Monday, January 5, 2015

THE TRUTH ABOUT THE PORN?

** Disclaimer --- I am not a computer techie, but I am a good researcher. This is all out there on the web. I just put it in one place....


 PORN SITES WERE MALICIOUS SITES 


Travis Alexander had Spybot on his computer since 2005. Spybot has an "immunization" feature. This feature works by adding the names of malicious sites to the Windows hosts file and attaching the computer's own IP address to them. This prevents a connection to the site. Spybot has a few thousand malicious sites recorded for this immunization feature.

New malicious sites are popping up every day. Because of this, Spybot has a team monitoring the internet 24/7 to catch these malicious sites as they are created so they can provide updates. These updates are sent to the user and then added to the hosts file "do not connect" list. The idea is to prevent a connection with the malicious site, because all it takes is the initial connection to cause an infection.
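To make the hosts-file mechanism described above concrete, here is an added example (not from the original post and not Spybot's own code) that reads a hosts file, collects the names mapped to a sinkhole address, and labels URLs from a history listing. The sample hosts file, the URLs and the `.example` names are constructed, and the example assumes block entries point at loopback (127.0.0.1, ::1) or 0.0.0.0.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed hosts file in Windows syntax; every name is a placeholder.
SAMPLE_HOSTS = """\
# entries added by an immunization tool (constructed sample)
127.0.0.1    localhost
127.0.0.1    bad-codec.example  www.bad-codec.example
0.0.0.0      hijack-search.example   # inline comment
192.0.2.10   intranet.example
::1          v6-blocked.example
"""

# Constructed URLs as they might appear in a browser-history listing.
SAMPLE_URLS = [
    "http://WWW.Bad-Codec.example/player/setup.exe",
    "hijack-search.example/search?q=video",
    "http://cdn.hijack-search.example/ad.js",   # subdomain, not listed
    "http://intranet.example/",
]


def is_sinkhole(addr):
    """True for loopback or unspecified addresses (127.0.0.1, ::1, 0.0.0.0)."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return ip.is_loopback or ip.is_unspecified


def parse_sinkholed(hosts_text):
    """Return the set of hostnames a hosts file maps to a sinkhole address."""
    blocked = set()
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line:
            continue
        addr, *names = line.split()
        if not is_sinkhole(addr):
            continue                              # ordinary mapping, not a block
        for name in names:
            name = name.lower().rstrip(".")
            if name != "localhost":
                blocked.add(name)
    return blocked


def host_of(url):
    """Lower-cased hostname of a URL, tolerating a missing scheme."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower().rstrip(".")


def classify(urls, blocked):
    """Label each URL by whether its exact hostname is sinkholed.

    Hosts-file matching is exact: an entry for a name does not cover its
    subdomains, so those are reported separately rather than as blocked.
    """
    results = []
    for url in urls:
        host = host_of(url)
        if host in blocked:
            label = "sinkholed"
        elif any(host.endswith("." + b) for b in blocked):
            label = "subdomain-not-covered"
        else:
            label = "not-listed"
        results.append((host, label))
    return results


if __name__ == "__main__":
    blocked = parse_sinkholed(SAMPLE_HOSTS)
    for host, label in classify(SAMPLE_URLS, blocked):
        print(f"{host:32} {label}")
```

A "sinkholed" label only says the name resolved to the local machine while that hosts entry was in place; it says nothing about when the entry was added or what requested the name.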

Certain sites suggestive of porn were discovered on Travis Alexander's computer. These sites were listed within the motion with dates starting on May 28, 2008. All of those sites are malicious sites and are in the lists of Spybot's immunization hosts file. The defense team attempted to list the first two sites as child porn. However, they are not. They are listed as malicious sites and have nothing to do with child porn.


childrenvilla.com
The truth - this is from Spybot's S&D host list of block sites
Blacklisted by Shalla Secure Services as Spyware domain

onlysex.ws<<only-virgins.com
The truth - this is from Spybot's S&D host list of block sites
Malicious website that contains malware

Other sites were listed to suggest Travis looked at lots of porn on a regular basis.  However, once again,  these are malicious sites which are used to spread computer infections.  Every single site is within the list of  Spybot's malicious sites to block, and some contain the Coolwebsearch infection.


Sinpussy.com
The truth - this is from Spybot's S&D host list of block sites

Girls4rent.com
The truth - this is from Spybot's S&D host list of block sites
Blacklisted by Shalla Secure Services as Spyware domain

Pussyharem.com
The truth - this is from Spybot's S&D host list of block sites
Blacklisted by Shalla Secure Services as Spyware domain
Listed in OpenDNS's block tool
Known site to spread malware and spam on the computer

Dietpussy.com
The truth - this is from Spybot's S&D host list of block sites
Known to distribute the Cool Websearch Spyware (CWS)
Blacklisted by Shalla Secure Services as Spyware domain

Steamycock.com
The truth - this is from Spybot's S&D host list of block sites
Known to distribute the Cool Websearch spyware

Inserthiscock.com
The truth - this is from Spybot's S&D host list of block sites
Known to distribute the CWS spyware

supercocklol.com
The truth - this is from Spybot's S&D host list of block sites
Part of an infection which places the site in the PC's hosts file as a redirect when it visits websites

onlycunt.com
The truth - this is from Spybot's S&D host list of block sites
Distributes the CWS spyware

sexpicsporn.com
The truth - this is from Spybot's S&D host list of block sites
A malicious website that includes Malware

PornXXXfilm.com
The truth - this is from Spybot's S&D host list of block sites
Listed on Marwareinfo.org
Blacklisted by Shalla Secure Services as Spyware domain

The fact that every site noted is listed as malicious and blocked by Spybot supports the conclusion that these sites were not visited by Travis. It supports that they were the result of an infectious process attempting to link to the sites. If the immunization option was in effect, Spybot would not have allowed the sites to connect, by warning Travis the site was malicious. If he was trying to view porn, there would be no reason for Travis to try to access a site more than once if he could not connect, especially given the number of legitimate porn sites out there. However, most of these malicious sites were "accessed" multiple times, including after Travis's death. This is the act of an infection, not a man. BN confirmed viruses can ping porn sites on their own. Even though he misidentified it as a virus, it was the ZLOB trojan he was talking about when he made the statement.

Spybot has a few thousand sites on the malicious file list. Many of these are sites suggestive of porn. It is very possible that some of those thousands of porn term hits BN referred to are all Spybot related. However, unless the full list of suspect sites is available, there is no way to tell which are real porn sites and which are malicious sites.

ZLOB

BN stated Travis had 44 viruses (infections?) and 250 malware programs on his computer.  He named one of the viruses as ZLOB and described it as a virus caused by a player.  However,  ZLOB is not a virus.  It is a backdoor trojan.   BN stated  a person gets this "virus"  from porn sites by attempting to download a player to view porn.  Not necessarily true.

METHOD OF INFECTION

Even though BN attempted to make it sound like it comes from porn, ZLOB is not necessarily from watching porn. It can be obtained from an attempt to watch any video online, not just porn. Prior testimony supported that Travis used his laptop to watch videos online. He was doing so the day Jodi killed him. It brings great concern about Bryan's credibility and his level of expertise when his testimony is tailored to make it sound like Travis got ZLOB from porn, especially when he mistakes a trojan for a virus.

The usual method of infection is when a person attempts to watch a video online.  Again, this can be any video and is not only related to porn.  When the user attempts to watch the video he receives a prompt that a  special codec is needed to view the video. An offer to download is provided.  The user agrees and  thinks he is installing the codec,  but what he is really installing is ZLOB.    ZLOB infections can come from being careless and naive,  not necessarily perverted.

ZLOB can also come hidden within legitimate program bundles.  A person selects "standard installation"  and then boom,  ZLOB is installed.   

ACTION OF INFECTION

Once it is installed, ZLOB hides itself well.  It will start automatically with every Windows start-up and has the ability to execute programs without user interface.   ZLOB can control the entire system from behind the scenes.  ZLOB can give remote access to a computer for hackers.  It hijacks the browser and will ping to porn sites without the user's consent.  Additionally, it can cause lots of adware to pop-up.  

After the adware pops up, ZLOB can trick the user into downloading more variations of itself along with other infections. It posts fake Windows security warnings informing the user the system is infected. Along with the fake warnings, a link to download the "appropriate" anti-virus program is provided. The user is aware of the recent pop-up attack and the fake warning looks official, so he responds by downloading the anti-virus program to fix the problem. However, it's not an anti-virus program; it's either another variation of ZLOB or some other infectious process.


TREATMENT AND SIDE EFFECTS
Once ZLOB is detected on a computer, a user is faced with the problem of how to remove it.  The best choice would be to have it professionally done, but professionals can be costly.  To save expense many users choose to try to remove it on their own using one of many free programs.   However, ZLOB is difficult to remove.   Back in 2008,  it was even harder to remove and many of the common removal tools were insufficient.  They incompletely removed ZLOB and when the computer was restarted,  ZLOB would reinstall.   The reinstallation of ZLOB led to downloading different removal programs.  Some of these programs were infections in disguise.  The result would be more viruses, trojans, and malware.  With more infections comes the need for more removal programs.




Testimony states Travis had 44 viruses (infections), 250 malware, and 23 removal programs on his computer. The 23 programs were a combination of spyware scanners, anti-viruses, and scrubbers. The quantity of each was not shared. However, the presence of the spyware scanners indicates Travis was looking for infections. The presence of the anti-viruses shows he was trying to prevent more infections. And the presence of the scrubbers shows he was trying to forever rid himself of persistent infections. This is not an attempt to hide his tracks; it signifies he had multiple infections in his computer and lacked the knowledge of how to manually remove them himself.

SMITFRAUD 
Smitfraud was another one of the malware programs noted to be installed on Travis's computer. One gets it from downloading a fake codec which is claimed to be needed to use a video player.   Again,  this can be any video that prompts it.  It is not necessarily porn.  
Once in,  Smitfraud starts to present pop-ups that look like legitimate infection warnings.  Smitfraud redirects the user to a fake site in which a fake anti-virus program can be purchased.    Smitfraud gives one reason why Travis's computer had so many anti-virus programs on it.   He was tricked into purchasing fake ones and went on to purchase real ones in an attempt to remove the virus.  


COOL WEB SEARCH SPYWARE

Some of the sites listed in Nurmi's motion are auto-download sites for the CoolWebSearch Spyware infection. CWS Spyware may possibly be one of those "44 viruses / 250 malware" BN described. It's likely that if Travis's computer connected with any of those sites before they were listed in Spybot's "do not allow access" list, the computer became infected with CWS. All it takes is ZLOB causing the computer to connect with a CWS Spyware auto-download site and the computer is infected.

CWS spyware is a browser hijacker which also can redirect the user to other websites against his will. Often these websites are pornographic or commercial. A person might type in their bank website "wamu.com", and end up at "sexpicsporn.com" through no action of their own. It's what CWS spyware does.


MODE OF INFECTION

There are many ways in which a person can get infected with CWS spyware. One such way is innocently following a link to an infected website. When the website connects, CWS is downloaded and the user does not even know it. This is called drive-by installation. Or, it could be the result of another virus redirecting the user to the infected site, i.e., ZLOB purposely pings an infected CWS site and when contact is made - boom, infected.

Like ZLOB,  CWS spyware also comes hidden within other freeware.   It can disguise itself as a legitimate search engine that is bundled with the freeware.   It hides within the suggested standard install for the freeware. When the user says yes to the 'recommended'  standard install option,  the infected file is installed.

A third means of infection occurs while  a person is browsing the internet. Similar to the ZLOB method, an advertisement pops up while the person is browsing. It either alerts the user their computer is infected or that they need a unique plug-in to continue.  The user foolishly accepts the prompt and downloads CWS Spyware.

One of the most common ways CWS spyware infects a computer is via an email attachment. Sometimes the attachment is from a fake email address of an unknown individual.  But even friends, coworkers, and family might unsuspectingly infect another's computer by forwarding a file.  And sometimes they do it purposefully.  


SYMPTOMS

Once infected,  CWS spyware causes a lot of havoc on a computer.
1. It can change the system registry settings to activate itself upon Windows start-up.

2. It can modify the browser settings and hijack Chrome, Explorer, or Firefox.

3. It replaces the current search engine and home page.

4. It records activities and credit card data.

5. It can introduce other threats such as Trojans, spyware, and malware.

6. It causes the browser to run slowly and can make the internet connection freeze up.


If CWS spyware changed the system registry,  it can automatically go to work from behind the scenes as soon as the computer is started up.   There needs to be no user action for CWS to work besides starting the computer.  Then when the user goes online,  CWS will hijack the browser and link to multiple pop-up ads.    These pop-ups have little to do with the site they are on and many times will involve either pornography or commercial sales.  

CWS not only can cause porn pop-ups to harass the user, but some variants can place direct links to pornography on the user's desktop, in IE bookmarks, and in IE history. This can occur without any action by the user. The user might not even know the porn links are present behind the scenes.

A person who has a CWS infection may not immediately know it, but they soon will. Part of what CWS does is install multiple other threats such as Trojans, spyware, and malware onto the computer without the user's knowledge. As more and more infections are installed, more and more computer problems appear. The high number of infections makes it impossible for the user to ignore the problem. The computer starts running slow, freezes up, and the porn is obvious to the user. This can result in multiple viruses and multiple programs to remove those viruses being found on a computer.


TREATMENT AND SIDE EFFECTS

Like ZLOB,  CWS spyware was also a  difficult infection to remove for the novice user in 2008.  It used many different methods to avoid detection and removal.  And, common removal programs were  insufficient. CWS spyware would hide within the programs it was downloaded with.  If those programs were not removed first,  CWS spyware would come back.  The return of CWS spyware would prompt the user to download another program and risk downloading another infection disguised as a removal tool.


There was no report CWS was on Travis's computer.   However,  it does not matter.  Most likely one of the 44 "viruses" (malware)   BN discussed behaves in very similar ways as CWS.   It means it would take just one email attachment sent to Travis to infect his computer.  He recognizes the sender,  he opens it, and boom,  infected.    It's a malicious act a jilted obsessive lover might make.


THE TRUTH ABOUT THE PORN

As stated and explained previously, all the porn sites named in Nurmi's motion are related to a virus pinging them. That list of porn sites is the only one the public has seen, and they all turned out to be ones Travis could not have visited on a daily basis as suggested by the motion. Spybot would have blocked him because they are all malicious websites. With so many more porn sites he could go to, Travis would not have continued to return to ones which blocked him. There are over 1 million porn sites out there which he could have easily connected to.


One of the Spybot blocked sites is Insertthiscock.com.  It was visited daily from 5/28 - 6/2 with an additional visit on June 10th.   BN stated the June 10th visit was virus related.   He said it because he knew it would have been impossible for Travis to have accessed it.  However, if the virus pinged it on June 10th,  it pinged it on the other days as well.

On June 4th at 1:45 pm Travis was naked in bed with Jodi and participating in a photo shoot. At 1:44 pm Spybot was accessed on Travis's computer and BN said it was because Travis was using the computer at the time. The photographic time-stamped evidence indicates it was not possible, which means it was infectious activity on June 4th which caused Spybot to be accessed. BN could not tell the difference. This supports that BN may not fully understand how the ZLOB trojan or one of the other infections works and appears in the data stream. And if he does not understand how they work, how can he tell the difference between user access, remote access, or malware access?


BN testified there were porn sites in the history of the computer. He implied this indicated user activity and not virus activity. However, according to the research on CWS, it has the ability to cause direct links to porn to appear in IE history. If CWS can do it, it is likely one of the 44 malware infections could do it too. The end result is that relying on the history does not help in telling malware pinging from user access.


Additionally,  BN testified  because porn sites were in the registry,  it indicated a user actively punched them in.   This is not true.  Perry Smith, a real forensic computer expert, stated "The registry is not an indication that the user sat down and actually accessed the site."  The following web link  supports what Smith stated is true: 

https://www.malwarebytes.org/regassassin/
"Erases malware placed registry keys. Malware often deposits parasitic registry keys into your system registry, exposing your computer to infection and corruption."


BN referred to 100's of 1000's of URLs of porn. Many of these could be Spybot block sites. Spybot stores the blocked sites with the proper URL but maps it to the IP address of the computer. If the URL is pinged, the ping goes nowhere. Many of those "URLs" could be virus redirects as well. When it comes down to it, there is no direct evidence which supports that the porn sites accessed were related to Travis doing it.

BN showed a poor understanding of how viruses work in computers. He stated a virus could not place links in the history or the registry. Perry Smith and research have proved him wrong. BN could not even tell the difference between a virus and a trojan. He continued to use the term "virus" instead of "malware" when discussing malicious programs. It's the mistake of a layman -- someone who is not well versed in the subject. It demonstrated BN's lack of knowledge about the way malware works. And if he doesn't know, how can he tell the difference between malware activity and user activity?

Further interviews exposed BN for what he was:  An audio/visual forensic expert pretending to be a computer expert.   In an interview,  BN admitted he gathered all the information he testified from via a report he read from a member of his team and was relaying what was discovered.   However,  being able to read and relay from a report does not mean one understands it or is even reporting it correctly.  And he did neither. In fact,  BN started to refer Martinez's tough questions back to one of his team who studied the computer.   If BN lacks understanding of computers,  how the hell can he definitely state the porn came from direct searches?    He can't.

BN was basing his testimony on his assumptions and what he thought those reports meant. BN's ignorance of malware played a role too. He believed Travis must have gotten the ZLOB trojan from porn. "It’s called Z-Lob and comes mostly from porn sites." It is an assumption BN was not able to make because there are other ways of getting ZLOB as previously discussed. "When you have programs like Z-lob, it pinged porn sites. It’s a virus. (NO...It's NOT) You get it from the porn sites–by trying to download the player. Z-lob virus is a player. You have to download a viewer to view a porn video." The fact that BN is calling this trojan a virus over and over again shows that he does not understand how it functions. And if he does not understand the subject, his testimony is not valid.

Because BN decided the ZLOB must have come from porn, he concluded Travis was looking at porn when he got it. It is how he tied all those alleged searches to Travis. It was his assumption saying so, not the evidence. BN was showing his bias as an expert witness. Whoever pays, wins. The real truth was he had no direct evidence, only his assumption. And what does it mean to assume....... ass-u-me.....

Additionally, can BN really tell who searched for what on those days? ZLOB is called a backdoor trojan for a reason. It allows a remote user access to an infected computer via downloading a rootkit tool against the user's will. More on ZLOB action and remote users from paretologic.com:

  
A downloader Trojan downloads other malware applications without the user's consent. It has a list of file names and locations of malware programs to be downloaded. These pieces of information are stored in an encrypted block within the program. The Downloader Zlob JBE Trojan application downloads unsolicited files to the affected computer. It can also download other worms or Trojan applications without the owner's consent. Spyware and adware applications may also be downloaded. 

This Trojan application may also download and install a rootkit tool. The remote server may use the rootkit tool to allow the intruder to act as a system administrator. This may allow the remote user to steal sensitive information stored in the system. Rootkit tools may also enable the Downloader Zlob JBE Trojan program to hide itself from the Task Manager. This may allow the application to function undetected. The remote user can command the program to perform a number of actions such as file addition, deletion and modification. The application may also gather contact list stored in the computer. It may also allow the remote user to collect private information saved on the computer's database.

Travis also had multiple people with access to his computer. He had roommates who had friends coming and going all the time. Jodi went over there to use his internet frequently. However, the defense team tried to distract from that fact. They pointed out days she "couldn't be there" and listed multiple porn sites which were hit. Their attempt at distraction backfired. All the sites they listed were malicious malware pages that are noted on Spybot's "block this" tool. Travis could not make a connection if he tried because Spybot would have redirected to a dummy IP. The fact the sites were hit daily for 5-6 days indicates a non-thinking entity was making the attempt to connect, i.e., a malicious computer program. Add on top of these facts the chance of a remote user in the system due to the ZLOB trojan, and there really is no way to link Travis to the porn found on his computer.

The defense team knows this. They have been nothing but difficult in providing the information Juan Martinez has requested. It took them over three weeks to provide the image Juan Martinez requested. And, it is still not clear if they ever did or if they ever even made one.

The defense team has also been non-compliant with providing access to the witnesses whose findings BN was reporting on. JM asked for an interview but was informed there would be no need. The techs would not be called to testify. The defense changed their minds at the last minute and added them in. However, they claimed BN would testify first. During his interview, JW assured JM that BN would be testifying first. Then, at the 11th hour, the DT pulled the old switcheroo and placed the masked tech as first. It left JM unprepared for the testimony, and thus another delay occurred.

The question is, if BN is only an A/V guy and the other fellows are the ones with the experience, why have him present? Cate Ellington has presented a good theory based on fact. BN stated he had no knowledge of the incinerator being used. Additionally, he claimed that the image Juan Martinez wanted was encrypted. These are two techniques a true forensic investigator would never have used in their forensic investigation. They are considered counter-forensics because the intent is to hide data, not bring it to light. Cate has suggested that BN was presented as a witness because the other two lack forensic backgrounds. The impression would be that since BN was a forensic examiner, all would be on the up and up. However, due to his lack of knowledge on the subject, all failed. For more information on counter-forensic measures see:
http://en.m.wikipedia.org/wiki/Anti-computer_forensics

The defense's tactic, thus far, has been creating smokescreens, withholding evidence, and delays. I am sure if the State behaved in such a way, her supporters would be all over that fact and crying "foul play, mistrial." Nonetheless, the defense's actions are a strong indicator that they have something to hide. But what? It could be that the porn was only found after an intense examination beyond the industry guidelines was used. They needed to hide the proof of it to support their claim the State knew it was there. It would be the only way to get that mistrial because they had access to the same information. Or, it could be a far worse reason.

MISSED PORN?
The state was truly puzzled when BN found porn on the hard drive which neither the state nor the defense could find before.   Because of this,  the State considered many different reasons.   Arias supporters claim this action by the State is an indication of guilt.  They are wrong; it only reflects the State's confusion as to how the situation could have possibly occurred.


Lonnie Dworkin holds the key to understanding why the porn was not found.  He was the one who inspected the "overtly obvious porn-filled hard drive"  and found none.  BN verified LD's copy of the hard drive included the porn too.   So, if the porn was present,  why not call Lonnie to the stand to corroborate BN's testimony?   After all,  Lonnie Dworkin was a highly skilled expert in computer forensics.  He had 11 plus years in the field and had worked for major computer companies such as Intel and IEEE Computer Society.  He held computer forensic certifications such as ACE,  NSA-IAM,  and CCE.  The man knows his computer forensics.  So why not call him?   He was their witness, after all.  

Because the truth would have come out and clearly shown porn, if it was there, was not overtly obvious like BN claimed. Without it being obvious, the defense does not have a leg to stand on. During his investigation, Dworkin stated he used the same tools the MPD used: "I have always made it a point to use the same tools local state and federal law enforcement uses - EnCase". Law enforcement follows a certain set of guidelines to ensure the evidence remains intact. These guidelines indicate they are to utilize certain programs, i.e., EnCase. As long as the State follows the guidelines, they are not mandated to dig deeper.

BN's team used different methods and programs which were not industry standard. It is most likely why the computer was returned damaged beyond use. BN stated "EnCase is simple.  EnCase is not enough.  Most of the time, you write your own code for finding something that was deleted."  BN stated he used Autopsy and FTK.   He also admitted he had to remove viruses to get to the porn underneath.  And it is likely he used even more as well. 

  EnCase was the industry standard guideline for computer inspection.

  If the porn was really there and it was missed using the accepted standard program,  the State did no wrong.  The fault lies with the defense expert for not digging deeper.  The time for the DT to dig deeper was during the guilt phase.   Their expert had the opportunity to do so,  but chose not to.   That is no fault of the state and it is a situation which will not win Arias another trial even if child porn was found on the computer.  The defense dropped the ball and they knew it.  It is why they had fought so strongly to attempt to show the state was aware of the porn.  And the DT loses that fight too because Dworkin did not find porn either.  End of story.  


BUT,  IS THERE MORE TO THE STORY?


JM knows the DT has lost their battle because Dworkin found no porn. Dworkin is an expert 10X that of the computer forensic trained detective Melendez. Dworkin's failure to find porn on the hard drive is all the evidence Juan needs to support that the State was not aware of porn being on Travis's computer. If someone as highly trained as Dworkin missed the porn, how can it be said a computer trained detective should have seen it? It can't. Additionally, the timing of the alleged destruction of evidence was at a time when sex had no link to the case. Finally, during the 12 minutes the evidence was allegedly destroyed, defense counsel was in the same room as the State and viewing the computer. All these factors show no misconduct. End of story. State wins.

So, why does JM keep at it? It is because he wants to get to the bottom of how the porn got there. It is because he suspects the DT is playing dirty and he wants to expose them. JM is personally offended that Kirk Nurmi had the audacity to allege the prosecutor would stoop so low as to destroy evidence. It's been an ongoing trend and JM wants to expose the defense counsel for the tricksters they are.

 And it all starts with Bryan Neumeister's actions.


BN specifically stated his team did not write their own code to uncover the porn. However, was that true? Or did they use code and then some? An incinerator program was used on the computer to remove evidence of something. Using an incinerator is considered an anti-forensic approach and the only reason to do it is to hide one's tracks. The computer was in the hands of the DT when that incinerator was placed on and used on the computer. An incinerator completely removes the selected file and whatever was in that space can no longer be seen. There is no reason to do this in a forensic exam of the computer.
The below example shows this total destruction of evidence.  If the purpose is to uncover things hidden under an overwritten file, why use an incinerator?


So, what could have been removed? Perhaps signs a more intense program had to be used to find that porn. Perhaps evidence all the porn was from malware activity. Or, perhaps dates were changed on the computer and then the evidence incinerated.

It is possible to go into the history of a computer and change the date/ time stamp of when a file was created:

http://www.techrepublic.com/article/build-your-skills-learn-to-manipulate-file-time-stamps-in-windows/

However, doing so would leave some sort of residual trail.... but what if that trail could be incinerated?

Is it possible to:
Download porn in 2014.
Change the date of the file to 2008.
Use the incinerator program to hide any signs the date of the file was changed.
And "Voilà" -- all that is left is a file saying porn was downloaded in 2008.

"If you’re a programmer, you can write your own code to modify file time stamps"

"some users change time stamps for unethical or illegal reasons in order to, for example, make it appear to an employer that work was done earlier than it really was or thwart a criminal investigation. In some cases, investigators will be able to use forensics methods to determine that the time stamps have been modified" --- But, what if an incinerator program was used?


We really need to know for sure if the underlying information on the State's hard drive really matches the image Bryan Neumeister made prior to doing his work. But he won't give that up, will he?




UPDATE 1/08/2015

I hope to put together a more complete update if time allows.  You know - work and life kind of gets in the way at times.  However,  I did want to touch on a few things right now.   This is just a temporary update.

"JS"  stated he found a website using the "Alexa" search engine to go to porn sites.  The "Alexa"  search engine,  ie toolbar,  is a piece of Spyware that keeps track of user movement.   It often comes bundled in downloads of legitimate programs.   Would a malware author use it to encourage infections?  I do not know.

"JS" names two URLs - cute girl BJ and Hot girl fights with BD. Both URLs are linked to legitimate porn sites. However, WOT information states those sites are loaded with ads that link to malicious software. Would a virus redirect to said sites? I do not know.

Finally, and now the big "Uh oh" for "JS". He stated viruses (malware) do not put URLs in the registry. He also stated that he could "tell" a user URL from a virus (malware). Not necessarily.


From http://crucialsecurityblog.harris.com/2011/03/14/typedurls-part-1/ (link to part 2 as well):

"Forensic examiners many times rely on the TypedURLs Registry key in order to ascertain certain user-based web browsing activity."

"If a system is compromised and the malware can invoke the Windows API call RegSetValueEx, specific values can be set in the TypedURLs key. There are many adware samples in the wild that write specific values to this Registry key, so that the user’s address bar is populated with entries chosen by the malware authors."


Basically, what Mr. Nichols is stating in his blog is that malware CAN, and DOES, put URLs in the registry. Now, is this what happened in the case of Travis's computer? I do not know. However, I think it is important that a person has the full amount of information.

Who really needs to be called as a rebuttal witness is a malware expert to testify as to the characteristics of each program.  A malware expert can testify if one of the malware programs found on TA's computer has the ability to put those keys in the registry.  
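Because a TypedURLs value carries no record of who wrote it, one way an examiner can test an entry is to look for a matching visit in the browser history. The following is an added example, not code from this post or from the quoted blog; the registry export and the visit records are constructed samples, and treating an unmatched entry as "uncorroborated" is a heuristic assumed here, since history can also be cleared.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: a .reg-style export of the TypedURLs key.
REG_EXPORT = r'''
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TypedURLs]
"url1"="http://www.example.com/"
"url2"="http://ads.example.net/landing"
"url3"="http://mail.example.org/inbox"
'''

# Constructed sample: visit records recovered from browser history.
HISTORY_VISITS = [
    ("2008-05-20T09:14:03", "http://WWW.example.com"),
    ("2008-05-21T18:40:55", "http://mail.example.org/inbox"),
    ("2008-05-21T18:41:10", "http://mail.example.org/compose"),
]

VALUE_RE = re.compile(r'^"(url\d+)"="(.*)"$')


def parse_typed_urls(export_text):
    """Return {value_name: url} for the values listed under the TypedURLs key."""
    entries, in_key = {}, False
    for line in export_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            # Only collect values that belong to the TypedURLs key itself.
            in_key = line.rstrip("]").lower().endswith("\\typedurls")
            continue
        match = VALUE_RE.match(line)
        if in_key and match:
            entries[match.group(1)] = match.group(2)
    return entries


def normalise(url):
    """Compare URLs without regard to host case or a trailing slash."""
    parts = urlsplit(url.strip())
    return (parts.scheme.lower(), parts.netloc.lower(), parts.path.rstrip("/"))


def corroborate(typed, visits):
    """Split TypedURLs entries into those with a matching visit and those without."""
    seen = {}
    for when, url in visits:
        seen.setdefault(normalise(url), []).append(when)
    report = {"corroborated": {}, "uncorroborated": []}
    for name in sorted(typed, key=lambda n: int(n[3:])):
        hits = seen.get(normalise(typed[name]))
        if hits:
            report["corroborated"][name] = min(hits)  # earliest matching visit
        else:
            report["uncorroborated"].append(name)
    return report


if __name__ == "__main__":
    print(corroborate(parse_typed_urls(REG_EXPORT), HISTORY_VISITS))
```

An uncorroborated entry does not show that malware wrote it; it shows only that the registry value alone is the evidence for that URL.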

38 comments:

  1. Great work Debbie, so very informative! You helped to make this very, confusing issue, a little less so. For me, "Porngate," is a non-issue. Nurmi failed to establish any prosecutorial misconduct. He established nothing, at ALL! So much so, that when it came down to his closing argument, he didn't bother to argue the alleged misconduct, he wailed about everything but his original assertions. If JSS had ANY reason to find fault with the prosecution, she would have halted this trial, right away, and not attempted to steam away, into the late hours, as she did. However, alleging misconduct against the prosecutor is VERY serious and Juan Martinez has the RIGHT to face his accusers and decimate them!! CRUSH that notion, completely!! We see that when BN went face-to-face with Martinez, he caved completely! No longer a "computer expert," he became the Audio/Visual nerd! He then proceeded to pass the buck on EVERY item, to "Pseudonym" or "Sue." Now, I'm certain that Sue showed up today, KNOWING his surprise testimony would throw the day, away. What he probably didn't think through, was that if he was THERE, and was prepared to testify all DAY, there would be no EXCUSE or reason, why he couldn't spend the day, CHATTING with JUAN MARTINEZ!! I hope that Juan snatched him up by his pocket protector, and he is STILL chatting the night away with Juan Martinez!! GET him, Juan!!!!

    Replies
    1. "Snatched him up by his pocket protector".... love it, simply love it! I didn't think about the whole "talk to me now". Her lawyers shouldn't even have an excuse bcuz they were supposed to be there the day too.

    2. Hi Debbie; You never cease to amaze me. I check daily sometimes 2 to 3 times to see if you have added to your blog. I agree Nurmi knows JM has defeated him with the alleged misconduct claim and I believe that is one of the reasons he quickly filed his new motions. So JA is now claiming the media is stopping her from a fair sentencing? Says she and her supporters are receiving death threats and Nurmi and Willmott are claiming same. JA is the reason the media was so extensive in this case to begin with. The media is so involved because she invited them, TV, Twitter, etc. It was JA who was giving interviews to the media during the trial and directly after the trial and relished the idea, like a pig in shit.
      There is NO reason this trial cannot move on, for it is NOT the media, nor this court or the State's fault. In fact, JA, HERSELF, CHOSE (despite her DT advisement not to) to go on a media TOUR before, during and immediately after the verdict.
      If she were really afraid, she would NOT have done the Media tour. How can she be afraid when she is safely locked up in a County Jail doing her handstands.

  2. Best article so far on the computer. Thanks for all the detail. I had the same ones years ago and what a mess, finally had to reformat the whole computer. I remember back then it was a mess. I stated that earlier about what it can do to a computer, and if you have remote access or sending a virus... Thanks so much

    Replies
    1. Thanks. I don't know a lot about computers but it's all research out there on the web. And I am pretty good at research. A person can really learn anything if they just research and ask questions.
      Back in the day I opened the "I love you" email virus going around..... Stupidly. The thing was, the now-ex warned me to not open attachments from unknown ppl.... My curiosity got the best of me. I did.... And oops... Bad move, lol. It's that gosh darn curious mind I have

    2. I think part of Nurmi's plan was he was banking on the techie stuff being so confusing JSS would be tricked into believing his assertions. Well, it backfired bcuz JSS does understand, hence her calling BN out on his changing story about the image he wasn't giving up. She was the one who asked for the audio of the interview which tells me JSS was seeing thru the BS the DT was peddling. DT plan backfired and now they r playing fast n loose w/ motions to distract. I am hoping JM stays at it like a bulldog .... I think he will. Guessing he doesn't appreciate the allegations being tossed his way. He

    3. I agree with Nurmi's "baffle with BS" plan-that seems like his only strategy. And I echo the above comments-this is the best explanation I have read about this issue. The only thing I am still wondering about is why the prosecution didn't see all this when they examined it...

    4. Thanks for your awesome question. I was in a hurry to get this up as it has been sitting in my "to finish box" for a bit so I posted without editing. I have edited it some and added in a section explaining why I think the State never found the porn. It could be as simple as the program used to find it. If so, BN basically lied about the porn being obvious and the incinerator was used to hide codes they wrote to find it.
      OR, it could be r/t going in and changing file dates and then incinerating the evidence of those changes.

    5. I recognize you put a lot of research and time into your posts. You are correct that there is a ton of information available. That, to me, makes this issue even more confusing. To say that Neumeister "basically lied" is to say that he's willing to basically throw away his decades long career to help the defense. If you read Nurmi's motions regarding the accusations, they are pretty specific. Nurmi could also be disbarred if his evidence is not strong. I suspect Juan will use one of his courtroom techniques and continue to try to muddy the waters to obscure the bottom line on all this. Just as he did with his motion that included the interview of Neumeister as a deliberate, under-handed effort to question his credibility and make him look evasive. His passive aggressive swipe at Nurmi by calling him Laurence shows to me that Juan is further losing it by giving in to his feelings about Nurmi.

      To be clear, I don't believe Travis deserved to die because of porn or for anything other than a deadly fight where Jodi had to kill or be killed.

      I believe if it is proven that porn was either deliberately or accidentally removed from the hard drive that Jodi's defense was incomplete, and that Jodi's defense team, including her first public defenders, could not present a defense based on all of the exculpatory evidence. Therefore, she deserves a new trial or other remedy.

      True justice for all should be untainted and fair, even for unlikable defendants. Juan Martinez, imo, exploited the Alexander's tragedy by pushing the death penalty. No one could have known what would happen, or how the multiple TV cameras would affect all parties involved. But, imo, it did. It made a farce out of a tragedy and has so far subverted justice for all.

    6. The only person I see being evasive is Nurmi.

      To be clear, Travis had 29 stab wounds, slit throat and a gunshot to the head. JA basically came out unscathed other than a bent finger that was caused from her rage while butchering Travis. "Jodi had to kill or be killed"???? No, Jodi had to kill. A premeditated killing.
      The defense is well aware porn on the computer would NOT be considered exculpatory evidence. So, they have attempted to make a suggestion child porn was on the computer.
      JA alleges; “I caught Travis masturbating to a picture of a little boy.” JA SUBMITS; “So, I finally called him back, and we made arrangements to meet that night to talk about it. Then I went home and fell asleep. We met up later that night and talked. He explained he didn't like that deviant side of himself and felt normal when he had sex with women. I wanted to help him, so we had anal sex that night."
      JA alleged Travis was masturbating to a pic of a young boy, which would tell me he would have preferred young boys.
      So she had "ANAL" sex with him????. It does not make sense for JA to have "ANAL" sex with Travis if she was wanting to help him to feel normal, being that "ANAL" sex is the only way to have sex with both sexes being male.
      (copied & pasted from Debbie Maran’s blog) and I agree that;

      ACTIONS DON'T SUPPORT THE CLAIMS

      Jodi alleges Travis was sexually interested in children. She stated she continued to have sex with him because she wanted to help him feel normal. She claimed she made a deal with him to not stay the night at a home where children lived. Her alleged deal would indicate she had a fear of him acting out his urges. If her allegation was true, why is she enticing him with images of children and sex to elicit a sexual response? A month after she claimed to have caught him masturbating to the image of a child Jodi sent him an unsolicited text. It read; "Yes, I want to fuck you like a dirty horny little school girl."
      It's not reasonable she would send such a text to someone who she claimed was a pedophile and had fear might act out his desires. It's not reasonable, and it does not make sense. And if it doesn't make sense, most likely it's not true. If the pedophilia incident is not true, there was no reason for "escalation" of abuse. With or without the pedophilia claim, there are signs the abuse incidents are lies that stand alone.
      -------
      So JA is now claiming the media is stopping her from a fair sentencing? JA is the reason the media was so extensive in this case to begin with. The media is so involved because she invited them, TV, Twitter, etc. It was JA who was giving interviews to the media during the trial and directly after the trial and relished the idea, like a pig in shit.
      There is NO reason this trial cannot move on, for it is NOT the media, nor this court or the State's fault. In fact, JA, HERSELF, CHOSE (despite her DT advisement not to) to go on a media TOUR before, during and immediately after the verdict.
      There is no threat, if she were really afraid, she would NOT have done that.
      She is safely locked up in a County Jail doing her handstands.

    7. Sandra - you are not acknowledging one big problem -- Lonnie Dworkin looked at the hard drive. Lonnie Dworkin had years of experience beyond what Melendez and BN had. It means if the porn was the "aircraft carrier in the room", LD would have seen it. Lonnie Dworkin found no porn on T's computer. It's obvious he was looking for something because he found the penis picture on Jodi's computer. If tons of porn showed up as "an aircraft carrier in the room" LD would have included it in his report. In fact, he was directly asked if there was any porn and he said NO.

      That "NO" and BN's claim of the porn being overtly obvious in the room is end of story for Jodi Arias on the porn in the computer-- even if they were to ever verify child porn on the computer -- which they have not. LD's experience far outweighs Melendez and BN's. If he did not see it, it can only mean three things - BN lied, the porn was not obvious, or LD saw it and ignored it because JA was claiming intruders in 2009. The last still does not release her. She has a due diligence to seek out the evidence which could exonerate her. She doesn't have to, but her failure to do so cannot later be used for an appeal. When she changed her claim she needed to go back and ask her computer witness "My defense changed, it now involves pedophilia and sexual deviance. Did you find any evidence of that in your computer search?" Either she didn't ask the question, or she did and was told no. Remember - it was an "aircraft carrier in the room" according to BN. If Jodi didn't ask the question, she failed to practice due diligence in securing the information and now it is too late.

      The defense knows this and it's why they tried to make it look like the State "hid the information" by playing fast and loose w/ the facts.

      Nurmi cannot be disbarred because of the way he has presented his claims. All he needs to express is that per his view, it is what it looked like. Per his view -- all he knew is the computer was erased on a day it was taken out by Flores from evidence "OH! I wasn't aware defense counsel was there too".... Look at the way he presented the "time period" on his motion: "Between the times 13:56 and 16:51 1000's of files were erased." It's an example of his "fast and loose" with the truth. Those are the times Flores had the puter out of evidence. At the time Nurmi wrote the motion, he knew the time period was only 12 minutes the computer was on. So, why not say "over 12 minutes 1000's of files were erased?" Because he already knew it was a virus, he already knew DT was there, and he already knew the State did not do it. .... But prove he knew. It can't be done. So, he is "safe" from being disbarred.


    8. Michael Kiefer @michaelbkiefer, 10 minutes ago

      Nurmi got "Smith" to say that Mesa PD made two images of computer, one in 2008, one in 2009. Gave altered 2009 image to defense.

      Steve Krafft @SKrafftFox10, 11 minutes ago, Phoenix, AZ

      Defense computer expert says Mesa Police mishandled computer evidence.

      Michael Kiefer @michaelbkiefer, 6 minutes ago

      Smith breaks the news about the porn to the jury.

    9. Hello Sandra, thank you for the input. I am a little confused about what your little re-reporting of Kiefer's twitter is supposed to mean. I am not a journalist but I prefer to do what most good journalists would do and hear both sides of the testimony, do my own investigation - such as learning the Alexa search engine has been linked to malware -- and then report the findings. Anything else is just telling part of the story.

    10. I will say one thing -- who needs to be called as a rebuttal witness is a malware expert from a company such as Norton, McAfee, Avira, etc. to testify to the actions of malware. It bothers me that this new "expert" keeps using virus to classify the whole lot.

    11. Steve Krafft @SKrafftFox10, 3 hours ago

      Porn on Travis Alexander's computer was put there by humans, not some computer-generated virus, defense expert says #jodiarias

    12. Sandra Webber is the one who heads up the JA support sites, is in close ties w/JA herself. She does believe TA got what he deserved. She's written it everywhere!

    13. That is not even close to being true. I "head up" nothing. I write a blog. I've been researching and writing on this case and trial for two years. I've never written what you just wrote.

    14. Sandra, Sorry dear, but rumor has it that you are at the top of the chain of the JA supporters and believe her to be innocent. Why are you on Debbie's blog?

    16. Sandra; Googled your blog and as soon as I read your statement Feb. 15, 2014; "Travis Alexander fits all the behavior traits of a man with narcissistic personality disorder. Google it. It explains a lot, and even supports that his losing his temper over what seems to most an innocent act of dropping a camera fits perfectly, especially in the context of his other behaviors relayed by his friends without their realizing the full implications, I think, of what they were describing. Does that, by itself, mean Travis deserved to die? Absolutely not! But attacking Jodi or anyone else to the point where that person felt their own life was at stake, makes him a fitting candidate to be killed in self-defense. The motive of jealousy by Jodi is supported by no concrete evidence of any kind. Stalking? Show me. Slashing? Show me. Hacking into accounts? Show me. Writing that creepy Mormonesque e-mail? Show me. Yeah, Patrick, putting Travis on a pedestal may end up being his downfall in the end. The higher one climbs, the harder one bounces? Or something like that."
      So, Sandra, you believe JA killed Travis in self defense. Let me remind you that; JA was fully clothed, Travis was completely naked in the shower. JA stabbed him 29 times, slit his throat to nearly decapitating him and shot him in the head. JA ended up with bent finger from the knife she used to butcher him. She used sex to keep him off guard so she could carry out her plan. There was no altercation over the camera, those are JA's words. Travis was in the shower wallowing over the sex they just had, he would be in a great mood, until he saw the knife! Your opinions are all based on JA's words and nothing else.

  3. thanks so much for posting this....i am not real computer savvy and your post cleared up some things for me...mainly that there is something funny (and not funny haha either) going on with this porn thing. BN ducked a lot of the questions with his "go ask Sue" routine. Will we find out who "Sue" is? stay tuned i guess. again thanks for this easy to understand explanation.

    Replies
    1. The thing is, I am not either. I learned thru research. However, BN was offered as a computer tech. As soon as he started calling the trojan a virus I knew he was f.o.s. about his 'expertise'. Calling them all 'viruses' is a layman's term for malware. I did not know diddly but I knew that. And if I knew that, an experienced tech like BN initially was presented as should have known it. I just can't imagine someone in the know making a look layman's mistake because someone in the know understands viruses and Trojans act different and have to be dealt w/ differently. Pretty much as soon as BN opened his mouth and stated "I am just repeating Sue's findings" his testimony flies out the window. Anyone can read another's report and repeat what it says but understanding and explaining it is a different story.

  4. I am not computer savvy or facile in any way but intuitively I 'knew' that BN was f.o.s. - mostly from his over-the-top belligerence during the evidentiary hearing. Your exemplary work has provided me with the facts that I've wanted so that I could understand this complex issue. Excellent article, Debbie. A million thanks!

  5. Very factual and informative, Debbie. I wish we could get this to Juan Martinez! BN wanted to support Hodi & Co., since they were paying his tab (from the great state of AZ). Too bad he's a maroon........... we need justice, not side-shows from people who don't know what a mitigating factor is.

    Replies
    1. Yeildcurve, that's what I keep wishing too! :)

  6. Replies
    1. Maybe JM should be sent a link to this article. It will surely help him with his cross examination of all these jack asses.
      Thanks Debbie for enlightening all of us who are interested in getting justice for Travis. May his dear soul rest in Peace. He surely must be rolling in his grave with the way this Evil woman is killing him a fourth time by dragging his good name through the mud. She needs to rot in Prison for the rest of her life. The death penalty is an easy way out for her. She needs to suffer each second in Prison knowing what she did to a beautiful soul.

  7. Great info. Thanks for your hard work!

  8. Excellent research and explanations! Thank you for posting.

  9. Defense is grabbing at straws, like they've always done!!

  10. Hi Debbie; I believe JSS ordered Nurmi to give up the Oct. 2014 image, that he was so reluctant in doing so. That was before Christmas break. If Juan has received it I have no doubt he spent his holidays going over that image.

  11. Hi Debbie; Can you enlighten us to what this all means today (Court Jan. 8/2014) Today there was just talk of porn, no child porn though. Will you be able to retrieve JA's secret testimony and if so will you be posting it. I really don't like the idea that the jurors are hearing from Smith about porn on Travis's computer, it's like they're saying Travis is bad for having porn. Good lord, I have had porn on my computer but that does not make me a sexual deviant. They're painting Travis as such. Thirdly what would you do if you were Juan? I sincerely respect your opinion your thoughts on the matter.

  12. One more thing, JA had access to Travis's computer she had his password. Who's to say she did not look up porn on TA's computer. I know Juan is trying to clear his name with the alleged misconduct, but at the same time I wish he would put that out there, that JA had access to his computer. Also, when JA became her own Lawyer and hired the PI would they have had access to the image in question?

  13. Hi Debbie; I guess you already heard of Nurmi's motion to preclude the state from eliciting testimony regarding "work drives". I have said all along that there was something very suspicious about JA acting as her own lawyer and hiring a PI, followed by re-instating Nurmi as her lawyer shortly thereafter, where Nurmi then further investigated his image and used an incinerator program. First he was very reluctant to give up that copy to Juan and Juan had asked him times until JSS finally ordered him to do so. Now he does not want Juan to use his findings as evidence. Am I totally off base, missing something? Not to allow Juan to defend himself with the alleged prosecutorial misconduct would be devastating and I believe if he is not able to Nurmi's next move is JA did not have a fair trial. Move to acquit? Your opinion means a lot, thanks Debbie. https://drive.google.com/viewerng/viewer?url=http%3A%2F%2Fcourtchatter.tv%2Fdocuments%2Farias%2Fjamotioninlimine010715.pdf

  14. Hi Debbie; Looking further I found the court minutes for Jan. 8, 2014. JSS has denied Nurmi's motion, Re: "work drives". This is good news. So my next question (I hope you're not tired of hearing from me) would an expert be able to find out if dates, times were altered on Nurmi's image even though an incinerator program was used? Court minutes attached http://www.facebook.com/l.php?u=http%3A%2F%2Fwww.courtminutes.maricopa.gov%2Fdocs%2FCriminal%2F012015%2Fm6644902.pdf&h=UAQHe7KlE

  15. Hi Debbie; It's me again. Read Paul Sanders latest perspective/summary of court on Jan. 8, 2014. You may have read it already, however, Excellent read. My favorite part was "One of my favorite descriptions Paul Sanders gave was; "JUAN MARTINEZ SPOKE AS LOUDLY AS TRAVIS ALEXANDER WOULD HAVE HAD HE BEEN IN THE SAME SHOES. IT ALL SEEMED SO FAR FROM THE TRUTH UNTIL THIS VOICE SUCKED THE WIND OUT OF THE COURTROOM IN A MATTER OF SECONDS. FINALLY, TRAVIS ALEXANDER WAS IN THE ROOM." Know this or not Debbie, but Travis Alexander speaks through you too, and I am thankful I found your blog. Found Paul Sanders summary on: https://www.facebook.com/485866588137167/photos/a.490373611019798.110789.485866588137167/850022248388264/?type=1
