This article is more than 1 year old

Was Julie Amero wrongly convicted?

Mouse-trapped

The problem with computer forensics

Detective Lounsbury explained later in an online article his process and thinking for the collection of forensic evidence in the Amero case. He stated:

Physical evidence and electronic evidence is collected...This evidence includes internet history, content, and registry data, including "typed URLs". It's these "typed URLs," gleaned from the registry, which are identified - not pop ups.

'Typed URLs?' Was ist das?

As far as I am aware, there is no search tool apart from either a keylogger or a remote screen capture tool that will be able to forensically and conclusively search for "typed URLs". The registry, history, and log files can show what URLs (websites) were visited, and precisely what time (based upon the system time which can be altered), and in what order. I don't know how this can show that the URL was "typed" as opposed to "clicked through" or "popped-up". In and of itself.

Now there is a "TypedURL" Registry field for Internet Explorer, HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TypedURLs. This is what is used, for example, when the auto-complete feature starts to fill in a URL you have already been to. This Registry entry records these URLs after the browser is properly closed. And, of course even this is affected by adware, bots, and Trojans. So examining the "typed URLs" doesn't really tell you that those URLs were actually typed – particularly where there is adware. In addition, the Registry entry only includes the last several "typed URLs" – each new one adding itself to the queue. Since Julie was surfing the rest of the day, it's not clear what forensic value this would have – although it was a good starting point.

Many of the sites Amero visited that morning were obscure – porn sites masquerading as legitimate sites for hair-styles. It makes little sense that Amero would have "typed" a hair styling site intending to find porn. In fact, for example, one of the URLs in the cache was http://pagead2.googlesyndication.com - does the government really contend that the substitute teacher typed in that URL? Indeed, in press reports, the government expert and the prosecutor went back and forth, alternatively asserting that their evidence showed that she deliberately went to porn sites because she "typed" the URLs of these sites, and somewhat contradictorily asserting that the evidence of intent was that she "clicked on"; links to these sites – which generally would not have shown up in the "typed URL" registry.

As Dr Neal Krawetz of Hacker Factor has pointed out, a thorough forensic examination might be able to exclude the possibility that a particular URL was typed, but could not demonstrate conclusively that it was, in fact, typed. He points out that you would want to examine the hard drive to determine whether there was spyware or adware on the computer that was either capable of, or actually designed to generate the web requests. You would want to know when the spyware was added to the computer, using timestamps and sector locations, and determine whether these times coincide with the times that the substitute teacher used the computer. You would look at the URLs that were accessed at the time the time the spyware was loaded. If, for example there is a short delay between the times that each website is loaded (and the .jpg files on that website downloaded) this is a strong indication of a pop-up ad. People can only type so fast. The regularity of the opening of the URL (every three seconds, every five seconds, etc.) would indicate a likely pop-up. Were websites opened instantaneously with the closing of other websites, as Ms. Amero testified happened when she tried to shut down or close the pop-ups? There are lots of other ways you could exclude human intervention (well, I suppose pop ups are human intervention, but you know what I mean).

As a matter of fact, it has been reported that the CEO of the maker of the forensic software that Lounsbury used stated that, while the software can find all sorts of files and images, including deleted images or images in unallocated disk space, by keyword or by filetype, [it] does not determine the cause of those files being on the computer (whether caused by malware, intrusion, or direct and willful use), and that it is not the function of [the software] to make that determination." Nevertheless, both the detective and the prosecutor were unequivocal that the forensic evidence demonstrated beyond a reasonable doubt that the substitute teacher deliberately typed in the porn sites.

Detective Lounsbury went further, though. He reportedly also said that he can differentiate between what is and what is not a pop-up based on the source codes [sic]. What source codes? The source code of the websites that were visited? Did Lounsbury really access the servers that held the HTML for these hairstyle sites and forensically examine their source code, but somehow forget to look for spyware on the machine he was given? Indeed, he himself indicated that it is the normal practice to use:

Additional tools which search for specific viruses, trojans, and worms by their unique hashes can be brought into play to search for the known bad code.

Once evidence is located, police take note of the date and time it was created, modified, and last accessed. When the evidence (malware, .jpg, web page) was created is the "when" in "who, what, when, where, how and why." So, if malware was created at the same time the web pages and images were created, was the malware spawned by the "typed URL", by its content (i.e. Web Attacker kit), or mouse napping (click-throughs)? If there's no malware created prior to a web page with questionable content how do you end up at said web page?

Of course, Detective Lounsbury forgets the fact that, with sophisticated enough tools, and sufficient access, malware can be wiped from the system, system dates altered, and that even a simple rebooting or accessing of files can change their forensic value. It's understandable, though, considering the fact that he had very little substantive computer forensics training. He continued:

I ask this rhetorical question: Where does objectionable material come from - a site like Disney.com or the pornographic dot coms? Where do abusive JavaScript and Web Attacker kits reside? What about zero-day Internet Explorer Exploits such as the one discussed at this site on techfeed.net: 'A security hole in IE was recently confirmed by Microsoft. Now exploits that install tons of adware have been spotted on Porn sites. This exploit is reportedly easy to duplicate, and experts expect the problem to spread quickly to other shady sites across the Internet.'

The detective seems to be suggesting that the only way to get pornographic malware (that is, malware that loads pornographic websites) is to go to a pornographic website. While it is true that many pornographic websites do engage in "mouse-trapping" pop-ups, spyware, adware, or even fat-finger typing can send you into an infinite loop of pornography. So can hijacked websites, like the website of the NFL's Super Bowl Dolphin Stadium which, once visited, installed a nifty key-logger onto your computer. Malware can come from many sources – including the AOL mail that Julie Amero went to. Indeed, as the recent settlement with the Federal Trade Commission indicates, you can even get malware or a rootkit by simply playing a music CD.

More about

TIP US OFF

Send us news


Other stories you might like