Loading ...
Sorry, an error occurred while loading the content.

Digital Evidence.....

Expand Messages
  • Ricky Gurley
    I am seeing more and more cases where digital evidence is used in court. It would seem that investigators for the prosecution and prosecutors are enjoying the
    Message 1 of 13 , Mar 6, 2007
    • 0 Attachment
      I am seeing more and more cases where digital evidence is used in
      court. It would seem that investigators for the prosecution and
      prosecutors are enjoying the ability to gather evidence from various
      digital hardware and mediums.

      Here is a statement made by Jim Christy, Director of the Future
      Explorations unit of the Department of Defense's Cyber Crime
      Center: "I think digital evidence is more powerful than DNA
      evidence," Christy said. "It can answer who, what, where, why and
      how; DNA can only tell you who."

      One of the problems that I am finding here is that while the digital
      evidence is certainly there, and can sometimes mount up to volumes
      and volumes of information; it is largely up for interpretation in
      most cases. In my opinion the "what, why, and how" that is derived
      from digital evidence is up for interpretation. I believe this is
      exactly why the prosecution likes this kind of evidence; because the
      prosecution can "spin" it anyway it wants to. Chat messages are "non-
      tonal"; so it is easy to show that someone had written something in a
      chat conversation, and even harder for that person who had written it
      to prove that they were joking when they had written it.

      While I might agree that this is something that perhaps should not
      concern an investigator that is responsible for doing the
      examination, I am not sure that this is altogether "fair". Google
      searches for "gunshot wounds" should not necessarily imply that a
      person shot someone two weeks after these searches, nor should
      someone typing in "my career as a drug dealer wasn't working out; so
      I decided to become a cop" necessarily imply that a Law Enforcement
      Officer used to be a "drug dealer"; yet I see this type of evidence
      presented in this fashion more and more all of the time.

      Has anyone here had any experiences like this in court? I would
      imagine this is very common-place. And I acknowledge that this can
      work just as well for the defense as for the prosecution. I
      personally; am just not comfortable with interpretations of evidence
      without some kind of a basis for the interpretation.

      Would love to hear other viewpoints on this.

      Take care, all.



      Rick.



      Risk Management Research & Investments, Inc.
      "He Who Forgets, Will Be Destined To Remember"

      MAIL BOX: 2101 W. Broadway PMB 326, Columbia, MO. 65203
      OFFICE ADDRESS: 607 N. Providence, Columbia, MO. 65203

      Phone: (888) 571-0958
      Fax: (877) 795-9800
      Cell: (573) 529-0808

      Email
      RMRI-Inc@...

      Webpage
      http://www.rmriinc.com

      Blogs
      http://rmriincspace.spaces.live.com/
      http://rmriinc.blogspot.com/
    • Jim Parker
      Digital evidence, like most any other evidence, is often subject to interpretation. This is nothing new. If someone is accused of killing his wife with
      Message 2 of 13 , Mar 6, 2007
      • 0 Attachment
        Digital evidence, like most any other evidence, is often subject to
        interpretation. This is nothing new.

        If someone is accused of killing his wife with Arsenic, and digital evidence
        shows a pattern of searches (prior to the murder) for "where to buy Arsenic"
        and "how to kill someone with poisons and not get caught", that's a very
        good indication that the husband killed his wife. It's not an absolute, but
        if his wife was shot, and it's discovered that the gun she was shot with is
        registered to her husband, that's not absolute evidence that he shot his
        wife either.

        I guess I don't really get what the problem is, or I'm missing the specific
        question you're asking.

        Jim



        -----Original Message-----
        From: infoguys-list@yahoogroups.com [mailto:infoguys-list@yahoogroups.com]
        On Behalf Of Ricky Gurley
        Sent: Tuesday, March 06, 2007 1:45 PM
        To: infoguys-list@yahoogroups.com
        Subject: [infoguys-list] Digital Evidence.....


        I am seeing more and more cases where digital evidence is used in court. It
        would seem that investigators for the prosecution and prosecutors are
        enjoying the ability to gather evidence from various digital hardware and
        mediums.

        Here is a statement made by Jim Christy, Director of the Future Explorations
        unit of the Department of Defense's Cyber Crime
        Center: "I think digital evidence is more powerful than DNA evidence,"
        Christy said. "It can answer who, what, where, why and how; DNA can only
        tell you who."

        One of the problems that I am finding here is that while the digital
        evidence is certainly there, and can sometimes mount up to volumes and
        volumes of information; it is largely up for interpretation in most cases.
        In my opinion the "what, why, and how" that is derived from digital evidence
        is up for interpretation. I believe this is exactly why the prosecution
        likes this kind of evidence; because the prosecution can "spin" it anyway it
        wants to. Chat messages are "non- tonal"; so it is easy to show that someone
        had written something in a chat conversation, and even harder for that
        person who had written it to prove that they were joking when they had
        written it.

        While I might agree that this is something that perhaps should not concern
        an investigator that is responsible for doing the examination, I am not sure
        that this is altogether "fair". Google searches for "gunshot wounds" should
        not necessarily imply that a person shot someone two weeks after these
        searches, nor should someone typing in "my career as a drug dealer wasn't
        working out; so I decided to become a cop" necessarily imply that a Law
        Enforcement Officer used to be a "drug dealer"; yet I see this type of
        evidence presented in this fashion more and more all of the time.

        Has anyone here had any experiences like this in court? I would imagine this
        is very common-place. And I acknowledge that this can work just as well for
        the defense as for the prosecution. I personally; am just not comfortable
        with interpretations of evidence without some kind of a basis for the
        interpretation.

        Would love to hear other viewpoints on this.

        Take care, all.

        Rick.

        Risk Management Research & Investments, Inc.
        "He Who Forgets, Will Be Destined To Remember"

        MAIL BOX: 2101 W. Broadway PMB 326, Columbia, MO. 65203 OFFICE ADDRESS: 607
        N. Providence, Columbia, MO. 65203

        Phone: (888) 571-0958
        Fax: (877) 795-9800
        Cell: (573) 529-0808

        Email
        RMRI-Inc@... <mailto:RMRI-Inc%40mchsi.com>

        Webpage
        http://www.rmriinc.com <http://www.rmriinc.com>

        Blogs
        http://rmriincspace.spaces.live.com/ <http://rmriincspace.spaces.live.com/>
        http://rmriinc.blogspot.com/ <http://rmriinc.blogspot.com/>
      • Jim Parker
        I guess I should have mentioned: Civil cases rely on the preponderance of evidence. Criminal cases call for guilt beyond a reasonable doubt Neither of these
        Message 3 of 13 , Mar 6, 2007
        • 0 Attachment
          I guess I should have mentioned:

          Civil cases rely on the preponderance of evidence.

          Criminal cases call for "guilt beyond a reasonable doubt"

          Neither of these are absolutes (it's not "guilt beyond any possible doubt"),
          so it's not necessary that digital or any other evidence does not have the
          possibility of being interpreted in some manner.

          Jim


          -----Original Message-----
          From: infoguys-list@yahoogroups.com [mailto:infoguys-list@yahoogroups.com]
          On Behalf Of Jim Parker
          Sent: Tuesday, March 06, 2007 2:15 PM
          To: infoguys-list@yahoogroups.com
          Subject: RE: [infoguys-list] Digital Evidence.....

          Digital evidence, like most any other evidence, is often subject to
          interpretation. This is nothing new.

          If someone is accused of killing his wife with Arsenic, and digital evidence
          shows a pattern of searches (prior to the murder) for "where to buy Arsenic"
          and "how to kill someone with poisons and not get caught", that's a very
          good indication that the husband killed his wife. It's not an absolute, but
          if his wife was shot, and it's discovered that the gun she was shot with is
          registered to her husband, that's not absolute evidence that he shot his
          wife either.

          I guess I don't really get what the problem is, or I'm missing the specific
          question you're asking.

          Jim

          -----Original Message-----
          From: infoguys-list@yahoogroups.com <mailto:infoguys-list%40yahoogroups.com>
          [mailto:infoguys-list@yahoogroups.com
          <mailto:infoguys-list%40yahoogroups.com> ] On Behalf Of Ricky Gurley
          Sent: Tuesday, March 06, 2007 1:45 PM
          To: infoguys-list@yahoogroups.com <mailto:infoguys-list%40yahoogroups.com>
          Subject: [infoguys-list] Digital Evidence.....

          I am seeing more and more cases where digital evidence is used in court. It
          would seem that investigators for the prosecution and prosecutors are
          enjoying the ability to gather evidence from various digital hardware and
          mediums.

          Here is a statement made by Jim Christy, Director of the Future Explorations
          unit of the Department of Defense's Cyber Crime
          Center: "I think digital evidence is more powerful than DNA evidence,"
          Christy said. "It can answer who, what, where, why and how; DNA can only
          tell you who."

          One of the problems that I am finding here is that while the digital
          evidence is certainly there, and can sometimes mount up to volumes and
          volumes of information; it is largely up for interpretation in most cases.
          In my opinion the "what, why, and how" that is derived from digital evidence
          is up for interpretation. I believe this is exactly why the prosecution
          likes this kind of evidence; because the prosecution can "spin" it anyway it
          wants to. Chat messages are "non- tonal"; so it is easy to show that someone
          had written something in a chat conversation, and even harder for that
          person who had written it to prove that they were joking when they had
          written it.

          While I might agree that this is something that perhaps should not concern
          an investigator that is responsible for doing the examination, I am not sure
          that this is altogether "fair". Google searches for "gunshot wounds" should
          not necessarily imply that a person shot someone two weeks after these
          searches, nor should someone typing in "my career as a drug dealer wasn't
          working out; so I decided to become a cop" necessarily imply that a Law
          Enforcement Officer used to be a "drug dealer"; yet I see this type of
          evidence presented in this fashion more and more all of the time.

          Has anyone here had any experiences like this in court? I would imagine this
          is very common-place. And I acknowledge that this can work just as well for
          the defense as for the prosecution. I personally; am just not comfortable
          with interpretations of evidence without some kind of a basis for the
          interpretation.

          Would love to hear other viewpoints on this.

          Take care, all.

          Rick.

          Risk Management Research & Investments, Inc.
          "He Who Forgets, Will Be Destined To Remember"

          MAIL BOX: 2101 W. Broadway PMB 326, Columbia, MO. 65203 OFFICE ADDRESS: 607
          N. Providence, Columbia, MO. 65203

          Phone: (888) 571-0958
          Fax: (877) 795-9800
          Cell: (573) 529-0808

          Email
          RMRI-Inc@... <mailto:RMRI-Inc%40mchsi.com>
          <mailto:RMRI-Inc%40mchsi.com>

          Webpage
          http://www.rmriinc.com <http://www.rmriinc.com> <http://www.rmriinc.com
          <http://www.rmriinc.com> >

          Blogs
          http://rmriincspace.spaces.live.com/ <http://rmriincspace.spaces.live.com/>
          <http://rmriincspace.spaces.live.com/ <http://rmriincspace.spaces.live.com/>
          > http://rmriinc.blogspot.com/ <http://rmriinc.blogspot.com/>
          <http://rmriinc.blogspot.com/ <http://rmriinc.blogspot.com/> >
        • Thomas Eskridge
          Pulling a number out of the air, but probably not far off, I would venture that over 90% of the people convicted (and rightly so) are convicted based on a
          Message 4 of 13 , Mar 6, 2007
          • 0 Attachment
            Pulling a number out of the air, but probably not far off, I would venture
            that over 90% of the people convicted (and rightly so) are convicted based
            on a preponderance of circumstantial evidence. There is nothing new, nor
            unusual about this. Personally, as an investigator, I would rather have
            multiple pieces of circumstances pointing towards a conclusion than a single
            eyewitness telling me how something happened. For example..investigating a
            traffic accident scene.more often than not the witness statements are all
            over the map (most people do very poorly under pressure).but if you examine
            tire skid marks, debris patterns, damage to involved cars and property, a
            trained investigator can tell you exactly what happened. The witness
            statements are "direct evidence" while the observations made by the
            investigator would all be circumstantial.



            So, why is computer forensics so important..because people do the stupidest
            things..case I worked.off duty cop rapes girl.I examine his hard drive (no
            pun) and find NO porn (rather unusual).but I do find over 100 rape fantasy
            stories he had downloaded, more than a few that had the suspect as a
            cop.circumstantial as hell...but when this discovery was dropped on the
            defense attorney the case (which had been a he said she said) pled out.
            Circumstantial evidence that tended to heavily support the direct evidence
            testimony of the victim.



            Just wondering Rick, what are you going to do with all your forensic
            equipment if you win your argument? Celebrate that more prosecutors are
            learning about the evidence on computers. This is going to force more
            private attorneys to hire you to validate the findings of the State.



            Without regard to the type of evidence, prosecutors "spin" for the people,
            defense attorneys "spin" for the defendant and the judge or jury are
            supposed to figure it out. That's the way its always been.seems to work
            pretty well all in all.



            Tom Eskridge, Chief Operations Officer

            High Tech Crime Institute

            28100 US Hwy 19 N, suite 204

            Clearwater Florida 33761

            727-499-7215

            888-300-9789

            www.gohtci.com



            _____

            From: infoguys-list@yahoogroups.com [mailto:infoguys-list@yahoogroups.com]
            On Behalf Of Jim Parker
            Sent: Tuesday, March 06, 2007 2:22 PM
            To: infoguys-list@yahoogroups.com
            Subject: RE: [infoguys-list] Digital Evidence.....



            I guess I should have mentioned:

            Civil cases rely on the preponderance of evidence.

            Criminal cases call for "guilt beyond a reasonable doubt"

            Neither of these are absolutes (it's not "guilt beyond any possible doubt"),
            so it's not necessary that digital or any other evidence does not have the
            possibility of being interpreted in some manner.

            Jim


            -----Original Message-----
            From: infoguys-list@ <mailto:infoguys-list%40yahoogroups.com>
            yahoogroups.com [mailto:infoguys-list@
            <mailto:infoguys-list%40yahoogroups.com> yahoogroups.com]
            On Behalf Of Jim Parker
            Sent: Tuesday, March 06, 2007 2:15 PM
            To: infoguys-list@ <mailto:infoguys-list%40yahoogroups.com> yahoogroups.com
            Subject: RE: [infoguys-list] Digital Evidence.....

            Digital evidence, like most any other evidence, is often subject to
            interpretation. This is nothing new.

            If someone is accused of killing his wife with Arsenic, and digital evidence
            shows a pattern of searches (prior to the murder) for "where to buy Arsenic"
            and "how to kill someone with poisons and not get caught", that's a very
            good indication that the husband killed his wife. It's not an absolute, but
            if his wife was shot, and it's discovered that the gun she was shot with is
            registered to her husband, that's not absolute evidence that he shot his
            wife either.

            I guess I don't really get what the problem is, or I'm missing the specific
            question you're asking.

            Jim

            -----Original Message-----
            From: infoguys-list@ <mailto:infoguys-list%40yahoogroups.com>
            yahoogroups.com <mailto:infoguys-list%40yahoogroups.com>
            [mailto:infoguys-list@ <mailto:infoguys-list%40yahoogroups.com>
            yahoogroups.com
            <mailto:infoguys-list%40yahoogroups.com> ] On Behalf Of Ricky Gurley
            Sent: Tuesday, March 06, 2007 1:45 PM
            To: infoguys-list@ <mailto:infoguys-list%40yahoogroups.com> yahoogroups.com
            <mailto:infoguys-list%40yahoogroups.com>
            Subject: [infoguys-list] Digital Evidence.....

            I am seeing more and more cases where digital evidence is used in court. It
            would seem that investigators for the prosecution and prosecutors are
            enjoying the ability to gather evidence from various digital hardware and
            mediums.

            Here is a statement made by Jim Christy, Director of the Future Explorations
            unit of the Department of Defense's Cyber Crime
            Center: "I think digital evidence is more powerful than DNA evidence,"
            Christy said. "It can answer who, what, where, why and how; DNA can only
            tell you who."

            One of the problems that I am finding here is that while the digital
            evidence is certainly there, and can sometimes mount up to volumes and
            volumes of information; it is largely up for interpretation in most cases.
            In my opinion the "what, why, and how" that is derived from digital evidence
            is up for interpretation. I believe this is exactly why the prosecution
            likes this kind of evidence; because the prosecution can "spin" it anyway it
            wants to. Chat messages are "non- tonal"; so it is easy to show that someone
            had written something in a chat conversation, and even harder for that
            person who had written it to prove that they were joking when they had
            written it.

            While I might agree that this is something that perhaps should not concern
            an investigator that is responsible for doing the examination, I am not sure
            that this is altogether "fair". Google searches for "gunshot wounds" should
            not necessarily imply that a person shot someone two weeks after these
            searches, nor should someone typing in "my career as a drug dealer wasn't
            working out; so I decided to become a cop" necessarily imply that a Law
            Enforcement Officer used to be a "drug dealer"; yet I see this type of
            evidence presented in this fashion more and more all of the time.

            Has anyone here had any experiences like this in court? I would imagine this
            is very common-place. And I acknowledge that this can work just as well for
            the defense as for the prosecution. I personally; am just not comfortable
            with interpretations of evidence without some kind of a basis for the
            interpretation.

            Would love to hear other viewpoints on this.

            Take care, all.

            Rick.

            Risk Management Research & Investments, Inc.
            "He Who Forgets, Will Be Destined To Remember"

            MAIL BOX: 2101 W. Broadway PMB 326, Columbia, MO. 65203 OFFICE ADDRESS: 607
            N. Providence, Columbia, MO. 65203

            Phone: (888) 571-0958
            Fax: (877) 795-9800
            Cell: (573) 529-0808

            Email
            RMRI-Inc@mchsi. <mailto:RMRI-Inc%40mchsi.com> com
            <mailto:RMRI-Inc%40mchsi.com>
            <mailto:RMRI-Inc%40mchsi.com>

            Webpage
            http://www.rmriinc. <http://www.rmriinc.com> com <http://www.rmriinc.
            <http://www.rmriinc.com> com> <http://www.rmriinc. <http://www.rmriinc.com>
            com
            <http://www.rmriinc. <http://www.rmriinc.com> com> >

            Blogs
            http://rmriincspace <http://rmriincspace.spaces.live.com/> .spaces.live.com/
            <http://rmriincspace <http://rmriincspace.spaces.live.com/>
            .spaces.live.com/>
            <http://rmriincspace <http://rmriincspace.spaces.live.com/>
            .spaces.live.com/ <http://rmriincspace
            <http://rmriincspace.spaces.live.com/> .spaces.live.com/>
            > http://rmriinc. <http://rmriinc.blogspot.com/> blogspot.com/
            <http://rmriinc. <http://rmriinc.blogspot.com/> blogspot.com/>
            <http://rmriinc. <http://rmriinc.blogspot.com/> blogspot.com/
            <http://rmriinc. <http://rmriinc.blogspot.com/> blogspot.com/> >





            [Non-text portions of this message have been removed]
          • Ricky Gurley
            Thomas Eskridge asks: Just wondering Rick, what are you going to do with all your forensic equipment if you win your argument? Celebrate that more prosecutors
            Message 5 of 13 , Mar 6, 2007
            • 0 Attachment
              Thomas Eskridge asks:

              "Just wondering Rick, what are you going to do with all your forensic equipment if you win your argument? Celebrate that more prosecutors are learning about the evidence on computers. This is going to force more private attorneys to hire you to validate the findings of the State."

              I could always sell it buy Barber Equipment and open up a Barber Shop! Just a joke. ;o)

              I never indicated that Digital Evidence should not be allowed in the court room... I think there is a great need for this line of evidence gathering. My concern is with Prosecutors using it to interpret a person's intentions and/or actions wrongly. Case in point listed below:


              --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
              http://www.cnn.com/2007/LAW/02/13/teacher.porn.ap/index.html

              "WINDHAM, Connecticut (AP) -- Until recently, Julie Amero says, she lived the quiet life of a small-town substitute teacher, with little knowledge of computers and even less about porn.

              Now she is in the middle of a criminal case that hinges on the intricacies of both, and it could put her behind bars for up to 40 years.

              She was convicted last month of exposing seventh-grade students to pornography on her classroom computer.

              She contended the images were inadvertently thrust onto the screen by pornographers' unseen spyware and adware programs.

              Prosecutors dispute that. But her argument has made her a cause celebre among some technology experts, who say what happened to her could happen to anyone.

              "I'm scared," the 40-year-old Amero said. "I'm just beside myself over something I didn't do."
              It all began in October 2004. Amero was assigned to a class at Kelly Middle School in Norwich, a city of around 37,000 people about 40 miles east of Hartford.

              Amero says that before her class started, a teacher allowed her to e-mail her husband. She says she used the computer and went to the bathroom, returning to find the permanent teacher gone and two students viewing a Web site on hair styles.

              Amero says she chased the students away and started class. But later, she says, pornographic images started popping up on the computer screen by themselves. She says she tried to click the images off, but they kept returning, and she was under strict orders not to shut the computer off.

              "I did everything I possibly could to keep them from seeing anything," she says.

              Prosecutor David Smith contended at Amero's three-day trial that she actually clicked on graphic Web sites.

              Several students testified that they saw pictures of naked men and women, including at least one image a couple having oral sex.

              Computer consultant Herb Horner testified for the defense that the children had gone to an innocent Web site on hair styles and were redirected to another hairstyle site that had pornographic links. "It can happen to anybody," Horner said.

              The defense argued that the images were caused by adware and spyware -- programs that are often secretly planted on computers by Internet businesses to track users' browsing habits. They can generate pop-up ads -- in some cases, pornographic ones.

              "It's absolutely plausible," Ari Schwartz, deputy director of the Center for Democracy and Technology, said of Amero's case. "It's a huge problem."
              But many remain skeptical, including Mark Steinmetz, who served on Amero's jury.

              "So many kids noticed this going on," Steinmetz said. "It was truly uncalled for. I would not want my child in her classroom. All she had to do was throw a coat over it or unplug it. We figured even if there were pop-ups, would you sit there?"

              The Federal Trade Commission has been cracking down on companies accused of spreading malicious spyware to millions of computer users worldwide. And pop-up blockers that can prevent so-called porn storms are now in wide use.

              Amero and her supporters say the old computer lacked firewall or antispyware protections to prevent inappropriate pop-ups.

              "What is extraordinary is the prosecution admitted there was no search made for spyware -- an incredible blunder akin to not checking for fingerprints at a crime scene," Alex Eckelberry, president of a Florida software company, wrote recently in the local newspaper. "When a pop-up occurs on a computer, it will get shown as a visited Web site, and no 'physical click' is necessary."

              Smith, the prosecutor, would not say what he plans to recommend when Amero is sentenced March 2. John Newsone, a defense attorney in Norwich familiar with the case, said Amero might be spared prison or face perhaps a year to 18 months.

              Principal Scott Fain said the computer lacked the latest firewall protection because a vendor's bill had gone unpaid. "I was shocked to see what made it through," he said.

              But Fain also said Amero was the only one to report such a problem: "We've never had a problem with pop-ups before or since."
              --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

              This is an example of what I believe to be the prosecution interpreting the evidence the way it wants to; and quite possibly causing an innocent person a lot of grief. In my humble opinion this lady was not intentionally viewing porn, nor was she allowing her students to view porn; she was just not computer savvy enough to understand how "pop ups" work and how to protect her students from them. Not to mention that; again in my humble opinion; the school also had a duty to make sure their computers were updated and used some type of a program to defend against malware (Windows Defender, Spybot, Pop Up Blockers), a long list of options; so that this very incident would not be likely to occur.

              The case listed above is the types of case I am referring to in my previous post.



              Rick.





              Risk Management Research & Investments, Inc.
              "He Who Forgets, Will Be Destined To Remember"

              MAILING ADDRESS: 2101 W. Broadway PMB 326, Columbia, MO. 65203
              OFFICE ADDRESS: 607 N. Providence, Columbia, MO. 65203

              Phone: (888) 571-0958
              Fax: (877) 795-9800
              Cell: (573) 529-0808

              Email
              RMRI-Inc@...

              RMRI, Inc. Blogs
              http://rmriinc.blogspot.com/
              http://rmriincspace.spaces.live.com/blog/

              Webpage
              http://www.rmriinc.com



              ____________________________________________________________________________________
              Food fight? Enjoy some healthy debate
              in the Yahoo! Answers Food & Drink Q&A.
              http://answers.yahoo.com/dir/?link=list&sid=396545367

              [Non-text portions of this message have been removed]
            • Jim Parker
              I think it s a better example of a
              Message 6 of 13 , Mar 6, 2007
              • 0 Attachment
                <<<< This is an example of what I believe to be the prosecution
                interpreting the evidence the way it wants to >>>

                I think it's a better example of a thoroughly abysmal defense team.

                I failed to note anywhere in the article where any forensic analysis of the
                computer was conducted at all. Even a half decent forensic examination of
                the hard drive would have uncovered exactly what malicious scripts and
                programs were installed on the system, exactly when they were installed, and
                precisely what they do.

                A cache analysis would have shown the timeline of what happened on the
                computer when the kids were allegedly visiting hair styles web sites and
                source code analysis of the hair style sites would also demonstrate any
                malicious coding in the sites that would, or at least could, cause malicious
                ad-ware to be installed on the system.

                Hell, a good forensic examiner could likely have mounted an image of the
                drive, sat their system in front of the jury where they could watch the
                pop-ups bounce all over the screen for themselves, with no user input.

                Seems to be a lot of prosecutor saying "she did this", and the defense
                coming up with nothing better than "yeah, but maybe this or that happened"
                with nothing whatsoever to support it.

                Not a good defense strategy to instill reasonable doubt in a jury.

                Jim



                -----Original Message-----
                From: infoguys-list@yahoogroups.com [mailto:infoguys-list@yahoogroups.com]
                On Behalf Of Ricky Gurley
                Sent: Wednesday, March 07, 2007 12:03 AM
                To: infoguys-list@yahoogroups.com
                Subject: Re: [infoguys-list] Digital Evidence.....

                Thomas Eskridge asks:

                "Just wondering Rick, what are you going to do with all your forensic
                equipment if you win your argument? Celebrate that more prosecutors are
                learning about the evidence on computers. This is going to force more
                private attorneys to hire you to validate the findings of the State."

                I could always sell it buy Barber Equipment and open up a Barber Shop! Just
                a joke. ;o)

                I never indicated that Digital Evidence should not be allowed in the court
                room... I think there is a great need for this line of evidence gathering.
                My concern is with Prosecutors using it to interpret a person's intentions
                and/or actions wrongly. Case in point listed below:

                ----------------------------------------------------------
                http://www.cnn.com/2007/LAW/02/13/teacher.porn.ap/index.html
                <http://www.cnn.com/2007/LAW/02/13/teacher.porn.ap/index.html>

                "WINDHAM, Connecticut (AP) -- Until recently, Julie Amero says, she lived
                the quiet life of a small-town substitute teacher, with little knowledge of
                computers and even less about porn.

                Now she is in the middle of a criminal case that hinges on the intricacies
                of both, and it could put her behind bars for up to 40 years.

                She was convicted last month of exposing seventh-grade students to
                pornography on her classroom computer.

                She contended the images were inadvertently thrust onto the screen by
                pornographers' unseen spyware and adware programs.

                Prosecutors dispute that. But her argument has made her a cause celebre
                among some technology experts, who say what happened to her could happen to
                anyone.

                "I'm scared," the 40-year-old Amero said. "I'm just beside myself over
                something I didn't do."
                It all began in October 2004. Amero was assigned to a class at Kelly Middle
                School in Norwich, a city of around 37,000 people about 40 miles east of
                Hartford.

                Amero says that before her class started, a teacher allowed her to e-mail
                her husband. She says she used the computer and went to the bathroom,
                returning to find the permanent teacher gone and two students viewing a Web
                site on hair styles.

                Amero says she chased the students away and started class. But later, she
                says, pornographic images started popping up on the computer screen by
                themselves. She says she tried to click the images off, but they kept
                returning, and she was under strict orders not to shut the computer off.

                "I did everything I possibly could to keep them from seeing anything," she
                says.

                Prosecutor David Smith contended at Amero's three-day trial that she
                actually clicked on graphic Web sites.

                Several students testified that they saw pictures of naked men and women,
                including at least one image a couple having oral sex.

                Computer consultant Herb Horner testified for the defense that the children
                had gone to an innocent Web site on hair styles and were redirected to
                another hairstyle site that had pornographic links. "It can happen to
                anybody," Horner said.

                The defense argued that the images were caused by adware and spyware --
                programs that are often secretly planted on computers by Internet businesses
                to track users' browsing habits. They can generate pop-up ads -- in some
                cases, pornographic ones.

                "It's absolutely plausible," Ari Schwartz, deputy director of the Center for
                Democracy and Technology, said of Amero's case. "It's a huge problem."
                But many remain skeptical, including Mark Steinmetz, who served on Amero's
                jury.

                "So many kids noticed this going on," Steinmetz said. "It was truly uncalled
                for. I would not want my child in her classroom. All she had to do was throw
                a coat over it or unplug it. We figured even if there were pop-ups, would
                you sit there?"

                The Federal Trade Commission has been cracking down on companies accused of
                spreading malicious spyware to millions of computer users worldwide. And
                pop-up blockers that can prevent so-called porn storms are now in wide use.

                Amero and her supporters say the old computer lacked firewall or antispyware
                protections to prevent inappropriate pop-ups.

                "What is extraordinary is the prosecution admitted there was no search made
                for spyware -- an incredible blunder akin to not checking for fingerprints
                at a crime scene," Alex Eckelberry, president of a Florida software company,
                wrote recently in the local newspaper. "When a pop-up occurs on a computer,
                it will get shown as a visited Web site, and no 'physical click' is
                necessary."

                Smith, the prosecutor, would not say what he plans to recommend when Amero
                is sentenced March 2. John Newsone, a defense attorney in Norwich familiar
                with the case, said Amero might be spared prison or face perhaps a year to
                18 months.

                Principal Scott Fain said the computer lacked the latest firewall protection
                because a vendor's bill had gone unpaid. "I was shocked to see what made it
                through," he said.

                But Fain also said Amero was the only one to report such a problem: "We've
                never had a problem with pop-ups before or since."
                ----------------------------------------------------------

                This is an example of what I believe to be the prosecution interpreting the
                evidence the way it wants to; and quite possibly causing an innocent person
                a lot of grief. In my humble opinion this lady was not intentionally viewing
                porn, nor was she allowing her students to view porn; she was just not
                computer savvy enough to understand how "pop ups" work and how to protect
                her students from them. Not to mention that; again in my humble opinion; the
                school also had a duty to make sure their computers were updated and used
                some type of a program to defend against malware (Windows Defender, Spybot,
                Pop Up Blockers), a long list of options; so that this very incident would
                not be likely to occur.

                The case listed above is the types of case I am referring to in my previous
                post.

                Rick.

                Risk Management Research & Investments, Inc.
                "He Who Forgets, Will Be Destined To Remember"

                MAILING ADDRESS: 2101 W. Broadway PMB 326, Columbia, MO. 65203 OFFICE
                ADDRESS: 607 N. Providence, Columbia, MO. 65203

                Phone: (888) 571-0958
                Fax: (877) 795-9800
                Cell: (573) 529-0808

                Email
                RMRI-Inc@... <mailto:RMRI-Inc%40mchsi.com>

                RMRI, Inc. Blogs
                http://rmriinc.blogspot.com/ <http://rmriinc.blogspot.com/>
                http://rmriincspace.spaces.live.com/blog/
                <http://rmriincspace.spaces.live.com/blog/>

                Webpage
                http://www.rmriinc.com <http://www.rmriinc.com>

                __________________________________________________________
                Food fight? Enjoy some healthy debate
                in the Yahoo! Answers Food & Drink Q&A.
                http://answers.yahoo.com/dir/?link=list&sid=396545367
                <http://answers.yahoo.com/dir/?link=list&sid=396545367>

                [Non-text portions of this message have been removed]
              • Ricky Gurley
                ... analysis of the ... examination of ... and ... installed, and ... the ... sites and ... any ... malicious ... of the ... the ... input. ... defense ...
                Message 7 of 13 , Mar 7, 2007
                • 0 Attachment
                  --- In infoguys-list@yahoogroups.com, "Jim Parker" <Jim@...> wrote:
                  >
                  > <<<< This is an example of what I believe to be the prosecution
                  > interpreting the evidence the way it wants to >>>
                  >
                  > I think it's a better example of a thoroughly abysmal defense team.
                  >
                  > I failed to note anywhere in the article where any forensic
                  analysis of the
                  > computer was conducted at all. Even a half decent forensic
                  examination of
                  > the hard drive would have uncovered exactly what malicious scripts
                  and
                  > programs were installed on the system, exactly when they were
                  installed, and
                  > precisely what they do.
                  >
                  > A cache analysis would have shown the timeline of what happened on
                  the
                  > computer when the kids were allegedly visiting hair styles web
                  sites and
                  > source code analysis of the hair style sites would also demonstrate
                  any
                  > malicious coding in the sites that would, or at least could, cause
                  malicious
                  > ad-ware to be installed on the system.
                  >
                  > Hell, a good forensic examiner could likely have mounted an image
                  of the
                  > drive, sat their system in front of the jury where they could watch
                  the
                  > pop-ups bounce all over the screen for themselves, with no user
                  input.
                  >
                  > Seems to be a lot of prosecutor saying "she did this", and the
                  defense
                  > coming up with nothing better than "yeah, but maybe this or that
                  happened"
                  > with nothing whatsoever to support it.
                  >
                  > Not a good defense strategy to instill reasonable doubt in a jury.
                  >
                  > Jim


                  No... Not really... I'll concede that I did not give you the full
                  story; it was just a summary article. So, I understand you did not
                  have all of the details in when you replied, Jim.

                  Here is the story from the Forensic Examiner:

                  http://www.networkperformancedaily.com/2007/01/the_strange_case_of_ms_
                  julie_a_1.html
                  ---------------------------------------------------------------------
                  The Strange Case of Ms. Julie Amero: Commentary by Mr. Herb Horner


                  Post a comment
                  W. Herbert Horner has worked in computers since 1966. He was Systems
                  Software Engineer for General Dynamics, Operating Systems Internalist
                  for Sperry Univac, and he has diagnosed and corrected mainframe
                  operating systems for the U.S. Armed Forces, NSA, IRS, and various
                  commercial interests.

                  He now operates his own consulting firm, Contemporary Computer
                  Consultants, writes custom software for medical, municipal, business,
                  and forensic applications. He also does network design,
                  implementation, and administration. He also is a computer forensic
                  examiner who was called as a defense expert witness in the Julie
                  Amero case.

                  In an effort to dispel rumor and produce a more accurate
                  understanding of the Amero case in the public, we have offered him a
                  chance to offer his commentary. Tomorrow we hope to have commentary
                  from Detective Mark Lounsbury, who testified for the prosecution at
                  Ms. Amero's trial.

                  The Forensic Examination of the computer assigned to Julie Amero
                  We obtained a copy of the PC hard drive from Officer Lounsbury who
                  was most cooperative and at our office we created several copies,
                  preserving the original.

                  During the copy process we received several "Security Alerts!" from
                  our antivirus program. We analyzed the activity log and noted that
                  there were spyware/adware programs installed on the hard drive. We
                  ran two other adware/spyware detection programs and more
                  spyware/adware tracking cookie/programs were discovered. Out of the
                  42, 27 were accessed or modified days if not a month before October
                  19, 2004. We also noted that there was no firewall and there was an
                  outdated antivirus program on the PC. The PC was being tracked before
                  October 19, 2004 by adware and spyware.

                  (Continued...)

                  We examined all internet related folders and files before October 19,
                  2004, during October 19, 2004 and after October 19, 2004. Most
                  significantly, we noted freeze.com, screensaver.com, eharmony.com and
                  zedo.com were being accessed regularly.

                  On October 19, 2004, around 8:00 A.M., Mr. Napp, the class' regular
                  teacher logged on to the PC because Julie Amero being a substitute
                  teacher did not have her own id and password. It makes sense that Mr.
                  Napp told Julie not to logoff or shut the computer off, for if she
                  did she and the students would not have access to the computer. The
                  initial user continued use of the PC and accessed Tickle.com,
                  cookie.monster.com, addynamics.com, and adrevolver.com all between
                  8:06:14 - 8:08:03 AM. During the next few moments Julie retrieved her
                  email through AOL.

                  http://www.hair-styles.org was accessed at 8:14:24 A.M., based upon
                  the hair style images uploaded to the PC we were led to believe that
                  there were students using the computer to search out hair styles. The
                  user went to http://www.crayola.com at 8:35:27 A.M. The user
                  continued accessing the original hair site and was directed to
                  http://new-hair-styles.com. This site had pornographic links, pop-ups
                  were then initiated by http://pagead2.googlesyndication.com. There
                  were additional pop-ups by realmedia.com, cnentrport.net, and by
                  9:20:00 A.M., several java, aspx's and html scripts were uploaded. A
                  click on the curlyhairstyles.htm icon on the http://www.new-hair-
                  styles.com site led to the execution of the curlyhairstyle script
                  along with others that contained pornographic links and pop-ups. Once
                  the aforementioned started, it would be very difficult even for an
                  experienced user to extricate themselves from this situation of porn
                  pop-ups and loops.

                  All of the jpg's that we looked at in the internet cache folders were
                  of the 5, 6 and 15 kB size, very small images indeed. Normally, when
                  a person goes to a pornographic website they are interested in the
                  larger pictures of greater resolution and those jpgs would be at
                  least 35 kB and larger. We found no evidence of where this kind of
                  surfing was exercised on October 19, 2004.

                  Testimony and Trial
                  We asked the prosecution to arrange for the defense to have
                  unfettered access to the internet so that we could reenact the events
                  of October 19, 2004. It was not granted. I went to court with two
                  laptops and a box full of reference material prepared to very clearly
                  illustrate what happened to Julie Amero. But, the prosecution
                  objected because they were not given "full disclosure" of my
                  examination. I was allowed to illustrate two screens, that of the
                  www.hair-styles.org , and www.new-hair-styles.com sites.

                  Conclusion
                  This was one of the most frustrating experiences of my career,
                  knowing full well that the person is innocent and not being allowed
                  to provide logical proof.

                  If there is an appeal and the defense is allowed to show the entire
                  results of the forensic examination in front of experienced computer
                  people, including a computer literate judge and prosecutor, Julie
                  Amero will walk out the court room as a free person.

                  Let this experience stand as a warning to all that use computers in
                  an environment where minors are present. The aforementioned situation
                  can happen to anyone without fail and without notice if there is not
                  adequate firewall, antispyware, antiadware and antivirus protection.
                  That was not provided by the school administration where Julie Amero
                  taught.
                  ----------------------------------------------------------------------

                  Looks like he did just about everything you suggested, Jim. The
                  prosecution just "did not want to hear it"....


                  Rick.



                  Risk Management Research & Investments, Inc.
                  "He Who Forgets, Will Be Destined To Remember"

                  MAIL BOX: 2101 W. Broadway PMB 326, Columbia, MO. 65203
                  OFFICE ADDRESS: 607 N. Providence, Columbia, MO. 65203

                  Phone: (888) 571-0958
                  Fax: (877) 795-9800
                  Cell: (573) 529-0808

                  Email
                  RMRI-Inc@...

                  Webpage
                  http://www.rmriinc.com

                  Blogs
                  http://rmriincspace.spaces.live.com/
                  http://rmriinc.blogspot.com/
                • Thomas Eskridge
                  Gosh help me.but I gotta agree with jim.the teachers best defense on appeal is going to be incompetent representation.again goes to my point.pass this article
                  Message 8 of 13 , Mar 7, 2007
                  • 0 Attachment
                    Gosh help me.but I gotta agree with jim.the teachers best defense on appeal
                    is going to be incompetent representation.again goes to my point.pass this
                    article on to all your criminal defense attorneys.they have to learn that
                    they need to hire peops like you in these cases.if not they a) look
                    stupid...b) risk a lawsuit for inadequate representation..there have already
                    been many opinions by judges that the failure to use computer forensics
                    experts is tantamount to misconduct on the part of attorneys.god bless those
                    opinions.:-)



                    Tom Eskridge, Chief Operations Officer

                    High Tech Crime Institute

                    28100 US Hwy 19 N, suite 204

                    Clearwater Florida 33761

                    727-499-7215

                    888-300-9789

                    www.gohtci.com



                    _____

                    From: infoguys-list@yahoogroups.com [mailto:infoguys-list@yahoogroups.com]
                    On Behalf Of Jim Parker
                    Sent: Wednesday, March 07, 2007 1:15 AM
                    To: infoguys-list@yahoogroups.com
                    Subject: RE: [infoguys-list] Digital Evidence.....



                    <<<< This is an example of what I believe to be the prosecution
                    interpreting the evidence the way it wants to >>>

                    I think it's a better example of a thoroughly abysmal defense team.

                    I failed to note anywhere in the article where any forensic analysis of the
                    computer was conducted at all. Even a half decent forensic examination of
                    the hard drive would have uncovered exactly what malicious scripts and
                    programs were installed on the system, exactly when they were installed, and
                    precisely what they do.

                    A cache analysis would have shown the timeline of what happened on the
                    computer when the kids were allegedly visiting hair styles web sites and
                    source code analysis of the hair style sites would also demonstrate any
                    malicious coding in the sites that would, or at least could, cause malicious
                    ad-ware to be installed on the system.

                    Hell, a good forensic examiner could likely have mounted an image of the
                    drive, sat their system in front of the jury where they could watch the
                    pop-ups bounce all over the screen for themselves, with no user input.

                    Seems to be a lot of prosecutor saying "she did this", and the defense
                    coming up with nothing better than "yeah, but maybe this or that happened"
                    with nothing whatsoever to support it.

                    Not a good defense strategy to instill reasonable doubt in a jury.

                    Jim

                    -----Original Message-----
                    From: infoguys-list@ <mailto:infoguys-list%40yahoogroups.com>
                    yahoogroups.com [mailto:infoguys-list@
                    <mailto:infoguys-list%40yahoogroups.com> yahoogroups.com]
                    On Behalf Of Ricky Gurley
                    Sent: Wednesday, March 07, 2007 12:03 AM
                    To: infoguys-list@ <mailto:infoguys-list%40yahoogroups.com> yahoogroups.com
                    Subject: Re: [infoguys-list] Digital Evidence.....

                    Thomas Eskridge asks:

                    "Just wondering Rick, what are you going to do with all your forensic
                    equipment if you win your argument? Celebrate that more prosecutors are
                    learning about the evidence on computers. This is going to force more
                    private attorneys to hire you to validate the findings of the State."

                    I could always sell it buy Barber Equipment and open up a Barber Shop! Just
                    a joke. ;o)

                    I never indicated that Digital Evidence should not be allowed in the court
                    room... I think there is a great need for this line of evidence gathering.
                    My concern is with Prosecutors using it to interpret a person's intentions
                    and/or actions wrongly. Case in point listed below:

                    ----------------------------------------------------------
                    http://www.cnn.
                    <http://www.cnn.com/2007/LAW/02/13/teacher.porn.ap/index.html>
                    com/2007/LAW/02/13/teacher.porn.ap/index.html
                    <http://www.cnn.
                    <http://www.cnn.com/2007/LAW/02/13/teacher.porn.ap/index.html>
                    com/2007/LAW/02/13/teacher.porn.ap/index.html>

                    "WINDHAM, Connecticut (AP) -- Until recently, Julie Amero says, she lived
                    the quiet life of a small-town substitute teacher, with little knowledge of
                    computers and even less about porn.

                    Now she is in the middle of a criminal case that hinges on the intricacies
                    of both, and it could put her behind bars for up to 40 years.

                    She was convicted last month of exposing seventh-grade students to
                    pornography on her classroom computer.

                    She contended the images were inadvertently thrust onto the screen by
                    pornographers' unseen spyware and adware programs.

                    Prosecutors dispute that. But her argument has made her a cause celebre
                    among some technology experts, who say what happened to her could happen to
                    anyone.

                    "I'm scared," the 40-year-old Amero said. "I'm just beside myself over
                    something I didn't do."
                    It all began in October 2004. Amero was assigned to a class at Kelly Middle
                    School in Norwich, a city of around 37,000 people about 40 miles east of
                    Hartford.

                    Amero says that before her class started, a teacher allowed her to e-mail
                    her husband. She says she used the computer and went to the bathroom,
                    returning to find the permanent teacher gone and two students viewing a Web
                    site on hair styles.

                    Amero says she chased the students away and started class. But later, she
                    says, pornographic images started popping up on the computer screen by
                    themselves. She says she tried to click the images off, but they kept
                    returning, and she was under strict orders not to shut the computer off.

                    "I did everything I possibly could to keep them from seeing anything," she
                    says.

                    Prosecutor David Smith contended at Amero's three-day trial that she
                    actually clicked on graphic Web sites.

                    Several students testified that they saw pictures of naked men and women,
                    including at least one image a couple having oral sex.

                    Computer consultant Herb Horner testified for the defense that the children
                    had gone to an innocent Web site on hair styles and were redirected to
                    another hairstyle site that had pornographic links. "It can happen to
                    anybody," Horner said.

                    The defense argued that the images were caused by adware and spyware --
                    programs that are often secretly planted on computers by Internet businesses
                    to track users' browsing habits. They can generate pop-up ads -- in some
                    cases, pornographic ones.

                    "It's absolutely plausible," Ari Schwartz, deputy director of the Center for
                    Democracy and Technology, said of Amero's case. "It's a huge problem."
                    But many remain skeptical, including Mark Steinmetz, who served on Amero's
                    jury.

                    "So many kids noticed this going on," Steinmetz said. "It was truly uncalled
                    for. I would not want my child in her classroom. All she had to do was throw
                    a coat over it or unplug it. We figured even if there were pop-ups, would
                    you sit there?"

                    The Federal Trade Commission has been cracking down on companies accused of
                    spreading malicious spyware to millions of computer users worldwide. And
                    pop-up blockers that can prevent so-called porn storms are now in wide use.

                    Amero and her supporters say the old computer lacked firewall or antispyware
                    protections to prevent inappropriate pop-ups.

                    "What is extraordinary is the prosecution admitted there was no search made
                    for spyware -- an incredible blunder akin to not checking for fingerprints
                    at a crime scene," Alex Eckelberry, president of a Florida software company,
                    wrote recently in the local newspaper. "When a pop-up occurs on a computer,
                    it will get shown as a visited Web site, and no 'physical click' is
                    necessary."

                    Smith, the prosecutor, would not say what he plans to recommend when Amero
                    is sentenced March 2. John Newsone, a defense attorney in Norwich familiar
                    with the case, said Amero might be spared prison or face perhaps a year to
                    18 months.

                    Principal Scott Fain said the computer lacked the latest firewall protection
                    because a vendor's bill had gone unpaid. "I was shocked to see what made it
                    through," he said.

                    But Fain also said Amero was the only one to report such a problem: "We've
                    never had a problem with pop-ups before or since."
                    ----------------------------------------------------------

                    This is an example of what I believe to be the prosecution interpreting the
                    evidence the way it wants to; and quite possibly causing an innocent person
                    a lot of grief. In my humble opinion this lady was not intentionally viewing
                    porn, nor was she allowing her students to view porn; she was just not
                    computer savvy enough to understand how "pop ups" work and how to protect
                    her students from them. Not to mention that; again in my humble opinion; the
                    school also had a duty to make sure their computers were updated and used
                    some type of a program to defend against malware (Windows Defender, Spybot,
                    Pop Up Blockers), a long list of options; so that this very incident would
                    not be likely to occur.

                    The case listed above is the types of case I am referring to in my previous
                    post.

                    Rick.

                    Risk Management Research & Investments, Inc.
                    "He Who Forgets, Will Be Destined To Remember"

                    MAILING ADDRESS: 2101 W. Broadway PMB 326, Columbia, MO. 65203 OFFICE
                    ADDRESS: 607 N. Providence, Columbia, MO. 65203

                    Phone: (888) 571-0958
                    Fax: (877) 795-9800
                    Cell: (573) 529-0808

                    Email
                    RMRI-Inc@mchsi. <mailto:RMRI-Inc%40mchsi.com> com
                    <mailto:RMRI-Inc%40mchsi.com>

                    RMRI, Inc. Blogs
                    http://rmriinc. <http://rmriinc.blogspot.com/> blogspot.com/
                    <http://rmriinc. <http://rmriinc.blogspot.com/> blogspot.com/>
                    http://rmriincspace <http://rmriincspace.spaces.live.com/blog/>
                    .spaces.live.com/blog/
                    <http://rmriincspace <http://rmriincspace.spaces.live.com/blog/>
                    .spaces.live.com/blog/>

                    Webpage
                    http://www.rmriinc. <http://www.rmriinc.com> com <http://www.rmriinc.
                    <http://www.rmriinc.com> com>

                    __________________________________________________________
                    Food fight? Enjoy some healthy debate
                    in the Yahoo! Answers Food & Drink Q&A.
                    http://answers. <http://answers.yahoo.com/dir/?link=list&sid=396545367>
                    yahoo.com/dir/?link=list&sid=396545367
                    <http://answers. <http://answers.yahoo.com/dir/?link=list&sid=396545367>
                    yahoo.com/dir/?link=list&sid=396545367>

                    [Non-text portions of this message have been removed]





                    [Non-text portions of this message have been removed]
                  • Jim Cobb
                    Don t know if the case was discussed previously or not but this discussion brought to mind the case of Matt Bandy. http://www.justice4matt.com/MattsStory.html
                    Message 9 of 13 , Mar 7, 2007
                    • 0 Attachment
                      Don't know if the case was discussed previously or not but this
                      discussion brought to mind the case of Matt Bandy.

                      http://www.justice4matt.com/MattsStory.html

                      --
                      Thanks,

                      Jim
                      _______________________________________________________________________
                      Hrodey & Associates Established 1977
                      Post Office Box 366
                      Woodstock, IL 60098-0366
                      Licensed in IL & WI (815) 337-4636 Voice 337-4638 Fax
                      e-mail: jcobb@...
                      Illinois License 115-000783 Wisconsin 8045-063
                      Director and Team Member - MissingKIN.com
                    • Jim Parker
                      I agree; and the judge didn t want
                      Message 10 of 13 , Mar 7, 2007
                      • 0 Attachment
                        <<<< Looks like he did just about everything you suggested, Jim. The
                        prosecution just "did not want to hear it".... >>>>

                        I agree; and the judge didn't want to hear it and the jury didn't get an
                        opportunity to hear it.

                        It's a shame, that in today's technologically driven society, we still have
                        judges deciding cases which rely heavily on an understanding of that
                        technology, but who wouldn't know was a CPU was if they found one in their
                        soup.

                        Jim



                        -----Original Message-----
                        From: infoguys-list@yahoogroups.com [mailto:infoguys-list@yahoogroups.com]
                        On Behalf Of Ricky Gurley
                        Sent: Wednesday, March 07, 2007 6:07 AM
                        To: infoguys-list@yahoogroups.com
                        Subject: [infoguys-list] Re: Digital Evidence.....

                        --- In infoguys-list@yahoogroups.com
                        <mailto:infoguys-list%40yahoogroups.com> , "Jim Parker" <Jim@...> wrote:
                        >
                        > <<<< This is an example of what I believe to be the prosecution
                        > interpreting the evidence the way it wants to >>>
                        >
                        > I think it's a better example of a thoroughly abysmal defense team.
                        >
                        > I failed to note anywhere in the article where any forensic
                        analysis of the
                        > computer was conducted at all. Even a half decent forensic
                        examination of
                        > the hard drive would have uncovered exactly what malicious scripts
                        and
                        > programs were installed on the system, exactly when they were
                        installed, and
                        > precisely what they do.
                        >
                        > A cache analysis would have shown the timeline of what happened on
                        the
                        > computer when the kids were allegedly visiting hair styles web
                        sites and
                        > source code analysis of the hair style sites would also demonstrate
                        any
                        > malicious coding in the sites that would, or at least could, cause
                        malicious
                        > ad-ware to be installed on the system.
                        >
                        > Hell, a good forensic examiner could likely have mounted an image
                        of the
                        > drive, sat their system in front of the jury where they could watch
                        the
                        > pop-ups bounce all over the screen for themselves, with no user
                        input.
                        >
                        > Seems to be a lot of prosecutor saying "she did this", and the
                        defense
                        > coming up with nothing better than "yeah, but maybe this or that
                        happened"
                        > with nothing whatsoever to support it.
                        >
                        > Not a good defense strategy to instill reasonable doubt in a jury.
                        >
                        > Jim

                        No... Not really... I'll concede that I did not give you the full story; it
                        was just a summary article. So, I understand you did not have all of the
                        details in when you replied, Jim.

                        Here is the story from the Forensic Examiner:

                        http://www.networkperformancedaily.com/2007/01/the_strange_case_of_ms_
                        <http://www.networkperformancedaily.com/2007/01/the_strange_case_of_ms_>
                        julie_a_1.html
                        ----------------------------------------------------------
                        The Strange Case of Ms. Julie Amero: Commentary by Mr. Herb Horner

                        Post a comment
                        W. Herbert Horner has worked in computers since 1966. He was Systems
                        Software Engineer for General Dynamics, Operating Systems Internalist for
                        Sperry Univac, and he has diagnosed and corrected mainframe operating
                        systems for the U.S. Armed Forces, NSA, IRS, and various commercial
                        interests.

                        He now operates his own consulting firm, Contemporary Computer Consultants,
                        writes custom software for medical, municipal, business, and forensic
                        applications. He also does network design, implementation, and
                        administration. He also is a computer forensic examiner who was called as a
                        defense expert witness in the Julie Amero case.

                        In an effort to dispel rumor and produce a more accurate understanding of
                        the Amero case in the public, we have offered him a chance to offer his
                        commentary. Tomorrow we hope to have commentary from Detective Mark
                        Lounsbury, who testified for the prosecution at Ms. Amero's trial.

                        The Forensic Examination of the computer assigned to Julie Amero We obtained
                        a copy of the PC hard drive from Officer Lounsbury who was most cooperative
                        and at our office we created several copies, preserving the original.

                        During the copy process we received several "Security Alerts!" from our
                        antivirus program. We analyzed the activity log and noted that there were
                        spyware/adware programs installed on the hard drive. We ran two other
                        adware/spyware detection programs and more spyware/adware tracking
                        cookie/programs were discovered. Out of the 42, 27 were accessed or modified
                        days if not a month before October 19, 2004. We also noted that there was no
                        firewall and there was an outdated antivirus program on the PC. The PC was
                        being tracked before October 19, 2004 by adware and spyware.

                        (Continued...)

                        We examined all internet related folders and files before October 19, 2004,
                        during October 19, 2004 and after October 19, 2004. Most significantly, we
                        noted freeze.com, screensaver.com, eharmony.com and zedo.com were being
                        accessed regularly.

                        On October 19, 2004, around 8:00 A.M., Mr. Napp, the class' regular teacher
                        logged on to the PC because Julie Amero being a substitute teacher did not
                        have her own id and password. It makes sense that Mr.
                        Napp told Julie not to logoff or shut the computer off, for if she did she
                        and the students would not have access to the computer. The initial user
                        continued use of the PC and accessed Tickle.com, cookie.monster.com,
                        addynamics.com, and adrevolver.com all between
                        8:06:14 - 8:08:03 AM. During the next few moments Julie retrieved her email
                        through AOL.

                        http://www.hair-styles.org <http://www.hair-styles.org> was accessed at
                        8:14:24 A.M., based upon the hair style images uploaded to the PC we were
                        led to believe that there were students using the computer to search out
                        hair styles. The user went to http://www.crayola.com
                        <http://www.crayola.com> at 8:35:27 A.M. The user continued accessing the
                        original hair site and was directed to http://new-hair-styles.com.
                        <http://new-hair-styles.com.> This site had pornographic links, pop-ups
                        were then initiated by http://pagead2.googlesyndication.com.
                        <http://pagead2.googlesyndication.com.> There were additional pop-ups by
                        realmedia.com, cnentrport.net, and by 9:20:00 A.M., several java, aspx's and
                        html scripts were uploaded. A click on the curlyhairstyles.htm icon on the
                        http://www.new-hair- <http://www.new-hair-> styles.com site led to the
                        execution of the curlyhairstyle script along with others that contained
                        pornographic links and pop-ups. Once the aforementioned started, it would be
                        very difficult even for an experienced user to extricate themselves from
                        this situation of porn pop-ups and loops.

                        All of the jpg's that we looked at in the internet cache folders were of the
                        5, 6 and 15 kB size, very small images indeed. Normally, when a person goes
                        to a pornographic website they are interested in the larger pictures of
                        greater resolution and those jpgs would be at least 35 kB and larger. We
                        found no evidence of where this kind of surfing was exercised on October 19,
                        2004.

                        Testimony and Trial
                        We asked the prosecution to arrange for the defense to have unfettered
                        access to the internet so that we could reenact the events of October 19,
                        2004. It was not granted. I went to court with two laptops and a box full of
                        reference material prepared to very clearly illustrate what happened to
                        Julie Amero. But, the prosecution objected because they were not given "full
                        disclosure" of my examination. I was allowed to illustrate two screens, that
                        of the www.hair-styles.org , and www.new-hair-styles.com sites.

                        Conclusion
                        This was one of the most frustrating experiences of my career, knowing full
                        well that the person is innocent and not being allowed to provide logical
                        proof.

                        If there is an appeal and the defense is allowed to show the entire results
                        of the forensic examination in front of experienced computer people,
                        including a computer literate judge and prosecutor, Julie Amero will walk
                        out the court room as a free person.

                        Let this experience stand as a warning to all that use computers in an
                        environment where minors are present. The aforementioned situation can
                        happen to anyone without fail and without notice if there is not adequate
                        firewall, antispyware, antiadware and antivirus protection.
                        That was not provided by the school administration where Julie Amero taught.
                        ----------------------------------------------------------

                        Looks like he did just about everything you suggested, Jim. The prosecution
                        just "did not want to hear it"....

                        Rick.

                        Risk Management Research & Investments, Inc.
                        "He Who Forgets, Will Be Destined To Remember"

                        MAIL BOX: 2101 W. Broadway PMB 326, Columbia, MO. 65203 OFFICE ADDRESS: 607
                        N. Providence, Columbia, MO. 65203

                        Phone: (888) 571-0958
                        Fax: (877) 795-9800
                        Cell: (573) 529-0808

                        Email
                        RMRI-Inc@... <mailto:RMRI-Inc%40mchsi.com>

                        Webpage
                        http://www.rmriinc.com <http://www.rmriinc.com>

                        Blogs
                        http://rmriincspace.spaces.live.com/ <http://rmriincspace.spaces.live.com/>
                        http://rmriinc.blogspot.com/ <http://rmriinc.blogspot.com/>
                      • Ricky Gurley
                        That is an EXCELLENT article, Jim Cobb. The reporter did a very good job of illustrating not as much any questions I have; but a problem I am seeing with
                        Message 11 of 13 , Mar 7, 2007
                        • 0 Attachment
                          That is an EXCELLENT article, Jim Cobb. The reporter did a very good job of illustrating not as much any questions I have; but a "problem" I am seeing with digital evidence in the court room these days. My point mirrors Jim Parker's point; in my opinion if digital evidence is going to be presented in the court room it should at least be understood by the attorneys (Prosecutor and Defense Counsel), and the Presiding Judge. That is of course just my opinion though....

                          I had not seen that case before. Thank you for sharing, Jim Cobb.



                          Rick.


                          Risk Management Research & Investments, Inc.
                          "He Who Forgets, Will Be Destined To Remember"

                          MAILING ADDRESS: 2101 W. Broadway PMB 326, Columbia, MO. 65203
                          OFFICE ADDRESS: 607 N. Providence, Columbia, MO. 65203

                          Phone: (888) 571-0958
                          Fax: (877) 795-9800
                          Cell: (573) 529-0808

                          Email
                          RMRI-Inc@...

                          RMRI, Inc. Blogs
                          http://rmriinc.blogspot.com/
                          http://rmriincspace.spaces.live.com/blog/

                          Webpage
                          http://www.rmriinc.com




                          ----- Original Message ----
                          From: Jim Cobb <jcobb@...>
                          To: infoguys-list@yahoogroups.com
                          Sent: Wednesday, March 7, 2007 10:06:12 AM
                          Subject: Re: [infoguys-list] Re: Digital Evidence.....

                          Don't know if the case was discussed previously or not but this
                          discussion brought to mind the case of Matt Bandy.

                          http://www.justice4 matt.com/ MattsStory. html

                          --
                          Thanks,

                          Jim
                          ____________ _________ _________ _________ _________ _________ _
                          Hrodey & Associates Established 1977
                          Post Office Box 366
                          Woodstock, IL 60098-0366
                          Licensed in IL & WI (815) 337-4636 Voice 337-4638 Fax
                          e-mail: jcobb@hrodey. com
                          Illinois License 115-000783 Wisconsin 8045-063
                          Director and Team Member - MissingKIN.com






                          ____________________________________________________________________________________
                          No need to miss a message. Get email on-the-go
                          with Yahoo! Mail for Mobile. Get started.
                          http://mobile.yahoo.com/mail

                          [Non-text portions of this message have been removed]
                        • Jim Parker
                          Your job as a forensic expert for the
                          Message 12 of 13 , Mar 7, 2007
                          • 0 Attachment
                            <<<< it should at least be understood by the attorneys (Prosecutor and
                            Defense Counsel), and the Presiding Judge. >>>>

                            Your job as a forensic expert for the defense is to educate your client on
                            the findings of your analysis.

                            The prosecutor can and will do whatever they want, and as for judges...
                            don't get me started.

                            <<<< That is of course just my opinion though.... >>>>

                            It's more than your opinion; it should be common sense. Unfortunately
                            though, common sense doesn't seem to be much of a commodity in American
                            courthouses these days.

                            Jim


                            -----Original Message-----
                            From: infoguys-list@yahoogroups.com [mailto:infoguys-list@yahoogroups.com]
                            On Behalf Of Ricky Gurley
                            Sent: Wednesday, March 07, 2007 12:15 PM
                            To: infoguys-list@yahoogroups.com
                            Subject: Re: [infoguys-list] Re: Digital Evidence.....

                            That is an EXCELLENT article, Jim Cobb. The reporter did a very good job of
                            illustrating not as much any questions I have; but a "problem" I am seeing
                            with digital evidence in the court room these days. My point mirrors Jim
                            Parker's point; in my opinion if digital evidence is going to be presented
                            in the court room it should at least be understood by the attorneys
                            (Prosecutor and Defense Counsel), and the Presiding Judge. That is of course
                            just my opinion though....

                            I had not seen that case before. Thank you for sharing, Jim Cobb.

                            Rick.

                            Risk Management Research & Investments, Inc.
                            "He Who Forgets, Will Be Destined To Remember"

                            MAILING ADDRESS: 2101 W. Broadway PMB 326, Columbia, MO. 65203 OFFICE
                            ADDRESS: 607 N. Providence, Columbia, MO. 65203

                            Phone: (888) 571-0958
                            Fax: (877) 795-9800
                            Cell: (573) 529-0808

                            Email
                            RMRI-Inc@... <mailto:RMRI-Inc%40mchsi.com>

                            RMRI, Inc. Blogs
                            http://rmriinc.blogspot.com/ <http://rmriinc.blogspot.com/>
                            http://rmriincspace.spaces.live.com/blog/
                            <http://rmriincspace.spaces.live.com/blog/>

                            Webpage
                            http://www.rmriinc.com <http://www.rmriinc.com>

                            ----- Original Message ----
                            From: Jim Cobb <jcobb@... <mailto:jcobb%40hrodey.com> >
                            To: infoguys-list@yahoogroups.com <mailto:infoguys-list%40yahoogroups.com>
                            Sent: Wednesday, March 7, 2007 10:06:12 AM
                            Subject: Re: [infoguys-list] Re: Digital Evidence.....

                            Don't know if the case was discussed previously or not but this discussion
                            brought to mind the case of Matt Bandy.

                            http://www.justice4 matt.com/ MattsStory. html

                            --
                            Thanks,

                            Jim
                            ____________ _________ _________ _________ _________ _________ _ Hrodey &
                            Associates Established 1977 Post Office Box 366 Woodstock, IL 60098-0366
                            Licensed in IL & WI (815) 337-4636 Voice 337-4638 Fax
                            e-mail: jcobb@hrodey. com
                            Illinois License 115-000783 Wisconsin 8045-063 Director and Team Member -
                            MissingKIN.com

                            __________________________________________________________
                            No need to miss a message. Get email on-the-go with Yahoo! Mail for Mobile.
                            Get started.
                            http://mobile.yahoo.com/mail <http://mobile.yahoo.com/mail>

                            [Non-text portions of this message have been removed]
                          • suesarkis@aol.com
                            In a message dated 3/7/2007 10:14:07 A.M. Pacific Standard Time, Jim@FloridaDetectives.com writes: Unfortunately though, common sense doesn t seem to be much
                            Message 13 of 13 , Mar 7, 2007
                            • 0 Attachment
                              In a message dated 3/7/2007 10:14:07 A.M. Pacific Standard Time,
                              Jim@... writes:

                              Unfortunately
                              though, common sense doesn't seem to be much of a commodity in American
                              courthouses these days.



                              The courthouse does not stand alone on this one !! The entire country is
                              BANKRUPT !!!



                              Sincerely yours,
                              Sue
                              ________________________
                              Sue Sarkis
                              Sarkis Detective Agency

                              (est. 1976)
                              PI 6564
                              _www.sarkispi.com_ (http://www.sarkispi.com/)

                              1346 Ethel Street
                              Glendale, CA 91207-1826
                              818-242-2505
                              818-242-9824 FAX

                              "one Nation under God"

                              If you can read this, thank a teacher. If you can read it in English, thank
                              a military veteran !
                              <BR><BR><BR>**************************************<BR> AOL now offers free
                              email to everyone. Find out more about what's free from AOL at
                              http://www.aol.com


                              [Non-text portions of this message have been removed]
                            Your message has been successfully submitted and would be delivered to recipients shortly.