it has on the computer system and, more importantly, the likelihood that such malware is responsible for any illegal files or activity found on the computer.

Locating anti-virus and firewall software that is both installed and configured to run automatically at start-up will go a long way towards refuting the claim that malware is responsible for illegal activity. Analysis of any log files found, with their dates and times, will support this further: a scan log that covers the period of the alleged activity and reports nothing is stronger evidence than the mere presence of the product.

If the suspect is charged with distributing files of an illegal nature across a network and states that it is a result of some malware then installing a packet sniffer on the network may help identify if any such file activity is occurring.

The location of any files found to contain malware can indicate whether the malware is live or simply dormant. For example, files found only in a browser's internet cache are highly likely to have been downloaded from the internet, but with no copy elsewhere on disk and no trigger referencing them they are most likely dormant: downloaded, but never executed.

Finally, the type of any malware found can be an easy way to refute claims of foul play at the hands of malicious software. For example, consider a computer found to contain only two items of malware, both classified as Trojan droppers (small programs whose only function is to place a further Trojan horse on the system). Had either dropper executed, its payload would be expected to be present; finding the droppers alone, with no payload, indicates that they have not run and so have had no impact on the computer system as a whole.

Limitations

This method works well if a relatively small amount of malware is identified as potentially active. With a larger number, the analysis becomes tedious and it is difficult to isolate any one item as the cause of a given artefact.

Dynamic analysis works well in most scenarios but cannot account for every possible trigger mechanism, such as code that runs only when a particular application starts, on a given date, or after some user action the examiner never performs.

In the case of R v Caffrey (2003), the Defence claimed that the absence of any malware was as a result of the malware deleting itself after performing the alleged illegal activity.

Some malware is specifically designed to 'kill' any anti-virus or firewall software found to be running, thus paving the way for other malicious software to execute without being detected.

Conclusions

Monitoring the static and dynamic behaviour of a suspect machine in this way is an extremely powerful instrument for refuting claims of the Trojan horse variety.

One might be tempted to believe that the caveats identified above render the whole process somewhat academic, but showing that a suspect sought out, and subsequently viewed, illegal files on their computer over a sustained period of time is a compelling counter-argument. Let us not forget as well that Trojan horses, wooden or otherwise, do not burn illegal files to a compact disc and then place the disc in a desk drawer.

Further reading