Teacher Porn Case and Computer Forensics

I posted recently about a teacher who has been convicted of visiting porn sites in front of her class, Kelly Middle School in Norwich, and exposing same students to pornography and whatever else was on the screen at the time. She was charged with 10 counts of risk of injury to a minor, or impairing the morals of a child, and while 6 counts were dropped, she was convicted on the other four. This teacher, Julie Amero, faces 40 years in prison and will be sentenced on March 2, 2007 in Norwich Superior Court.

To say that this is a miscarriage of justice is an understatement. It appears to me that this is all about the conviction now, and the fact that these people don’t want to lose. In a post yesterday on the Norwich Bulletin, the prosecutor for the case David J Smith said all she had to do was turn it off, but that she let it go on for “hours”.

“I think the state proved she was the person using the computer at the time the pornographic Web sites were accessed,” Smith said. “By her own testimony, she allowed those hardcore pornographic images to be accessible in a class of 11-, 12- and 13-year-old children. All she would have to do was turn off the monitor or cover the monitor. But she allowed the situation to go on for hours.” Source: Teacher porn case draws world’s ear

This is the first time I saw anyone mention it going on for hours, so I don’t really know what that is referring to, but, she was a substitute teacher, the normal teacher logged her in and told her not to turn it off because she wouldn’t be able to get back on. So, I guess that is why she just didn’t turn the computer off, that, and being overwhelmed with porn and not knowing what to do in such situations. Without proper training, what would you do?

The main thrust of this post is how Computer Forensics combined without a full knowledge of how a computer works and why and where data is stored can be a very dangerous thing. This is the definition of computer forensics at wikipedia:

The simple definition of Computer Forensics, “… is the use of specialized techniques for recovery, authentication, and analysis of electronic data when a case involves issues relating to reconstruction of computer usage, examination of residual data, authentication of data by technical analysis or explanation of technical features of data and computer usage. Computer forensics requires specialized expertise that goes beyond normal data collection and preservation techniques available to end-users or system support personnel.” (Kroll-OnTrack). This process often involves investigating computer systems to determine whether they are or have been used for illegal or unauthorized activities. Mostly, computer forensics experts investigate data storage devices, either fixed like hard disks or removable like compact disks and solid state devices. Computer forensics experts:

  1. Identify sources of documentary or other digital evidence.
  2. Preserve the evidence.
  3. Analyze the evidence.
  4. Present the findings.

Source: Computer forensics

The police detective Mark Lounsbury says he knows she visited those sites and that by looking at the source code he could tell that it was not popup based. From today’s article on the Norwich Bulletin:

Norwich Detective Mark Lounsbury maintained his investigation showed Amero knowingly accessed sites, which included meetlovers.com and femalesexual.com, along with others with names too graphic to print.

In examining the computer’s hard drive, Lounsbury said he found numerous instances in which graphic images would have appeared on the computer screen. He said he can differentiate between what is and what is not a pop-up based on the source codes.

Here is where it gets dangerous, because this cop says he knows it to be true, he is influencing the jury, the judge, and the public because he is an “expert” in this case. This expert was using software called ComputerCop, available here, software that was created years ago, as this case actually happened in October of 2004 and is just now coming to trial, a software program that was designed to restore deleted files, it did not check where or how they got there. So, he looked at the URLs recorded in the registry, looked at the images and determined she had to go there, and it could not be from a popup. The article also said this is the very first time this software has ever been used as an acceptable tool for convicting someone in a court case.

“To my knowledge, this is the first conviction using ComputerCop software as an acceptable tool for police officers to conduct a computer forensic examination that is acceptable to the court,” Jacobs said.

That is mostly because it’s not really designed for that. Her defense lawyer had their own guy, Herbert Horner, who has worked in computers since 1966, called in as their expert witness who forensically copied the suspect’s hard drive and did their own examination. He said their antivirus programs send security alerts because it detected the spyware, and that the spyware was tracking the computer before the day of the incident. Some of his findings:

Most significantly, we noted freeze.com, screensaver.com, eharmony.com and zedo.com were being accessed regularly.

On October 19, 2004, around 8:00 A.M., Mr. Napp, the class’ regular teacher logged on to the PC because Julie Amero being a substitute teacher did not have her own id and password. It makes sense that Mr. Napp told Julie not to logoff or shut the computer off, for if she did she and the students would not have access to the computer.

http://www.hair-styles.org was accessed at 8:14:24 A.M., A click on the curlyhairstyles.htm icon on the http://www.new-hair-styles.com site led to the execution of the curlyhairstyle script along with others that contained pornographic links and pop-ups. Once the aforementioned started, it would be very difficult even for an experienced user to extricate themselves from this situation of porn pop-ups and loops.

All of the jpg’s that we looked at in the internet cache folders were of the 5, 6 and 15 kb size, very small images indeed. Normally, when a person goes to a pornographic website they are interested in the larger pictures of greater resolution and those jpgs would be at least 35 kb and larger. We found no evidence of where this kind of surfing was exercised on October 19, 2004.

We asked the prosecution to arrange for the defense to have unfettered access to the internet so that we could reenact the events of October 19, 2004. It was not granted. I went to court with two laptops and a box full of reference material prepared to very clearly illustrate what happened to Julie Amero. But, the prosecution objected because they were not given “full disclosure” of my examination. I was allowed to illustrate two screens, that of the www.hair-styles.org , and www.new-hair-styles.com sites.

If there is an appeal and the defense is allowed to show the entire results of the forensic examination in front of experienced computer people, including a computer literate judge and prosecutor, Julie Amero will walk out the court room as a free person. Source: The Strange Case of Ms. Julie Amero: Commentary by Mr. Herb Horner

But they didn’t let him testify because her lawyer forgot to tell the prosecution about him, and since the prosecution case did not check for spyware or anything else that could’ve caused these websites to popup, there is no sure way to tell for sure whether she visited them or whether a website or software caused them. Also, the school system had not paid their bill for their content filter, and this caused it not to update, so, something that should’ve blocked it to start with was not even running, which, if you ask me, puts the blame squarely on the school system. I’ll quote one more person from the Norwich bulletin article to wrap this up:

Since the computer search by investigators did not include spyware, malware or adware — typically advertising integrated into software — there is no way to decisively prove she was the cause of the sexually explicit sites showing up on screen, he said.

Nancy Willard has worked in the field of educational technology for 17 years and spent the last decade focusing on effective management of Internet use in schools and youth risk online. She said the school should have a policy in place to report technical concerns.

“Since none of the technology protections can be trusted to be entirely safe, every staff member and student should be taught that the action to take, if inappropriate material appears, is to turn off the screen and report the problem to the technical department so that the department can investigate and resolve the problem,” Willard said.

Technical fixes are never going to provide total protection, Willard said.

So true. I work for our state school system and I have been to forensic training classes, so I know a little bit about what we are talking about. Hopefully Julie’s defense will be able to get Mr. Horner or someone else in so they can show how these things can happen innocently and how the prosecution did not really prove she visited these websites on purpose. Anyone involved in the case can feel free to contact me if they need some direction.