
A Mistaken Conviction Based on Digital Forensics – Part 2 – The Trial, Day 1


 
01-27-2009

Department of Homeland Security Daily Open Source Infrastructure Report

During the pretrial examination we learned that there appeared to be sufficient basis to have excluded the forensic evidence, yet that did not happen. Let us see what happened during the trial that allowed the forensic evidence for the prosecution to be presented to the court and considered by the jury during its deliberations, which resulted in Julie Amero's conviction on all counts.

Before we do, however, let us take a brief look at the community's perspective of the crime and how that might have influenced the jury's deliberation to some degree. Unfortunately, the Norwich Bulletin has deleted virtually all of their entries regarding Julie. Some believe that is the result of a change of ownership twice over, and others suggest that it was intentional. You see, according to many reports the Norwich Bulletin tried and convicted Julie many times over. However, relative to the digital forensic evidence, that is not really germane.

On the other hand, an understanding of the community's perspective helps to understand how the jury could reach the conclusion that it did. According to Detective Mark Lounsbury, a computer crimes officer at the Norwich Police Department who testified as an expert witness for the prosecution, some of the parents whose children were exposed to the porn demanded aggressive police action. Generally speaking, the community was also in a bit of an uproar and became impatient as it took more than two years (26 months) to bring the case to trial. In the eyes of many, that was far too long.

The trial began on January 3, 2007 in a quite normal manner, including a reduction in the number of charges from ten to four without explanation. In each charge she was accused of “willfully and unlawfully causing a child under the age of sixteen years to be placed in such a situation that the morals of said child were likely to be impaired”, Connecticut General Statute 53-21 (a)(1), which provides for a maximum period of imprisonment of 10 years for each charge, or the potential of 40 years in prison if convicted.

The first witness for the prosecution was Scott Fain, Principal of Kelly Middle School in Norwich, Connecticut, where the event occurred. While Mr. Fain is used by the prosecution to set the stage, his testimony is meaningless relative to the issue of forensics. In addition, upon close examination it becomes clear that he has nothing of value to contribute. Next was Matthew Napp, the teacher for whom Julie was substituting. His testimony was of value only to the extent that he established that very few students could see his monitor from their seats. My one concern from a pure trial perspective and establishing reasonable doubt is the possibility that Mr. Fain in fact did view questionable images on occasion. The defense attorney never pursued that line of questioning. Clearly, the prosecutor anticipated it and tried to make it clear that Mr. Fain had not done so. Nonetheless, an effective line of questioning by the defense might have raised a bit of a cloud of doubt.

The third witness was in the classroom for a portion of the day when the deaf student she assists was in class. During the period of time that she was present nothing unusual occurred. The next witness is Robert Hartz, information services manager for the Norwich Public School System. One would have expected to learn a lot more than one did from Mr. Hartz. It does appear that he is knowledgeable in the field of IT, but it is clear that the prosecutor was not familiar with the IT arena and how to build a more effective foundation for his case. However, you might want to note that he establishes, or seems to establish, that initial access to some of the sites in question occurred while the deaf student's aide was present, and she stated that Julie did not leave the room during that period and that students did not access the teacher's computer during that time frame (9:00am-10:00am).

At this point it should be noted that at least two individuals have accessed the computer in question, one of whom should have known best that hard drive image preservation should have taken place before any examination. How do we know whether the system time was in fact in error and later corrected? Also note that the references in the firewall log point to a much later time period. During cross examination it is established that he did not look for any adware or spyware. Also note that through redirect it was established that more than likely the computer was not removed from service until some date after the 19th, more than likely the 21st, but perhaps the 22nd. This is one great chain of custody!

Now we get into the timely police investigation which commenced on October 27th, 2004, some 8 days past the date of purported criminal activity. Decision making is swift in Norwich. Is there any doubt as to why Julie could not get any assistance the day of the event? Ah, but those details come later during Julie's testimony. Let us review the testimony of Sergeant Michael Belair, Norwich Police Department. When all is said and done, Sergeant Belair seized the computer from the principal's office, spoke to the principal and a few others, obtained copies of the lists prepared by Mr. Hartz, viewed a few of the sites on a police computer and saw questionable images, but did not recall what acts, if any, were being performed. From a forensic perspective all we have learned is that a “trusted” chain of custody began some eight days after the event.

We now hear from the first student.  His testimony is marginal at best, not truly useful to anyone, and with his testimony the first day of trial ends.

Upon completion, what of value has been learned relative to a forensic investigation? The computer was used for at least one full day after the event and was accessed by the IT manager as well. It is very possible that it remained in use for two or more days and was then secured in the principal's office not more than 3 days after the event. It was not secured by law enforcement until October 27th. Clearly, an effective defense could have established a basis for not allowing the forensic evidence to be entered into evidence. Was this done or attempted? More to come on day two of this three-day trial.

Should you wish to read an alternative analysis you can read the Fuzzy Thoughts web site or download the copy I made in chronological order which I find much easier reading.

 
