Friday, September 12, 2008

Julie Amero - Wow, just Wow.

I have been following this case for a little while, and I am happy that she has been granted a new trial. I have to say that from what I have read about the forensics work in this case, it is frightening.

First, a quick refresher on the case itself:

Connecticut Teacher Gets New Trial on Web-Porn Charges

And just to get you up to speed a little further:

Commentary by the defense expert

Commentary by the prosecution expert.

Things that jump out at me as a forensic examiner:

The prosecution apparently never made a copy of the original hard drive, or the defense did not request those copies from law enforcement. Based on the tool used for the forensic "analysis" by the prosecution, it is possible they did not make a forensic image of the hard drive, but instead, worked off the original evidence. Not a best practice.

The tool used by the prosecution: Computer Cop Professional

Based on the information on the web site:

"How ComputerCOP Works: Simply drop the CD into a suspect's computer, choose to search for words/phrases from 21 categories of crime and/or search for images by type or header and scan."

So this tool requires the same level of expertise that you would need to run a virus scan on your computer?

While I suppose it is a forensic tool and it is useful for quickly examining a computer, I would hesitate to call it forensic analysis.

The defense expert used Norton Ghost to make a copy of the original hard drive. Now, while I know that you can make a bit-stream copy of a hard drive using Ghost, if you know how, why would you if you had real forensic tools at your disposal?

I am curious as to what forensic tools he used to do his analysis as well, if any.

While the main thrust of the prosecution's argument was that the Typed URLs proved that Julie Amero was actively typing in the URLs of porn sites, the defense expert makes no mention of Typed URLs in his commentary. I wonder why?

Of course, finding Typed URLs in the Windows registry is one thing; putting a person at the keyboard when they are typed is another.

It is going to be interesting to see what comes up in her new trial.

I, for one, will be interested in seeing if the forensic work gets any better. For her sake, I hope it does.

1 comment:

  1. I don't recall what OS it is that was being used, but if it is XP it would be interesting to see what the last write times in some of the registry settings are. Also, Restore point registry analysis might help/hinder as well. This is one area that there really are not too many tools to do a good analysis/timeline of the data.

    Mark
