Was Julie Amero wrongly convicted?


The essential guide to IT transformation

The problem with computer forensics

Detective Lounsbury explained later in an online article his process and thinking for the collection of forensic evidence in the Amero case. He stated:

Physical evidence and electronic evidence is collected...This evidence includes internet history, content, and registry data, including "typed URLs". It's these "typed URLs," gleaned from the registry, which are identified - not pop ups.

'Typed URLs?' Was ist das?

As far as I am aware, there is no search tool apart from either a keylogger or a remote screen capture tool that will be able to forensically and conclusively search for "typed URLs". The registry, history, and log files can show what URLs (websites) were visited, and precisely what time (based upon the system time which can be altered), and in what order. I don't know how this can show that the URL was "typed" as opposed to "clicked through" or "popped-up". In and of itself.

Now there is a "TypedURL" Registry field for Internet Explorer, HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TypedURLs. This is what is used, for example, when the auto-complete feature starts to fill in a URL you have already been to. This Registry entry records these URLs after the browser is properly closed. And, of course even this is affected by adware, bots, and Trojans. So examining the "typed URLs" doesn't really tell you that those URLs were actually typed – particularly where there is adware. In addition, the Registry entry only includes the last several "typed URLs" – each new one adding itself to the queue. Since Julie was surfing the rest of the day, it's not clear what forensic value this would have – although it was a good starting point.

Many of the sites Amero visited that morning were obscure – porn sites masquerading as legitimate sites for hair-styles. It makes little sense that Amero would have "typed" a hair styling site intending to find porn. In fact, for example, one of the URLs in the cache was http://pagead2.googlesyndication.com - does the government really contend that the substitute teacher typed in that URL? Indeed, in press reports, the government expert and the prosecutor went back and forth, alternatively asserting that their evidence showed that she deliberately went to porn sites because she "typed" the URLs of these sites, and somewhat contradictorily asserting that the evidence of intent was that she "clicked on"; links to these sites – which generally would not have shown up in the "typed URL" registry.

As Dr Neal Krawetz of Hacker Factor has pointed out, a thorough forensic examination might be able to exclude the possibility that a particular URL was typed, but could not demonstrate conclusively that it was, in fact, typed. He points out that you would want to examine the hard drive to determine whether there was spyware or adware on the computer that was either capable of, or actually designed to generate the web requests. You would want to know when the spyware was added to the computer, using timestamps and sector locations, and determine whether these times coincide with the times that the substitute teacher used the computer. You would look at the URLs that were accessed at the time the time the spyware was loaded. If, for example there is a short delay between the times that each website is loaded (and the .jpg files on that website downloaded) this is a strong indication of a pop-up ad. People can only type so fast. The regularity of the opening of the URL (every three seconds, every five seconds, etc.) would indicate a likely pop-up. Were websites opened instantaneously with the closing of other websites, as Ms. Amero testified happened when she tried to shut down or close the pop-ups? There are lots of other ways you could exclude human intervention (well, I suppose pop ups are human intervention, but you know what I mean).

As a matter of fact, it has been reported that the CEO of the maker of the forensic software that Lounsbury used stated that, while the software can find all sorts of files and images, including deleted images or images in unallocated disk space, by keyword or by filetype, [it] does not determine the cause of those files being on the computer (whether caused by malware, intrusion, or direct and willful use), and that it is not the function of [the software] to make that determination." Nevertheless, both the detective and the prosecutor were unequivocal that the forensic evidence demonstrated beyond a reasonable doubt that the substitute teacher deliberately typed in the porn sites.

Detective Lounsbury went further, though. He reportedly also said that he can differentiate between what is and what is not a pop-up based on the source codes [sic]. What source codes? The source code of the websites that were visited? Did Lounsbury really access the servers that held the HTML for these hairstyle sites and forensically examine their source code, but somehow forget to look for spyware on the machine he was given? Indeed, he himself indicated that it is the normal practice to use:

Additional tools which search for specific viruses, trojans, and worms by their unique hashes can be brought into play to search for the known bad code.

Once evidence is located, police take note of the date and time it was created, modified, and last accessed. When the evidence (malware, .jpg, web page) was created is the "when" in "who, what, when, where, how and why." So, if malware was created at the same time the web pages and images were created, was the malware spawned by the "typed URL", by its content (i.e. Web Attacker kit), or mouse napping (click-throughs)? If there's no malware created prior to a web page with questionable content how do you end up at said web page?

Of course, Detective Lounsbury forgets the fact that, with sophisticated enough tools, and sufficient access, malware can be wiped from the system, system dates altered, and that even a simple rebooting or accessing of files can change their forensic value. It's understandable, though, considering the fact that he had very little substantive computer forensics training. He continued:

I ask this rhetorical question: Where does objectionable material come from - a site like Disney.com or the pornographic dot coms? Where do abusive JavaScript and Web Attacker kits reside? What about zero-day Internet Explorer Exploits such as the one discussed at this site on techfeed.net: 'A security hole in IE was recently confirmed by Microsoft. Now exploits that install tons of adware have been spotted on Porn sites. This exploit is reportedly easy to duplicate, and experts expect the problem to spread quickly to other shady sites across the Internet.'

The detective seems to be suggesting that the only way to get pornographic malware (that is, malware that loads pornographic websites) is to go to a pornographic website. While it is true that many pornographic websites do engage in "mouse-trapping" pop-ups, spyware, adware, or even fat-finger typing can send you into an infinite loop of pornography. So can hijacked websites, like the website of the NFL's Super Bowl Dolphin Stadium which, once visited, installed a nifty key-logger onto your computer. Malware can come from many sources – including the AOL mail that Julie Amero went to. Indeed, as the recent settlement with the Federal Trade Commission indicates, you can even get malware or a rootkit by simply playing a music CD.

Secure remote control for conventional and virtual desktops

More from The Register

next story
'Stop dissing Google or quit': OK, I quit, says Code Club co-founder
And now a message from our sponsors: 'STFU or else'
Ex US cybersecurity czar guilty in child sex abuse website case
Health and Human Services IT security chief headed online to share vile images
Don't even THINK about copyright violation, says Indian state
Pre-emptive arrest for pirates in Karnataka
The police are WRONG: Watching YouTube videos is NOT illegal
And our man Corfield is pretty bloody cross about it
Felony charges? Harsh! Alleged Anon hackers plead guilty to misdemeanours
US judge questions harsh sentence sought by prosecutors
Oz biz regulator discovers shared servers in EPIC FACEPALM
'Not aware' that one IP can hold more than one Website
Apple tried to get a ban on Galaxy, judge said: NO, NO, NO
Judge Koh refuses Samsung ban for the third time
prev story


Top 10 endpoint backup mistakes
Avoid the ten endpoint backup mistakes to ensure that your critical corporate data is protected and end user productivity is improved.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Backing up distributed data
Eliminating the redundant use of bandwidth and storage capacity and application consolidation in the modern data center.
The essential guide to IT transformation
ServiceNow discusses three IT transformations that can help CIOs automate IT services to transform IT and the enterprise
Next gen security for virtualised datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.