R v F (2025): Addressing the Defence of Hacking

This paper presents a pioneering case study of *R v F* (2025) that demonstrates how digital forensic investigators can empirically counter the "hacking" or "SODDI" defence by collaborating with law enforcement to provide evidence that helps courts distinguish between innocent and guilty defendants.

Junade Ali

Published Thu, 12 Ma

Imagine you are a detective trying to solve a mystery, but the suspect has a very clever excuse: "I didn't do it! Someone else broke into my house, stole my keys, and left the mess there. I'm just the victim of a high-tech burglary!"

This is exactly what happened in a real court case called R v F, and this paper is the story of how a digital detective proved that excuse was a lie.

Here is the story broken down into simple terms, using some fun analogies.

The Setup: The "Trojan Horse" Excuse

In the world of computer crimes, there is a common defense called the "Trojan Horse Defense" (or the "SODDI" defense: Some Other Dude Did It).

  • The Analogy: Imagine you are accused of leaving a pile of trash in your living room. You tell the judge, "I didn't do it! A burglar broke in, threw the trash around, and left. I was asleep!"
  • The Problem: In the digital world, it's hard to prove who actually touched the computer. Did the owner download illegal images, or did a hacker do it remotely?

In this case, a man named F was caught with thousands of illegal images on his phone. He told the court, "My phone was hacked. A ghost in the machine downloaded all this stuff. I didn't do it."

The Investigation: The Three-Step Detective Game

The authors of this paper (a digital forensics expert named Dr. Junade Ali and a police detective) didn't just look at the files; they played a game of "Three-Step Detective" to see if the story held up.

Step 1: The "Paperwork" Check (The Logic Test)

First, they looked at the suspect's story without even touching the phone.

  • The Suspect's Claim: "Look at my phone bill! There was weird internet activity while I was in police custody. That proves a hacker was using my phone!"
  • The Detective's Reply: "That's a misunderstanding. Phone bills are like a grocery receipt that just says 'Total: $50'. It doesn't tell you what you bought or when you bought it. The data on the bill actually matched normal background noise, not a hacker's activity."
  • The Logic Check: The suspect also claimed his accounts were hacked via email. But the illegal files were found in an app that requires a phone number to log in, not just a password. You can't hack a phone number remotely without physical access. Plus, the suspect had been chatting with people about illegal stuff on the same phone. If a hacker did it, why was the owner also chatting about it?

Step 2: The "House Search" (The Forensic Scan)

Next, they opened the phone up (digitally) to look for "burglar tools."

  • The Search: They used special tools (like a high-tech metal detector) to look for "Indicators of Compromise" (IOCs). These are the digital footprints a hacker leaves behind, like a broken lock or a muddy footprint.
  • The Findings:
    • On the iPhone: They found some web browsing history about cybersecurity. It looked like the owner was reading about hackers, not being hacked. The phone wasn't "jailbroken" (which is like picking the lock to let a hacker in).
    • On the Android: No signs of "root access" (the master key) or strange apps.
    • The Verdict: No burglar tools were found. The house was locked tight.

Step 3: The "How Did the Trash Get Here?" (The Real Explanation)

If no hacker did it, how did thousands of illegal images get on the phone?

  • The Discovery: The detective found that most of the images were in the Telegram app's "Cache."
  • The Analogy: Imagine you join a group chat where people are sharing photos. You don't have to click "Download" on every single photo. The app is like a greedy vacuum cleaner; it automatically sucks up every photo that passes through the chat and stores it in a hidden folder (the cache) so it loads faster next time.
  • The Truth: The suspect joined a Telegram group sharing these images. The app automatically downloaded them. He didn't have to click "save" for every single one, but he did choose to join the group.
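The checks in Steps 2 and 3, sketched as an added example (not code from the paper or the investigators): it looks for jailbreak/root artefacts in an extracted file listing and counts media by whether it sits in an app cache or a user-saved folder. The listing, the marker subset and the directory patterns are constructed assumptions.

```python
from collections import Counter
from pathlib import PurePosixPath

# Well-known artefacts left by jailbreaking (iOS) or rooting (Android).
# Illustrative subset chosen for this example, not the paper's checklist.
COMPROMISE_MARKERS = (
    "/Applications/Cydia.app",
    "/private/var/lib/apt",
    "/system/xbin/su",
    "/system/bin/su",
)
# Assumed locations: where an app caches media on its own, versus
# folders a file reaches only after the user saves it.
CACHE_DIRS = ("/Android/data/org.telegram.messenger/cache/",)
USER_SAVED_DIRS = ("/DCIM/", "/Pictures/", "/Download/")
MEDIA_EXT = {".jpg", ".jpeg", ".png", ".mp4", ".webp"}

def compromise_hits(paths):
    # Match the marker itself or anything beneath it, never a bare prefix:
    # "/system/bin/surfaceflinger" must not count as "/system/bin/su".
    return [p for p in paths
            if any(p == m or p.startswith(m + "/") for m in COMPROMISE_MARKERS)]

def media_origin(path):
    # None for non-media; otherwise which kind of folder holds the file.
    if PurePosixPath(path).suffix.lower() not in MEDIA_EXT:
        return None
    if any(d in path for d in CACHE_DIRS):
        return "app_cache"
    if any(d in path for d in USER_SAVED_DIRS):
        return "user_saved"
    return "other"

def triage(paths):
    origins = Counter(o for o in map(media_origin, paths) if o)
    return {"compromise_markers": compromise_hits(paths),
            "media_by_origin": dict(origins)}

# Constructed listing standing in for a forensic extraction.
SAMPLE_LISTING = [
    "/system/bin/sh",
    "/system/bin/surfaceflinger",
    "/sdcard/Android/data/org.telegram.messenger/cache/a1.jpg",
    "/sdcard/Android/data/org.telegram.messenger/cache/a2.jpg",
    "/sdcard/Android/data/org.telegram.messenger/cache/a3.mp4",
    "/sdcard/Pictures/Telegram/IMG_0001.jpg",
    "/sdcard/Download/report.pdf",
    "/data/data/com.example.app/files/logo.png",
]
if __name__ == "__main__":
    print(triage(SAMPLE_LISTING))
```

An empty marker list here only shows that these particular artefacts are absent from the listing; the cache versus user-saved split is what separates automatic downloads from files someone chose to keep.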

The Courtroom: The Final Showdown

The trial happened in late 2025.

  • The Prosecution: Showed the jury the evidence: "No hacker tools found. The app automatically downloaded the files because he joined the group. He intended to join the group."
  • The Defense: The suspect tried a new story: "I was drunk, and my friends used my phone!"
  • The Twist: The prosecutor pointed out that the suspect had been asking for these images before he claimed to be drunk. The story kept changing, which is a bad sign.
  • The Jury's Question: The jury asked, "If the phone downloaded them automatically, does that mean he is guilty?"
  • The Judge's Answer: "You need to be sure he intended to be part of the group where these images were shared. If he joined the group on purpose, he is responsible for what the group shared."

The Result: The jury decided he was guilty on all counts. The "Hacker" excuse failed.

Why This Paper Matters

This paper is important because it teaches digital detectives a new way to think.

  • Old Way: Just use a robot tool to scan the phone and say, "Here are the files."
  • New Way (The Lesson): Think like a detective first. Ask: "Does the story make sense?" "Are there holes in the logic?" "Could a tool have made a mistake?"

The author also mentions another case where a robot tool did make a mistake, blaming a man for creating chat groups he didn't create. By using the "Three-Step Detective" method, they proved the tool was wrong and saved the man from a harsher sentence.

The Big Takeaway

When someone says, "A hacker did it," you can't just take their word for it. You have to:

  1. Check if the story makes logical sense.
  2. Look for the physical (or digital) evidence of a break-in.
  3. Find the real reason the data is there (like an automatic download).

This case shows that with the right mix of logic and science, we can tell the difference between a real victim and someone trying to pull a fast one.