Was Julie Amero wrongly convicted?



The problem with computer forensics

Detective Lounsbury explained later in an online article his process and thinking for the collection of forensic evidence in the Amero case. He stated:

Physical evidence and electronic evidence is collected...This evidence includes internet history, content, and registry data, including "typed URLs". It's these "typed URLs," gleaned from the registry, which are identified - not pop ups.

'Typed URLs?' What is that?

As far as I am aware, there is no search tool apart from either a keylogger or a remote screen capture tool that will be able to forensically and conclusively search for "typed URLs". The registry, history, and log files can show what URLs (websites) were visited, precisely what time (based upon the system time, which can be altered), and in what order. I don't know how this, in and of itself, can show that the URL was "typed" as opposed to "clicked through" or "popped-up".

Now there is a "TypedURLs" Registry key for Internet Explorer, HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TypedURLs. This is what is used, for example, when the auto-complete feature starts to fill in a URL you have already been to. This Registry entry records these URLs after the browser is properly closed. And, of course, even this is affected by adware, bots, and Trojans. So examining the "typed URLs" doesn't really tell you that those URLs were actually typed – particularly where there is adware. In addition, the Registry entry only includes the last several "typed URLs" – each new one adding itself to the queue and pushing the oldest out. Since Julie was surfing the rest of the day, it's not clear what forensic value this would have – although it was a good starting point.

Many of the sites Amero visited that morning were obscure – porn sites masquerading as legitimate sites for hair-styles. It makes little sense that Amero would have "typed" a hair styling site intending to find porn. In fact, for example, one of the URLs in the cache was http://pagead2.googlesyndication.com - does the government really contend that the substitute teacher typed in that URL? Indeed, in press reports, the government expert and the prosecutor went back and forth, alternately asserting that their evidence showed that she deliberately went to porn sites because she "typed" the URLs of these sites, and somewhat contradictorily asserting that the evidence of intent was that she "clicked on" links to these sites – which generally would not have shown up in the "typed URL" registry.

As Dr Neal Krawetz of Hacker Factor has pointed out, a thorough forensic examination might be able to exclude the possibility that a particular URL was typed, but could not demonstrate conclusively that it was, in fact, typed. He points out that you would want to examine the hard drive to determine whether there was spyware or adware on the computer that was either capable of, or actually designed to, generate the web requests. You would want to know when the spyware was added to the computer, using timestamps and sector locations, and determine whether these times coincide with the times that the substitute teacher used the computer. You would look at the URLs that were accessed at the time the spyware was loaded. If, for example, there is a short delay between the times that each website is loaded (and the .jpg files on that website downloaded), this is a strong indication of a pop-up ad. People can only type so fast. The regularity of the opening of the URLs (every three seconds, every five seconds, etc.) would indicate a likely pop-up. Were websites opened instantaneously with the closing of other websites, as Ms. Amero testified happened when she tried to shut down or close the pop-ups? There are lots of other ways you could exclude human intervention (well, I suppose pop-ups are human intervention, but you know what I mean).
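The timing analysis described above, as an added illustration that is not part of the original article: given a browser-history timeline, it groups consecutive page requests that arrive faster than a person could type a URL and checks whether their spacing is regular, the signature of a timer-driven pop-up loop. The history entries, the 5-second "too fast to type" threshold and the 0.5-second jitter limit are constructed assumptions, not data from the Amero case.

```python
from datetime import datetime
from statistics import pstdev

# Constructed sample of a browser-history timeline (not data from the Amero case).
# Each entry is (timestamp, URL) in the order the pages were requested.
SAMPLE_HISTORY = [
    ("2004-10-19 08:14:02", "http://mail.aol.com/"),
    ("2004-10-19 08:15:40", "http://hair-styles.example/"),
    ("2004-10-19 08:15:43", "http://ad1.example/popup"),
    ("2004-10-19 08:15:46", "http://ad2.example/popup"),
    ("2004-10-19 08:15:49", "http://ad3.example/popup"),
    ("2004-10-19 08:15:52", "http://ad4.example/popup"),
    ("2004-10-19 08:21:10", "http://news.example/"),
    ("2004-10-19 08:22:30", "http://news.example/sports"),
]

SHORT_GAP_SECONDS = 5.0   # assumption: a new site this soon after the last is faster than typing
MAX_JITTER_SECONDS = 0.5  # assumption: near-constant spacing points at a timer-driven script
MIN_RUN = 3               # need at least three visits (two gaps) before calling it a pattern


def _parse(history):
    return [(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), url) for ts, url in history]


def _flush(run, out):
    """Record a run of rapid visits if it is long enough to be meaningful."""
    if len(run) < MIN_RUN:
        return
    gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(run, run[1:])]
    out.append({
        "urls": [url for _, url in run],   # first URL is the page that preceded the burst
        "gaps": gaps,                      # seconds between successive requests
        "regular": pstdev(gaps) <= MAX_JITTER_SECONDS,  # evenly spaced => likely automated
    })


def find_automated_runs(history):
    """Return runs of visits spaced too quickly, and too evenly, for a person typing URLs."""
    events = _parse(history)
    runs, current = [], [events[0]]
    for prev, cur in zip(events, events[1:]):
        if (cur[0] - prev[0]).total_seconds() <= SHORT_GAP_SECONDS:
            current.append(cur)          # still inside a rapid burst
        else:
            _flush(current, runs)        # burst ended; keep it if it was long enough
            current = [cur]
    _flush(current, runs)
    return runs
```

A run's first URL is the page a person may genuinely have requested; only the requests that follow it at machine speed are what the timing argues against attributing to the user.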

As a matter of fact, it has been reported that the CEO of the maker of the forensic software that Lounsbury used stated that, while the software can find all sorts of files and images, including deleted images or images in unallocated disk space, by keyword or by filetype, "[it] does not determine the cause of those files being on the computer (whether caused by malware, intrusion, or direct and willful use)", and that "it is not the function of [the software] to make that determination." Nevertheless, both the detective and the prosecutor were unequivocal that the forensic evidence demonstrated beyond a reasonable doubt that the substitute teacher deliberately typed in the porn sites.

Detective Lounsbury went further, though. He reportedly also said that he can differentiate between what is and what is not a pop-up based on the source codes [sic]. What source codes? The source code of the websites that were visited? Did Lounsbury really access the servers that held the HTML for these hairstyle sites and forensically examine their source code, but somehow forget to look for spyware on the machine he was given? Indeed, he himself indicated that it is the normal practice to use:

Additional tools which search for specific viruses, trojans, and worms by their unique hashes can be brought into play to search for the known bad code.

Once evidence is located, police take note of the date and time it was created, modified, and last accessed. When the evidence (malware, .jpg, web page) was created is the "when" in "who, what, when, where, how and why." So, if malware was created at the same time the web pages and images were created, was the malware spawned by the "typed URL", by its content (i.e. Web Attacker kit), or mouse napping (click-throughs)? If there's no malware created prior to a web page with questionable content how do you end up at said web page?

Of course, Detective Lounsbury forgets the fact that, with sophisticated enough tools, and sufficient access, malware can be wiped from the system, system dates altered, and that even a simple rebooting or accessing of files can change their forensic value. It's understandable, though, considering the fact that he had very little substantive computer forensics training. He continued:

I ask this rhetorical question: Where does objectionable material come from - a site like Disney.com or the pornographic dot coms? Where do abusive JavaScript and Web Attacker kits reside? What about zero-day Internet Explorer Exploits such as the one discussed at this site on techfeed.net: 'A security hole in IE was recently confirmed by Microsoft. Now exploits that install tons of adware have been spotted on Porn sites. This exploit is reportedly easy to duplicate, and experts expect the problem to spread quickly to other shady sites across the Internet.'

The detective seems to be suggesting that the only way to get pornographic malware (that is, malware that loads pornographic websites) is to go to a pornographic website. While it is true that many pornographic websites do engage in "mouse-trapping" pop-ups, spyware, adware, or even fat-finger typing can send you into an infinite loop of pornography. So can hijacked websites, like the website of the NFL's Super Bowl Dolphin Stadium which, once visited, installed a nifty key-logger onto your computer. Malware can come from many sources – including the AOL mail that Julie Amero went to. Indeed, as the recent settlement with the Federal Trade Commission indicates, you can even get malware or a rootkit by simply playing a music CD.
