Difference between pages "Legal issues" and "Windows Memory Analysis"

From ForensicsWiki

=Legal Standards=

...

= The Hacker Defense (aka Trojan/Virus Defense) =

Below are accounts of cases in which a hacker, virus or Trojan defense was raised. Some of the sources cited are news reports rather than court records, but each case should be traceable to official court proceedings in its own jurisdiction. The CPS (the Crown Prosecution Service, which prosecutes criminal cases in England and Wales; it is a prosecuting body, not an investigative agency like the FBI) is training prosecutors en masse on the "Trojan defense" (link below). It would not invest that effort unless the defense were being raised regularly in practice.
== History ==

“The "Trojan defense" has now become standard in many types of computer crime cases. But the defense often plays on the ignorance of juries and prosecutors. It has raised the need for the CPS to do more to explain complex technical issues in simple terms to judges and juries,” says George. (Esther George is a policy adviser at the Crown Prosecution Service.)

http://www.computerweekly.com/Articles/2007/01/27/221526/high-tech-crime-is-put-on-trial.htm

US man Eugene Pitts was found not guilty of tax evasion after blaming a computer virus, avoiding roughly $900,000 in fines.

http://www.sophos.com/pressoffice/news/articles/2003/08/va_virustax.html

United States v. Michael McCourt, U.S. Court of Appeals for the Eighth Circuit, 1/24/06, on appeal from the Western District of Missouri. Conviction upheld.

http://www.ca8.uscourts.gov/opndir/06/11/061018P.pdf

Karl Schofield walked free from court after prosecutors accepted an expert's report that a "Trojan" program could have saved the 14 indecent images from the internet without his knowledge.

http://www.getreading.co.uk/news/6/6541/program_put_child_porn_pics_on_my_pc

Julian Green, 45, of Torquay, Devon, was cleared in court in July of 13 charges of making indecent images after claiming that computer malware was to blame.

http://www.sophos.com/pressoffice/news/articles/2003/08/va_porntrojan.html

Aaron Caffrey was acquitted after raising the Trojan defense; US authorities had traced denial-of-service (DoS) activity to his machine.

http://news.com.com/2100-7349-5092781.html?tag=txt

A former Georgia teacher blamed computer viruses for altering his Web sites and uploading child porn images. Conviction upheld.

http://news.zdnet.com/2100-1009_22-6130218.html

An odd spin on the issue: a hacker used a Trojan to gain access to suspected pedophiles' computers.

http://www.darkreading.com/document.asp?doc_id=118157

Bandy's defense attorney asserted that a "virus" or "Trojan" must have downloaded the child pornography to Bandy's computer without his knowledge.

http://www.foxnews.com/story/0,2933,247903,00.html

A man found with more than 1,700 indecent images of children on his computer claimed a virus was to blame, a court heard. But Mark Craney, 33, from Knowle, was found guilty at Warwick Crown Court on 16 charges of making indecent images of children by downloading them onto his computer.

http://icbirmingham.icnetwork.co.uk/0100news/0100localnews/tm_objectid=15104065&method=full&siteid=50002&headline=man-blamed-net-virus-for-child-porn-name_page.html

More links from previous research:

[1] http://www.cnn.com/2003/TECH/internet/10/28/hacker.defense.reut/index.html

[2] http://news.com.com/2100-7349_3-5092781.html

[3] http://www.fedlawyerguy.org/2003/11/the_trojan_defense.html

[4] http://www.theregister.co.uk/2003/04/24/trojan_defence_clears_man/

[5] http://www.austlii.edu.au/au/cases/cth/high_ct/2006/39.html

[6] http://www.castlecops.com/modules.php?name=News&file=print&sid=2946

[7] http://direct.bl.uk/bld/PlaceOrder.do?UIN=161932125&ETOC=RN&from=searchengine

== External Links ==

* [http://www.cybersecurityinstitute.biz/tpicq.htm The "Tools Proven in Court" Question]

=Privacy and Surveillance Laws=

18 USC 2510 et seq. (the Wiretap Act), 18 USC 2701 et seq. (the Stored Communications Act), 18 USC 1030 (the Computer Fraud and Abuse Act) and other statutes regulate the information that private entities and law enforcement can access over a computer network.

The following forensic tools, which can capture forensic images remotely over a network, may raise interesting legal questions under these and other statutes: for example, whether remotely acquiring a live system counts as authorized access under 18 USC 1030, and whether any network traffic captured along the way counts as an interception under 18 USC 2510.

Paraben Enterprise and Shuttle:

http://www.paraben-enterprise.com/

WetStone LiveWire Investigator:

http://www.000.shoppingcartsplus.com/catalog/item/4170630/4050602.htm

ProDiscover IR:

http://www.techpathways.com/ProDiscoverIR.htm

EnCase Enterprise:

http://www.encase.com/products/ee_index.asp

Vontu:

http://www.vontu.com/products/default.asp

Revision as of 15:21, 20 May 2006

...

== History ==

During the 1990s, it became a best practice to capture a memory image during incident response. At the time, the only way to analyze such memory images was using strings. Although this method could reveal interesting details about the memory image, there was no way to associate what data came from what program, let alone what user.

In the summer of 2005 the Digital Forensic Research Workshop published a Memory Analysis Challenge. They distributed two memory images and asked researchers to answer a number of questions about a security incident. The challenge produced two seminal works. The first, by Chris Betz, introduced a tool called memparser. The second, by George Garner and Robert-Jan Mora, produced a tool called kntlist.