August 24, 2008

Trojanize yourself for deniability

I know this has been discussed a thousand times before (since 2003 at least!), but a recent assignment has made me think about it again. Let's presume you're on a forensic task, going through the suspect's computer. You end up finding the content you were looking for, but meanwhile you start the routine antivirus scan. Ding, you hit a well-known trojan.

It's password protected, and was obviously installed before the data you were looking for was downloaded.
You dig deeper and discover the trojan starts at boot and is exposed to the internet.

That's it: the suspect has not lowered their security level during normal operations - assuming the trojan itself is actually safe and the password was hard enough to guess - and you are left wondering who actually put that data in place. How can you tell it wasn't a remote aggressor controlling the suspect's computer?
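The timeline check behind that reasoning, as an added example that is not part of the original post: given what the examiner has established about the trojan (when its binary appeared, whether it autostarts, whether it listens on a port) and the creation times of the files of interest, it reports whether every file postdates a persistent, reachable backdoor, which is the condition the "someone else did it" explanation needs. The paths, timestamps and port number are invented sample data, and the check compares timestamps as found on disk, so it only says the alternative explanation is possible, never that it is true.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional


@dataclass(frozen=True)
class FileEvent:
    path: str
    created: datetime  # filesystem creation timestamp, as recovered from the image


@dataclass(frozen=True)
class Backdoor:
    """What the examiner has established about the trojan found by the AV scan."""
    binary: FileEvent
    autorun: bool                   # registered in a boot-time autostart location
    listening_port: Optional[int]   # None if it accepts no inbound connections
    password_protected: bool        # access to it requires a credential


def ts(s: str) -> datetime:
    """Parse an ISO-8601 timestamp; the sample data below is written in UTC."""
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)


# Constructed sample evidence: paths, times and port are invented for this example.
TROJAN = Backdoor(
    binary=FileEvent(r"C:\WINDOWS\system32\svchosts.exe", ts("2008-05-03T21:14:09")),
    autorun=True,
    listening_port=31337,
    password_protected=True,
)
EVIDENCE_FILES = [
    FileEvent(r"C:\Documents and Settings\user\Desktop\a.rar", ts("2008-06-20T02:31:55")),
    FileEvent(r"C:\Documents and Settings\user\Desktop\b.rar", ts("2008-07-02T03:05:17")),
]


def files_after(backdoor: Backdoor, files: List[FileEvent]) -> List[FileEvent]:
    """Files of interest whose creation postdates the backdoor's arrival on disk."""
    return [f for f in files if f.created > backdoor.binary.created]


def reachable_at_boot(backdoor: Backdoor) -> bool:
    """The backdoor restarts on boot and exposes a port, so a third party could have used it."""
    return backdoor.autorun and backdoor.listening_port is not None


def remote_actor_possible(backdoor: Backdoor, files: List[FileEvent]) -> bool:
    """True when the evidence is consistent with someone else placing every file via the backdoor.

    This is a necessary condition for the alternative explanation, not proof of it:
    timestamps can be altered, so corroborate against logs and other sources.
    """
    return reachable_at_boot(backdoor) and len(files_after(backdoor, files)) == len(files)


def summarize(backdoor: Backdoor, files: List[FileEvent]) -> dict:
    """Collect the ordering facts an examiner would put in the report."""
    later = files_after(backdoor, files)
    return {
        "backdoor_installed": backdoor.binary.created.isoformat(),
        "backdoor_password_protected": backdoor.password_protected,
        "files_after_install": [f.path for f in later],
        "files_before_install": [f.path for f in files if f not in later],
        "reachable_at_boot": reachable_at_boot(backdoor),
        "remote_actor_possible": remote_actor_possible(backdoor, files),
    }


if __name__ == "__main__":
    for key, value in summarize(TROJAN, EVIDENCE_FILES).items():
        print(f"{key}: {value}")
```

A single file of interest created before the trojan arrived is enough to flip the result to False, which is the first thing worth checking before accepting the remote-actor story.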

Sure, you can try to retrieve more data to uncover the truth, but carefully leveraging this trivial issue (think of actually sending it encrypted commands from time to time from a different account, to confuse even a complete wiretap of the line) is enough to obtain plausible deniability.

It seems too easy: I'll keep thinking about that, but any idea is really