Threats Without Borders - Issue 252
Cyber Investigations Newsletter - week ending September 14, 2025
Most defense attorneys are non-technical, but they know the jury is also unfamiliar with technical jargon. Therefore, all they need to do is throw out a lot of techno-mumbo jumbo to confuse the jury completely.
The defense plans to leverage the technology to cause confusion, aiming for the jury to dismiss your testimony because they either don’t grasp the technological concepts or can’t assess who is truthful due to their lack of basic understanding.
Lay witnesses can only testify about facts—such as what I did, what I saw, or the process I followed. Expert witnesses are permitted to testify about their analysis and opinions because they possess knowledge beyond that of an average person and can draw conclusions based on observations and evidence analysis. Most prosecutors will bring in an expert witness for cases that go to trial, but not always.
The defense tactic used to attack the credibility of a witness, whether expert or lay, who testifies about a technical procedure is the same: to cloud the issue by making the technology seem more complicated than it is and to exploit most people's lack of knowledge and fear of technology.
The attorney will repeatedly highlight the most technical parts of the technology, emphasizing how hard they are for most people to grasp. At the same time, they suggest that the investigator lacks proper training, asking, “Do you really think this simple cop understands this technology? Even people with Master’s degrees from MIT find this technology challenging; do you really believe this cop, after just a two-week class, suddenly becomes an expert?”
You can handle these tactics by breaking each action into simple steps and explaining them clearly. Use the ELIF technique – Explain Like I’m Five. Find the most technically inexperienced person in your organization and customize your explanation so they can understand. This approach begins with your report. Write it as if your children need to understand it.
ELIF starts with the initial report.
Consider everyone who will read your report – supervisors, prosecutors, defense attorneys, and the expert hired by the defense. You can avoid many problems by writing the report as clearly and completely as possible, yet simply enough for everyone to understand. Make it clear so the defense attorney knows exactly what you did and why. Document every step thoroughly so the defense expert can follow and verify your workflow.
Which version is more impactful:
A RAM capture tool was used to parse the non-persistence data from the NTFS file system. This allowed an examination of the binary executables and DLLs. The results were negative.
or
The device operated Microsoft Windows 10. Windows features two primary data storage types: the hard drive for long-term data retention and RAM (Random Access Memory), also known as Memory. RAM temporarily holds data and programs in use, enabling quick access for the processor. Since RAM is volatile, it loses its data when the device powers down. Forensic analysis of memory can reveal details about active processes, network connections, and potential malware or unauthorized actions.
Magnet Forensics' RAM Capture tool was used to acquire and analyze the memory. This process involved examining the loaded binary executables and Dynamic Link Libraries (DLLs) present during capture. Analyzing these running processes and DLLs helps identify suspicious or malicious code.
No suspicious code was observed.
But Matt - I don’t have time to write all that! Ok, whatever your career can handle.
Your process and report should leave the defense expert with only one possible response – “yes, it appears this was done completely and accurately.”
The defense is much more likely to accept a plea deal if they believe there is no option to challenge the evidence.
Hello, bank investigators and E-Discovery colleagues—this message is also for you. The source of evidence is the first place a defense attorney examines to challenge, and if you're the source, you're the target. When collecting evidence, whether at the request of law enforcement or your legal team, adhere to the ELIF principle. Anyone in your organization, even the CISO, should be able to review your report and easily understand what actions you took and the reasons behind them.
Oh, and everyone should keep their personal opinions out of the report. If you are later called as an expert, opine away. Otherwise, stick to straightforward investigative documentation—covering Who, What, Where, When, and How. The Why (motive) might be identified and included later, but it doesn’t need to be part of your forensic investigative reports.
Feedback
“Matt, I take exception to the complacent cops comment. I'm the only examiner in my 100 plus agency, I have 37 devices in the queue, and the SRO just called me about collecting three more. Complacency isn't the problem, it's exhaustion.” (See issue 251 for reference)
My apologies, Don. No offense was meant by that comment. Well, at least not to the examiners in the lab. I probably did intend to offend the cops who take the report, quickly review it in the PDF reader tool, cherry-pick a few messages or images that support their case, and then call it a day.
I also intended, probably, to offend the leadership that believes having one examiner for an agency of 100, 200, 500, or an entire county is appropriate. And by the way, conducting examinations without anyone to perform analysis is equally problematic.
But again, this isn’t the fault of those in the mines.
Schools
I know there are several of you out there working in education!
Are we allowed to consider students as Insider Threats?
This report discusses the rising issue of insider threats in schools, where students are increasingly involved in cyber attacks and data breaches. This analysis of 215 breach reports in the UK from 2022 to 2024 reveals that students, often motivated by curiosity, dares, or peer pressure, are hacking into school systems, sometimes using online tools or hacker forums.
Some News…
FinCEN Director Andrea Gacki has called to modernize anti-money laundering (AML) and counter-terrorism financing (CFT) systems to address rising cyber-enabled fraud and evolving threats from illicit financial networks. https://www.pymnts.com/aml/2025/fincen-director-cites-urgent-need-modernize-aml-amid-new-threats/
An audit by the Department of Homeland Security (DHS) inspector general found that the Cybersecurity and Infrastructure Security Agency (CISA) mismanaged a $138 million program intended to retain cybersecurity workers. CISA did not properly design, implement, or track the program, leading to questionable payments of $1.4 million to 348 employees, some of whom lacked critical cybersecurity skills. https://www.oig.dhs.gov/sites/default/files/assets/2025-09/OIG-25-38-Sep25.pdf
Paraben looks at drone forensics. https://paraben.com/the-silent-witness-in-the-sky-a-deep-dive-into-drone-forensics-for-criminal-investigations/
FinCEN issues a Notice to help financial institutions detect and disrupt financially motivated sextortion. The crime, particularly targeting minors, has dramatically increased, with the FBI receiving nearly 55,000 reports in 2024, resulting in $33.5 million in losses and, most unfortunately, suicides. https://www.fincen.gov/news/news-releases/fincen-issues-notice-financially-motivated-sextortion
Passkeys, passkeys, passkeys! The cool kids all shout. Well, maybe they aren’t as secure as they thought. A recent study by SquareX reveals that passkeys, often seen as more secure than traditional passwords, can be vulnerable to hacking through malicious browser extensions. The attack leverages the browser's role as a middleman in the passkey setup process, enabling an attacker to intercept and manipulate the communication, potentially stealing passkeys. While passkeys are designed to be resistant to phishing, this new research highlights a critical weakness—the browser itself—which can be compromised if not properly secured. https://www.forbes.com/sites/zakdoffman/2025/08/28/yes-your-passkeys-can-be-hacked-new-attack-breaks-the-myth/
Cool Tool
Monolith Forensics offers a notes app designed for digital forensic investigators. Everything you need is free. https://www.monolithforensics.com/free-tools
Cool Job
Ransomware Intelligence Analyst, Halcyon. https://job-boards.greenhouse.io/halcyon/jobs/5620788004
Training and Education
The Human Crime Specialist program from The Knoble is accepting applications for inclusion in its Spring 2026 cohort. https://humancrimespecialist.com/
Irrelevant
I use the em dash - a lot. Seeing the punctuation in writing doesn’t mean it’s the work of AI. Brian Phillips explains why the em dash is useful and why everyone should stop accusing users of pushing AI slop. https://www.theringer.com/2025/08/20/pop-culture/em-dash-use-ai-artificial-intelligence-chatgpt-google-gemini
Sign Off
I hope that most of you read my Friday email announcing the slight shift to a paid subscription model. If you missed it, find the email sent last Friday and learn about the updates. As mentioned, the Tuesday edition of Threats Without Borders will stay unchanged. It will remain free every Tuesday, just as it has for the past 252 weeks. An extra newsletter will be sent each Friday to those who choose a premium subscription.
What will the new issue include? I don’t know yet; I guess we’ll find out this Friday morning.
Thank you, and I’ll see some of you in a few days, the rest of you in a week.
Matt
Rest in peace, Charlie. You made a difference.
Threats Without Borders offers original commentary and educational pieces related to cybercrime investigations and information security topics. We also summarize and comment on news articles concerning active threat intelligence for the financial industry. The newsletter interests everyone tasked with cybersecurity or involved in preventing or investigating technology-enabled fraud, theft, or money laundering.
Legal: Obviously, anything written in this space is my own nonsensical opinions and doesn’t represent the official viewpoint of my employer or any associated organization. Blame me, not them.