Trojan Horse Defense

The Trojan horse defense is a technologically based take on the classic SODDI ("some other dude did it") defense, believed to have surfaced in the UK in 2003. The defendant typically denies responsibility for (i) the presence of cyber contraband on the defendant's computer system, or (ii) the commission of a cybercrime via the defendant's computer, on the basis that malware (such as a Trojan horse, virus, worm, Internet bot or other program), or some other perpetrator using such malware, was responsible for the offence in question [Steel, C.M.S., "Technical SODDI Defences: the Trojan Horse Defence Revisited", JDFSL V9N4, http://ojs.jdfsl.org/index.php/jdfsl/article/viewFile/258/236]. A modified use of the defense involves a defendant charged with a non-cyber crime admitting that, technically speaking, he or she may be responsible for the commission of the offence, but contending that the necessary criminal intent or knowledge was lacking on account of malware involvement [Brenner, S., Carrier, B., Henninger, J., "The Trojan Horse Defense in Cybercrime Cases" (2004) 21 Santa Clara Computer and High Technology Law Journal 1, page 18; see the case of Eugene Pitts (2003) below]. The phrase itself is not an established legal term. It originated in early texts by digital evidence specialists, which referred specifically to trojans because many early successful defenses of this kind rested on the alleged operation of a Trojan horse. Given the increasing use of Trojan programs by hackers and the growing publicity surrounding the defense, its use is likely to become more widespread.


Legal basis of the defense

Excluding offences of strict liability, criminal law generally requires the prosecution to establish every element of the actus reus (the "guilty act") and the mens rea (the "guilty mind") of an offence [Laird, K., Ormerod, D., "Smith and Hogan's Criminal Law", 14th edition, page 59], together with the "absence of a valid defence". Guilt must be proved, and any defense disproved, beyond a reasonable doubt. In a Trojan horse defense the defendant claims that he did not commit the actus reus. In addition (or, where the defendant cannot deny having committed the actus reus, in the alternative) the defendant contends that he lacked the requisite mens rea, as he "did not even know about the crime being committed". Save for notable exceptions, the defendant should typically introduce some credible evidence that (a) malware was installed on the defendant's computer; (b) by someone other than the defendant; and (c) without the defendant's knowledge. Unlike the real-world SODDI defense, the apparent anonymity of the perpetrator works to the advantage of the defendant.


Prosecution rebuttal of the defense

Where such a defense has been raised, the prosecution is essentially in the position of having to "disprove a negative" by showing that malware was not responsible. This has proved controversial, with suggestions that "should a defendant choose to rely on this defense, the burden of proof (should) be on that defendant" [Starnes, R., "The Trojan Defence", Network Security, Volume 2003, Issue 12, December 2003, page 8]. If the evidence suggests that malware was present and responsible, the prosecution must then seek to rebut the claim that the defendant lacked the requisite mens rea. Much will depend on the outcome of the forensic investigative process, together with expert witness evidence relating to the facts. Digital evidence such as the following may assist the prosecution in negating the legal or factual foundation of the defense, by casting doubt on the contended absence of actus reus and/or mens rea:

* Absence of evidence of malware or backdoors on the defendant's computer.
* Where the defense attributes the absence of malware to a self-wiping trojan, evidence that anti-virus or firewall software was installed on the computer helps cast doubt on the defense (such software can result in trojan detection rates of up to 98%), as does evidence of the absence of wiping tools, since "it is practically impossible that there would be no digital traces of ... the use of wiping tools".
* Evidence showing that any located malware was not responsible, or was installed after the date(s) of the offences.
* Incriminating activity logs obtained from a network packet capture.
* In cyber-contraband cases, the absence of indicators of automation (such as closely spaced load times, or contraband time/date stamps showing a regular pattern). The volume of contraband is also relevant.
* Corroborating digital evidence showing the defendant's intent or knowledge (e.g. chat logs; see for example Regina v Aaron Caffrey, Southwark Crown Court, 17 October 2003).

Such properly obtained, processed and handled digital evidence may prove more effective when combined with corroborating non-digital evidence, for example (i) that the defendant has enough knowledge about computers to protect them; and (ii) relevant physical evidence from the crime scene related to the crime.
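As an added illustration of the automation and malware-timeline points listed above (example code written for this page, not taken from any of the cited sources or cases), the following Python script scores a set of file timestamps for signs of automated bulk loading and checks whether a located malware artifact predates the offence window. The file paths, timestamps and thresholds are constructed for the example; in a real examination the timestamps would come from the file-system metadata exported by the forensic tool, and because MAC timestamps can themselves be altered, the result is one indicator to be corroborated against journal, log and network data rather than proof on its own.

```python
"""Timestamp-regularity and malware-timeline checks for a contraband file set.

Added example for this article; the data below is constructed, not from any case.
"""
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Constructed sample 1: 40 files written two seconds apart in the early hours,
# the kind of pattern a script or bot produces.
AUTOMATED_SET = [
    (f"/home/user/.cache/img{i:03d}.jpg",
     datetime(2003, 7, 4, 2, 15, 0) + timedelta(seconds=2 * i))
    for i in range(40)
]

# Constructed sample 2: a handful of files spread over evenings on several days,
# which is what interactive browsing tends to look like.
HUMAN_SET = [
    ("/home/user/Downloads/a.jpg", datetime(2003, 7, 4, 21, 3, 12)),
    ("/home/user/Downloads/b.jpg", datetime(2003, 7, 4, 21, 9, 48)),
    ("/home/user/Downloads/c.jpg", datetime(2003, 7, 5, 19, 40, 5)),
    ("/home/user/Downloads/d.jpg", datetime(2003, 7, 9, 22, 17, 33)),
    ("/home/user/Downloads/e.jpg", datetime(2003, 7, 12, 20, 2, 59)),
]


def interarrival_seconds(entries):
    """Gaps in seconds between consecutive timestamps, sorted chronologically."""
    times = sorted(t for _, t in entries)
    return [(b - a).total_seconds() for a, b in zip(times, times[1:])]


def automation_indicators(entries, burst_window=5.0, cv_threshold=0.25):
    """Score a file set for bulk-loading signatures.

    burst_fraction: share of consecutive files written within burst_window
                    seconds of each other ("close proximity of load times").
    cv:             coefficient of variation of the gaps; near zero means the
                    files arrived at a regular, machine-like cadence.
    The thresholds are illustrative assumptions, not forensic standards.
    """
    gaps = interarrival_seconds(entries)
    if not gaps:
        return {"files": len(entries), "burst_fraction": 0.0, "cv": None,
                "distinct_days": len(entries), "looks_automated": False}
    burst_fraction = sum(1 for g in gaps if g <= burst_window) / len(gaps)
    mu = mean(gaps)
    cv = pstdev(gaps) / mu if mu > 0 else 0.0
    distinct_days = len({t.date() for _, t in entries})
    return {
        "files": len(entries),
        "burst_fraction": round(burst_fraction, 3),
        "cv": round(cv, 3),
        "distinct_days": distinct_days,
        "looks_automated": burst_fraction >= 0.8 and cv <= cv_threshold,
    }


def offence_window(entries):
    """(first, last) timestamps of the set, for the report."""
    times = [t for _, t in entries]
    return min(times), max(times)


def malware_could_account_for(malware_installed, entries):
    """True only if the malware artifact predates the first contraband file.

    A trojan installed after the offence dates cannot have been responsible,
    which is one of the rebuttal points listed in the article.
    """
    first, _ = offence_window(entries)
    return malware_installed <= first


if __name__ == "__main__":
    for name, data in (("automated", AUTOMATED_SET), ("human", HUMAN_SET)):
        print(name, automation_indicators(data), offence_window(data))
    # Constructed: a trojan artifact with an install time of 10 July 2003,
    # which is after the first file in HUMAN_SET and so cannot explain it.
    print(malware_could_account_for(datetime(2003, 7, 10, 3, 0, 0), HUMAN_SET))
```

The two indicators are deliberately separate: a high burst fraction with a near-zero coefficient of variation points to a script, while files spread across days at irregular intervals point to a person at the keyboard. Either way the timeline check against the malware artifact is what decides whether the trojan could even be a candidate explanation.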


The role of computer forensics

Whilst there is currently "no established standard method for conducting a computer forensic examination", the employment of digital forensics good practice and methodologies by computer forensics experts in the investigation can be crucial in establishing a defendant's innocence or guilt [Everett, C., "Viruses Bottleneck Prosecution" (2003) Mayfield Press, Oxford, Computer Fraud & Security]. This should include implementation of the key principles for obtaining and handling computer-based electronic evidence; see for example the ACPO Good Practice Guide for Computer-Based Electronic Evidence. Practical steps should include the following:

* Making a forensic copy (image) of the computer system in question as early as possible to prevent contamination (unlike in the case of Julie Amero, where the investigator worked directly off Amero's hard drive rather than creating a forensic image of the drive).
* Mounting the drive or image as a second, read-only disk on another machine for experts to run a standard anti-virus program against it.
* Correct handling of volatile data, so that evidence is acquired without altering the original.
* If a Trojan is found, examining the totality of the circumstances and the quantity of incriminating materials.
* Including a "network forensic approach", e.g. by way of legally obtained packet capture information.
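The first three steps above (image early, work from the copy, do not alter the original) come down to a verifiable acquisition. As an added example written for this page (not code from the ACPO guide or any cited source), the following Python script images a source device byte-for-byte while hashing the bytes as they are read, independently re-hashes the finished image, records both digests in a chain-of-custody record, and re-verifies the image before any later analysis so that a change to the working copy is detected, which is the kind of check that would have flagged an examination conducted on the original drive, as in the Amero case. It assumes the source has already been attached read-only behind a write blocker; the "device" used in demo() is a temporary file of random bytes constructed for the example, and the examiner identifier is a placeholder.

```python
"""Forensic image acquisition with hash verification and a custody record.

Added example for this article; demo() uses a constructed temporary file in
place of a real device, which would be attached read-only via a write blocker.
"""
import hashlib
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # read/write in 1 MiB blocks


def hash_file(path):
    """SHA-256 of a file, streamed so large images need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def acquire_image(source_path, image_path, examiner="examiner-id"):
    """Copy source to image byte-for-byte, hashing the source as it is read.

    The image is then hashed independently; both digests go into the custody
    record and 'verified' is True only when they match. Opening the source
    read-only is no substitute for a hardware write blocker. 'examiner' is a
    placeholder for whatever identifier the lab's custody form requires.
    """
    src_hash = hashlib.sha256()
    with open(source_path, "rb") as src, open(image_path, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            src_hash.update(block)
            dst.write(block)
    image_digest = hash_file(image_path)
    return {
        "source": source_path,
        "image": image_path,
        "bytes": os.path.getsize(image_path),
        "sha256_source": src_hash.hexdigest(),
        "sha256_image": image_digest,
        "verified": src_hash.hexdigest() == image_digest,
        "acquired_utc": datetime.now(timezone.utc).isoformat(),
        "examiner": examiner,
    }


def reverify(record):
    """Before each analysis session: confirm the working image is unchanged."""
    return hash_file(record["image"]) == record["sha256_image"]


def demo():
    """Acquire a constructed 'device', verify, then show tampering is caught."""
    with tempfile.TemporaryDirectory() as workdir:
        device = os.path.join(workdir, "sda.raw")     # stands in for /dev/sdX
        image = os.path.join(workdir, "sda.raw.dd")
        with open(device, "wb") as f:
            f.write(os.urandom(3 * CHUNK + 12345))  # constructed content
        record = acquire_image(device, image)
        intact = reverify(record)
        # Simulate an examiner writing to the working copy: flip one byte.
        with open(image, "r+b") as f:
            f.seek(4096)
            original = f.read(1)
            f.seek(4096)
            f.write(bytes([original[0] ^ 0xFF]))
        after_write = reverify(record)
        return record["verified"], intact, after_write


if __name__ == "__main__":
    print(demo())  # (True, True, False)
```

Hashing the source stream during the single read, rather than reading the original a second time to hash it, keeps the number of passes over the evidence to one; the independent re-hash of the image is what proves the copy, not just the read, was faithful.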


Cases involving the Trojan Horse Defense

There are various cases in which the Trojan horse defense has been used, sometimes successfully. Some key cases include the following:

Regina v Aaron Caffrey (2003): The first heavily publicised case involving the successful use of the defense [Bowles, S., Hernandez-Castro, J., "The first 10 years of the Trojan Horse defence", Computer Fraud & Security, January 2015, Vol. 2015(1), pp. 5-13, page 7]. Caffrey was arrested on suspicion of having launched a denial-of-service attack against the computer systems of the Port of Houston, causing the Port's webserver to freeze and resulting in huge damage on account of the Port's network connections being rendered unavailable [Šepec, M., "The Trojan Horse Defence -- a Modern Problem of Digital Evidence", Digital Evidence and Electronic Signature Law Review, 9 (2012), page 3], thereby preventing the provision of information to "ship masters, mooring companies, and support companies responsible for the support of ships sailing and leaving the port". Caffrey was charged with an unauthorised modification offence under section 3 of the Computer Misuse Act 1990 (section 3 has since been amended by the Police and Justice Act 2006, creating an offence of temporary impairment). The prosecution and defense agreed that the attack originated from Caffrey's computer. Whilst Caffrey admitted to being a "member of a hacker group", his defense claimed that, without his knowledge, attackers had breached his system and installed "an unspecified Trojan ... to gain control of his PC and launch the assault", which also enabled the attackers to plant evidence on Caffrey's computer. No evidence of any trojan, backdoor services or log alterations was found on Caffrey's computer. However, the denial-of-service script itself was found, with logs showing that the attack program had been run, and incriminating chat logs were also recovered [Brenner, S., Carrier, B., Henninger, J., "The Trojan Horse Defense in Cybercrime Cases" (2004) 21 Santa Clara Computer and High Technology Law Journal 1, p. 13, referring to the article published by Neil Barrett, an expert witness in the Caffrey trial]. Caffrey himself testified that a Trojan horse "armed with a wiping tool" could have deleted all traces of itself after the attack. Despite expert testimony that no such trojans existed, the jury acquitted Caffrey. The case also raises issues regarding digital forensics best practice, as evidence may have been destroyed when investigators cut the power to Caffrey's computer.

Julian Green (2003): A United Kingdom case. Julian Green was arrested after 172 indecent pictures of children were found on his hard drive. The defense argued that Green had no knowledge of the images on his computer and that someone else could have planted them. Green's computer forensics consultant identified 11 Trojan horses on Green's computer which, according to the consultant's expert witness testimony, were capable of putting the pornography on the computer without Green's knowledge or permission. Green was acquitted of all charges at Exeter Crown Court after the prosecution offered no evidence, having been unable to prove that Green downloaded the images onto the computer. The case also raises issues relating to the evidential chain of custody, as the possibility of evidence having been planted on Green's computer could not be excluded.

Karl Schofield (2003): Karl Schofield was also acquitted using the Trojan horse defense. He was accused of creating 14 indecent images of children on his computer, but a defense expert witness gave forensic testimony that a Trojan horse had been found on Schofield's computer and that the program was responsible for the images found on it [Brenner, S., Carrier, B., Henninger, J., "The Trojan Horse Defense in Cybercrime Cases" (2004) 21 Santa Clara Computer and High Technology Law Journal 1, page 8]. Prosecutors accepted the expert witness testimony and dismissed the charges, concluding that they could not establish beyond a reasonable doubt that Schofield was responsible for downloading the images [Brenner, Carrier and Henninger, p. 8].

Eugene Pitts (2003): A US case involving an Alabama accountant who was acquitted of nine counts of tax evasion and filing fraudulent personal and business state income tax returns with the Alabama state revenue department. The prosecution claimed that he had knowingly underreported more than $630,000 in income over a three-year period; he faced a fine of $900,000 and up to 33 years in prison. Pitts had apparently been accused of under-reporting taxes in preceding years. Pitts argued that a computer virus was responsible for modifying his electronic files, resulting in the under-reporting of his firm's income, and that he was unaware of the virus until investigators alerted him. State prosecutors noted that the alleged virus did not affect the tax returns of clients, which were prepared on the same machine. The jury nevertheless acquitted Pitts of all charges.


The future of the defense

Increased publicity, increased use

As the defense gains more publicity, its use by defendants may increase. This may lead to criminals planting Trojans on their own computers and later seeking to rely on the defense. Equally, innocent defendants incriminated by malware need to be protected. Cyberextortionists are already exploiting the public's fears by "shaking down" victims, extorting payment from them under the threat that otherwise the criminals will plant cyber-contraband on their computers [Ghavalas, B., Philips, A., "Trojan defence: A forensic view part II", Digital Investigation (2005) 2, 133-136, page 136]. As with many criminal offences, it is difficult to prevent the harm that arises during the course of the investigation. For example, in the case of Julian Green, before his acquittal he spent one night in the cells, nine days in prison and three months in a bail hostel, and lost custody of his daughter and possession of his house. In the subsequent case of Karl Schofield, he was attacked by vigilantes following reports of his arrest, lost his employment, and the case took two years to come to trial. Appropriate digital forensic techniques and methodologies must be developed and employed which put the forensic analyst "in a much stronger position to be able to prove or disprove a backdoor claim". Applied early in the investigation process, this could avoid a reputationally damaging trial for an innocent defendant.

Juries

For a lay juror, the sheer volume and complexity of expert testimony relating to computer technology, such as Trojan horses, can make it difficult to separate fact from fallacy. It is possible that some defendants are being acquitted because jurors are not technologically knowledgeable. One suggested way to address this would be to educate juries and prosecutors in the intricacies of information security.

Mobile technology

The increasing dominance of smart device technology (combined with consumers' typically lax habits regarding smart device security) may lead to future cases in which the defense is invoked in the context of such devices.

Government Trojans

Where the use of government Trojans results in contraband on, or the commission of a cybercrime via, a defendant's computer, there is a risk that through a gag order (for example a US National Security Letter) the defendant could be prevented from disclosing his defense on national security grounds. The balancing of such apparent national security interests against principles of civil liberties is a nettle which, should the use of government Trojans continue [Gliss, H., "German police and Secret Service propose use of Trojan horse: a crazy notion", Computer Fraud & Security, 2007, Vol. 2007(4), pages 16-17], may need to be grasped by legislatures in the near future.


See also

* SODDI defense
* Trojan horse
* Blackmail
* Botnet
* DoSnet
* Hacker (computer security)

