Even the Connecticut model jury instructions simply say that you are guilty of the crime if you without legal right or justification permit a person under sixteen to be placed in a situation that . . . was likely to . . . impair his morals. The jury was also told that "morals" means good morals, living, acting and thinking in accordance with those principles and precepts which are commonly accepted among us as right and decent. So Amero could be convicted even if she didn't type any URLs or click on any porn sites; in fact, even if (and maybe specifically because) she never even touched the computer! Indeed, she could have been convicted even if there was no porn on any of these sites; all the law appears to have required was that the materials be indecent, and a four letter word would have supported a decade in the pokey. Perhaps it is the government's theory that not yanking the plug placed the members of the seventh grade class in a situation that was likely to impair their morals. If that was the case, then why present any forensic testimony? Talk about strict liability! Without individually interviewing each of the jurors, we have, quite frankly, no idea what the jury convicted her of. I love the law.
Whether or not the government thinks that Amero's crime was not yanking the cord, they asserted in court and out of court that the forensic evidence conclusively demonstrated that she actually typed the URLs and deliberately went to porn sites. And this is clearly not the case, as we'll see with further analysis.
The problem with computer forensics
Detective Lounsbury explained later in an online article his process and thinking for the collection of forensic evidence in the Amero case. He stated:
"Physical evidence and electronic evidence is collected. . . . This evidence includes internet history, content, and registry data, including "typed URLs". It's these "typed URLs," gleaned from the registry, which are identified - not pop ups."
Typed URLs? Was ist das?
As far as I am aware, there is no search tool apart from either a keylogger or a remote screen capture tool that will be able to forensically and conclusively search for typed URLs. The registry, history, and log files can show what URLs (websites) were visited, and precisely what time (based upon the system time which can be altered), and in what order. I don't know how this can show that the URL was typed as opposed to clicked through or popped-up. In and of itself.
Now there is a "TypedURL" Registry field for Internet Explorer, HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TypedURLs. This is what is used, for example, when the auto-complete feature starts to fill in a URL you have already been to. This Registry entry records these URLs after the browser is properly closed. And, of course, even this is affected by adware, bots, and Trojans. So examining the typed URLs doesn't really tell you that those URLs were actually typed, particularly where there is adware. In addition, the Registry entry only includes the last several typed URLs, each new one adding itself to the queue. Since Julie was surfing the rest of the day, it's not clear what forensic value this would have, although it was a good starting point.
Many of the sites Amero visited that morning were obscure porn sites masquerading as legitimate sites for hair-styles. It makes little sense that Amero would have typed a hair styling site intending to find porn. In fact, for example, one of the URLs in the cache was http://pagead2.googlesyndication.com - does the government really contend that the substitute teacher typed in that URL? Indeed, in press reports, the government expert and the prosecutor went back and forth, alternatively asserting that their evidence showed that she deliberately went to porn sites because she typed the URLs of these sites, and somewhat contradictorily asserting that the evidence of intent was that she clicked on links to these sites, which generally would not have shown up in the typed URL registry.
As Dr. Neal Krawetz of Hacker Factor has pointed out, a thorough forensic examination might be able to exclude the possibility that a particular URL was typed, but could not demonstrate conclusively that it was, in fact, typed. He points out that you would want to examine the hard drive to determine whether there was spyware or adware on the computer that was either capable of, or actually designed to, generate the web requests. You would want to know when the spyware was added to the computer, using timestamps and sector locations, and determine whether these times coincide with the times that the substitute teacher used the computer. You would look at the URLs that were accessed at the time the spyware was loaded. If, for example, there is a short delay between the times that each website is loaded (and the .jpg files on that website downloaded), this is a strong indication of a pop-up ad. People can only type so fast. The regularity of the opening of the URL (every 3 seconds, every 5 seconds, etc.) would indicate a likely pop-up. Were websites opened instantaneously with the closing of other websites, as Ms. Amero testified happened when she tried to shut down or close the pop-ups? There are lots of other ways you could exclude human intervention (well, I suppose pop ups are human intervention, but you know what I mean).
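The timing checks described above can be sketched in code. This is an added example, not part of the original article or any tool used in the case; the history records, the typing-speed ceiling and the regularity threshold are all constructed assumptions.

```python
from datetime import datetime
from statistics import mean, pstdev

MAX_TYPING_CPS = 10.0   # assumption: generous ceiling on typing speed (chars/second)
REGULARITY_CV = 0.10    # assumption: gap spread under 10% of the mean counts as regular

# Constructed history records (timestamp, URL); not data from the case.
POPUP_BURST = [
    ("2000-01-01 09:00:00", "http://hair-styles.example/"),
    ("2000-01-01 09:00:03", "http://ads-one.example/banner/popup1.html?id=1001"),
    ("2000-01-01 09:00:06", "http://ads-two.example/banner/popup2.html?id=1002"),
    ("2000-01-01 09:00:09", "http://ads-three.example/banner/popup3.html?id=1003"),
    ("2000-01-01 09:00:12", "http://ads-four.example/banner/popup4.html?id=1004"),
]
HUMAN_SESSION = [
    ("2000-01-01 09:00:00", "http://mail.example/"),
    ("2000-01-01 09:01:10", "http://news.example/today"),
    ("2000-01-01 09:01:55", "http://search.example/"),
    ("2000-01-01 09:04:20", "http://hair-styles.example/"),
    ("2000-01-01 09:04:50", "http://weather.example/"),
]

def _visits(history):
    fmt = "%Y-%m-%d %H:%M:%S"
    return sorted((datetime.strptime(ts, fmt), url) for ts, url in history)

def _gaps(visits):
    return [(b[0] - a[0]).total_seconds() for a, b in zip(visits, visits[1:])]

def typing_excluded(history, max_cps=MAX_TYPING_CPS):
    """URLs that loaded sooner after the previous visit than they could be typed.
    A URL missing from the result is NOT shown to be typed, only not excluded."""
    visits = _visits(history)
    out = []
    for gap, (_, url) in zip(_gaps(visits), visits[1:]):
        typed_part = url.split("://", 1)[-1]  # a person rarely types the scheme
        if gap < len(typed_part) / max_cps:
            out.append(url)
    return out

def regular_cadence(history, cv_limit=REGULARITY_CV, min_gaps=3):
    """True when visits arrive at near-constant intervals (every 3 s, every 5 s)."""
    gaps = _gaps(_visits(history))
    if len(gaps) < min_gaps or mean(gaps) == 0:
        return False
    return pstdev(gaps) / mean(gaps) <= cv_limit

if __name__ == "__main__":
    for name, hist in (("popup burst", POPUP_BURST), ("human session", HUMAN_SESSION)):
        print(name, regular_cadence(hist), typing_excluded(hist))
```

Both checks only ever rule typing out; neither can establish that a given URL was typed.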
As a matter of fact, it has been reported that the CEO of the maker of the forensic software that Lounsbury used stated that, while the software can find all sorts of files and images, including deleted images or images in unallocated disk space, by keyword or by filetype, "[it] does not determine the cause of those files being on the computer (whether caused by malware, intrusion, or direct and willful use)," and that "it is not the function of [the software] to make that determination." Nevertheless, both the detective and the prosecutor were unequivocal that the forensic evidence demonstrated beyond a reasonable doubt that the substitute teacher deliberately typed in the porn sites.