This is a follow-up of sorts to Jeff Debrosse's recent, thoughtful post on the problem of individuals being convicted for possession of illegal paedophiliac material of whose presence on their computers they had no knowledge. More recently, a tweet by Bob McMillan drew my attention to an article by Geoff Liesik, "Authorities scoff at 'child porn virus' tale". This revisits the schism between those who believe that the SODDI (Some Other Dude Did It) defence is about as convincing as "the dog ate my homework", and those who are concerned that natural revulsion at paedophile activity, and eagerness to prosecute those who practise it, may lead to the conviction of innocent parties.

The SODDI defence has been slightly misrepresented in some places. The paedophile's "Trojan defence" has been around for several years and centres on the assertion that malware got installed, downloaded illegal material, then removed itself, leaving no trace behind but the pornography. This defence has been accepted in the past, but a sophisticated jury nowadays is likely to wonder why such a Trojan (which is not technically impossible, though unlikely) would have been installed in the first place. The likeliest scenario is, I suppose, that one person might use the technique to "frame" another: however, an investigator would still be interested in the identity and motivation of the malefactor, as well as the technical and forensic issues of access and programmatic behaviour.

The Trojan defence is likeliest to fail when there is illegal content remaining on the inspected computer but no trace of any malware is found, or when the only malware found belongs to a family that has never been known to carry that particular payload (i.e., to download illegal material).

A variation of that defence has, however, become stronger in recent years in cases where malware is found on a system under investigation: that's because of the way the malware threat has evolved. No-one, as far as I'm aware, has found an (untargeted) malicious program that always downloads illegal porn to a victimized system. However, if you find, as has been suggested in some reports, that there is something installed that is still downloading child-related pornography at the time of investigation, and you can state with some certainty that the "something" is malware rather than a "black" utility deliberately installed by the user to facilitate the downloading of illegal material, there may be a viable defence.

Unfortunately, even if you find malware that doesn't have that payload, it's still possible to argue that it might nevertheless have had it at some point since the machine was infected, because it's highly characteristic of botnets to change the function performed by individual infected machines according to the changing requirements of the botmeister or his customers.

Certainly, that's far too much like a get-out-of-jail-free card for my taste. :( I'm not in favour of imprisoning the innocent, but I'm not enthusiastic about freeing the guilty, either, and I suspect that a lot of guilty people will try to use this approach.

However, the only way I can see of mitigating (not fixing) this ambiguity is by absolutely scrupulous forensic examination. And maintaining the integrity of the chain of evidence, though critical, is by no means the hardest part of the problem. The only sort of forensic investigation that stands a chance of giving useful information in this scenario involves all sorts of legal, resourcing and administrative complications: to do it properly requires even more than forensic skill and in-depth knowledge of malware (not to mention a strong stomach). In most jurisdictions, it also requires clearance to work with this sort of material. (Not a job that most of us would relish, and one with a notoriously high burn-out rate.)

Even worse, the sort of examination that's hinted at in some of the rather woolly recent reports suggests a form of dynamic analysis that involves reproducing the illegal behaviour (i.e., letting the suspect malware run and download). Sometimes this may be the only way of gathering evidence, but it's an approach with obvious legal implications for the examiner.

A more general legal approach might rest on the fact that at least one of the "victims" cited in recent reports did admit to downloading "adult" porn, which, irrespective of legality or morality, escalates the risk of exposure to malware and to other forms of porn: porn merchants don't care about what they push as long as they don't expose themselves to punitive action. So there's an element of reckless endangerment, especially when a victim doesn't have properly functional security software, as in that particular instance. But there's also the issue that the individual concerned, who is apparently still serving his sentence, may well have been drastically disadvantaged because the court effectively curtailed defence testimony on account of the cost of continuing the forensic examiner's investigation.

The Julie Amero case (though not directly concerned with child pornography) is somewhat apposite in that it was compromised by significant forensic flaws and by the presence of ineffective, obsolete security software. No report I've seen has mentioned specific malware (most have just said "viruses", and use of that term in itself makes it hard to estimate how much credence to give to the reports). The "take home" point here is that in principle many malicious programs might have that functionality at some point in their life-cycles: for instance, in order to use a victim's machine as a repository for illegal material.

One of the toughest jobs I ever did for the National Health Service in the UK was writing guidelines for handling child-porn-related issues in a way that didn't break UK legislation or governmental directives (or simply give PR-sensitive management a heart attack). It would be (much) harder still now. :(

David Harley
Director of Malware Intelligence