Why is testifying and/or writing a report such a critical part of the computer forensics experts job

Why is testifying and/or writing a report such a critical part of the computer forensics experts job?

In your opinion, which one is more important testifying or writing a report?

The most critical part of the computer forensics expert’s job is the writing of the report that will be used in a court of law. Performing their job successfully a digital forensic examiner œmust write forensic reports that are both technically accurate and easy to read. A great investigation can be rendered largely ineffective if the resulting report is poor (Maher, 2004). The expert who does testify using the original examiner’s report needs to have a document that they can stand up during a cross examination (Nelson, Philips, & Steuart, 2010). The testimony of a digital forensic expert is another critical part of their job. The expert presents the evaluation of the evidence reports to the court and substantiates that the facts through their experience and position as an expert witness are correct. The forensic expert must prepare for testifying by creating additional exhibits for the court; œthe single most important function of the expert is the development of graphics and exhibits for presentation of technical subjects to lay individuals (Burrows, 2011).



The reason that I feel that the report and not the testifying is the most important part of a digital forensic expert’s job is because œthe time taken to present any incriminating evidence in a court of law is as many as three to five years and sometimes even longer (UMUC Mod4, 2011). The fact that the original examiner may not be around to testify demonstrates the importance of the investigative report. Having a standard process for writing a digital forensic technical report is important as it ensures a repeatable consistent report by the forensic analyst; which is important because œa report that is disorganized and poorly written may actually hinder their case (Maher, 2004).

Burrows, R. (2011). Judicial Confusion and the Digital Drug Dog Sniff: Programatic Solutions Permitting Warrantless Hashing of Known Illegal Files. George Mason Law Review, 19(1), 255-290.

Maher, M. (2004, August 9). Becoming a Forensic Investigator. Retrieved March 3, 2014, from SANS Institute: InfoSec Reading Room: https://www.sans.org/reading-room/whitepapers/forensics/forensic-investigator-1453

Nelson, B., Philips, A., & Steuart, C. (2010). Expert Testimony in High-Tech Investigations. In B. Nelson, A. Philips, & C. Steuart, Guide to Computer Forensics and Investigations (Fourth ed., pp. 541-574). Boston, MA: Course Technology.

UMUC Mod4. (2011). CSEC 650 Module 4: Data Acquisition and Analysis. Retrieved February 3, 2014, from UMUC Cybercrime Investigation and Digital Forensics: http://tychousa11.umuc.edu

Provide two examples of how you could present a technical term to a nontechnical courtroom audience.

You may choose two different technical areas or provide two different examples for the same technical item.

Two examples of methods on how I could present a technical term to a nontechnical courtroom audience are the use of PowerPoint presentations and animated graphics. Today’s jurors are part of the digital age and nearly all have seen a PowerPoint presentation using technology; this familiarity with a PowerPoint presentation removes the distraction of being introduced to new technology and a new concept. Knowing the age group and general educational level of the audience helps when creating the presentation and the analogies used to express a technical concept. œExplain technical terminology by demonstrating what is meant using everyday examples (Olson, 2010). Email can be explained using the analogy of the US Postal Service in a PowerPoint or animation presentation to an audience by comparing the Email Server to the Post Office and the Client machines as the Postal Carrier delivering the mail to the user and showing the email going from the Server to the user’s computer screen. Using a laptop computer connected to a monitor displayed to the jury can show œillustrative aids by combining an exhibit with enhancements that make the content of the exhibit easier to understand or by producing bullet lists, charts, graphs, and diagrams (Siemer, 2001, p. 8).



Casey (2009) provides an example using the word œimage and how the term can be used by a forensic examiner, an IT manager, and a lawyer each with a different interpretation. One way to express the forensic examiner concept of the word œimage is through a PowerPoint presentation showing two disks with a line of ones and zeros from one disk marked as œOriginal and the other marked as œCopy A followed by a second slide showing both drives with an equal sign between them and the text œWhen you image a drive you are making an exact copy of the ones and zeros that make up the evidence. A technical term can be explained to a nontechnical courtroom audience through the use of illustrations and visual aids that bring the concept into their life experiences.

Casey, E. (2009). Handbook of Digital Forensics and Investigation. (E. Casey, Ed.) London, England: Elsevier Science, Kindle Edition.

Olson, B. A. (2010). Technology: Engage the Jury: Presenting Electronic and Computer Evidence at Trial. Wisconsin Lawyer, 83(2), 2029.

Siemer, D. C. (2001). Efective Use of Courtroom Technology: A Judge’s Guide to Pretrial and Trial. Boulder, Colorado: National Institute for Trial Advocacy.