The Trojan Horse Defense

I was recently asked to testify as an expert in a criminal trial. During the trial, the federal prosecutor read the following portion of the BitTorrent & Digital Contraband research paper [1] that I wrote for SANS Institute:

"The Trojan Horse Defense is a specific application of the more general "some other dude did it" defense but has the advantage of providing a single alternate explanation that is less abstract than an unknown perpetrator. Although lawyers refer to it as the "Trojan Horse Defense," in common use, it applies to a defense based on any malware including a virus, a worm or even browser hijacking. It also plays on a common fear about getting hacked that may resonate with members of the jury."

I stand by these remarks as they were directed at an audience comprised primarily of forensic professionals working for law enforcement. Our justice system is adversarial by design. The role of the prosecution is to prove their case beyond a reasonable doubt. The role of the defense attorney is to highlight areas where the prosecution has failed to prove their case beyond a reasonable doubt. The role of a digital forensics expert is to talk about the technical merits of the case in a truthful manner, regardless of which side has retained him or her.

As a technical expert on cyber security and digital forensics, I believe eliminating a defense based on malware should be a standard procedure for every investigation involving a computer crime. In fact, certain forensic tools, such as Axiom by Magnet Forensics [2] and Cellebrite Physical Analyzer [3], have this capability built in. If the prosecution fails to rule out malware, it is reasonable to expect that defense arguments would explore this oversight.
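To make the "rule out malware" step concrete, here is an added example of the simplest version of it: a hash-set and location triage over a mounted evidence volume. This is illustrative code written for this page, not code from the original post and not the method used by Axiom or Physical Analyzer; the known-bad hash, the suspect directory list and the sample evidence tree are all constructed for the demo. Note that the result records how many files were scanned, because in court the negative finding ("no malware found") is only as strong as the documented scope of the search.

```python
"""Hash-set malware triage over a mounted evidence tree (added example).

The known-bad hash set below is constructed for this demo and matches no real
malware. A real examination would use a hash set or signature engine from a
malware intelligence source and document its version and date.
"""
import hashlib
import tempfile
from pathlib import Path

# Constructed "known-bad" set: sha256 -> family label (demo data only).
KNOWN_BAD_SHA256 = {
    hashlib.sha256(b"MZ\x90\x00demo-dropper").hexdigest(): "Demo.Dropper",
}

# Hypothetical list of directories (relative to a mounted Windows system volume)
# where droppers are commonly staged. Executables found here are queued for
# analyst review even when their hash is not in the known-bad set.
# Paths are compared case-sensitively here; NTFS volumes are not.
SUSPECT_DIRS = ("Users/Public/", "Windows/Temp/", "ProgramData/")
EXEC_SUFFIXES = {".exe", ".dll", ".scr", ".ps1", ".vbs", ".js"}


def sha256_file(path: Path) -> str:
    """Hash a file in 1 MiB chunks so large binaries do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def triage(mount_root: str) -> dict:
    """Walk a mounted image and return findings.

    Keys of the returned dict:
      scanned   - number of files hashed (documents the scope of a negative result)
      known_bad - list of (relative path, sha256, family) hash-set hits
      review    - list of relative paths: executables in suspect directories
    """
    root = Path(mount_root)
    findings = {"scanned": 0, "known_bad": [], "review": []}
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        digest = sha256_file(path)
        findings["scanned"] += 1
        if digest in KNOWN_BAD_SHA256:
            findings["known_bad"].append((rel, digest, KNOWN_BAD_SHA256[digest]))
        elif path.suffix.lower() in EXEC_SUFFIXES and rel.startswith(SUSPECT_DIRS):
            findings["review"].append(rel)
    return findings


def build_demo_image() -> str:
    """Create a constructed evidence tree in a temp directory and return its path."""
    root = Path(tempfile.mkdtemp(prefix="evidence_"))
    (root / "Users/Public").mkdir(parents=True)
    (root / "Windows/Temp").mkdir(parents=True)
    (root / "Users/alice/Documents").mkdir(parents=True)
    # One hash-set hit, one unknown executable in a staging directory, one benign file.
    (root / "Users/Public/update.exe").write_bytes(b"MZ\x90\x00demo-dropper")
    (root / "Windows/Temp/helper.dll").write_bytes(b"MZ\x90\x00unknown-binary")
    (root / "Users/alice/Documents/notes.txt").write_bytes(b"nothing to see")
    return str(root)


if __name__ == "__main__":
    result = triage(build_demo_image())
    print(f"files scanned: {result['scanned']}")
    for rel, digest, family in result["known_bad"]:
        print(f"KNOWN BAD  {rel}  {family}  {digest[:16]}...")
    for rel in result["review"]:
        print(f"REVIEW     {rel}")
```

Run it against the root of a read-only mounted image instead of the demo tree to get a first-pass list of hash hits and unknown executables in staging locations. A clean run is not proof of absence, only evidence that this particular check, with this particular hash set, found nothing; an examiner would pair it with persistence-mechanism review and, where the case warrants, a full antivirus or YARA scan.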


[1] https://www.sans.org/reading-room/whitepapers/legal/bittorrent-digital-contraband-36887
[2] https://www.magnetforensics.com/resources/axiom-at-work-malware-investigations/
[3] https://cellebrite.com/en/glossary/malware-scanner-mobile-device-forensics/

Lucid Truth Technologies is a registered trademark of Kenneth G. Hartman Consulting, LLC
©2025. Lucid Truth Technologies.