Mouse-Trapped
Mark Rasch, 2007-02-12

Story continued from Page 2

Even the Connecticut model jury instructions simply say that you are guilty of the crime if you “without legal right or justification” permit a person under sixteen “to be placed in a situation that . . . was likely to . . . impair his morals.” The jury was also told that "morals" means good morals: living, acting and thinking in accordance with those principles and precepts which are commonly accepted among us as right and decent. So Amero could be convicted even if she didn’t type any URLs or click on any porn sites – in fact, even if (and maybe specifically because) she never even touched the computer! Indeed, she could have been convicted even if there was no porn on any of these sites – all the law appears to have required was that the materials be “indecent” – a four-letter word would have supported a decade in the pokey. Perhaps it is the government’s theory that not yanking the plug placed the members of the seventh-grade class in a situation that was likely to impair their morals. If that was the case, then why present any forensic testimony? Talk about strict liability! Without individually interviewing each of the jurors, we have, quite frankly, no idea what the jury convicted her of. I love the law.

Whether or not the government thinks that Amero’s crime was not yanking the cord, they asserted in court and out of court that the forensic evidence conclusively demonstrated that she actually typed the URLs – deliberately went to porn sites. And this is clearly not the case, as we'll see with further analysis.

The problem with computer forensics

Detective Lounsbury explained later in an online article his process and thinking for the collection of forensic evidence in the Amero case. He stated:

"Physical evidence and electronic evidence is collected. . . . This evidence includes internet history, content, and registry data, including "typed URLs". It's these "typed URLs," gleaned from the registry, which are identified - not pop ups."

“Typed URLs?” Was ist das?

As far as I am aware, there is no search tool apart from either a keylogger or a remote screen capture tool that will be able to forensically and conclusively search for “typed URLs.” The registry, history, and log files can show what URLs (websites) were visited, precisely what time they were visited (based upon the system time, which can be altered), and in what order. I don’t know how this, in and of itself, can show that the URL was “typed” as opposed to “clicked through” or “popped-up.”

Now there is a "TypedURL" Registry field for Internet Explorer, HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TypedURLs. This is what is used, for example, when the auto-complete feature starts to fill in a URL you have already been to. This Registry entry records these URLs after the browser is properly closed. And, of course, even this is affected by adware, bots, and Trojans. So examining the “typed URLs” doesn’t really tell you that those URLs were actually typed – particularly where there is adware. In addition, the Registry entry only includes the last several “typed URLs” – each new one adding itself to the queue. Since Julie was surfing the rest of the day, it’s not clear what forensic value this would have – although it was a good starting point.

Many of the sites Amero visited that morning were obscure – porn sites masquerading as legitimate sites for hairstyles. It makes little sense that Amero would have “typed” a hair styling site intending to find porn. In fact, for example, one of the URLs in the cache was http://pagead2.googlesyndication.com - does the government really contend that the substitute teacher typed in that URL? Indeed, in press reports, the government expert and the prosecutor went back and forth, alternately asserting that their evidence showed that she deliberately went to porn sites because she “typed” the URLs of these sites, and somewhat contradictorily asserting that the evidence of intent was that she “clicked on” links to these sites – which generally would not have shown up in the “typed URL” registry.

As Dr. Neal Krawetz of Hacker Factor has pointed out, a thorough forensic examination might be able to exclude the possibility that a particular URL was “typed,” but could not demonstrate conclusively that it was, in fact, typed. He points out that you would want to examine the hard drive to determine whether there was spyware or adware on the computer that was either capable of, or actually designed to, generate the web requests. You would want to know when the spyware was added to the computer, using timestamps and sector locations, and determine whether these times coincide with the times that the substitute teacher used the computer. You would look at the URLs that were accessed at the time the spyware was loaded. If, for example, there is a short delay between the times that each website is loaded (and the .jpg files on that website downloaded), this is a strong indication of a pop-up ad. People can only type so fast. The regularity of the opening of the URLs (every 3 seconds, every 5 seconds, etc.) would indicate a likely pop-up. Were websites opened instantaneously with the closing of other websites, as Ms. Amero testified happened when she tried to shut down or close the pop-ups? There are lots of other ways you could exclude human intervention (well, I suppose pop-ups are human intervention, but you know what I mean).
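The timing heuristics described above, together with the earlier point that a TypedURLs entry does not prove a human typed it, can be scripted over an extracted browser-history timeline. This is an added example, not code from the column or from any forensic tool; the timeline, adware timestamp and TypedURLs values are constructed, and the "too fast to type" and regularity thresholds are assumptions.

```python
from datetime import datetime
from statistics import pstdev
# Constructed sample timeline (timestamp, URL) of the kind a forensic tool
# extracts from browser history; these are not records from the Amero case.
HISTORY = [
    ("2004-10-19 08:58:00", "http://www.hairstyle-search.test/"),
    ("2004-10-19 09:01:00", "http://new-hair-styles.test/index.htm"),
    ("2004-10-19 09:01:03", "http://ads.syndication.test/pagead"),
    ("2004-10-19 09:01:06", "http://popup-a.test/"),
    ("2004-10-19 09:01:09", "http://popup-b.test/"),
    ("2004-10-19 09:01:12", "http://popup-c.test/"),
]
# Constructed: file timestamp of the adware's first appearance on disk.
ADWARE_INSTALLED = "2004-10-19 08:30:00"
# Constructed TypedURLs values; IE keeps only the last 25 and writes them
# when it closes, and adware can populate them just as a person can.
TYPED_URLS = {"url1": "http://popup-a.test/",
              "url2": "http://www.hairstyle-search.test/"}
FMT = "%Y-%m-%d %H:%M:%S"

def gaps(history):
    """Seconds between each request and the one before it."""
    times = [datetime.strptime(ts, FMT) for ts, _ in history]
    return [(b - a).total_seconds() for a, b in zip(times, times[1:])]

def automated_runs(history, max_human_gap=5.0, max_jitter=1.0, min_len=3):
    """Runs of consecutive URLs a person is unlikely to have typed: every gap
    under max_human_gap seconds and nearly constant (timer-driven cascade).
    Both thresholds are assumed values, not figures from the case."""
    runs, start, g = [], 0, gaps(history)
    for i in range(len(g) + 1):
        if i < len(g) and g[i] <= max_human_gap:
            continue                       # still inside a fast run
        run_gaps = g[start:i]              # gaps within history[start:i+1]
        if len(run_gaps) >= min_len - 1 and pstdev(run_gaps) <= max_jitter:
            runs.append([url for _, url in history[start:i + 1]])
        start = i + 1
    return runs

def after_infection(history, installed):
    """URLs requested after the adware appeared; only these could be its doing.
    Everything here rests on the system clock, which can be wrong or altered."""
    t0 = datetime.strptime(installed, FMT)
    return [url for ts, url in history if datetime.strptime(ts, FMT) >= t0]

def not_excluded_as_typed(typed_urls, history):
    """TypedURLs entries the timing analysis does not rule out. Surviving this
    filter is not proof of typing; failing it is evidence against it."""
    automated = {u for run in automated_runs(history) for u in run}
    return [u for u in typed_urls.values() if u not in automated]
```

On the constructed timeline the five requests three seconds apart are flagged as a cascade, so the TypedURLs entry for popup-a is excluded while the first hairstyle site merely survives the filter, which is as far as the evidence can go.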

As a matter of fact, it has been reported that the CEO of the maker of the forensic software that Lounsbury used stated that, "while the software can find all sorts of files and images, including deleted images or images in unallocated disk space, by keyword or by filetype, [it] does not determine the cause of those files being on the computer (whether caused by malware, intrusion, or direct and willful use), and that it is not the function of [the software] to make that determination." Nevertheless, both the detective and the prosecutor were unequivocal that the forensic evidence demonstrated beyond a reasonable doubt that the substitute teacher deliberately “typed in” the porn sites.

Story continued on Page 4 



Mark D. Rasch is an attorney and technology expert in the areas of intellectual property protection, computer security, privacy and regulatory compliance. He formerly worked at the Department of Justice, where he was responsible for the prosecution of Robert Morris, the Cornell University graduate student responsible for the so-called Morris Worm and the investigations of the Hannover hackers featured in Clifford Stoll’s book, "The Cuckoo’s Egg."
Copyright 2010, SecurityFocus