A bumbled forensic defense?
The PC in the classroom – like many school computers – was running Windows 98 and the browser was Internet Explorer 5. There was no evidence that either browser or OS had been, in any significant degree, updated, and neither the PC nor the network itself apparently had any kind of firewall. Win 98 is no longer even patchable and is not supported by its creator. None of this is unusual. Finally, the PC was reportedly riddled with spyware, much of which predated Julie Amero's use of the computer.
A defense forensic expert prepared a report contained the following chronology of events based upon his forensic examination.
On October 19, 2004, around 8:00 A.M., Mr Napp, the class' regular teacher logged on to the PC because Julie Amero being a substitute teacher did not have her own id and password. It makes sense that Mr Napp told Julie not to logoff or shut the computer off, for if she did she and the students would not have access to the computer. The initial user continued use of the PC and accessed Tickle.com, cookie.monster.com, addynamics.com, and adrevolver.com all between 8:06:14 - 8:08:03 AM. During the next few moments Julie retrieved her email through AOL.
Amazingly, despite having two laptops filled with forensic evidence, the defense expert, for reasons discussed below, reportedly was only able to present two powerpoint slides in Amero's defense. Not noted in the forensic examiner's report is the fact that those sites are all strongly linked to adware and automated popups. Of course, addynamnics.com and adrevolver.com are adware sites, and despite the forensic examiner's conclusion that "the initial user...accessed" these sites, a more accurate assessment would be that these sites were accessed while the initial user was logged in – consistent with adware with pornographic pop-ups. For example, Ad Dynamics is a Canadian company that advertises that it will "Manage, deliver and track banner [sic] of any size, pop-ups, text ads and many different types of rich media ads". Similarly, they are listed as known domains for spyware and popup adware. The forensic report continues:
http://www.hair-styles.org was accessed at 8:14:24 A.M., based upon the hair style images uploaded to the PC we were led to believe that there were students using the computer to search out hair styles. The user went to http://www.crayola.com at 8:35:27 A.M. The user continued accessing the original hair site and was directed to http://new-hair-styles.com. This site had pornographic links, pop-ups were then initiated by http://pagead2.googlesyndication.com. There were additional pop-ups by realmedia.com, cnentrport.net, and by 9:20:00 A.M., several java, aspx's and html scripts were uploaded. A click on the curlyhairstyles.htm icon on the http://www.new-hair-styles.com site led to the execution of the curlyhairstyle script along with others that contained pornographic links and pop-ups. Once the aforementioned started, it would be very difficult even for an experienced user to extricate themselves from this situation of porn pop-ups and loops.All of the jpgs that we looked at in the internet cache folders were of the 5, 6 and 15 kB size, very small images indeed. Normally, when a person goes to a pornographic website they are interested in the larger pictures of greater resolution and those jpgs would be at least 35kB and larger. We found no evidence of where this kind of surfing was exercised on October 19, 2004.
Now you probably don't want to retrace the clicks of the seventh grade class noted in the forensic report – well, not unless you want a bit of porn yourself. Even a cursory review of these sites three years later shows that these are not hair design sites, they are fronts for porn or penis-enlargement sites in Russia and the Ukraine. Looking behind the site itself the style sheet for these sites is named "images/sex_style.css" and the background image lives at "http://sex.sweetmeet.ru/". If you scroll down the page far enough, you get to a penis enlargement ad that is a fixed component of the page. The ">>>" images beside the links on the left of the page link to "sweetmeat.ru" the porn site that Amero was convicted of visiting. And guess what else? There is a javascript on called "function popUP(url,h,w,resizable,scrollbars)" – to open pop-ups.
Oh, and many of the hairstyle pictures are of women wearing little or no clothing (long hair covers their chest). All this, coupled with the fact that the seventh grade girls were apparently looking for information about hair styles which might be of interest to 12-year-old girls, and not so much for 40-year-old women, one can reasonably ask what is a more reasonable explanation for the pornographic pop-ups – a 12-year-old surfing for hair styles, or a 40-year-old faculty member surfing porn from a borrowed account in the presence of 29 curious pre-teens, hoping none of them would notice?
So let's get this straight. The machine's internet history showed that a previous user had been accessing the kind of sites likely to plant pornographic malware, such as dubious dating sites. The forensic examination also showed a host of adware and spyware on the machine, much of which had been in place and operating well before the porn incident - including one designed to hijack and redirect the browser. And on this evidence, she was convicted?