Thursday, October 9, 2008

Browser Hijacking as a Defense in Legal Proceedings

Here is an excerpt from the article at Internet Law:

“Browser hijacking is a real phenomenon, which can become manifest through unwanted pop-ups, new ‘favorites’ that a user cannot delete, a new home page, and other forms of loss of control over one’s computer. At the same time, browser hijacking is not always responsible for the presence of unwanted spy ware and other malware. A common culprit for the transmission of these viruses is the downloading of otherwise innocent material such as games or news from disreputable Websites that infect users’ computers with spy ware and viruses, and that, in certain cases, direct users to illegal or sexually explicit Websites. “

As the article states this has been offered as a defense in cases involving contraband such as child pornography and also in wrongful termination cases involving surfing pornography while on the company computer.

The issue is that while it seems logical and should be apparent that this kind of thing can happen to the most innocent of users, juries have been decidedly less than receptive to this as a defense.

In order to mount this as a defense, it must first be established that a browser hijacker existed and was active at the time the images were downloaded. This can be difficult if the computer was subsequently cleaned up by anti-virus or anti-spy ware software. If the program doing the cleaning kept a log of what was cleaned and when, then clues can be obtained from those logs. Sadly, a lot of these programs do not keep a history of what they did.

The second and most effective challenge to this as a defense is the existence of Typed URLS. A moment to explain: The address that you type into the box at the top of your browser to go to a web site like is called a URL or Uniform Resource Locator. In common terms we call this the web site address. In truth it is a human language nickname for the real address of the web site. For instance, if I said I wanted to go see someone, I would say I was going to Bob Smith's home at 110 Cherry Lane. I can understand that and even get there if I know the way. But if I type that address into my GPS it does not see it as 110 Cherry Lane, it sees it as a set of Geographic Positioning Coordinates like, 4.567 , 123.444. The same thing happens when you type into your browser address box. The computer sees that as a string of numbers that is the real address of the server providing's web pages to you, such as (The real address for

Okay, now that you understand that what you type into the address box is a way for humans to remember web page addresses, (who would want to have to remember it is important that you understand a couple of other things. How does become

Out there in the world there are things called DNS servers. DNS stands for Domain Name Service. What the DNS server does is have a big table that matches names with actual addresses, so that when you type in, your browser (Internet Explorer or Safari or Mozilla, etc.) asks the DNS server to tell it where really is. The DNS server looks at its table, matches to the address and then tells the browser to ask that server for web pages. It works just like a giant phone book that matches Bob Smith with his phone number so you know what number to dial to talk to Bob.

Now, back to Typed URLs and why they are so pesky in this type of defense:

Just like the name implies, Typed URLs are the addresses that you the computer user types into that address box. Secretly in the background, Microsoft Windows records those in a place you can't see unless you know where to look.

When the computer hard drive is examined for evidence, that is one of the first places a forensics expert will look to see if the user was actually typing in addresses for bad sites.

But there is one way this can actually help you; if a Typed URL is a slight misspelling for a legitimate site that sent you to a porn site, then you have some evidence that can help you.

For a long time the address was a major porn site. There is no telling the number of innocent people who went there looking for (the real address for The White House). Who knows how many elementary school kids got an eyeful trying to research their homework.

Another common trick of the porn industry and insidious web sites that like to infect your computer is the old misspelling trick. A lot of these have been shut down now thankfully. For instance, if you wanted to go to but you are a poor typist like me and tend to type in, you would have gone to a porn trap site.

If these common misspellings or mis-addresses show up in your Typed URL records on the computer, you have some evidence that you did not intentionally go to a porn site.

Raising this as a defense is tricky and takes a considerable amount of skill to pull off. Not only technically, but also in front of a jury who will need a lot of verbal hand holding to understand it.

But no amount of skill or trickery will convince a jury of evidence you cannot prove. Like the Trojan Horse defense, this shifts the burden of proof from the prosecution and places it squarely on the shoulders of the defense.

There are other factors to consider as well in defending these cases, too many to go into here. But they all must be considered, weighed and presented to the defense attorney as part of the job of the forensics consultant.

No slight to attorneys in any way, but many of them are new to this type of evidence and the implications of same, and depend on the forensics consultant to make sure they understand what they have to work with and what the challenges will be in mounting such as defense from a technical standpoint. If there is one to mount at all.


  1. My name is Fima
    I live in Minneapolis, MN
    I came to US as political refugee on human rights violations in former USSR
    I am russian jew, and I got a lot of discrimination in USSR
    My parents are Holocaust survivors.
    But I got the worst thing in USA, never possible in communist country.
    I was set up with my computer, convicted as a s..x offender for computer p..rn.
    I would like to send you some links to publications about my criminal
    case. I was forced to confess to the
    possession of internet digital pictures of p..rn in deleted clusters
    of my computer hard drive. My browser was hijacked while I was
    browsing the web. I was redirected to illegal sites against my will.
    Some illegal pictures were found on my hard drive, recovering in
    unallocated clusters, without dates of file creation/download.

    I do not know how courts can widely press these charges on people to
    convict them, while the whole Internet is a mess.

    I was fired from many jobs, and I am out of job for 5 years.
    Also police watch me all the time naming me a predator,
    I am not a predator, I came here in hope to escape human rights violations,
    but I got copletely terrible violations by government.

    You can find all links to publications about my case here

  2. I read some of the news reports you linked to in your comment. Sadly, some of the "experts" actually gave wrong information in the articles. Saying that pictures cached by the browser will not be in unallocated space is incorrect. Many times, that is the only place from which they will be recovered.

    Sadly, without the benefit of an experienced and qualified expert on the defense, it is difficult to refute the claims made by the prosecution expert.

    I am not an attorney, but my understanding is that if you waived your right to an appeal when you accepted the plea bargin, you are pretty much out of luck for ever getting it changed.

    Only an attorney in your jurisdiction can answer that question as each state in the US has its own specific laws. If this was a state level case, that is.

    A lot of these types of cases get pled out for various reasons, mostly because the plea offer is far less severe than rolling the dice in a jury trial where the sentencing can be very harsh.

    I speak to a lot of attorneys in these types of cases where they opt to plea rather than go to court, simply because the possibility of getting 10 years in prison for is not worth the risk versus getting 18 months in jail, or several years probation.

    If you think it was bad when you were arrested, it is much worse now as penalties continue to get more severe and what qualifies for prosecution for child porn becomes broader every year.


I have moderated my comments due to spam.