Sunday, December 23, 2018

The malware did it, I swear!

A couple of months back, someone posted on the Forensic Focus forums raising the possibility that a hacker or malware was responsible for some child abuse images found on a relative's computer.  I responded at some length, but I also wanted to post here to lay out some of my thoughts on this defense.  For some background, please see Chad Steel's excellent article.  The defense seems to have been mostly unsuccessful but it is raised occasionally and appears to have been successful in a couple of early cases.  I hope here to point out some reasons why the defense should be avoided (absent clear evidence that it actually happened) and to give some ideas for refuting it.

As laid out in Steel's article, the defense is based primarily on the fact that it is technically possible that a hacker could plant contraband images, or that some malware could distribute them.  And it is technically possible.  It's also wildly improbable. Here are the issues:

1) Hackers aren't generally in the business of planting child abuse images. I'm not aware of any case where this has happened.  What's the motivation?  Personal revenge is a possibility, but it requires that there is an individual with the requisite technical skills who is so bent on revenge that they are willing to find this material, compromise the computer in question, and plant it on the computer.  Most people, hackers or otherwise, would probably be unwilling to handle this material or search for it.  But, I am aware of at least one case where someone planted child abuse images on a computer.  In that case, the wife's new boyfriend downloaded these images onto the husband's computer (which was left in the marital home after the husband moved out).  The husband was charged initially, but those charges were dropped and the boyfriend was charged when a forensic analysis by an outside firm showed that the initial examination was shoddy and that the timeline clearly showed that all the relevant activity happened after the husband had moved out.

2) Malware doesn't ordinarily distribute child abuse images.  I am not specifically a malware expert, but I work in information security, have attended security and malware conferences, keep up with the news in my field, read about malware, have analyzed a few samples, and even have a collection of old DOS viruses.  I have never seen or heard about any malware that plants or distributes child abuse images.  It's possible that it exists, but it is not common; if it were, information security and forensics practitioners such as myself would have heard about it.

3) It does not make sense for people who collect or trade child abuse images to plant them on other people's computers.  I can see the utility in hosting some of this material on a hacked server, but not on a personal computer or laptop that is not online all the time.  Anyone who wants access to this material or who wants to trade it will want it to be available.  The pattern that I've seen in the busts/stings that have made the news is that they use servers hosted in countries with weak laws or weak enforcement related to child abuse images.  Further, creating a worm or other malware that distributes this material widely would get a lot of unwanted attention.  If someone created a worm that infected a hundred thousand or a million computers with child abuse images it would be all over CNN, the AP newswire, Reuters, etc.  That would lead to a major investigation involving multiple agencies in multiple states and/or countries.  A person collecting and/or trading images that are illegal to possess or distribute would probably not risk that attention.

4) It does not make sense to use other people's computers (e.g. over Remote Desktop) to browse child abuse images.  This is one of the possibilities that I've seen raised, but this activity would probably be visible to the owner of the computer if they happened to try to use the computer at that time.  It would be much easier to just use TOR.

From the perspective of a forensic examiner, there are several things we can do to rebut this defense.  Establish timelines and related activity for everything on the computer.  If child abuse images are found, where did they come from?  Is there evidence the user searched for these or similar images?  Did they access chat rooms related to this?  Did they download and share the material on a P2P network?  When did the activity occur?  Was it when the user was home or on the computer?  Does the schedule suggest it might have been someone else in the house (e.g. a child, roommate, or spouse)?  Are there forensic artifacts (e.g. recent files) that show that the user accessed the material?
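The timeline questions above can be answered mechanically once the artifacts are extracted. The following is an added example, not code from the original post: it takes constructed records of the kind an examiner would pull from an image (interactive logon sessions from the Security event log, creation timestamps of the flagged files, browser history, and recent-files/LNK entries) and, for each flagged file, reports whether a user was logged on when it was created, whether there was browser activity in the preceding window, and whether an artifact shows the file being opened afterwards. Every record, path and timestamp here is constructed sample data; all times are assumed to be UTC.

```python
"""Timeline correlation for the 'someone else did it' defense (added example).

Asks, per flagged file: when was it created, was a user interactively
logged on at that moment, was there browser activity shortly before, and
is there a later artifact showing the file was opened. All records below
are constructed sample data, not evidence from any real case.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass
class Session:            # interactive logon/logoff pair (e.g. event IDs 4624/4647)
    user: str
    logon: datetime
    logoff: datetime


@dataclass
class FlaggedFile:
    path: str
    created: datetime     # file system creation timestamp


@dataclass
class HistoryEntry:       # browser history row
    when: datetime
    url: str


@dataclass
class RecentItem:         # e.g. a LNK shortcut or RecentDocs entry
    target: str
    when: datetime


def T(s: str) -> datetime:
    """Parse 'YYYY-MM-DD HH:MM' (assumed UTC)."""
    return datetime.strptime(s, "%Y-%m-%d %H:%M")


# --- constructed sample artifacts -------------------------------------
SESSIONS = [
    Session("jdoe", T("2018-12-01 19:02"), T("2018-12-01 23:40")),
    Session("jdoe", T("2018-12-03 18:30"), T("2018-12-03 22:15")),
]
FILES = [
    FlaggedFile(r"C:\Users\jdoe\Downloads\img0001.jpg", T("2018-12-01 21:17")),
    FlaggedFile(r"C:\Users\jdoe\Downloads\img0002.jpg", T("2018-12-02 03:41")),  # nobody logged on
]
HISTORY = [
    HistoryEntry(T("2018-12-01 21:05"), "https://search.example.test/?q=[redacted]"),
    HistoryEntry(T("2018-12-01 21:16"), "https://files.example.test/img0001.jpg"),
]
RECENT = [
    RecentItem(r"C:\Users\jdoe\Downloads\img0001.jpg", T("2018-12-01 21:20")),
]


def session_at(ts: datetime, sessions) -> Optional[Session]:
    """Return the interactive session covering ts, if any."""
    for s in sessions:
        if s.logon <= ts <= s.logoff:
            return s
    return None


def correlate(files, sessions, history, recent, window=timedelta(minutes=30)):
    """Build the per-file correlation report the post asks for."""
    report = {}
    for f in files:
        s = session_at(f.created, sessions)
        before = [h for h in history if f.created - window <= h.when <= f.created]
        opened = [r for r in recent if r.target == f.path and r.when >= f.created]
        report[f.path] = {
            "created": f.created,
            "user_logged_on": s.user if s else None,
            "browser_activity_before": len(before),
            "opened_after": bool(opened),
        }
    return report


def unattributed(report):
    """Files with no interactive user at creation and no later access:
    the only ones where the 'someone else' hypothesis deserves a closer look."""
    return [p for p, r in report.items()
            if r["user_logged_on"] is None and not r["opened_after"]]


if __name__ == "__main__":
    for path, row in correlate(FILES, SESSIONS, HISTORY, RECENT).items():
        print(path, row)
    print("needs a closer look:", unattributed(correlate(FILES, SESSIONS, HISTORY, RECENT)))
```

In the constructed data the first file lands inside a logon session, follows browser activity and is opened afterwards, which is the ordinary pattern of user activity; the second was created at 03:41 with nobody logged on and is never opened, so it is the one where the question of who or what created it is actually open. On a real image the same logic runs over parsed event logs, $MFT or filesystem metadata, browser databases and LNK files, and the time zone of each source must be normalized first.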

If malware is found on the computer, identify it.  We know, for example, that the Emotet banking trojan is associated with the theft of passwords and personal information, not child abuse images.  If that malware is found, it is NOT evidence of someone else being responsible for the contraband images.  If the malware is new or unknown, reverse engineer it or bring in an expert to do so.  Depending on the constraints of your agency, you might be able to submit it to VirusTotal or directly to one or more vendors to analyze.  Viruses, trojan horses and other malware are not magic.  They are programs built by one or more individuals to do certain tasks.  If the malware is responsible for the child abuse images, there should be evidence that it is responsible (e.g. it contains IPs or URLs of sites that host these images).
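One concrete form of the "is there evidence that it is responsible" check is to look for any network indicator in the sample that points at the places the contraband came from. The following is an added example, not code from the post: a strings-style extraction over a sample, pulling out URLs and IPv4 addresses, then intersecting the hosts found with the hosts the flagged files were downloaded from (per the browser or download history). The sample bytes and the source URL are constructed; the addresses use documentation ranges and .test domains. Static strings are only a first pass (packed or obfuscated samples need unpacking and behavioural analysis), but an empty intersection is exactly the "no connection" finding the post describes.

```python
"""Does the malware link to the contraband's sources? (added example)

Extract printable strings from a sample, pull out URLs and IPv4
addresses, and compare the hosts against the hosts the flagged files were
fetched from. Sample bytes and history entries below are constructed.
"""
import re
from urllib.parse import urlparse

# Constructed stand-in for a sample: an assumed banking trojan that talks
# only to its own command-and-control host.
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 16
    + b"http://c2.example-bad.test/gate.php\x00"
    + b"203.0.113.45\x00"              # TEST-NET-3 documentation address
    + b"\x01\x02short\x00"             # below the minimum string length
    + b"POST /gate.php HTTP/1.1\x00"
)

# Hosts the flagged files were downloaded from, taken from browser or
# download history (constructed).
CONTRABAND_SOURCE_URLS = ["https://files.example.test/img0001.jpg"]

URL_RE = re.compile(r"https?://[^\s/\"']+")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def extract_strings(blob: bytes, min_len: int = 6):
    """Runs of printable ASCII at least min_len long (like `strings`)."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(blob)]


def network_indicators(blob: bytes):
    """Set of hostnames and IPv4 addresses embedded in the sample."""
    hosts = set()
    for s in extract_strings(blob):
        for u in URL_RE.findall(s):
            host = urlparse(u).hostname
            if host:
                hosts.add(host)
        hosts.update(IPV4_RE.findall(s))
    return hosts


def linking_indicators(blob: bytes, source_urls):
    """Indicators in the sample that match a contraband source host.
    An empty set means the static strings show no connection."""
    sources = {urlparse(u).hostname for u in source_urls}
    return network_indicators(blob) & sources


if __name__ == "__main__":
    print("indicators in sample:", sorted(network_indicators(SAMPLE)))
    print("linked to contraband sources:", linking_indicators(SAMPLE, CONTRABAND_SOURCE_URLS))
```

Run against a real sample, the same functions take the file's bytes and the list of source URLs from the history parse; any non-empty result is a lead to follow into dynamic analysis, while an empty one is documented as part of the rebuttal alongside the sample's identification (hash, family, vendor write-ups).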

If you think that this defense might actually apply to your case, why?  Is there a specific individual you think might be responsible?  Is there specific evidence of hacking or malware?  Is there something that connects the hacking or malware to the child abuse images?  Have you reverse engineered the malware and found a connection to child abuse images or the sites that host them?  Is there also a lack of evidence that the computer user (suspect) accessed or was aware of the material?  Make sure that you can justify your conclusion by methodically connecting the facts.

I think that this defense is mostly BS and that the people raising it know that it's BS.  That doesn't mean you won't have to refute it; you should be prepared if that situation arises.  You may even come across a case where the defense seems plausible.  If so, you should proceed methodically in establishing why you think that's the case.  Go where the facts lead you.
