Threats Without Borders - Issue 251
Cybercrime Investigation Newsletter, week ending September 7, 2025
A friend and I discussed the idea of working for the "dark side" by reviewing digital forensic evidence on behalf of the defense. The pay is tempting, but I just can’t bring myself to do it. I still see myself as "team cop" and couldn't testify against the right side.
But there are a lot of cops doing some pretty bad investigations, he said. Yes, I can’t disagree with that.
There is plenty of flawed “forensics” out there. This has become more prevalent with the rise of “push button forensics” – you know, connect the device, push the start button, and turn the 300-page PDF report over to the prosecution without additional consideration.
The technology itself isn’t the problem; actually, it’s too advanced. It allows almost anyone to connect a device and generate a full examination report. The user doesn’t need any knowledge of formal forensic procedures, how the forensic tool functions, or even the target device’s operating system. All they have to do is connect a USB cable and press the start button.
It's really not that bad. I mean, they go through one week of “training” to get a piece of paper that says they're good. So hey, they are not just anyone.
But ask them questions about the order of volatility, the Android operating system's file system tree, or what a Plist is – and things quickly go downhill. Slack space? Never heard of it!
If I were an attorney, I would ask, “By the way... you’ve testified about SQL databases multiple times, is it SQL or Sequel?”
Again, this isn’t an attack on Magnet, Oxygen, Cellebrite, or other digital device forensic tools—they are genuinely excellent. Revolutionary, in fact, especially for those of us who once held an iPhone 3, asking, "What do we do with this?"
And most offer excellent training courses on how to use their tools.
The issue lies with complacent cops who simply press a button and record the examination report as “forensic” evidence. From there, things decline further because the system is dominated by prosecutors lacking technical education or training, overburdened and frustrated defense attorneys, and judges who mainly use technology to check their wealth portfolios or find their way to the country club. Of course, there are exceptions to each of these points.
And it’s not just an issue with digital device forensics. Ask the investigator to explain how an IP address is broken down into a binary format, how the router tracks which device is using which Internet service, or how mobile devices are handed over from one tower to another as they move down a highway.
You just testified to it... But can you explain it? And not the clichéd “well an IP address is a number used by a computer so it can talk to other devices on the Internet.” NO!
Over the next few weeks, we will examine how defense attorneys challenge digital evidence in a case, and how investigators should structure their investigations so they can address these objections effectively when they arise.
Certainly, the most effective approach is for the investigator to familiarize themselves with forensic principles and gain a thorough understanding of the technology they utilized while collecting and examining the evidence. It's not sufficient to merely know how it functions; understanding why it functions that way is equally important.
If you’re going to testify about it, you better know it.
And cybersecurity professionals and bank investigators should not tune out for the next few weeks. You might very well be sitting in the witness stand or at the deposition table. The quality of your investigations is just as important, if not more so, in certain situations.
The News…
We’ll see if this turns into a trend. Senior leaders at Australian airline Qantas had their annual bonuses cut by 15% after a cyberattack in July that caused various problems for the company. https://therecord.media/qantas-airline-reduces-bonuses-executives-data-breach
Digital tools are speeding up financial crimes, especially crypto scams and AI-based fraud, which challenge authorities' ability to respond. Criminals are exploiting technologies such as blockchain, encrypted communication, and AI to launder money and avoid detection, while governments face challenges from fragmented rules and outdated infrastructure. Nonetheless, efforts are increasing to modernize cross-border payments and boost transparency with initiatives like the FATF’s travel rule and machine learning for anomaly detection. https://www.imf.org/en/Publications/fandd/issues/2025/09/fighting-tech-fueled-crime-chady-el-khoury
A Maryland man has admitted to orchestrating a large-scale fraud scheme involving stolen identities of medical doctors to produce thousands of illegal prescriptions. The man obtained personal information from licensed physicians and used it to create fake identities, perform illegal SIM swaps, and open fraudulent e-prescribing accounts. He and his co-conspirators issued over 5,600 prescriptions for controlled substances, which were filled at pharmacies nationwide and later sold for profit. https://ktla.com/news/nationworld/man-pleads-guilty-in-doctor-identity-theft-scheme-involving-thousands-of-fake-prescriptions/
Flare makes the claim that “the ransomware economy runs on stealer logs”. https://flare.io/learn/resources/blog/cybercrime-economy-businesses/
Fud on FUD
I’ve noticed a lot of talk about “fully undetectable” (FUD) links. The phrase implies that a malicious link can bypass every security measure and stay hidden from defenders. In truth, that’s more marketing hype than reality.
A FUD link often employs tactics like URL shorteners, look-alike domains, redirect chains, or conditional delivery to conceal its malicious nature from automated scanners. To the victim, it may appear as a regular link. However, calling it “undetectable” is inaccurate.
Security systems and analysts continually enhance their filters, threat intelligence, and behavioral monitoring. A link that bypasses a scanner today might be detected tomorrow once its patterns are recognized. Even if the link appears harmless, other indicators such as unusual DNS activity, suspicious SSL certificates, or the site's behavior after visiting will eventually trigger alerts.
The label “FUD” simply means detection hasn’t caught up yet. It doesn’t mean a link is immune from scrutiny forever.
Anyways, relying solely on technology to block bad links is insufficient. Security tools are a must, but layered defenses such as user awareness, threat intelligence, network monitoring, and incident response are equally important.
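As an added example (not from the newsletter), here is a small Python triage routine that applies the detection view above to the tactics just named: it walks a captured redirect chain offline, flags known shorteners, and explains why a hostname resembles a watched brand. The brand watch list, shortener set, digit substitutions and sample redirect map are all constructed for this example.

```python
from urllib.parse import urlparse
# Constructed watch list, shortener set and digit substitutions for this example
WATCHED_BRANDS = ("paypal", "microsoft", "chase")
SHORTENERS = {"bit.ly", "t.co", "tinyurl.com", "is.gd"}
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})

def levenshtein(a, b):
    # Standard edit distance (dynamic programming, one row at a time)
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_reasons(host):
    # Why a hostname resembles a watched brand; an empty list means no match
    parts = host.lower().split(".")
    reasons = ["punycode label"] if any(p.startswith("xn--") for p in parts) else []
    label = parts[-2] if len(parts) >= 2 else parts[0]  # second-level label
    normalized = label.translate(HOMOGLYPHS)  # undo 0->o, 1->l style swaps
    for brand in WATCHED_BRANDS:
        if label == brand:
            continue  # the brand's own domain, nothing to flag
        if brand in normalized or any(levenshtein(t, brand) <= 1 for t in normalized.split("-")):
            reasons.append(f"resembles {brand}")
    return reasons

def triage_link(url, responses, max_hops=10):
    # Follow a captured url -> Location map (no network) and collect signals on every hop
    chain, findings = [url], []
    while url in responses and len(chain) <= max_hops and responses[url] not in chain:
        url = responses[url]
        chain.append(url)
    for hop in chain:
        host = urlparse(hop).hostname or ""
        if host in SHORTENERS:
            findings.append(f"shortener: {host}")
        findings += [f"{host}: {r}" for r in lookalike_reasons(host)]
    if len(chain) > 2:
        findings.append(f"redirect chain of {len(chain)} hops")
    return {"final": chain[-1], "findings": findings}

# Constructed sample: shortener -> tracking redirector -> look-alike login page
SAMPLE_RESPONSES = {
    "https://bit.ly/3abc": "https://track.example.net/go?id=7",
    "https://track.example.net/go?id=7": "https://secure-paypa1-login.com/signin",
}
```

Each hop contributes its own signals, which is the point of the section: a scanner that only inspects the first URL sees a shortener and nothing else.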
Cool Job
Director of Strategic Security Programs, The National Football League. https://job-boards.greenhouse.io/nflcareers/jobs/4905817008
Director of Asset Protection and Safety, The Giant Company. https://thegiantcompany.careerswithus.com/job/Asset%20Protection/Director-Asset-Protection-%26-Safety/Carlisle-PA/giantcompanyrms/453535_external_USA-PA-Carlisle
Cool Tool
Not necessarily the coolest tool, but I’m often asked for the best source to identify the Internet Service Provider that is the custodian of an IP address. My go-to is Maxmind. I’ve been using them for years without any complaints. As with any IP search tool, the geolocation can sometimes be inaccurate, but I’ve never had them mislead me about the ISP. And that’s what really matters. They allow 25 free searches per day. https://www.maxmind.com/en/geoip-web-services-demo
DFIR
An excellent write-up on the USN Journal and why it’s important to your device investigations. https://andreafortuna.org/2025/09/06/usn-journal
Irrelevant
How to not lose your job to AI. https://80000hours.org/agi/guide/skills-ai-makes-valuable/
Sign Off
This week, I came across a LinkedIn profile with a headline claiming “Number 1 female cybersecurity speaker in 2025”. It made me stop and think about how silly such a claim is. Thousands of people work in cybersecurity, and hundreds speak publicly each year. So, what exactly does being Number 1 mean? How do you achieve the title? And who decides this? Is there an official organization governing these titles? Or maybe it’s based on the number of speeches, like a punchcard system? Is there a title for the Number 1 Male Cybersecurity Speaker? I’d like to apply.
Of course, I guess making a fruitless claim that you’re number one is still better than figuratively comparing your anti-fraud and cybersecurity efforts to those of a warrior, soldier, or some other member of our armed forces.
Oh, Matt, you're such a curmudgeon.
Thanks for reading. See you next week.
Matt
Published every Tuesday, Threats Without Borders offers original commentary and educational pieces related to cybercrime investigations and information security topics. We also summarize and comment on news articles concerning active threat intelligence for the financial industry. The newsletter is of interest to everyone tasked with cybersecurity or involved in preventing or investigating technology-enabled fraud, theft, or money laundering.
Legal: I am not compensated by any entity for writing this newsletter. Obviously, anything written in this space is my own nonsensical opinions and doesn’t represent the official viewpoint of my employer or any associated organization. Blame me, not them.