Trojan Horses Complexities

January 1, 2004

Recently there have been a number of cases, where the existence of a Trojan horse, or a number of Trojan horses, on a suspect computer have been used as part of a defence.

A Trojan horse is a term used to describe a piece of software that contains code, which when executed, performs a function other than that intended by the operator. Usually, but not always, this action is malicious in its nature.

Vogon have been involved in two recent cases: R v Green, and R v Caffrey, which have caused much comment about the presence or otherwise of Trojan software.

Some confusion is often apparent particularly relating to the issues of the functioning or otherwise of a computer system infected by a Trojan, especially in light, s 3 of the Computer Misuse Act 1980.

In most instances this confusion can be easily resolved, by considering the wording, and the practical application of the erstwhile s 69 of the Police and Criminal Evidence Act 1984. Under this Act, it was clearly understood that computer evidence collected was admissible if any faults that were observed did not materially affect the integrity of that evidence.

In this respect the action of a Trojan should be considered in the same way as any other piece of software running on a system. Generally the common-sense approach to these issues is the most practical, and most spurious arguments put forward by defence/prosecution experts can be dealt with before the issues go before a jury. This assumes that ‘a meeting of experts’ is convened at an early stage to review the facts. It is interesting to note that in R v Caffrey, the defence expert evidence was not put before the court.

My suspicion is that the issue of Trojans on computer systems is currently being viewed as a means to blur otherwise solid computer evidence. In some instances the presence of Trojan software will be relevant; in others, it will be of little consequence.

Should the evidence be thrown out? Of course not. As always it is a matter of methodical forensic investigation, identifying the context within which the Trojan exists.

Clive Carmichael-Jones is Operations Director at Vogan International Limited.