Why is testifying and/or writing a report such a critical part of the computer forensics experts job?

In your opinion, which one is more important — testifying or writing a report?

The most critical part of the computer forensics expert’s job is writing the report that will be used in a court of law. To perform their job successfully, a digital forensic examiner “must write forensic reports that are both technically accurate and easy to read. A great investigation can be rendered largely ineffective if the resulting report is poor” (Maher, 2004). The expert who testifies using the original examiner’s report needs a document that can stand up under cross-examination (Nelson, Philips, & Steuart, 2010). The testimony of a digital forensic expert is another critical part of the job. The expert presents the evaluation of the evidence reports to the court and substantiates, through their experience and position as an expert witness, that the facts are correct. The forensic expert must prepare for testifying by creating additional exhibits for the court; “the single most important function of the expert is the development of graphics and exhibits for presentation of technical subjects to lay individuals” (Burrows, 2011).

The reason I feel that the report, and not the testifying, is the most important part of a digital forensic expert’s job is that “the time taken to present any incriminating evidence in a court of law is as many as three to five years and sometimes even longer” (UMUC Mod4, 2011). The fact that the original examiner may not be around to testify demonstrates the importance of the investigative report. Having a standard process for writing a digital forensic technical report is important, as it ensures a repeatable, consistent report by the forensic analyst, which matters because “a report that is disorganized and poorly written may actually hinder their case” (Maher, 2004).

Burrows, R. (2011). Judicial Confusion and the Digital Drug Dog Sniff: Programatic Solutions Permitting Warrantless Hashing of Known Illegal Files. George Mason Law Review, 19(1), 255-290.

Maher, M. (2004, August 9). Becoming a Forensic Investigator. Retrieved March 3, 2014, from SANS Institute: InfoSec Reading Room:

Nelson, B., Philips, A., & Steuart, C. (2010). Expert Testimony in High-Tech Investigations. In B. Nelson, A. Philips, & C. Steuart, Guide to Computer Forensics and Investigations (Fourth ed., pp. 541-574). Boston, MA: Course Technology.

UMUC Mod4. (2011). CSEC 650 Module 4: Data Acquisition and Analysis. Retrieved February 3, 2014, from UMUC Cybercrime Investigation and Digital Forensics:

Provide two examples of how you could present a technical term to a nontechnical courtroom audience.

You may choose two different technical areas or provide two different examples for the same technical item.

Two examples of methods I could use to present a technical term to a nontechnical courtroom audience are PowerPoint presentations and animated graphics. Today’s jurors are part of the digital age and nearly all have seen a PowerPoint presentation; this familiarity removes the distraction of being introduced to a new technology at the same time as a new concept. Knowing the age group and general educational level of the audience helps when creating the presentation and the analogies used to express a technical concept. “Explain technical terminology by demonstrating what is meant using everyday examples” (Olson, 2010). Email can be explained in a PowerPoint or animated presentation using the analogy of the US Postal Service: the email server is compared to the post office and the client machines to the postal carrier delivering the mail to the user, with the email shown travelling from the server to the user’s computer screen. A laptop connected to a monitor displayed to the jury can show “illustrative aids by combining an exhibit with enhancements that make the content of the exhibit easier to understand or by producing bullet lists, charts, graphs, and diagrams” (Siemer, 2001, p. 8).

Casey (2009) provides an example using the word “image” and how the term can be used by a forensic examiner, an IT manager, and a lawyer each with a different interpretation.  One way to express the forensic examiner concept of the word “image” is through a PowerPoint presentation showing two disks with a line of ones and zeros from one disk marked as “Original” and the other marked as “Copy A” followed by a second slide showing both drives with an equal sign between them and the text “When you image a drive you are making an exact copy” of the ones and zeros that make up the evidence.  A technical term can be explained to a nontechnical courtroom audience through the use of illustrations and visual aids that bring the concept into their life experiences.

Casey, E. (2009). Handbook of Digital Forensics and Investigation. (E. Casey, Ed.) London, England: Elsevier Science, Kindle Edition.

Olson, B. A. (2010). Technology: Engage the Jury: Presenting Electronic and Computer Evidence at Trial. Wisconsin Lawyer, 83(2), 2029.

Siemer, D. C. (2001). Effective Use of Courtroom Technology: A Judge’s Guide to Pretrial and Trial. Boulder, Colorado: National Institute for Trial Advocacy.



Select one option from below and complete the discussion question.

A. Discuss/describe the port scanning and/or enumeration techniques (attacks) not covered in Module 2. How can the attacks you have described be detected and prevented?
B. Enhance and elaborate on the port scanning and/or enumeration techniques (attacks) covered in Module 2. Share any additional thoughts you may have on them and explain how they can be detected and/or prevented.

B. Enhance and elaborate on the port scanning and/or enumeration techniques (attacks) covered in Module 2. Share any additional thoughts you may have on them and explain how they can be detected and/or prevented.
In last week’s module, titled The Preattack Phases, several methods were discussed regarding how Nmap scans a network to determine whether ports are open. One of the methods, known as the SYN stealth scan, involves sending a SYN packet to a host and then failing to respond to the host’s SYN/ACK. This scan is also known as a half-open scan and is considered stealthy because a connection is never established (UMUC, 2012). Since a connection never occurs, this type of scan is less likely to be logged and detected. The process of establishing half-open connections to detect open ports can also be used against a host to cause a Denial of Service (DoS). A SYN flood attack causes a DoS by flooding a network device with SYN requests and not responding to the host’s SYN/ACK responses. The objective for performing this type of DoS attack commonly involves extortion, espionage, or protesting (Damballa, 2011). According to Prolexic’s Quarterly Global DDoS Attack Report (2013), SYN floods comprise approximately one-third of all reported DoS attacks. This level of SYN flood attacks represents the highest volume for any single attack type since Prolexic began publishing its Quarterly Report.
Denial of service attacks such as SYN floods are a common disruptive technique that many organizations experience today. The organizations that are affected by these types of attacks vary across a spectrum of industries that include financial, retail, healthcare, and media. The following actions are some countermeasures that organizations can employ to mitigate this type of attack:


Decrease the connection-established timeout period
Increase the size of the connection queue in the IP stack
Install vendor-specific patches, where available, to deal with SYN attacks
Employ a network-based IDS to watch for this type of activity
Install a firewall to watch for these types of attacks and alert the administrator to cut off the connection (Harris, 2008, p. 1012).
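An added detection sketch, not from the original post or from Harris (2008): it tracks TCP handshakes that never complete over constructed packet records and flags both behaviours described above, a half-open scan spread across many ports of one host and a SYN flood piling half-open connections onto one service. The record layout, the flag strings and the thresholds are assumptions.

```python
"""Half-open handshake tracker (added example; record format is assumed).
A record is (time_s, src, sport, dst, dport, flags) with flags "S" for a
client SYN, "SA" for the server's SYN/ACK and "A" for the client's final ACK."""
from collections import defaultdict

def constructed_capture():
    """Constructed sample: one completed handshake, one half-open scan, one flood."""
    pkts = [(0.0, "10.0.0.5", 40000, "10.0.0.80", 80, "S"),
            (0.1, "10.0.0.80", 80, "10.0.0.5", 40000, "SA"),
            (0.2, "10.0.0.5", 40000, "10.0.0.80", 80, "A")]
    for i, port in enumerate(range(20, 32)):          # 12 ports, SYN only
        pkts.append((1.0 + i * 0.01, "10.0.0.9", 50000 + i, "10.0.0.80", port, "S"))
    for i in range(30):                                # 30 SYNs to one service
        pkts.append((2.0 + i * 0.001, f"198.51.100.{i}", 1024 + i, "10.0.0.80", 443, "S"))
    return pkts

def half_open(packets, now, timeout=3.0):
    """Return (src, sport, dst, dport) keys whose SYN was never followed by the
    client's ACK within `timeout` seconds of `now` (the observation time)."""
    pending = {}
    for t, src, sport, dst, dport, flags in sorted(packets):
        key = (src, sport, dst, dport)
        if flags == "S":
            pending[key] = t                           # handshake started
        elif "A" in flags and flags != "SA":
            pending.pop(key, None)                     # client completed it
    return {k for k, t in pending.items() if now - t >= timeout}

def classify(unfinished, scan_ports=10, flood_conns=20):
    """Label sources touching many ports as scanners and services with many
    stale half-open entries as flood victims; thresholds are assumptions."""
    by_src = defaultdict(set)
    by_service = defaultdict(int)
    for src, _, dst, dport in unfinished:
        by_src[src].add((dst, dport))
        by_service[(dst, dport)] += 1
    findings = []
    for src, targets in by_src.items():
        if len(targets) >= scan_ports:
            findings.append(("half-open scan", src, len(targets)))
    for (dst, dport), n in by_service.items():
        if n >= flood_conns:
            findings.append(("syn flood", f"{dst}:{dport}", n))
    return findings

if __name__ == "__main__":
    for finding in classify(half_open(constructed_capture(), now=10.0)):
        print(*finding)
```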
Damballa. (2011). Understanding the modern DDoS threat [White Paper]. Retrieved from


Harris, S. (2008). CISSP all-in-one exam guide (4th ed). New York, NY: McGraw-Hill.


Prolexic. (2013). Prolexic quarterly global DDoS attack report [Q2 2013]. Retrieved from


UMUC. (2012). Module 2: The preattack phases. Retrieved from

A. Discuss/describe one or more LAN based attacks (also known as layer 2 attacks or lower layer attacks) which are not covered in Module 3, or share any additional thoughts you may have on LAN based attacks covered in Module 3.
B. Discuss the security measures or methods used to prevent or mitigate the LAN based attacks you presented in Question A.

Local area network (LAN) based attacks can be divided into two arenas: wired and wireless network attacks. In addition to the LAN based attacks discussed in Module 3 (Media Access Control (MAC) and Address Resolution Protocol (ARP) attacks), other LAN based attacks on wired networks include content addressable memory (CAM) table exhaustion, dynamic host configuration protocol (DHCP) starvation attacks, and virtual LAN (VLAN) hopping (University of Maryland University College, 2012). Wireless LAN attacks include hidden node attacks, deauthentication (deauth) attacks, and fake access point (FakeAP) attacks. Since the world is constantly moving towards a more mobile infrastructure, discussion of wireless LAN based attacks seems appropriate.


Part A

FakeAP attacks spoof the 802.11 beacon frame advertising an access point. To begin with, the Institute of Electrical and Electronics Engineers (IEEE) 802.11 standard refers to the wireless local area network (WLAN) MAC and physical layer specifications (IEEE Standards Association, 2012). Beacons, in this setup, are designed to transmit the presence of an access point; the more beacons available, the more responsive the association and roaming process is (Geier, 2001). FakeAP attacks generate counterfeit access points by spoofing the beacon frame advertising an access point and exploit a network via the generated beacons (Oconnor, 2010).

There are at least two tools in use that exploit the 802.11 beacon, Black Alchemy and KaraMetaSploit. Black Alchemy generates thousands of counterfeit 802.11 access points, causing problems with wireless network mapping (Oconnor, 2010). KaraMetaSploit takes Black Alchemy many steps further by generating, advertising and integrating 802.11 beacons to launch automatic attacks against an unsuspecting user (Oconnor, 2010). Like ARP, beacons have no way to check an identity and distinguish real access points from fake ones, easily allowing an intruder to find and gain access to a network (Chomsiri, 2008).



Part B

Detecting the FakeAP tool is fairly simple. Intrusion detection and prevention systems (IDPS) can be designed around the anomalies these tools introduce: increased overhead, decreased throughput, and out-of-order timestamp data.

Since FakeAP attacks rely on increasing the number of beacons exponentially to make the association and roaming process very responsive, the network reacts by incurring additional overhead and using a great deal more power, thus decreasing throughput (Geier, 2001). This fluctuation in power and throughput is easily detectable. Moreover, because beacons must use the 802.11 carrier sense multiple access/collision avoidance (CSMA/CA) algorithm, the source of the fluctuation can also be pinpointed (Geier, 2001).

Additionally, since time is a linear factor, random timestamps are another easily detectable error in the FakeAP tools. A real access point’s beacon timestamps grow incrementally, and clients use them to sync with the access point; FakeAP tools, however, spoof random timestamp information (Oconnor, 2010). This randomization is also easily detectable. As both tools are easily identifiable when in use, an IDPS is able to alert on and prevent these actions from continuing.
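An added detection sketch, not from the original post or from Oconnor (2010), that applies the two indicators above to constructed beacon records: a real access point’s 64-bit beacon Timestamp (its TSF counter, in microseconds) advances in step with capture time, whereas spoofed beacons carry random values, and a burst of never-before-seen BSSIDs in one short window points at a counterfeit-AP generator. The record layout, the tolerance and the burst limit are assumptions.

```python
"""Beacon anomaly detector (added example; record format is assumed).
A record is (capture_time_s, bssid, tsf_us): when the beacon was captured,
the advertised BSSID, and the beacon's Timestamp field in microseconds."""
import random
from collections import defaultdict

def constructed_beacons():
    """Constructed sample: one real AP at a 100 ms beacon interval, then 50
    bogus BSSIDs that each send three beacons with random timestamps."""
    rng = random.Random(7)                        # fixed seed: reproducible
    recs = [(i * 0.1, "00:11:22:33:44:55", 5_000_000 + i * 100_000) for i in range(20)]
    for i in range(50):
        bssid = f"02:00:00:00:00:{i:02x}"
        for k in range(3):
            recs.append((1.0 + i * 0.02 + k * 0.005, bssid, rng.randrange(2 ** 40)))
    return recs

def tsf_anomalies(beacons, tolerance=0.5):
    """BSSIDs whose Timestamp goes backwards, or whose advance disagrees with
    the capture-time gap by more than `tolerance` (a fraction of that gap)."""
    prev = {}                                     # bssid -> (time, tsf)
    flagged = set()
    for t, bssid, tsf in sorted(beacons):
        if bssid in prev:
            pt, ptsf = prev[bssid]
            expected = (t - pt) * 1_000_000       # seconds -> microseconds
            if tsf <= ptsf or abs((tsf - ptsf) - expected) > tolerance * expected:
                flagged.add(bssid)
        prev[bssid] = (t, tsf)
    return flagged

def new_bssid_bursts(beacons, window_s=1.0, limit=20):
    """Windows (index = floor(time / window_s)) in which more than `limit`
    previously unseen BSSIDs appeared for the first time."""
    first_seen = {}
    for t, bssid, _ in sorted(beacons):
        first_seen.setdefault(bssid, t)
    per_window = defaultdict(int)
    for t in first_seen.values():
        per_window[int(t // window_s)] += 1
    return {w: n for w, n in per_window.items() if n > limit}

if __name__ == "__main__":
    recs = constructed_beacons()
    print("random-timestamp BSSIDs:", len(tsf_anomalies(recs)))
    print("new-BSSID bursts:", new_bssid_bursts(recs))
```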




Chomsiri, T. (2008). Sniffing packets on LAN without ARP spoofing. Retrieved from:

Geier, J. (2001). 802.11 Beacons Revealed. Retrieved from

IEEE Standards Association. (2012). IEEE 802.11. Retrieved from:

Oconnor, T. (2010). Detecting and responding to data link layer attacks. Retrieved from the SANS Institute InfoSec Reading Room:

University of Maryland University College. (2012). Switching and routing vulnerabilities, CSEC 640 – Module 3. Retrieved from


