
Was Julie Amero wrongly convicted?

Mouse-trapped

A bumbled forensic defense?

The PC in the classroom – like many school computers – was running Windows 98 and the browser was Internet Explorer 5. There was no evidence that either browser or OS had been, in any significant degree, updated, and neither the PC nor the network itself apparently had any kind of firewall. Win 98 is no longer even patchable and is not supported by its creator. None of this is unusual. Finally, the PC was reportedly riddled with spyware, much of which predated Julie Amero's use of the computer.

A defense forensic expert prepared a report containing the following chronology of events, based upon his forensic examination.

On October 19, 2004, around 8:00 A.M., Mr Napp, the class' regular teacher logged on to the PC because Julie Amero being a substitute teacher did not have her own id and password. It makes sense that Mr Napp told Julie not to logoff or shut the computer off, for if she did she and the students would not have access to the computer. The initial user continued use of the PC and accessed Tickle.com, cookie.monster.com, addynamics.com, and adrevolver.com all between 8:06:14 - 8:08:03 AM. During the next few moments Julie retrieved her email through AOL.

Amazingly, despite having two laptops filled with forensic evidence, the defense expert, for reasons discussed below, reportedly was only able to present two PowerPoint slides in Amero's defense. Not noted in the forensic examiner's report is the fact that those sites are all strongly linked to adware and automated popups. Of course, addynamics.com and adrevolver.com are adware sites, and despite the forensic examiner's conclusion that "the initial user...accessed" these sites, a more accurate assessment would be that these sites were accessed while the initial user was logged in – consistent with adware with pornographic pop-ups. For example, Ad Dynamics is a Canadian company that advertises that it will "Manage, deliver and track banner [sic] of any size, pop-ups, text ads and many different types of rich media ads". Similarly, they are listed as known domains for spyware and popup adware. The forensic report continues:

http://www.hair-styles.org was accessed at 8:14:24 A.M., based upon the hair style images uploaded to the PC we were led to believe that there were students using the computer to search out hair styles. The user went to http://www.crayola.com at 8:35:27 A.M. The user continued accessing the original hair site and was directed to http://new-hair-styles.com. This site had pornographic links, pop-ups were then initiated by http://pagead2.googlesyndication.com. There were additional pop-ups by realmedia.com, cnentrport.net, and by 9:20:00 A.M., several java, aspx's and html scripts were uploaded. A click on the curlyhairstyles.htm icon on the http://www.new-hair-styles.com site led to the execution of the curlyhairstyle script along with others that contained pornographic links and pop-ups. Once the aforementioned started, it would be very difficult even for an experienced user to extricate themselves from this situation of porn pop-ups and loops.

All of the jpgs that we looked at in the internet cache folders were of the 5, 6 and 15 kB size, very small images indeed. Normally, when a person goes to a pornographic website they are interested in the larger pictures of greater resolution and those jpgs would be at least 35kB and larger. We found no evidence of where this kind of surfing was exercised on October 19, 2004.

Now you probably don't want to retrace the clicks of the seventh grade class noted in the forensic report – well, not unless you want a bit of porn yourself. Even a cursory review of these sites three years later shows that these are not hair design sites, they are fronts for porn or penis-enlargement sites in Russia and the Ukraine. Looking behind the site itself, the style sheet for these sites is named "images/sex_style.css" and the background image lives at "http://sex.sweetmeet.ru/". If you scroll down the page far enough, you get to a penis enlargement ad that is a fixed component of the page. The ">>>" images beside the links on the left of the page link to "sweetmeat.ru", the porn site that Amero was convicted of visiting. And guess what else? There is a JavaScript function on the page declared as "function popUP(url,h,w,resizable,scrollbars)" – to open pop-ups.

Oh, and many of the hairstyle pictures are of women wearing little or no clothing (long hair covers their chest). All this, coupled with the fact that the seventh grade girls were apparently looking for information about hair styles which might be of interest to 12-year-old girls, and not so much for 40-year-old women, one can reasonably ask what is a more reasonable explanation for the pornographic pop-ups – a 12-year-old surfing for hair styles, or a 40-year-old faculty member surfing porn from a borrowed account in the presence of 29 curious pre-teens, hoping none of them would notice?

So let's get this straight. The machine's internet history showed that a previous user had been accessing the kind of sites likely to plant pornographic malware, such as dubious dating sites. The forensic examination also showed a host of adware and spyware on the machine, much of which had been in place and operating well before the porn incident - including one designed to hijack and redirect the browser. And on this evidence, she was convicted?
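
The distinction drawn above, between sites "the initial user accessed" and sites that merely loaded while that user was logged in, can be applied mechanically when triaging a browser history. The following is an added example, not part of the original article or the forensic report: the ad-host list and the 8:06:14, 8:08:03, 8:14:24, 8:35:27 and 9:20:00 times come from the article, while the remaining per-entry times, the URL paths, the `example.invalid` host and the 5-second burst threshold are assumptions. A "candidate-user" label only means the entry is not excluded by these two checks.

```python
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Ad-serving hosts named in the article; a real examination would use a fuller, dated list.
AD_HOSTS = {"addynamics.com", "adrevolver.com",
            "pagead2.googlesyndication.com", "realmedia.com"}
BURST = timedelta(seconds=5)  # assumed: gaps this short are unlikely to be manual clicks

# Constructed history records (time, URL). Hosts follow the article;
# paths and the times not quoted in the article are invented for illustration.
HISTORY = [
    ("08:06:14", "http://tickle.com/"),
    ("08:06:16", "http://addynamics.com/ad.js"),
    ("08:08:03", "http://adrevolver.com/banner"),
    ("08:14:24", "http://www.hair-styles.org/"),
    ("08:35:27", "http://www.crayola.com/"),
    ("09:19:58", "http://new-hair-styles.com/curlyhairstyles.htm"),
    ("09:20:00", "http://pagead2.googlesyndication.com/pagead/show"),
    ("09:20:01", "http://example.invalid/popup1.html"),
]

def host_of(url):
    """Return the lower-cased hostname of a URL, or '' if it has none."""
    return (urlparse(url).hostname or "").lower()

def is_ad_host(host):
    """True if host is a listed ad host or a subdomain of one."""
    return any(host == h or host.endswith("." + h) for h in AD_HOSTS)

def classify(history):
    """Label each entry 'ad-host', 'burst' (within BURST of the previous
    entry), or 'candidate-user' (not excluded by either check)."""
    out, prev = [], None
    for ts, url in history:
        t = datetime.strptime(ts, "%H:%M:%S")
        host = host_of(url)
        if is_ad_host(host):
            label = "ad-host"
        elif prev is not None and t - prev <= BURST:
            label = "burst"
        else:
            label = "candidate-user"
        out.append((ts, host, label))
        prev = t
    return out

if __name__ == "__main__":
    for row in classify(HISTORY):
        print(*row, sep="  ")
```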
