As the use of Trojan programs by hackers becomes more widespread, the Trojan Defense is likely to be raised in an increasing number of legal cases. Trojans therefore present a challenge to law enforcement agencies (LEAs). This paper examines the digital forensic report of a Trojan Defense from a ticket scalping case in Taiwan and proposes the identify/perform/understand (IPU) model for exploring and analyzing evidence-relevant data. The IPU model structures a digital evidence review in three stages: identify temporal data to build the sequence of events (when), perform functional testing to gain insights (how), and understand relational reconstructions to clarify the actions (who, what, where). The model can help the judge in a Trojan Defense case weigh the value of digital evidence more systematically. Temporal, functional, and relational analysis was used to reconstruct the events in the ticket scalping case. This research can efficiently assist law enforcement officials in dealing with the increasingly common Trojan Defense.
As hackers increasingly use Trojan programs to intrude into computer networks, the Trojan Defense has become a difficult issue in information security incidents and legal cases, and it confronts law enforcement agencies with a severe challenge. The case presented in this paper raises the Trojan Defense issue: the defense argues that an unknown hacker implanted a Trojan program and then removed the relevant evidence, and it repeatedly requests additional expert witnesses to re-examine the quality of the forensic report produced by the Criminal Investigation Bureau. This paper proposes the Identify/Perform/Understand model for analyzing digital evidence, as a basis on which a court or expert witness can evaluate the digital evidence in a Trojan Defense case. It sets out a three-stage procedure of identifying the temporal sequence, testing functionality, and clarifying relationships, with the aim of reconstructing the original events and helping judges weigh the admissibility and probative value of digital evidence systematically. The model can effectively assist law enforcement officers in handling the growing number of Trojan Defense cases.