R v F (2025): Addressing the Defence of Hacking

Junade Ali

arxiv: 2510.03764 · v2 · submitted 2025-10-04 · 💻 cs.CY

R v F (2025): Addressing the Defence of Hacking

Junade Ali This is my paper

Pith reviewed 2026-05-18 10:53 UTC · model grok-4.3

classification 💻 cs.CY

keywords digital forensicsdefence of hackingTrojan horse defenceSODDI defencecomputer crimeforensic investigationcriminal casesevidence presentation

0 comments

The pith

Digital forensics can counter hacking defences by presenting empirical evidence to juries.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

This paper is a case study of the criminal case R v F, in which the defendant claimed that a hacker had used their computer to commit the offence. The author worked with a police investigator to examine the digital evidence and assess whether the hacking defence had merit. They collected empirical data to present to the jury. If true, this shows a way for investigators to help courts reach better decisions in computer crime cases by distinguishing real hacking from false claims. It matters because the defence is common and can lead to wrong outcomes without proper investigation.

Core claim

In R v F the defendant asserted the defence of hacking, claiming someone else had accessed their device. By applying digital forensic techniques in collaboration with law enforcement, the author brought empirical evidence before the jury to address this claim, offering practical lessons for investigators facing similar defences.

What carries the argument

Empirical digital forensic analysis to evaluate the defence of hacking or Trojan horse defence in a specific criminal trial.

Load-bearing premise

The investigative approach and evidence presentation from this single case can be generalized to other instances of the defence of hacking.

What would settle it

If in subsequent cases using these techniques the hacking defence continues to succeed without the evidence being able to refute it effectively, that would falsify the usefulness of the presented methods.

read the original abstract

The defence of hacking (sometimes referred to as the "Trojan Horse Defence" or the "SODDI Defence", Some Other Dude Did It Defence) is prevalent in computer cases and a challenge for those working in the criminal justice system. Historical reviews of cases have demonstrated the defence operating to varying levels of success. However, there remains an absence in academic literature of case studies of how digital forensics investigators can address this defence, to assist courts in acquitting the innocent and convicting the guilty. This case study follows the case of R v F where a defendant asserted this defence and the author worked alongside a police investigator to investigate the merits of the defence and bring empirical evidence before the jury. As the first case study of its kind, it presents practical lessons and techniques for digital forensic investigators.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Desk Editor's Note private letter to a colleague

This is a plain case report from one UK trial where the author helped police build forensic evidence to counter a hacking defense claim.

read the letter

The core of the paper is a description of work on R v F, where the defendant claimed someone else had accessed their system. The author collaborated with investigators to examine logs, malware traces, and other digital evidence, then helped present that material to the jury. It is framed as the first academic case study on handling this particular defense in court, which fills a gap noted in the abstract since prior work has mostly been historical reviews rather than hands-on accounts from active cases. That practical angle is the main value: it walks through concrete steps like verifying access logs and ruling out remote intrusion in a real prosecution setting. For readers who deal with digital evidence in criminal matters, those details can serve as a reference point for similar situations. The limitation is straightforward. Everything rests on the facts of this single case, with no side-by-side comparison to other trials, no explicit boundary conditions, and no discussion of how the same methods might fail when logs are missing or the malware differs. The claim that these techniques offer transferable lessons therefore stays untested. Readers in digital forensics or criminal justice training programs would get the most out of it as an example rather than a validated method. It is not a theoretical or quantitative piece, so its strength is in the reported experience. I would send it for peer review in an applied forensics or law-and-technology venue, mainly to check whether the authors can add more on scope and limitations before wider circulation.

Referee Report

1 major / 1 minor

Summary. The manuscript presents a case study of the UK criminal prosecution R v F (2025), in which the defendant raised the defence of hacking (also termed the Trojan Horse or SODDI defence). The author collaborated with police investigators to examine the merits of this defence and to compile and present empirical digital-forensic evidence to the jury. The paper positions itself as the first such academic case study and claims to supply practical lessons and techniques that digital forensic investigators can use when confronting similar defences in other cases.

Significance. If the investigative steps and evidence-presentation methods described prove transferable, the work could address a documented gap in the literature on handling hacking defences in criminal proceedings. As a first-hand account of academic–law-enforcement collaboration that resulted in evidence being placed before a jury, it offers concrete, practitioner-oriented examples that may be useful to investigators. The single-case design, however, limits the strength of any claim to general applicability.

major comments (1)

[Abstract] Abstract: The central claim that the case study 'presents practical lessons and techniques for digital forensic investigators' to address the hacking defence presupposes that the methods employed in R v F are transferable. The manuscript supplies no comparative cases, no explicit boundary conditions, and no falsifiable criteria for when the same approach would succeed or fail in a different factual or jurisdictional setting, leaving the generalizability of the reported techniques untested.

minor comments (1)

The abstract and introduction could more explicitly separate the factual narrative of the single case from the derived lessons, to help readers assess which elements are case-specific and which are intended to be portable.

Simulated Author's Rebuttal

1 responses · 0 unresolved

We thank the referee for their constructive feedback on the scope and generalizability of our single-case study. We address the concern directly below and outline targeted revisions to clarify the manuscript's claims without overstating transferability.

read point-by-point responses

Referee: [Abstract] Abstract: The central claim that the case study 'presents practical lessons and techniques for digital forensic investigators' to address the hacking defence presupposes that the methods employed in R v F are transferable. The manuscript supplies no comparative cases, no explicit boundary conditions, and no falsifiable criteria for when the same approach would succeed or fail in a different factual or jurisdictional setting, leaving the generalizability of the reported techniques untested.

Authors: We acknowledge that the work is a single-case study and does not include comparative cases or formal falsifiable criteria for transferability, as no prior published academic case studies of this specific defence exist in the literature. The manuscript's contribution is the first detailed, practitioner-oriented account of investigative steps and evidence presentation that succeeded in placing empirical digital-forensic evidence before a jury in R v F. We do not claim the techniques are automatically transferable without adaptation; rather, they illustrate concrete methods that investigators may draw upon and modify for other contexts. To address the referee's point, we will revise the abstract to explicitly frame the lessons as derived from this specific UK prosecution and add a dedicated 'Limitations and Applicability' subsection. This subsection will outline boundary conditions observable from the case (e.g., reliance on particular categories of digital artefacts, the UK criminal procedure rules, and the nature of the hacking defence raised) and note that success in other jurisdictions or fact patterns would require case-specific validation. revision: partial

Circularity Check

0 steps flagged

No significant circularity: descriptive single-case report without derivations or fitted claims

full rationale

The manuscript is a descriptive case study of an external criminal prosecution (R v F) in which the author collaborated with police investigators to examine a hacking defence. It contains no equations, no parameter fitting, no predictions derived from models, and no load-bearing self-citations that reduce the central claim to prior work by the same authors. The contribution consists of practical lessons drawn from one specific investigation and presented as empirical observation; these observations are externally falsifiable against the court record and do not rely on any internal derivation chain that collapses to the paper's own inputs by construction. The single-case design raises separate questions of generalizability, but that is a limitation of scope rather than circularity.

Axiom & Free-Parameter Ledger

0 free parameters · 0 axioms · 0 invented entities

This is a descriptive legal case study with no mathematical models, free parameters, axioms, or postulated entities.

pith-pipeline@v0.9.0 · 5652 in / 995 out tokens · 31595 ms · 2026-05-18T10:53:27.781272+00:00 · methodology

discussion (0)

Lean theorems connected to this paper

Citations machine-checked in the Pith Canon. Every link opens the source theorem in the public Lean library.

IndisputableMonolith/Foundation/RealityFromDistinction.lean reality_from_one_distinction unclear

?

unclear
Relation between the paper passage and the cited Recognition theorem.

This case study follows the case of R v F where a defendant asserted this defence and the author worked alongside a police investigator to investigate the merits of the defence and bring empirical evidence before the jury.

What do these tags mean?

matches: The paper's claim is directly supported by a theorem in the formal canon.
supports: The theorem supports part of the paper's argument, but the paper may add assumptions or extra steps.
extends: The paper goes beyond the formal theorem; the theorem is a base layer rather than the whole result.
uses: The paper appears to rely on the theorem as machinery.
contradicts: The paper's claim conflicts with a theorem or certificate in the canon.
unclear: Pith found a possible connection, but the passage is too broad, indirect, or ambiguous to say the theorem truly supports the claim.