Feeds

Suspected paedophile cleared by computer forensics

Trojans found on accused man's HDD

  • alert
  • submit to reddit

SANS - Survey on application security programs

IT forensics firm Vogon has explained how its work helped clear a man accused of storing child pornography on his computer by proving his PC was contaminated by Trojan horse infection capable of downloading illicit images onto his machine.

Julian Green was arrested in October 2002 after police raided his home and found 172 indecent pictures of children on his hard drive. His solicitor, Chris Bittlestone of South Devon law firm Kitson Hutchings, called in one of Vogon International's forensic investigators, Martin Gibbs, to help.

A clone of Green's hard drive was sent to Vogon International in Bicester, where it was imaged and processed in the forensic laboratory using Vogon's specialist software. The data was then extensively examined and a report prepared, which highlighted that the Trojans were most likely to have come from unsolicited emails that Green opened before he deleted them.

Gibbs identified 11 Trojan horse programs on Green's computer which were set to log onto "inappropriate sites" without Green's permission whenever he loaded up a browser to access the Internet.

These findings were decisive in clearing Green of the 13 charges of making indecent images he faced at Exeter Crown Court this summer. On receiving evidence from Vogon the prosecution decided to drop the case.

"The prospects of my client being able to effectively defend himself without Vogon's help were very remote," said Bittlestone. "The stakes for him were extremely high - if he had been convicted, prison was a strong likelihood.

"The maximum sentence for possession of such images is ten years' imprisonment, and anyone convicted of such a matter would have become subject to registration with the police as a sex offender for a period of five years. Martin Gibbs' report was pivotal in this very important case."

Green's acquittal is one of three recent cases where a Trojan defence has succeeded in a British court. In April this year, Karl Schofield, 39, was cleared of possession of child porn when prosecutors accepted expert testimony that the unnamed Trojan could have been responsible for the presence of 14 child porn images on his PC.

Aaron Caffrey, the teenager hacker accused of crippling the Port of Houston's web-based systems, was found not guilty of computer crime offences this month after a jury accepted his story that attackers used an unspecified Trojan to gain control of his PC and launch the assault.

The prosecution argued that no trace of Trojan infection was found on Caffrey's PC but the defence was able to counter this argument with testimony from Caffrey that it was possible for a Trojan to wipe itself.

Nobody is disputing the validity of these verdicts, however legal and security experts have expressed concerns that the Trojan defence might become subject to misuse.

Vogon's Gibbs believes such concerns have been overplayed.

"I don't believe, as some have suggested, that recent cases with 'open the floodgates' to Trojan defences in cybercrime cases. When we look at how indecent images got onto a PC, for example, there is more to substantiate a claim that a Trojan was responsible than just the viral infection of a PC," Gibbs told The Register.

Gibbs was reluctant to go into details but said that factors like file directory structures and registry entries are among the items it considers when making a forensic examination of evidence. Vogon is asked to carry out computer forensic examinations in a variety of civil and criminal cases, working for both the prosecution and defence.

When a Trojan defence is used in a criminal case it is "down to the prosecution expert to dispute the claim", Gibbs added. ®

Related Stories

Caffrey acquittal a setback for cybercrime prosecutions
Teen hacker is not guilty
Trojan defence clears man on child porn charges

High performance access to file storage

More from The Register

next story
Obama allows NSA to exploit 0-days: report
If the spooks say they need it, they get it
Samsung Galaxy S5 fingerprint scanner hacked in just 4 DAYS
Sammy's newbie cooked slower than iPhone, also costs more to build
Putin tells Snowden: Russia conducts no US-style mass surveillance
Gov't is too broke for that, Russian prez says
Snowden-inspired crypto-email service Lavaboom launches
German service pays tribute to Lavabit
Mounties always get their man: Heartbleed 'hacker', 19, CUFFED
Canadian teen accused of raiding tax computers using OpenSSL bug
One year on: diplomatic fail as Chinese APT gangs get back to work
Mandiant says past 12 months shows Beijing won't call off its hackers
Call of Duty 'fragged using OpenSSL's Heartbleed exploit'
So it begins ... or maybe not, says one analyst
prev story

Whitepapers

Top three mobile application threats
Learn about three of the top mobile application security threats facing businesses today and recommendations on how to mitigate the risk.
Combat fraud and increase customer satisfaction
Based on their experience using HP ArcSight Enterprise Security Manager for IT security operations, Finansbank moved to HP ArcSight ESM for fraud management.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Five 3D headsets to be won!
We were so impressed by the Durovis Dive headset we’ve asked the company to give some away to Reg readers.
SANS - Survey on application security programs
In this whitepaper learn about the state of application security programs and practices of 488 surveyed respondents, and discover how mature and effective these programs are.