The Strange Case of Ms. Julie Amero: Commentary by Mr. Herb Horner



W. Herbert Horner has worked in computers since 1966. He was Systems Software Engineer for General Dynamics, Operating Systems Internalist for Sperry Univac, and he has diagnosed and corrected mainframe operating systems for the U.S. Armed Forces, NSA, IRS, and various commercial interests.

He now operates his own consulting firm, Contemporary Computer Consultants, and writes custom software for medical, municipal, business, and forensic applications. He also does network design, implementation, and administration, and he is a computer forensic examiner who was called as a defense expert witness in the Julie Amero case.

In an effort to dispel rumor and give the public a more accurate understanding of the Amero case, we have offered him a chance to give his commentary. Tomorrow we hope to have commentary from Detective Mark Lounsbury, who testified for the prosecution at Ms. Amero's trial.

The Forensic Examination of the computer assigned to Julie Amero

We obtained a copy of the PC hard drive from Officer Lounsbury who was most cooperative and at our office we created several copies, preserving the original.

During the copy process we received several "Security Alerts!" from our antivirus program. We analyzed the activity log and noted that there were spyware/adware programs installed on the hard drive. We ran two other adware/spyware detection programs and more spyware/adware tracking cookie/programs were discovered. Out of the 42, 27 were accessed or modified days if not a month before October 19, 2004. We also noted that there was no firewall and there was an outdated antivirus program on the PC. The PC was being tracked before October 19, 2004 by adware and spyware.


We examined all internet related folders and files before October 19, 2004, during October 19, 2004 and after October 19, 2004. Most significantly, we noted freeze.com, screensaver.com, eharmony.com and zedo.com were being accessed regularly.

On October 19, 2004, around 8:00 A.M., Mr. Napp, the class's regular teacher, logged on to the PC because Julie Amero, being a substitute teacher, did not have her own ID and password. It makes sense that Mr. Napp told Julie not to log off or shut the computer off, for if she did, she and the students would not have access to the computer. The initial user continued use of the PC and accessed Tickle.com, cookie.monster.com, addynamics.com, and adrevolver.com, all between 8:06:14 and 8:08:03 A.M. During the next few moments Julie retrieved her email through AOL.

http://www.hair-styles.org was accessed at 8:14:24 A.M.; based upon the hair style images uploaded to the PC, we were led to believe that there were students using the computer to search out hair styles. The user went to http://www.crayola.com at 8:35:27 A.M. The user continued accessing the original hair site and was directed to http://new-hair-styles.com. This site had pornographic links; pop-ups were then initiated by http://pagead2.googlesyndication.com. There were additional pop-ups by realmedia.com, cnentrport.net, and by 9:20:00 A.M., several java, aspx's and html scripts were uploaded. A click on the curlyhairstyles.htm icon on the http://www.new-hair-styles.com site led to the execution of the curlyhairstyle script along with others that contained pornographic links and pop-ups. Once the aforementioned started, it would be very difficult even for an experienced user to extricate themselves from this situation of porn pop-ups and loops.

All of the jpg's that we looked at in the internet cache folders were of the 5, 6 and 15 kB size, very small images indeed. Normally, when a person goes to a pornographic website they are interested in the larger pictures of greater resolution and those jpgs would be at least 35 kB and larger. We found no evidence of where this kind of surfing was exercised on October 19, 2004.

Testimony and Trial

We asked the prosecution to arrange for the defense to have unfettered access to the internet so that we could reenact the events of October 19, 2004. It was not granted. I went to court with two laptops and a box full of reference material prepared to very clearly illustrate what happened to Julie Amero. But, the prosecution objected because they were not given "full disclosure" of my examination. I was allowed to illustrate two screens, that of the www.hair-styles.org and www.new-hair-styles.com sites.

Conclusion

This was one of the most frustrating experiences of my career, knowing full well that the person is innocent and not being allowed to provide logical proof.

If there is an appeal and the defense is allowed to show the entire results of the forensic examination in front of experienced computer people, including a computer literate judge and prosecutor, Julie Amero will walk out the court room as a free person.

Let this experience stand as a warning to all that use computers in an environment where minors are present. The aforementioned situation can happen to anyone without fail and without notice if there is not adequate firewall, antispyware, antiadware and antivirus protection. That was not provided by the school administration where Julie Amero taught.


Listed below are links to weblogs that reference The Strange Case of Ms. Julie Amero: Commentary by Mr. Herb Horner:

» Amaro case proves popups can be far more than just an annoyance from Jeff Budzinski's Weblog
During the last week or two there has been a lot of news about the Julie Amero case (see Google News... [Read More]

» Please Join Me In Contributing to Julie Amero's Legal Defense Fund from I Speak of Dreams
Updates below the fold Julie Amero is the substitute teacher in the Norwich, Connecticut school district who was the victim of a porn popup storm on poorly maintained school computers. Never mind the facts; Ms. Amero was railroaded--found guilty of [Read More]

» PC pop-up case's defense expert reveals prosecutor's incompetence from Boing Boing
Julie Amero, the substitute teacher who faced 40 years in prison for the crime of being present in a classroom equipped with an adware-infected computer that displayed porn pop-up ads, was found guilty and was about to be sentenced today. Fortunately, ... [Read More]

Comments

Thank you for arranging for this, Mr. Boyko.

I suggest everyone read Mr. Horner's concluding paragraph a second time. Add to Mr. Horner's recommendation that the operating system have all available security updates installed as well.

Regards,

Corrine

Those of us that have been using the Internet for several years know that this can happen. I once neglected installing a popup blocker and spyware blocker on a PC my daughter used and this same thing happened to us. If these government people are not competent in a technical area they have no business prosecuting someone based on detailed knowledge of this area.

[This post has been edited --ed.]

Shortly after reading the article I decided to check on http://new-hair-styles.com/
It looked like a regular page until I clicked on the image with the text "new-hair-styles.com" and on the main image of the website, and to my surprise, instead of taking me back to the Home page as expected, it took me to:
[a .ru porn site]
I wish there was some other way to help Julie Amero.

I am a substitute teacher, and in the school district where I work, substitutes are not allowed any use of school computers-period. Now I understand more fully why this is so! I have no idea how well-protected are the computers where I work, but even though I have accessed the internet (using a teacher's account with permission), I have, thankfully, dodged the bullet so far. After reading this article, I intend to NEVER use school computers in the course of my work ever again.

It sounds like the Prosecution knew that they didn't have a leg to stand on if anyone with any computer experience was called to testify, and then hid behind "legal technicalities" when they saw Mr. Horner.

I've been recently hired by a local school district ("recent" in education means you've only been working 3 years) for the purpose of providing IT support for ROP computer labs in the high schools. I have a computer engineering degree and 20 years s/w & h/w testing experience, so I knew a little bit about computers.

The first thing that appalled me was the classrooms had expired antivirus software, and no one--not even the district's own IT department--understood about spyware! I had to do several special training sessions and explain to key people in charge that having an antivirus s/w won't catch spyware.

It took a lot of manhours to remove the viruses and spyware that already embedded itself into the computers, not the easiest thing sometimes.

Most school districts have a web filter (i.e. Websense) to block desired content. But if your IT is not on the ball keeping the database up to date, it is easy to bypass if someone wants to.

Instead of pointing fingers to teachers (what I call the path of least resistance) here's another possible suspect, from personal experience: I teach the last class on Saturdays and the first class on Mondays, yet I have come in on some Mondays to find porn printed on the class printer--timestamped Saturday night! Only the school custodians and plant employees have keys and are around during that time. (Unless you count intelligent mice and roaches with lockpicks!)

Law is not logical like computer code, but keep fighting the good fight, Herb!

Sigh.... why does that school not bother to have an updated anti spam program... -_- ... even a free one....

I've got half an IT, half an education background.
It seems to me that this case highlights the issue that the education system in the USA, like that in NZ, fails to address the issue of porn access, intentional or inadvertent.

It would make sense to educate children, teachers and administrators how to handle the situation of unavoidable undesired PopUps.

And the law should be revised to exclude images below a certain file size, from prosecution. Postage stamp sized images aren't any more pornographic than those in 1950's National Geographic magazine.

Oh how I wish I could get my hands on that forensic image!
Did you use ENCASE to acquire the image? The fact that the system was in an open and free access area (students, other teachers, cleaning staff) would scream that "metadata events on this computer could not be tied to a single person." Was the system locked down (shut off by pulling the power cord) when the event occurred? I have so many questions and too late to help!?


Many of my clients have suffered embarrassing moments on their computers due to advertisement hijackings. I have visited websites suggested by GOOGLE.com and have been subjected to a barrage of porn which I valiantly tried to stop with the whack a mole approach...but alas I failed and simply turned off my computer.

This is a major problem even today for internet users....but with a little forensic analysis time and sweat comparing pornographic images to the source website, review of access logs from servers, a complete scan of all slack space and current data on the offending hard disk would prove whether this was a hijack occurrence (which could be duplicated) or simply someone stupid enough to click on a pornographic site to view pictures while at work teaching students that would surely bring the long arm of the law to your doorstep invoking a sentence that exceeds murder punishments in most of your states.

regards

John Tunstall


This story upset me enough that I took the time to write to Governor Rell to ask for a pardon for Julie Amero. If you feel the same way it might not be a bad idea to do the same.

Governor.Rell@po.state.ct.us

[This might have been a good idea except that the governor in the state of Connecticut does not have the power to grant a pardon. That belongs to the Board of Pardons and Paroles, as we took a look at in this story -- Ed.]

Never mind the outdated antivirus, why on Earth had the I.T. staff not replaced Internet Explorer with something more secure? That to me is the real criminal negligence. If they had installed Firefox or Opera then the whole case would never have happened. Plus, it would have cost them nothing to do so.

Mr. Napp should be prosecuted, not Mrs. Amero. Mr. Napp violated network security by logging in someone else onto his account. Every IT dept I have ever been associated with tells you that the account holder is responsible for anything which happens while he is logged in, especially if he was actually the person who logged in.

Please inform me of any further happenings in the sad case of Mrs Amero, and let me know if there is anything I can do to assist in this seemingly horrible miscarriage of Justice other than just discussing it.

Sincerely

Stan Lynn

"Did you use ENCASE to acquire the image?"
Sure doesn't sound like a forensic image if the operator's computer was giving virus alerts!

As the Tech Coordinator for a K12 district and a sworn reserve police officer all I can say is... who are these people? 40 years! Anyone who has worked in IT for more than 5 minutes knows that pop-ups and redirects are a fact of the Internet. She reported the situation to the Administration; I would have apologized to her for the hassle and laughed about it. Her district reported her and then the police and DA made a case. Wow, maybe if she had sold all of those kids a pound of Meth each she would have only gotten 5-10 years. Clearly, the death of common sense at work.

mlc

I would like to make a small comment. At the website http://blog.washingtonpost.com/securityfix/amero2.html
you have the second page of how the defense retrieved their copy of the original drive. I quote:

"The cloning process, creating a bit for bit image of the hard drive's contents on a second hard drive, was completed using the software, Norton Ghost 2003"

If I'm not mistaken, most if not all SOFTWARE based cloning programs will _not_ make a bit by bit copy. Copying a drive in this manner will not copy deleted bits/bytes. From http://www.cybercontrols.net/forensics/attorneyforensicbasics.asp

------------------------
"The only true way to get a bit-by-bit copy would be to do a forensic bit-stream copy. (This) is the technical term for the end-product of a forensics acquisition of a computer’s hard drive. The bit-stream copy is much more thorough than a standard back-up or mirror image of a hard drive. The bit-stream copy involves the copying of every bit of data on an “evidence” hard drive, which includes the file slack, and unallocated file space in which 'deleted' files and e-mails are frequently recovered from. For more detailed information you can download a bit-stream v. mirror image white paper.

(snip)

Why is the Bit-Streaming Approach the Only Court-Approved Method?- the state and federal courts have weighed in on this matter for the last several years and have concluded that the bit-stream acquisition of a hard drive withstands all challenges of the authentication and validation for admissibility. Anything less than a bit-stream copy is unacceptable to the courts."

------------------------

Note: I have no interest in the website mentioned above. I found it after a 3 second Google search. Thankfully the defense did not need this type of intense copy.

Best of luck to the defendant. I hope she sues the police department for damages for the actions of the police department.

-- James
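
The difference between a file-level copy and a bit-stream copy discussed in the comment above, shown as an added example (not from the post or from any commenter). The four-sector "disk", its file table and the marker strings are constructed for illustration, and the SHA-256 comparison is an added verification step that the quoted text does not describe.

```python
import hashlib

SECTOR = 512
SLACK_RESIDUE = b"residue-in-file-slack"       # constructed marker
DELETED_DATA = b"deleted-file-in-unallocated"  # constructed marker

def build_toy_disk():
    """Constructed 4-sector image: one live file, slack residue, one deleted file."""
    disk = bytearray(SECTOR * 4)
    live = b"lesson plan for the week"
    disk[0:len(live)] = live                            # sector 0: allocated file
    disk[200:200 + len(SLACK_RESIDUE)] = SLACK_RESIDUE  # same sector, past logical end
    off = 2 * SECTOR                                    # sector 2: no table entry
    disk[off:off + len(DELETED_DATA)] = DELETED_DATA
    table = {"plan.txt": (0, len(live))}  # name -> (start sector, logical length)
    return bytes(disk), table

def file_level_copy(disk, table):
    """Copy only what the file table describes, as a file-based backup would."""
    out = {}
    for name, (start, length) in table.items():
        out[name] = disk[start * SECTOR:start * SECTOR + length]
    return out

def bitstream_copy(disk):
    """Copy every sector in order, then compare source and copy by SHA-256."""
    copy = bytearray()
    for off in range(0, len(disk), SECTOR):
        copy += disk[off:off + SECTOR]
    src = hashlib.sha256(disk).hexdigest()
    dst = hashlib.sha256(copy).hexdigest()
    if src != dst:
        raise ValueError("copy does not match source")
    return bytes(copy), dst

def markers_found(blob):
    """Return the constructed markers that are present in a copy."""
    return [m.decode() for m in (SLACK_RESIDUE, DELETED_DATA) if m in blob]

def compare():
    """Run both copy methods on the toy disk and report what each preserves."""
    disk, table = build_toy_disk()
    logical = b"".join(file_level_copy(disk, table).values())
    raw, digest = bitstream_copy(disk)
    return markers_found(logical), markers_found(raw), digest

if __name__ == "__main__":
    logical_hits, raw_hits, digest = compare()
    print("file-level copy recovers:", logical_hits)
    print("bit-stream copy recovers:", raw_hits)
    print("sha256 of image:", digest)
```
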

We should treat computers like guns and ban them. They are too dangerous to use as anyone can show kids pornography and hurt them. The internet and computers are much too dangerous for regular people to own without training, especially in schools, where pornography has no place. Why are we using computers in schools anyway? Kids need to learn to read and write, not how to look at such filth.

I work as an IT manager and would be glad to testify for Julie Amero. This could easily happen on any PC operating on a network that does not have a high quality, current, up to date, web content filtering solution in place. It is impossible to stop something like this and in no way should something like this be blamed upon the substitute teacher. It sounds to me like the person who should be facing charges is the idiot prosecutor for falsely charging an innocent American. Are we living in Nazi Germany or what? How do cops and prosecutors get away with stuff like this? What is the name of the prosecutor?

The defense better be glad the computers at that school aren't like the ones at mine. We have Deep Freeze installed on all of them, but luckily we have a good firewall and popup blocker. Although the virus/spyware/spam blocker is still Symantec 2004.

I do not know about the legal status of all of this, but it really sounds like a courtroom out of a Chevy Chase movie. Forensic evidence is tampered with using Ghost, which is not a forensic tool but a user-level archiver, there is no direct link to Julie and the used account (even kids/students could have clicked on links). This should have never even gone to court. No direct evidence. The only fun of it is that it shows America as a pretty messed up country, where a schoolteacher could visit rotten.com where people killed by chainsaws is okay, but a popup of something necessary to create those students is a capital crime... If Julie wasn't a real person, it would be funny.
