This was the second of two papers I presented at CFET in 2010.
This paper looks at the implications, in the age of the botnet, of the “Some Other Dude Did It” and “it must have been a Trojan” defences against conviction for possession of illegal material, especially pornography. Presented at the 4th Cybercrime Forensics Education & Training (CFET 2010) Conference in September 2010.
Here’s the abstract.
SODDI is a familiar acronym among those working in cybercrime: it stands for Some Other Dude Did It. There’s nothing novel about criminals claiming that some offence with which they are charged was someone else’s responsibility, of course, whether it’s the victim or some third party. In the specific area of child abuse, it can be difficult to untangle layers of denial [1, 2] but in recent years frequent use has been made of the Trojan Defence, which might be tersely if loosely summarized as “it must have been a virus” (leaving aside for now the technical differences in malware classification). This attempt at a “Get Out of Jail Free” card is not confined to one type of crime (indeed, it’s as likely to be heard in workplace disciplinary contexts as in courtrooms), but it is currently particularly associated with child-related offences, at least in popular perception.
As always where child abuse is concerned, attempts to negotiate these murky legal waters have been hampered by a strong emotional undercurrent: debate has been polarized between those who believe that the SODDI defence is about as convincing as “the Internet ate my homework”, and those who fear that natural revulsion at paedophile activity and eagerness to prosecute those who practice it may lead to the conviction of innocent parties. In fact, as a general rule, the assertion that “malware installed itself, performed some illegal act, then removed itself leaving evidence of the activity behind but no trace of itself”, while not technically impossible, is not particularly likely. But most modern malware is primarily a constantly changing delivery mechanism for attacks that themselves change ownership, target, and context according to market forces and the need to evade tracking by law-enforcement and other interested parties.
Much has been made of the way in which the Julie Amero case was compromised not only by forensic flaws and inadequate preservation of the chain of evidence, but by the presence of ineffective, obsolete security software. Malware and anti-malware have evolved since then, but has forensic understanding of those evolutions increased correspondingly?
This paper will review the 2010 threatscape, considering some cases and scenarios that highlight some of the ways in which malicious software has impacted (or could impact in the future) on investigation, whether by law enforcement agencies or in the workplace. But it will also look at some of the psychosocial issues that may distort our ability to apply our understanding of those technologies appropriately in emotionally charged contexts.
Small Blue-Green World
ESET Senior Research Fellow