• FreshLight@sh.itjust.works
    16 days ago
    Here's part 3

    In Colorado, questions about Mosher and Cybercheck preceded prosecutors’ dropping the charges and sealing the file against a defendant in what law enforcement said was a child sexual abuse material (CSAM) case. After learning that the local district attorney’s office planned to enter Cybercheck evidence at trial and call Mosher as an expert witness, defense attorney Eric Zale hired private investigators to look into Mosher’s background.

    Mosher told the Boulder County court that he’d previously testified as an expert witness in two CSAM cases in Canada, according to Zale and an appeal brief filed by Malarcik for another client in which a Cybercheck report had been shared in discovery. But after being contacted by Zale’s investigator, the Canadian prosecutors in one of those cases contacted the prosecutor in Boulder County to say that Mosher had never been called to testify in any capacity. The defendant, who was related to Mosher, had pleaded guilty on the first day of the trial. A prosecutor familiar with the other Canadian case wrote to the court that no charges had ever been brought against the person whose trial Mosher had told a judge he testified at.

    Zale alleges Mosher is “preying on this kind of holy grail of technology to sucker local law enforcement and judges and prosecutors, and frankly some defense counsel” into relying on Cybercheck’s technology.

    Mosher did not respond to WIRED’s request to comment on Zale’s claims. Global Intelligence did not dispute that Mosher claimed to have testified as an expert in the two Canadian cases.

    “Mr. Mosher felt at the time that he needed to relay all court participation activities including provision of statements regarding an investigation,” the unnamed Global Intelligence employee wrote. “Other prosecutors have reviewed this matter during other trial proceedings, finding this incident was more of a lost-in-translation issue as opposed to some sort of impropriety.”

    WIRED requested the names of those prosecutors but did not receive a response.

    No Receipts

    The challenges in Ohio and Texas have hinged on an unusual aspect of Cybercheck that differentiates it from other digital forensics tools: The automated system doesn’t retain supporting evidence for its findings. As Mosher has testified under oath in multiple jurisdictions, Cybercheck doesn’t record where it sources its data, how it draws connections between various data points, or how it specifically calculates its accuracy rates.

    In Mendoza’s case, for example, no one knows exactly how Cybercheck determined that the email address “[email protected]” belonged to Mendoza. Nor did Global Intelligence explain exactly how the system determined that Mendoza’s cyber profile had pinged the wireless devices near 1228 Fifth Avenue.

    Mosher has testified that the only information Cybercheck retains during its search process is the data it deems relevant to the investigation, all of which is included in the reports it automatically generates for investigators. Anything else, including potentially contradictory information about who owns a particular email address or online alias, is supposedly processed by the algorithms and used to calculate the accuracy scores that Cybercheck includes in its reports but isn’t archived.

    “When you’re asking, you know, do we preserve all the artifacts and all the data that we crawl—we couldn’t realistically do that because it’s zettabytes of data,” Mosher testified in the Texas Daubert hearing on January 19, 2024. A zettabyte is equivalent to more than 1 trillion gigabytes.

    Mosher has testified that Cybercheck doesn’t need to show its work because its conclusions are derived from open source data that anyone with the proper open source intelligence (OSINT) training can find on the web.

    “If you give that [Cybercheck] report to a skilled investigator that knows cyberspace and machine learning, they’re going to come up with the exact same results,” Mosher testified during the murder trial of Adarus Black, in Summit County.

    Rob Lee is an OSINT expert and chief of research and faculty lead at the SANS Institute, a leading provider of cybersecurity and infosec training. According to Mosher’s résumé and court testimony, Mosher took more than a dozen SANS Institute training courses prior to founding Global Intelligence.

    At WIRED’s request, Lee and a team of researchers at the SANS Institute reviewed Cybercheck reports and the descriptions of the system that Mosher has given under oath. They say it’s highly unlikely that some of the information in the reports can be gathered from publicly available sources.

    Specifically, to determine when a particular device has pinged a wireless network, an analyst would need to either physically intercept the signal or have access to the device or the network’s logs, neither of which are open source, Lee says. That kind of access requires a search warrant.