, SecurityFocus 2007-06-19
A group of security professionals, legal experts and educators who helped former Connecticut substitute teacher Julie Amero overturn a conviction on charges of exposing her students to pornographic pop-up ads has formed a permanent organization that aims to educate the courts and legislators about technology, crime and digital forensics.
Taking the name of the person who brought them together, the members of the Julie Group intend to teach lawyers and end user about issues of technology and criminal law, lobby policy makers for fairness in criminal codes and regulations, and bring to light unfair prosecutions. The group will likely again offer their computer-security expertise to prosecutors and defense attorneys in future cases.
"Our helping Julie Amero was about two things: Getting Julie out of jail and making sure that something like this doesn't happen to other people," said Alexander Eckelberry, president of security firm Sunbelt Software. "We learned with Julie that giving people a voice makes a big difference."
On January 5, a six-person jury found Amero, a former substitute teacher at Kelly Middle School in Norwich, Connecticut, guilty of four counts of risk of injury to a minor, a Connecticut law that includes endangering a the morals of a minor. The charges stem from an incident on October 19, 2004, when Amero's classroom computer started displaying pornographic pop-up advertisements.
Prosecutors argued that the images appeared because Amero visited porn sites while in class, while the former teacher's defense attorney argued that spyware installed from a hairstyling Web site caused the deluge of digital smut. The four convictions could have resulted in a maximum of 40 years in prison for the former schoolteacher.
Following the conviction, Eckelberry and others formed a group to analyze the evidence, producing a digital-forensics report that refuted many of the statements made by the prosecution's cybercrime expert, Mark Lounsbury, a detective with the Norwich Police Department, Eckelberry said.
The analysis was not straightforward. Other people, including the middle school's information technology administrator, had accessed the hard drive of the classroom's computer -- a Windows 98 SE machine sporting Internet Explorer 5 and expired security software -- following the pop-up incident. Moreover, the investigators only gave the defense a copy of the files on the hard drive, not a bit-for-bit copy of the disk, said Joe Stewart, senior researchers for security firm SecureWorks and a member of the Julie Group's forensic analysis team.
"We had to go with what the prosecution gave to the defense," Stewart said. "You couldn't tell after the fact what had happened. You could tell that things were changed, but you couldn't tell how they were changed."
The security researcher hacked together a Web server that could use the browser cache and temporary files to recreate the last Web pages that appeared on the computer. The researchers used that and other digital forensics techniques to piece together some of what happened and refute the prosecution's interpretation of events.