The Trojan Horse Defense Revisited

Journal of Digital Forensics, Security and Law

Volume 9 Number 4 Article 4

2014

Technical Soddi Defenses: The Trojan Horse Defense Revisited

Chad M. Steel Steel George Mason University

Follow this and additional works at: https://commons.erau.edu/jdfsl

Part of the Computer Engineering Commons, Computer Law Commons, Electrical and Computer Engineering Commons, Forensic Science and Technology Commons, and the Information Security Commons

Recommended Citation Steel, Chad M. (2014) "Technical Soddi Defenses: The Trojan Horse Defense Revisited," Journal of Digital Forensics, Security and Law: Vol. 9 : No. 4 , Article 4. DOI: https://doi.org/10.15394/jdfsl.2014.1192 Available at: https://commons.erau.edu/jdfsl/vol9/iss4/4

This Article is brought to you for free and open access by the Journals at Scholarly Commons. It has been accepted for inclusion in Journal of Digital Forensics, Security and Law by an authorized administrator of (c)ADFSL Scholarly Commons. For more information, please contact [email protected]. Technical SODDI Defenses: The Trojan Horse Defense Revisited JDFSL V9N4 This work is licensed under a Creative Commons Attribution 4.0 International License.

TECHNICAL SODDI DEFENSES: THE TROJAN HORSE DEFENSE REVISITED Chad M. S. Steel George Mason University MS 2B5 Fairfax, VA 22030 [email protected]

ABSTRACT In 2004, the Trojan horse defense was at a crossroads, having been successfully employed in two child pornography cases in the United Kingdom, resulting in acquittals. Despite the early successes, the Trojan horse defense has failed to become a regularly employed strategy. The original Trojan horse defense has now become part of the more general technical SODDI (Some Other Dude Did It) defense, which includes the possibility of unknown actors using unsecured Wi-Fi connections or having physical access to a computer to perform criminal acts. In the past ten years, it has not been effective in the United States for criminal cases, with no published acquittals in cases where it was the primary defense. Where the technical SODDI defense has been successfully used as leverage in plea negotiations, there has been either poor forensics performed by the prosecution or political pressure to resolve a matter. On the civil side, however, the defense has been wildly successful, effectively shutting down large John Doe copyright infringement litigation against non-commercial violators. Keywords: SODDI defense, Trojan horse, copyright infringement 1. INTRODUCTION matters. Despite increases in computer literacy for judges and juries and an In 2004, Brenner et al visited the use of the increased prosecutorial and investigative Trojan horse defense in court, citing two awareness of the defense, it is still recent cases in the United Kingdom where occasionally employed, although it has not reasonable doubt was successfully become a commonplace strategy. established. In their seminal review, they speculated that: The Trojan horse defense and the more general technology-driven SODDI (Some It may well be, as was suggested Other Dude Did It) defense are raised most earlier, that the success the defense frequently in child pornography cases, has so far enjoyed will be a transient though variants have been successfully phenomenon, a product of the employed in civil litigation related to general public’s current unfamiliarity copyright infringement. On the criminal with computer technology and online side, the defense has been largely (Brenner, Carrier, & Henninger, unsuccessful, though on the civil side, 2004). specifically in cases of copyright In the decade that followed, the defense infringement, it has been employed more has evolved and, consistent with the fruitfully. prediction above, has failed to become a This paper examines the current state of successful, mainstream strategy in criminal the Trojan horse defense, and the related,

© 2014 ADFSL Page 49 JDFSL V9N4 Technical SODDI Defenses: The Trojan Horse Defense Revisited This work is licensed under a Creative Commons Attribution 4.0 International License. more frequent employed, technical SODDI software, and the more general technical defense, which can include blaming an SODDI defenses, which blame the actions unknown actor for using anything from a on an unknown actor that may be either a single computer with multiple accounts to person or malware. an open wireless access point. It examines United States case law for the past ten 3. TRADITIONAL years, and provides an analysis of the TROJAN HORSE current and future state of the technical CASES SODDI defense. Traditional Trojan horse cases generally rely 2. TYPOLOGY OF on forensic evidence to cast doubt that the TECHNICAL SODDI actions ascribed to a defendant’s machine DEFENSES were performed by the defendant. They sidestep the issue of “putting the defendant Trojan horses are a form of malware named at the keyboard” by blaming malicious code after the legendary Greek ploy to enter the running on the machine for the observed city of Troy. The term refers to a particular actions. The two common defense type of malware that masquerades as approaches are to forensically identify innocent software but contains malicious malware currently on the machine (or code inside that entices a victim to install it previously present on the machine), or to on their system (Landwehr, Bull, find that sufficient malware protection was McDermott, & Choi, 1994). For the not in place at the time of the events of purposes of the Trojan horse defense, the interest. malware involved does not necessarily meet Traditional Trojan horse cases can be the strict definition of a Trojan horse, but broken up into two categories–content- may be a virus, worm, spyware, or even related cases, where the malware is blamed legitimate software that facilitates an for the presence of contraband on a system, unauthorized remote or local access. and illegal access/system interference cases At its heart, the Trojan horse defense is where the malware is blamed for some simply a variant of the age-old SODDI activity associated with a system. In cases strategy. The strategy is to blame the where both claims are made, the claim digital activities under investigation on associated with the primary activity being another actor, either known or unknown charged is used to classify the case. (Lubet, 1992). The Trojan horse defense is the most common form of the technical 3.1 Content-Related Cases SODDI defense, but other forms of the Content-related cases are those where the defense exist. The actor in question in the presence of material on an individual’s technical SODDI defense may be a person, digital media form the basis of the malware, or a combination of both. criminality. The primary crime involved in In general, the technical SODDI defense these cases is child pornography possession. can be broken into a taxonomy based on the The general standard for possession of type activity that is being put forth as contraband was set by United States v. evidence. While the base defense is the Kuchinski (US v. Kuchinski, 2006), a child same, the strategy relies on different actors pornography possession case. In the case, and motivations (if motive can be indirectly Kuchinski was found to have approximately ascribed to malware) based on the type of 19,000 images of child pornography in his offense. Case law can be broken up into two Temporary Internet Files directory, both separate areas of offense–traditional Trojan active and deleted, and was charged with horse defenses, which blame the actions on

Page 50 © 2014 ADFSL Technical SODDI Defenses: The Trojan Horse Defense Revisited JDFSL V9N4 This work is licensed under a Creative Commons Attribution 4.0 International License. possession and receipt of child pornography. reasonable possibility of bias. The court On appeal, the court held that Kuchinski further held that finding an extensive could not be charged with possession of the collection of child erotica and browser temporary files, finding: activity related to child pornography were sufficient grounds to overcome the Trojan Where a defendant lacks knowledge horse defense and to uphold the original about the cache files, and conviction. concomitantly lacks access to and control over those files, it is not In several content-related cases, the proper to charge him with possession technical SODDI defense has been made and control of the child pornography before proceeding to trial. In at least one images located in those files, without case, a defense forensics team conducted an some other indication of dominion analysis and made use of the press prior to and control over the images. trial, potentially facilitating a plea agreement. In State of Arizona v. Bandy Post-Kuchinski, possession of (State of Arizona v. Matthew Bandy, 2005), contraband requires that the prosecution the defendant, the then 16-year-old show the defendant had knowledge about Matthew Bandy, was charged with the existence of content on a device and uploading child pornography to a Yahoo! access to a mechanism to affect that group and with possessing the child content. This case would at first appearance pornography that was found on both his tend to support a technical SODDI defense, computer and on a CD in his home. The requiring the prosecution to show that the defense hired Tami Loehrs to perform a defendant had knowledge of the presence of forensic analysis. Loehrs identified what she child pornography on a computer. The believed to be Trojan horse software on courts have narrowly applied Kuchinski in Bandy's computer, and concluded that it "is relation to technical SODDI defenses, common for a person that views child however. pornography to store the images on an In Wise v. State of Texas (Wise v. innocent person’s computer". A subsequent State, 2012), Wise was convicted of the forensic analysis found that, while there was possession of child pornography based on malware present, it was installed after the deleted images found in free space on his dates of the child pornography offense and computer. The conviction was overturned did not contain the functionality to on appeal, based on Wise’s double defense surreptitiously download child pornography. that (1) there were viruses found on his The examination further identified web computer, and the viruses could have searches consistent with child pornography downloaded the child pornography, and (2) activity and registration information linking the computer was purchased at a flea Bandy and the online Yahoo! account. market and the previous owner could have Bandy ultimately pleaded guilty to three downloaded the child pornography. The counts of distributing pornography to a appellate court’s decision was similarly minor. The prosecutor's office ultimately overturned and the trial court’s decision concluded: held. The court found neither count In light of the circumstances credible, opining that “placement of a surrounding this case–such as the pornographic image on the free space of a age of the juvenile and his lack of computer would be inconsistent with the prior criminal conduct–we felt 90 purpose for placing a virus on a computer”, years was disproportionately harsh and that the testimony about previous and offered a plea bargain allowing owner came from the defendant’s brother Bandy to plead guilty to the lesser and lacked specificity, leading to a

© 2014 ADFSL Page 51 JDFSL V9N4 Technical SODDI Defenses: The Trojan Horse Defense Revisited This work is licensed under a Creative Commons Attribution 4.0 International License. charge of distributing pornography installed on the computer of a defendant or to minors. Bandy accepted this used to take over the account of a agreement (Alexander, 2007). defendant. That computer or account was then used as a launch pad to conduct illegal In United States v. Kerr (US v. Kerr, activities. The activities may have been the 2006), Kerr was identified by the FBI when direct result of the malware, with the he offered child pornography through malicious code automatically retrieving Internet Relay Chat (IRC). Kerr provided content, or indirectly the result of the the address of a server he hosted in the chat malware, with the malicious code facilitating room, offering to allow anyone who first remote access for a human attacker. uploaded a contraband image to download child pornography. An FBI special agent In United States v. Miller (US v. Miller, was able to download an image depicting 2008), Miller was found to be in possession sexual activity between pre-teen minors, and of a Zip disk containing approximately 1,200 an analysis of Kerr’s computer found child images of pornography, of which 20 were pornographic images present. In a twist on child pornography. Miller claimed to have the Trojan horse defense, Kerr claimed that no knowledge of the images, and presented a he was actually writing a virus, for which he two-part Trojan horse defense. In the first would use the child pornography as a part, Miller claimed that he previously had distribution vector. The planned virus a virus on his machine that may have would allegedly infect and damage the downloaded the images on his behalf (a machines of pedophiles. The forensic stored content claim). In the second portion analysis of Kerr’s machine found, however, of the claim, Miller stated that he had been no evidence that he was writing any such the victim of credit card fraud and that the virus and Kerr’s conviction was upheld. accesses to websites may have been because “someone may have gotten access to his ‘log Although there have yet to be any ons’ and credit card numbers”. The court malware defenses brought forth in court rejected both arguments. The digital that have identified specific malware forensics report showed multiple accesses to associated with child pornography, at least the Zip disk to copy child pornography. one virus made claims of finding child Additionally, the defendant admitted to pornography already present on a computer. acquiring the adult pornography on the The Reveton ransomware virus would infect disk, which the forensics showed was copied a machine and claim to be from the FBI, concurrent with the child pornography. “identify” child pornography on the machine, and then request the user pay a fine online. In United States v. Gardner (US v. While the virus did not place any actual Gardner, 2012), Gardner was charged with child pornography on machines, one user, both possession and distribution of child Jay Riley, went to his local police pornography. Part of the defense strategy department asking if he was wanted on was to claim that either the defendant’s child pornography charges after being brother was responsible (he had access to infected with the virus. After Riley allowed the computer and the defendant had police to view his machine, they found child bookmarked his online account to allow pornography on it and he was arrested automatic logins) or a virus found on the (Matyszczyk, 2013). computer was responsible. The court reviewed the report of the computer 3.2 Illegal Access/System forensics expert presented by the defense, Interference Cases and denied the inclusion of the portions related to a possible Trojan horse defense, In illegal access/system interference cases, stating: the Trojan horse claim is that malware was

Page 52 © 2014 ADFSL Technical SODDI Defenses: The Trojan Horse Defense Revisited JDFSL V9N4 This work is licensed under a Creative Commons Attribution 4.0 International License. Absent any evidence (other than the definitive conclusions can be drawn speculation offered by the regarding the state of compromise in the Defendant) that a third party case. hacked into the Gardner family In State of Connecticut v. Amero (State computer to download the offending of Connecticut v. Amero, 2007), a substitute images, [the defense expert’s] teacher, Julie Amero, was initially convicted conclusion is, at best, not relevant, on four counts of endangering the welfare of and would confuse the jury. a child for allowing her seventh grade class One of the most reported illegal to see pop-up ads containing adult access/system interference cases employing pornography. The prosecution claimed that a technical SODDI defense never made it to Amero visited pornographic websites on the trial. Michael Fiola, a then-employee of the classroom computer that was visible to her Massachusetts Department of Industrial students. During the initial trial, the defense Accidents, was charged with possession of was prevented from putting forth a theory child pornography on his State-issued laptop that malware caused the pop-ups (Green, in August 2007. The charges were based, in 2008). part, on an examination of the laptop by A review of the court transcripts and a State IT staff following unusually high forensic examination of a logical drive image Internet activity associated with the (the original drive was never forensically machine. The examination purported to find imaged and had been accessed after the child pornography and web activity incident) were conducted by an independent associated with child pornography. The group of forensics experts. They concluded charges were dropped in 2008, but Fiola was that the testimony provided by the still terminated (Sweet, 2008). prosecution's expert witness was in error, The only publicly available examination and that their forensic analysis was not of Fiola’s computer was performed on behalf performed in accordance with industry best of the defense, and while it concludes there practices. The group further concluded that was malware present on the system, the the machine was infected with adware, and malware cited is not known to be associated that it would pop up ads related to search with child pornography. Statements in the terms entered and sites visited by the user. report such as "Since BBS’s have not been Further, a site visit by Amero to what could active in almost 20 years, the use of this reasonably have been mistaken for a site on term as a current search term makes no hairstyles was found to have pornographic sense and seems suspicious" regarding the material present. Additionally, the close term "sun Lolita bbs" exhibit a poor proximity of the load times for the understanding of the terms used by child pornographic material was consistent with pornographers (Steel, 2009), and far an automated retrieval (Eckelberry et al., reaching conclusions such as "I can say with 2007). In 2007, the appellate court vacated 100% certainty that the Laptop was the conviction based on false facts presented compromised by numerous viruses and during the trial and Amero ultimately Trojans and may have been hacked by pleaded to a single court of disorderly outside sources" are beyond those that can conduct (Green, 2008). be drawn from the information available in In United States v. Solon (US v. Solon, the forensic report (Loehrs, 2009). On the 2013), Solon was convicted of possession and other hand, the IT examination done by the attempted receipt of child pornography in State is not available, and the 2008. Solon was initially identified by the administrative investigation was not Wyoming Internet Crimes Against Children performed by forensic specialists, so no (ICAC) taskforce after he used Limewire to

© 2014 ADFSL Page 53 JDFSL V9N4 Technical SODDI Defenses: The Trojan Horse Defense Revisited This work is licensed under a Creative Commons Attribution 4.0 International License. download five movies containing child cases, but it has been used extensively in pornography. Solon’s computer was seized, civil litigation related to copyright and a forensic analysis confirmed the infringement and intellectual property theft. presence of the child pornography movies on his computer. The defendant admitted to 4.1 Illegal Access/System installing Limewire and using it to download Interference Cases "Grand Theft Auto", but not to downloading the child pornography. The Individuals who have their connections defense asserted Solon's computer was hijacked or their computers used by another compromised by malware, leading to the individual for illegal purposes rarely end up downloads (Associated Press, 2009). A jury in court, with the confusion generally found Solon guilty, and the conviction was resolved prior to indictment. They have, upheld on appeal. however, been subject to erroneous and invasive searches and seizures in several In one of the more audacious illegal cases. While many of the cases involve access/system interference cases, David content-related offenses, the defenses put Goldstein was charged with felony forth are based on illegal access. possession of child pornography following an attempt to frame two other individuals for In United States v. Smith (US v. Smith, the same offense. Goldstein, a mental health 2014), Smith’s laptop was identified as patient, allegedly posted links to child having downloaded 26 child pornography pornographic images in online forums using movies to his local hard drive using the the names of Timothy Jerman, a Vermont peer-to-peer client Frostwire. The defense state representative, and Dr. Stuart Graves, presented the case that one of Smith’s a mental health professional. Graves was roommates, who also had access to the associated with a facility that Goldstein had laptop, had downloaded the child previously been admitted to, and Jerman's pornography. The jury convicted Smith, but wife worked as a nurse at the same facility. the district court entered an acquittal based The "distribution" was reported to the on insufficient evidence of guilt being Internet Crimes Against Children taskforce presented. The jury’s conviction was upheld by Goldstein. Goldstein never obtained on appeal, with the appellate court ruling physical or virtual access to the devices that the jury was allowed to determine owned by Jerman or Graves, so there were Smith’s guilt based on their assessment of no forensic ties to their machines and the the testimony of the roommates. police quickly cleared them and identified In other cases, individuals used their Goldstein, who used his own email to roommate’s computer to commit offenses. register fake profiles he used to post the In United States v. Moriarity (US v. images (Moats, 2010). Moriarty, 2005), Moriarity admitted to using his roommate’s computer to access 4. TECHNICAL SODDI child pornography, which he later attempted CASES to distribute in return for money. In The more general technical SODDI cases are Commonwealth v. Robertson-Dewar (Com. similar to illegal access/system interference v. Robertson-Dewar, 2003), the defendant cases, but the defendant claims that an admitted to using both his roommate’s unnamed individual used their Wi-Fi computer and his roommate’s Penn State connection (which is generally unsecured) or account to download child pornography. In their computer to commit the charged United States v. Holness (US v. Holness, offenses. The technical SODDI defense has 2013), Holness used his roommate’s only been used occasionally in criminal computer to obtain a $500,000 life insurance policy on his wife, who he was subsequently

Page 54 © 2014 ADFSL Technical SODDI Defenses: The Trojan Horse Defense Revisited JDFSL V9N4 This work is licensed under a Creative Commons Attribution 4.0 International License. convicted of murdering. None of these cases Similarly, in United States v. Stanley resulted in any charges against the (US v. Stanley, 2014), Stanley was identified computer owners, however, indicating that when police used a tool called investigators and prosecutors were able to MoocherHunter to track a connection from recognize that the owner was not likely the his computer to his neighbor’s Wi-Fi. perpetrator of the criminal acts prior to Stanley’s neighbors were targeted when indictment. their IP address was associated with distributing child pornography. Following a A confession to being the “mysterious forensic review of their computers, police stranger” in a technical SODDI defense is identified no child pornography but did find not sufficient, however, to assign guilt. In that they had an unsecured Wi-Fi one of the more unusual technical SODDI connection. Police tracked a connection to defenses, People v. Lindstrom (People v. their access point to Stanley’s home and Lindstrom, 2009), Steven Lyle Lindstrom obtained a warrant to search his computer. wrote a letter taking responsibility for Stanley was convicted for child pornography downloading child pornography using his offenses, but challenged the use of roommate’s computer. Lindstrom later MoocherHunter in an appellate court. The admitted his “roommate generally told him conviction was upheld, with the appellate what to write, and he had confessed to court determining that Stanley had “opened something he did not do. He made the false his window and extended an invisible, confession because his roommate and the virtual arm across the street to the roommate's girlfriend helped defendant [sic] Neighbor’s router so that he could exploit when he was homeless.” Because of his false his Internet connection”(Lord, 2014). testimony, Lindstrom was convicted of perjury and the creation of false In United States v. Luchetti (US v. documentation. Luchetti, 2013), federal agents executed a search warrant on the home of the While an unnamed individual having Luchetti’s neighbors for downloading child direct access to a defendant’s computer is pornography. Similar to United States v. usually an easy claim to prove or disprove, Stanley above, the neighbor’s computers technical SODDI defenses based on the use were determined to have no child of wireless networks are generally more pornography present, and the agents found fungible. The widespread use of Wi-Fi has Luchetti piggybacking on their Wi-Fi increased the number of technical SODDI connection. After the execution of a second issues that have arisen, primarily due to warrant that found child pornography on open wireless access points. In United States his machines, Luchetti plead guilty to v. Heiland (US v. Heiland, 2014), the receipt of child pornography (Thompson, government obtained a warrant to search 2011). the home of Heiland’s neighbors after tracing child pornography downloads to an In another case, a home was raided by a IP address associated with their home. After local SWAT team in Evansville, Illinois executing the warrant and finding no child when the owner’s open Wi-Fi router was pornography in their forensic examination, used to make anonymous Internet threats. the investigators found that the home had In June 2012, a series of online threats an open wireless access point that had been against the local police were posted to a setup by Heiland. Several thousand child Topix forum from the home of Louise pornography images and videos were found Milan. The police obtained a search warrant in a subsequent search of Heiland’s for the IP address associated with the computer, and he is currently awaiting trial account, and following a dynamic entry by (Pulkkinen, 2014). the SWAT team were unable to link the

© 2014 ADFSL Page 55 JDFSL V9N4 Technical SODDI Defenses: The Trojan Horse Defense Revisited This work is licensed under a Creative Commons Attribution 4.0 International License. posting to the homeowner. A more thorough passwords or enable lesser encryption investigation of her unsecured Wi-Fi led the options such as WEP. Exploitation of Wi-Fi police to a neighbor, Derrick Murray, who has, for criminal purposes, has led to the was subsequently arrested for posting the search and seizure of computer equipment threats. One of the detectives associated belonging to innocent parties, and to the with the case noted that he had identified intrusion into their homes, but there were the unsecured access point as part of his no acquittals identified where the defendant surveillance of the home prior to the used a technical SODDI defense. The warrant execution, but the department technical SODDI defense has, however, been failed to appropriately incorporate this widely employed in civil litigation, primarily information in planning their approach related to copyright infringement. (Anderson, 2012; Wilson, 2014). 4.2 Copyright Infringement Not all misattribution is meant to conceal activity. In United States v. Ardolf Cases (US v. Ardolf, 2012), Ardolf was upset with Civil litigation related to activities his neighbors when they filed a police associated with an IP address largely began complaint against him after he kissed their with a provision of the Digital Millennium four-year-old on the lips. In this case, his Copyright Act that allowed copyright neighbor’s Wi-Fi network was secured by holders to subpoena ISPs to obtain the WEP, an easy-to-crack form of wireless names of the individuals responsible for security that has been largely eclipsed by accounts sharing copyrighted material the more secure WPA and WPA2. Ardolf (Digital Millenium Copyright Act, 1998). used a WEP cracker and hijacked their Wi- Starting in 2003, the Recording Industry Fi connection, creating a fake MySpace Association of America (RIAA) and the page, downloading child pornography, and Motion Picture Association of America sending threats to Vice President Joe Biden, (MPAA), along with several copyright all masquerading as his neighbors. After his aggregators, began filing lawsuits against neighbors installed a wireless sniffer and individuals that held accounts associated engaged the FBI, Ardolf was identified and with IP addresses found to be sharing arrested and convicted of identity theft, allegedly infringing material online. By making threats against the Vice President, 2007, the RIAA alone had filed an estimated and receipt and distribution of child 30,000 lawsuits, achieving successful pornography (Hughes, 2011). judgments of up to $9,250 per song shared The above cases are a representative (Leeds, 2007). In 2006, however, the courts sample of the issues illustrating the began to accept the technical SODDI difference between identifying an originating defense from those being sued. IP address and/or an originating device and In Virgin Records v. Marson (Virgin the human committing the offense– Records America Inc et al v. Tammie numerous similar examples exist. For most Marson, 2006), the Recording Industry residential connections, IP addresses are Association of America traced copyrighted dynamically assigned to the consumer’s music being shared online to Marson’s IP wireless access point. Through network address and identified Marson as the address translation (NAT), multiple devices subscriber through her ISP. After may share the same externally facing IP attempting unsuccessfully to get Marson to address. Additionally, even though most settle for $3,500, they filed suit against her. providers have recently started providing Marson claimed that, because she was a access points with encryption already cheerleading teacher, she frequently had enabled, they frequently use default students over to her house and both her

Page 56 © 2014 ADFSL Technical SODDI Defenses: The Trojan Horse Defense Revisited JDFSL V9N4 This work is licensed under a Creative Commons Attribution 4.0 International License. students and her daughter’s friends had defendants was identified by their ISPs as access to her computer. Additionally, owning the IP addresses that had shared Marson’s home network was configured with adult films using the BitTorrent peer-to- an open wireless access point. Marson’s peer software. The group put forth several technical SODDI defense was successful due technical SODDI defenses: to an inability by the groups suing her to One movant–John Doe #16–has identify Marson as the infringer, and the stated that he was at work at the lawsuit was dropped (Fisher, 2006). time of the alleged download. John In Capitol Records v. Foster (Capitol Doe #2 states under oath that he Records, Inc. v. Foster, 2007), the account closed the subject Earthlink account, “Fflygirl11” was found to have a shared which had been compromised by a folder containing copyrighted music that hacker, before the alleged download. was made available on a peer-to-peer file John Doe #29's counsel represents sharing network. Through a subpoena, that his client is an octogenarian Foster was found to be the account holder with neither the wherewithal nor the associated with the IP address responsible interest in using BitTorrent to for the sharing. Foster contended that the download Gang Bang Virgins. John account was not hers, and that other Doe #10 represents that individuals had access to her Internet downloading a copy of this film is connection. The RIAA sued Foster on the contrary to her "religious, moral, grounds that she was guilty of “contributory ethical and personal views." Equally infringement”. Ultimately, the suit was important, she notes that her dropped when Foster requested summary wireless router was not secured and judgment and the RIAA was forced to pay she lives near a municipal parking Foster’s attorney’s fees (Jones, 2007). lot, thus providing access to countless neighbors and passersby. The RIAA is not the only group that has had difficulty combating the technical The court found the various defenses SODDI defense. The MPAA and their compelling, and further found that the film constituent studios have had similar studios were improperly avoiding court fees difficulties. In Elf-Man v. Cariveau (Elf- by aggregating offenders. Aside from John Man, LLC v. Cariveau, 2014), the producers Doe #1, the actions against the other of the movie Elf-Man sued 152 individuals defendants were dismissed, with the court who owned ISP accounts associated with IP partially concluding: addresses sharing the movie online. The It is no more likely that the court dismissed the lawsuits, finding: subscriber to an IP address carried Home wireless networks are out a particular computer function– ubiquitous, meaning that a single IP here the purported illegal address can simultaneously support downloading of a single pornographic multiple computer devices film–than to say an individual who throughout the home and, if not pays the telephone bill made a secured, additional devices operated specific telephone call... Indeed, due by neighbors or passersby. Thus, the to the increasingly popularity of risk of false positives is very real. wireless routers, it much less likely... Unless the wireless router has been Similarly, in In Re BitTorrent Adult appropriately secured (and in some Film Copyright Infringement Cases (In Re cases, even if it has been secured), BitTorrent Adult Film Copyright neighbors or passersby could access Infringement Cases, 2012), a group of the Internet using the IP address

© 2014 ADFSL Page 57 JDFSL V9N4 Technical SODDI Defenses: The Trojan Horse Defense Revisited This work is licensed under a Creative Commons Attribution 4.0 International License. assigned to a particular subscriber malware is activated and monitored to show and download the plaintiff's film. that its behavior is consistent with the alleged activity or (b) reverse engineering 5. DISCUSSION the malware shows that it has the capability The technical SODDI defense has moved of performing the alleged actions. In the beyond the basic Trojan horse defense and case of a Trojan horse that allows has been used primarily in child unfettered remote access, the defense would pornography cases in the criminal courts need to show that the infection was present and in copyright cases in the civil courts. and active at the time of the alleged activity The traditional Trojan horse defense has and that the activity was inconsistent with been used, albeit infrequently, when other activity by the defendant (Kardasz, contraband is found on a machine and the 2009). defendant claims no knowledge of the The forensic analysis presented in material but cannot otherwise attribute the several of the cases that resulted in reduced material to another person. A more general or dropped charges was similar and technical SODDI defense has been used contained the logical errors noted by more frequently when activity is associated Kardasz above. In Bandy, Solon, and Fiola, with an IP address, or when there is a the same defense technical expert, Tami shared computer without separate accounts Loehrs, provided the analysis that supported for each user. the Trojan horse defense. Loehrs was cited Since 2004, this study was unable to in Solon by the court for being "outrageous identify any published cases in the United in her charges" related to a bill for over States where the technical SODDI defense $10,000 for three days of services, further resulted in an acquittal (the closest was in claiming that court had "never heard a Fiola, where the charges were dropped). more abrasive witness than that." The court Additionally, there have been no court cases then advised defense counsel not to use that have had forensics definitively show "this woman with pretty exalted ideas of that malware placed child pornography on a her worth." Further, when the witness subject's computer (the Amero case was testified that that she had to stop her exam adult pornography pop-ups). A review of at the analysis of virus logs, the court the forensics reports available for many of provided the jury instruction: the above cases mistake correlation with Members of the jury, the witness causation–the argument is essentially: just said that she was stopped and 1) Malware is present on the device and, coupled with her testimony 2) It is theoretically possible for someone yesterday there is the implication to write malware that causes child that the court stopped her from pornography to be present on the working. That is absolutely untrue. machine and, It is a falsity, and you are instructed 3) Child pornography is present on the to ignore it. And we will hear no machine, more such testimony. I never did Therefore, stop this witness from working. I did 4) The child pornography is due to the stop her from submitting excessive malware. bills to the United States, and that's all I ever did (US v. Solon, 2013). In addition to the errors in logic present in this argument, it also represents an Further, Loehr's objectivity was incomplete forensic analysis. To show questioned related to an anti-law causation to the point of a valid legal enforcement bias in United States v. Elmer defense would require that either (a) the Guy Smith, where she engaged in a

Page 58 © 2014 ADFSL Technical SODDI Defenses: The Trojan Horse Defense Revisited JDFSL V9N4 This work is licensed under a Creative Commons Attribution 4.0 International License. Facebook conversation with David Loehrs, to find its proper target (Anderson, writing: 2012). FBI: "our mission is to protect you The approach noted above should be from the most dangerous threats considered in all cases where criminal facing our nation" activity has been traced to an IP address without corroborating information that ties FBI: the most dangerous threat the activity to a specific person. facing our nation In contrast with criminal cases, civil David Loehrs replied "F** those guys. litigation involving the technical SODDI I'll pee on them."(US v. Smith, 2011) defense has been extremely successful in In Amero, the case was brought forward recent case law. The mass lawsuits sent out based in part on poor forensics by the by the MPAA and the RIAA have prosecution. The need for a thorough essentially been halted due to their inability forensic analysis was highlighted when a to tie an IP address to a particular infringer. proper forensic review showed basic flaws in Part of this limitation is the inability to the initial analysis, which was performed by seize and perform forensics on devices a non-expert practitioner using a less-than- belonging to defendants, which results in the robust digital forensics tool. While the case counterintuitive situation of the defense resulted in a conviction that was overturned being more successful in civil cases, where and an eventual plea agreement, there was the burden of proof is lower, than in sufficient doubt raised in the expert forensic criminal cases (preponderance of the analysis to have made a second prosecution evidence v. reasonable doubt). unlikely to be successful. 6. CONCLUSION For the general technical SODDI defense cases, multiple cases resulted in the wrong Despite a proliferation of botnets that use home being searched due to an unsecured or hijacked computers to launch computer a compromised wireless access point. None attacks and hackers who attack systems of these resulted in court cases against the after multiple hops through compromised victims, and forensics was able to clear the machines, there have been no published individuals quickly. There was, however, a cases in the United States where the major disruption to many innocent technical SODDI defense has resulted in an individuals–ranging from knock-and-talks to acquittal, and the defense itself is rarely put a full SWAT response. Because of the forth in criminal matters outside of child frequency with which Wi-Fi cases have been pornography cases. found to be due to neighbors, law The Trojan horse defense has been enforcement is taking a better approach to subsumed into the broader technical SODDI warrants, for example: defense. What originated as “the malware On April 30, two FBI special agents did it” has now morphed into a mosaic of drove past the Carmel home and “either the malware did it or someone else noted the existence of two WiFi with access to my computer/network did it.” networks reachable from the More thorough forensics prior to charging is property. One used WEP now becoming the norm, going beyond encryption, the other had the more simply showing that the subject was at the robust WPA2, but the key point keyboard at the time of the activity in from the FBI’s perspective was that question. In content-related and illegal neither network was unsecured. A access/system interference cases, a review search thus seemed much more likely and through analysis of seized devices for malware is needed to head off faulty forensic

© 2014 ADFSL Page 59 JDFSL V9N4 Technical SODDI Defenses: The Trojan Horse Defense Revisited This work is licensed under a Creative Commons Attribution 4.0 International License. claims made to the media or in pretrial Eckelberry, A., Dardick, G., Folkerts, J. A., negotiations. Similarly, prior to obtaining a Shipp, A., Sites, E., Stewart, J., & search warrant for any cases involving Stuart, R. (2007). Technical review of network activity, a review of the network the trial testimony State of Connecticut capabilities, specifically Wi-Fi, of the target vs. Julie Amero. Retrieved from location should be performed. http://dfir.com.br/. Unlike criminal cases, the technical Elf-Man, LLC v. Cariveau, No. C13- SODDI defense has been used successfully 0507RSL (Dist. Court, WD Wash. and has largely defeated copyright 2014). infringement claims in civil litigation. It is Fisher, K. (2006, August 3). The RIAA, IP unlikely that mass copyright infringement addresses, and evidence. Retrieved from cases targeting individuals sharing movies or http://arstechnica.com/. music in a non-commercial manner will continue to the extent previously seen. Even Green, R. (2008, November 22). if civil imaging of computing devices were Misdemeanor plea ends Norwich case. permitted, it would not likely be cost Retrieved from effective to pursue these actions for http://articles.courant.com/. individual infringement actions. Hughes, J. (2011, July 12). Minnesota Wi-Fi REFERENCES hacker gets 18 years in prison for terrorizing neighbors. Digital Trends. Alexander, R. (2007, January 28). Defense Retrieved from http://news.yahoo.com/. in child porn case distorts the truth. Retrieved from In Re BitTorrent Adult Film Copyright http://www.foxnews.com/. Infringement Cases, No. 2012 U.S. Dist. LEXIS 61447 (E.D. New York 2012). Anderson, N. (2012, June 26). SWAT team throws flashbangs, raids wrong home Jones, P. (2007, February 8). For the due to open WiFi network. Retrieved cynics, an antidote: The Order in from Capitol v. Foster. Retrieved from http://arstechnica.com/. http://www.groklaw.net/. Associated Press. (2009, November 8). Kardasz, F. (2009, November 9). Highly Computer viruses can make you an unlikely that a virus would ever place unsuspecting collector of child images on your computer. Retrieved pornography. Retrieved from from http://kardasz.blogspot.com/. http://blog.al.com/. Landwehr, C. E., Bull, A. R., McDermott, Brenner, S., Carrier, B., & Henninger, J. J. P., & Choi, W. S. (1994). A (2004). The Trojan horse defense in taxonomy of computer program security cybercrime cases. Santa Clara Computer flaws. ACM Computing Surveys, 26(3), & High Tech. LJ, 21(1). 211-254. Capitol Records, Inc. v. Foster, No. Civ. 04- Leeds, J. (2007, October 5). Labels win suit 1569-W (Dist. Court, WD Ok. 2007). against song sharer. The New York Times. Retrieved from Com. v. Robertson-Dewar, No. 829 A.2d http://www.nytimes.com/. 1207 (Pa. Superior Court 2003). Loehrs, T. (2009). Report of forensic Digital Millenium Copyright Act, 17 U.S. examination. Presented at the Winning Code § 512 (1998). Strategies. Retrieved from http://www.fd.org/.

Page 60 © 2014 ADFSL Technical SODDI Defenses: The Trojan Horse Defense Revisited JDFSL V9N4 This work is licensed under a Creative Commons Attribution 4.0 International License. Lord, R. (2014, June 11). Court rejects US v. Heiland, No. CR14-5188BHS (Dist. appeal of man who piggybacked on Wi- Court, WD Washington 2014). Fi signal to access child porn. Retrieved US v. Holness, 706 F. 3d 579 (Court of from http://www.post-gazette.com/. Appeals, 4th Circuit 2013). Lubet, S. (1992). Reasserting in cross- US v. Kerr, 472 F. 3d 517 (Court of examination control. Litigation, 18(4), Appeals, 8th Circuit 2006). 24-29. US v. Kuchinski, 469 F. 3d 853 (Court of Matyszczyk, C. (2013, July 27). Man gets Appeals, 9th Circuit 2006). fake FBI child porn alert, arrested for child porn. Retrieved from US v. Luchetti, No. 11-CR-143 (Dist. Court, http://www.cnet.com/. WD New York 2013). Moats, T. (2010, January 23). Montpelier US v. Miller, 527 F. 3d 54 (Court of man charged in Internet child porn Appeals, 3rd Circuit 2008). scam. Retrieved from US v. Moriarty, No. 429 F. 3d 1012 (Court http://www.vermonttoday.com/. of Appeals, 11th Circuit 2005). People v. Lindstrom, No.60608 (Cal. Court US v. Smith, No. 4:09-CR-00441-CKJ-DTF of Appeal, 3rd Appellate Dist. 2009). (Dist. Court, Arizona 2011). Pulkkinen, L. (2014, April 8). Feds: US v. Smith, No. 739 F. 3d 843 (Court of Neighbor’s Wi-Fi a path to child porn Appeals, 5th Circuit 2014). for Bonney Lake man. Retrieved from http://www.seattlepi.com/. US v. Solon, No. 13-8058 (Court of Appeals, 10th Circuit 2013). State of Arizona v. Matthew Bandy, No. CR2005-014635-001 DT (Maricopa US v. Stanley, No. 753 F. 3d 114 (Court of County Superior Court 2005). Appeals, 3rd Circuit 2014). State of Connecticut v. Amero, No. CR-04- Virgin Records America Inc et al v. Tammie 93292 (Conn. Superior Court 2007). Marson, No. 2:2005cv03201 (California Central District Court 2006). Steel, C. M. S. (2009). Web-based child pornography: Quantification and Wilson, Mark. (2014, September 13). City qualification of demand. International seeks favorable ruling in SWAT incident Journal of Digital Crime and Forensics lawsuit; Police video shows what (IJDCF), 1(4), 58–69. happened. Retrieved from doi:10.4018/jdcf.2009062405 http://www.courierpress.com/. Sweet, L. (2008, June 16). Probe shows Wise v. State, 364 SW 3D 900 (Texas State kiddie porn rap was bogus. Retrieved Court of Criminal Appeals 2012). from http://bostonherald.com/. Thompson, C. (2011, April 24). Innocent man accused of child pornography after neighbor pirates his WiFi. Retrieved from http://www.huffingtonpost.com/. US v. Ardolf, No. 683 F. 3d 894 (Court of Appeals, 8th Circuit 2012). US v. Gardner, No. WL 6680395 (Dist. Court, D. Utah 2012).