The Strange Case of Ms. Julie Amero: Commentary by Detective Mark Lounsbury

Detective Mark Lounsbury is the crime prevention officer with the Norwich Police Department. He has served with the Norwich PD for 18 years, eight of them as a detective, and for the past seven years he has been the sole officer of the Norwich computer crime and cybercrime units, which deal with online sexual crimes against children.
He has received training from the State of Connecticut Municipal Police Training Academy, and from the FBI in basic network intrusion and advanced network intrusion in Unix.
In an effort to dispel rumor and give the public a more accurate understanding of the Amero case, we have invited Detective Lounsbury to discuss his position and computer-crime investigation in general, although he cannot discuss the Amero case specifically until after Ms. Amero’s sentencing. This article continues our coverage of the Amero case; previous articles offered commentary from defense witness Mr. Herb Horner.

Generally speaking, if police receive a complaint from a victim or victims who report seeing an individual who is engaged in criminal activity, the police are responsible to the victim or victims and investigate accordingly. The police take into account all the available facts and circumstances, for example: who was the individual, what was the individual doing, when were they doing it, where were they doing it, and how long was the individual engaged in the observed activity? (A minute, twenty minutes, two hours?)
Including the account of the accused individual is important, but sometimes the individual refuses to speak to the police and retains legal representation.
Physical evidence and electronic evidence are collected. In the case of crimes involving computers, the evidence is collected with tools designed to find the evidence. This evidence includes internet history, content, and registry data, including “typed URLs”. It’s these “typed URLs,” gleaned from the registry, which are identified – not pop ups.


Additional tools which search for specific viruses, trojans, and worms by their unique hashes can be brought into play to search for the known bad code.
Once evidence is located, police take note of the date and time it was created, modified, and last accessed. When the evidence (malware, .jpg, web page) was created is the “when” in “who, what, when, where, how and why.” So, if malware was created at the same time the web pages and images were created, was the malware spawned by the “typed URL”, by its content (i.e. Web Attacker kit), or by mouse napping (click-throughs)? If there’s no malware created prior to a web page with questionable content, how do you end up at said web page?
I ask this rhetorical question: Where does objectionable material come from – a site like Disney.com or the pornographic dot coms? Where do abusive JavaScript and Web Attacker kits reside? What about zero-day Internet Explorer exploits such as the one discussed at this site on techfeed.net: “A security hole in IE was recently confirmed by Microsoft. Now exploits that install tons of adware have been spotted on Porn sites. This exploit is reportedly easy to duplicate, and experts expect the problem to spread quickly to other shady sites across the Internet.”
What about a certain industry’s favorite money making tools?
“The online pornography industry is highly competitive and adult marketers are continually developing new strategies to drive traffic to their sites.
Some of their tactics are:
‘Click-throughs’: Every time someone clicks through an adult site to another one, the site’s advertising revenues go up. To increase the number of click-throughs, some sites use pop-up windows. Known as ‘mouse napping,’ this technique traps users in an endless loop of porn.
‘Home page hi-jacking’: This involves planting a JavaScript command on computers to change the user’s default home page to a porn site. Changing the home page back to its original setting appears to solve the problem until the computer is rebooted, then the offensive site re-appears as the home page.
‘Stealth’ sites: These are porn sites that steer users their way through a variety of techniques, including buying up expired domain names, exploiting common misspellings, or using well-known names of companies or artists.
Using hidden key words that are picked up by search engines: Porn operators bury key words, including brand names of popular toys, in the code of their Web sites to attract children.”
Maybe it’s DNS Poisoning? I’m not an expert on this subject and never said I was. When it comes to investigations where evidence is located on a computer and other resources are not available, I use a simple tool [ComputerCOP Professional v.3.16.3] to search for the evidence. The tool provides me with an audit trail, evidence log, the evidence, web content log, and visited sites log.
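The sequence question raised in the commentary above (was any known-bad code created before the first questionable page, and does a typed URL sit immediately before that page?) and the hash lookup against a known-bad list, carried through as an added worked example. This is added here and is not code from the article, from the detective, or from ComputerCOP. The artifact records, timestamps, file contents, the “known bad” hash and the path labels are all constructed for the example; in real work they would come from a disk image, the browser history index and the registry hive.

```python
"""Added example: order MAC times on one timeline, flag known-bad files by
hash, and test whether malware creation precedes the first questionable page.
All data below is constructed; nothing here is evidence from a real machine."""
import hashlib
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Artifact:
    path: str
    kind: str               # "typed_url", "page", "image" or "binary"
    created: datetime
    modified: datetime
    accessed: datetime
    content: bytes = b""
    flagged: bool = False   # examiner marked the content as questionable


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def find_known_bad(artifacts, known_bad):
    """Hash every file-backed artifact and return those on the known-bad list."""
    return [a for a in artifacts
            if a.kind != "typed_url" and sha256(a.content) in known_bad]


def build_timeline(artifacts):
    """Flatten created/modified/accessed stamps into one ordered event list."""
    events = []
    for a in artifacts:
        events += [(a.created, "created", a.path),
                   (a.modified, "modified", a.path),
                   (a.accessed, "accessed", a.path)]
    return sorted(events)


def sequence_report(artifacts, known_bad):
    """Did malware appear before the first flagged page, and what was the last
    typed URL before that page? Returns a dict an examiner can read off."""
    bad = find_known_bad(artifacts, known_bad)
    first_bad = min((a.created for a in bad), default=None)
    first_page = min((a.created for a in artifacts
                      if a.kind == "page" and a.flagged), default=None)
    typed_before = [a for a in artifacts if a.kind == "typed_url"
                    and first_page is not None and a.created <= first_page]
    last_typed = max(typed_before, key=lambda a: a.created, default=None)
    return {
        "malware": sorted(a.path for a in bad),
        "first_malware_created": first_bad,
        "first_flagged_page_created": first_page,
        "malware_before_page": (first_bad is not None and first_page is not None
                                and first_bad < first_page),
        "last_typed_url_before_page": last_typed.content.decode() if last_typed else None,
        "seconds_from_typed_url_to_page": ((first_page - last_typed.created).total_seconds()
                                           if last_typed and first_page else None),
    }


# Constructed sample set (hypothetical paths, hostnames and times).
BASE = datetime(2007, 1, 1, 9, 0, 0)


def _t(seconds):
    return BASE + timedelta(seconds=seconds)


DROPPER = b"constructed stand-in for a dropper; not real malware"
KNOWN_BAD = {sha256(DROPPER)}          # the "unique hash" list from the text
SAMPLES = [
    Artifact("NTUSER/TypedURLs/url1", "typed_url", _t(0), _t(0), _t(0),
             b"http://hairstyles.example/"),
    Artifact("cache/hairstyles[1].htm", "page", _t(5), _t(5), _t(6),
             b"<html>hair styles</html>"),
    Artifact("Temp/dropper.exe", "binary", _t(35), _t(35), _t(36), DROPPER),
    Artifact("cache/popup[1].htm", "page", _t(40), _t(40), _t(41),
             b"<html>constructed pop-up</html>", flagged=True),
    Artifact("cache/banner[1].jpg", "image", _t(41), _t(41), _t(41),
             b"\xff\xd8 constructed", flagged=True),
]


def run_example():
    return sequence_report(SAMPLES, KNOWN_BAD)


if __name__ == "__main__":
    for when, event, path in build_timeline(SAMPLES):
        print(when.time(), event, path)
    for key, value in run_example().items():
        print(f"{key}: {value}")
```

On the constructed data the report shows the dropper created five seconds before the flagged page and the only typed URL forty seconds earlier, pointing at an unrelated site, which is the pattern the commentary says would need explaining. One caveat the example glosses over: a registry value such as an entry under the TypedURLs key carries no timestamp of its own, only the enclosing key has a last-write time, so the per-entry “created” time given to the typed URL here would in practice have to be taken from the browser history index rather than the registry.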

7 Responses to The Strange Case of Ms. Julie Amero: Commentary by Detective Mark Lounsbury

  1. era January 25, 2007 at 12:12 pm #

    So just for the record, am I just unfair in reading between the lines that this officer is convinced that you have to visit a porn site in order to have HTTP-borne malware / pop-ups appear on your computer?

  2. WEHooper January 29, 2007 at 4:17 pm #

    Lounsbury has stated that Julie Amero must have done something to “get the ball rolling”. In other words, for the porn popups to start Julie must have had to visit a bad site.
    In this article Detective Lounsbury says “I ask this rhetorical question: Where does objectionable material come from – a site like Disney.com or the pornographic dot coms? Where do abusive JavaScript and Web Attacker kits reside?”
    Take a look and see what can happen if you simply mistype
    “Disneyland” or “Disneychannel”
    http://research.microsoft.com/Typo-Patrol/screenshots.htm

  3. Rich Kasson February 16, 2007 at 2:22 pm #

    I have to ask what the ComputerCop Pro software logs. My filter logs will log every hit on a webpage. If there are popups, it logs each one as if it were clicked on and unless you pay attention to the timing, you would never know it was a popup. I watched an individual hit sites from my server one morning. When I checked the logs, he had visited 785 porn sites that morning (about 1 hour) and over 1500 in about the same amount of time in 2 evenings. He had been tracking the activity of a user and got caught up in some porn storms. I’ve also had Win 98 machines get porn stormed without the browser even being opened. My filter caught and banned access to virtually all of them. But, there are some that will manage to get through any filter.
    I’m sorry, but I don’t buy the fact that this lady intentionally visited these sites. She may not have done everything in her power to protect the students, but as a novice user she probably panicked. Poor crisis management skill does not show negligence nor intent.
    You need to investigate why the administration and school board allowed the school to be out of CIPA compliance when there are several free server/firewall solutions with content filtering that are as good as any pay service on the market.
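The timing analysis the comment above describes (a filter log records every pop-up as a hit, so only the spacing between hits separates a pop-up storm from a person clicking), written out as an added example. This is not part of the comment, the article, or any filter product; the log lines and their three-column layout are constructed for the example, and the burst thresholds are assumptions to tune against a real log.

```python
"""Added example: find pop-up storms in a constructed content-filter log by
grouping hits whose inter-arrival gap is shorter than a person can click."""
from datetime import datetime
from urllib.parse import urlsplit

# Constructed log (timestamp, client, URL). Hostnames are placeholders.
SAMPLE_LOG = """\
2007-01-01T10:00:00 10.0.0.5 http://news.example/
2007-01-01T10:01:10 10.0.0.5 http://news.example/story/17
2007-01-01T10:02:45 10.0.0.5 http://hairstyles.example/gallery
2007-01-01T10:02:46 10.0.0.5 http://ad-a.example/pop
2007-01-01T10:02:46 10.0.0.5 http://ad-b.example/pop
2007-01-01T10:02:47 10.0.0.5 http://ad-c.example/pop?x=1
2007-01-01T10:02:47 10.0.0.5 http://ad-a.example/pop?x=2
2007-01-01T10:02:48 10.0.0.5 http://ad-d.example/
2007-01-01T10:02:48 10.0.0.5 http://ad-e.example/
2007-01-01T10:02:49 10.0.0.5 http://ad-f.example/enter
2007-01-01T10:02:49 10.0.0.5 http://ad-c.example/pop?x=3
2007-01-01T10:02:50 10.0.0.5 http://ad-g.example/
2007-01-01T10:04:30 10.0.0.5 http://news.example/story/18
"""


def parse_log(text):
    """Parse 'timestamp client url' lines into (time, client, host), oldest first."""
    hits = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        stamp, client, url = line.split(maxsplit=2)
        host = urlsplit(url).hostname or url
        hits.append((datetime.fromisoformat(stamp), client, host))
    return sorted(hits)


def detect_storms(text, max_gap_s=2.0, min_hits=5):
    """Group consecutive hits closer than max_gap_s seconds into bursts.

    A burst of min_hits or more requests spread over several hosts arrives
    faster than a person can click, so it is reported as a probable pop-up
    storm, together with the host that opened it (the page that set it off).
    """
    hits = parse_log(text)
    bursts, current = [], []
    for hit in hits:
        if current and (hit[0] - current[-1][0]).total_seconds() > max_gap_s:
            bursts.append(current)
            current = []
        current.append(hit)
    if current:
        bursts.append(current)

    storms = []
    for burst in bursts:
        if len(burst) < min_hits:
            continue
        span = max((burst[-1][0] - burst[0][0]).total_seconds(), 1.0)
        storms.append({
            "start": burst[0][0],
            "end": burst[-1][0],
            "hits": len(burst),
            "distinct_hosts": len({h[2] for h in burst}),
            "hits_per_second": round(len(burst) / span, 2),
            "first_host": burst[0][2],
        })
    return storms


if __name__ == "__main__":
    for storm in detect_storms(SAMPLE_LOG):
        print(f"{storm['start'].time()} to {storm['end'].time()}: "
              f"{storm['hits']} hits on {storm['distinct_hosts']} hosts "
              f"({storm['hits_per_second']} hits/s), opened by {storm['first_host']}")
```

Read line by line, the constructed log looks like thirteen sites the user chose to visit; read by spacing, ten of them landed in five seconds across eight hosts, which is the “as if it were clicked on” problem the comment points out. The gap and count thresholds are deliberately loose here; on a real log you would pick them from the distribution of gaps during known-normal browsing, and you would want the first hit of each burst in particular, since that is the page whose content (or whose pop-up code) started the rest.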

  4. Morichalion March 4, 2007 at 2:57 am #

    I read the white paper for ComputerCOP. The document was located here:
    http://www.computercop.com/public/p3wp.pdf
    The tool provides everything you said it did, however, I couldn’t call any of it ‘conclusive’ for your investigation. I’ll define each term for those who don’t want to read the white paper…
    “Audit Trail”
    Documentation of every action performed by ComputerCOP.
    “Evidence Log”
    Documentation about each piece of evidence, as well as ‘specific details’ about each piece of evidence.
    The white paper did not go into details about what the phrase ‘specific details’ means.
    “Evidence”
    The actual evidence, including images, text, and documents taken from hidden and deleted folders and sectors on the drive.
    Strangely, the white paper did not mention a “web content log” or “visited sites log”.
    From what I read of the white paper, it should be impossible for anyone to be convicted solely because of evidence obtained from ComputerCop.
    Detective, please tell me you used more programs in your investigation? Either that, or tell me I’m wrong about the capabilities of ComputerCOP?
    Either one, I’ll be much happier.

  5. drowsy March 14, 2007 at 3:35 pm #

    The formatting makes it hard for me on Safari to make out how much of the article is from Lounsbury and how much is commentary.
    Thanks for the article.

  6. Brian Boyko March 15, 2007 at 5:20 pm #

    Unfortunately we don’t have a Mac to test on.
    The commentary begins with the paragraph that starts with “Generally Speaking,”

  7. Chris Falter June 8, 2007 at 3:52 pm #

    While I do not question Mr. Lounsbury’s sincerity, his training and expertise appear to be abysmal:
    1. How can he possibly say that the only way to reach a p*rn site is by intention? That is completely 100% not credible.
    2. The defense expert searched the history and actually investigated the behavior of pages visited. We see no evidence, none, zippo, in Mr. Lounsbury’s account that he performed any comparable analysis. He appears to have stopped his investigation once he saw that p*rn had been viewed because of his a priori belief that if p*rn was accessed, it had to be intentional.
    3. The students’ accounts of Ms. Amero’s behavior is completely consistent with the defense contention that Ms. Amero was attempting to halt a runaway p*rn loop. I.e., she was pushing them away because she didn’t want them to see the trash; she was scrolling through the pages and bringing stuff into view because she was trying to identify everything that needed to be closed, and to close it.