W. Herbert Horner has worked in computers since 1966. He was Systems Software Engineer for General Dynamics, Operating Systems Internalist for Sperry Univac, and he has diagnosed and corrected mainframe operating systems for the U.S. Armed Forces, NSA, IRS, and various commercial interests.
He now operates his own consulting firm, Contemporary Computer Consultants, and writes custom software for medical, municipal, business, and forensic applications. He also does network design, implementation, and administration, and he is a computer forensic examiner who was called as a defense expert witness in the Julie Amero case.
To dispel rumor and give the public a more accurate understanding of the Amero case, we have invited him to offer his commentary. Tomorrow we hope to have commentary from Detective Mark Lounsbury, who testified for the prosecution at Ms. Amero’s trial.
We obtained a copy of the PC hard drive from Officer Lounsbury, who was most cooperative, and at our office we created several copies, preserving the original.
During the copy process we received several “Security Alerts!” from our antivirus program. We analyzed the activity log and noted that there were spyware/adware programs installed on the hard drive. We ran two other adware/spyware detection programs and more spyware/adware tracking cookie/programs were discovered. Out of the 42, 27 were accessed or modified days if not a month before October 19, 2004. We also noted that there was no firewall and there was an outdated antivirus program on the PC. The PC was being tracked before October 19, 2004 by adware and spyware.
We examined all internet related folders and files before October 19, 2004, during October 19, 2004 and after October 19, 2004. Most significantly, we noted freeze.com, screensaver.com, eharmony.com and zedo.com were being accessed regularly.
On October 19, 2004, around 8:00 A.M., Mr. Napp, the class’ regular teacher, logged on to the PC because Julie Amero, being a substitute teacher, did not have her own ID and password. It makes sense that Mr. Napp told Julie not to log off or shut the computer off, for if she did, she and the students would not have access to the computer. The initial user continued use of the PC and accessed Tickle.com, cookie.monster.com, addynamics.com, and adrevolver.com, all between 8:06:14 – 8:08:03 AM. During the next few moments Julie retrieved her email through AOL.
http://www.hair-styles.org was accessed at 8:14:24 A.M. Based upon the hair style images uploaded to the PC, we were led to believe that there were students using the computer to search out hair styles. The user went to http://www.crayola.com at 8:35:27 A.M. The user continued accessing the original hair site and was directed to http://new-hair-styles.com. This site had pornographic links; pop-ups were then initiated by http://pagead2.googlesyndication.com. There were additional pop-ups by realmedia.com and cnentrport.net, and by 9:20:00 A.M., several java, aspx’s and html scripts were uploaded. A click on the curlyhairstyles.htm icon on the http://www.new-hair-styles.com site led to the execution of the curlyhairstyle script along with others that contained pornographic links and pop-ups. Once the aforementioned started, it would be very difficult even for an experienced user to extricate themselves from this situation of porn pop-ups and loops.
All of the jpg’s that we looked at in the internet cache folders were of the 5, 6 and 15 kB size, very small images indeed. Normally, when a person goes to a pornographic website they are interested in the larger pictures of greater resolution and those jpgs would be at least 35 kB and larger. We found no evidence of where this kind of surfing was exercised on October 19, 2004.
We asked the prosecution to arrange for the defense to have unfettered access to the internet so that we could reenact the events of October 19, 2004. It was not granted. I went to court with two laptops and a box full of reference material, prepared to very clearly illustrate what happened to Julie Amero. But the prosecution objected because they were not given “full disclosure” of my examination. I was allowed to illustrate two screens, those of the www.hair-styles.org and www.new-hair-styles.com sites.
This was one of the most frustrating experiences of my career, knowing full well that the person is innocent and not being allowed to provide logical proof.
If there is an appeal and the defense is allowed to show the entire results of the forensic examination in front of experienced computer people, including a computer-literate judge and prosecutor, Julie Amero will walk out of the courtroom as a free person.
Let this experience stand as a warning to all that use computers in an environment where minors are present. The aforementioned situation can happen to anyone without fail and without notice if there is not adequate firewall, antispyware, antiadware and antivirus protection. That was not provided by the school administration where Julie Amero taught.