
R v F (2025): Addressing the Defence of Hacking

Junade Ali

TL;DR

The paper addresses the lack of empirical guidance on handling the SODDI hacking defence in computer-crime prosecutions by presenting R v F as the first case study where a police digital-forensics investigator and an expert collaboratively test the defence. It outlines a staged approach: theoretical assessment of potential compromises, IOC-based forensic analysis, and a timeline-driven reconstruction to determine likely causes. The study finds no evidence of hacking; most CSAM evidence arose from Telegram’s automatic downloads, not intrusions, leading to a conviction. This work offers practical, ethically mindful methodologies for digital forensics in similar cases and highlights the need for more real-world case reporting to improve forensic readiness in courts.

Abstract

The defence of hacking (sometimes referred to as the "Trojan Horse Defence" or the "SODDI Defence", Some Other Dude Did It Defence) is prevalent in computer cases and a challenge for those working in the criminal justice system. Historical reviews of cases have demonstrated the defence operating to varying levels of success. However, there remains an absence in academic literature of case studies of how digital forensics investigators can address this defence, to assist courts in acquitting the innocent and convicting the guilty. This case study follows the case of R v F where a defendant asserted this defence and the author worked alongside a police investigator to investigate the merits of the defence and bring empirical evidence before the jury. As the first case study of its kind, it presents practical lessons and techniques for digital forensic investigators.

Paper Structure

This paper contains 10 sections.