Practical Digital Forensics

By: Richard Boddington

Overview of this book

Digital forensics is a methodology that draws on various tools, techniques, and programming languages. This book will get you started with digital forensics and then move on to preparing an investigation plan and a toolkit for the investigation. In this book you will explore new and promising forensic processes and tools based on "disruptive technology" that offer experienced and budding practitioners the means to regain control of their caseloads. During the course of the book, you will get to know the technical side of digital forensics and the various tools needed to perform it. The book begins with a quick insight into the nature of digital evidence, where it is located, and how it can be recovered and forensically examined to assist investigators. It then takes you through a series of chapters that look at the nature and circumstances of digital forensic examinations and explain the processes of evidence recovery and preservation from a range of digital devices, including mobile phones and other media. A range of case studies and simulations will allow you to apply the theory you have gained to real-life situations. By the end of this book you will have gained a sound insight into digital forensics and its key components.

The role of digital forensic practitioners and the challenges they face

Forensic practitioners not only recover and analyze evidence, but they also present and interpret its meaning to investigators, lawyers, and, ultimately, to the jury. Being a sound analyst is of course a fundamental requirement but practitioners must also be able to communicate with clarity their findings and professional opinion to the layperson. Evidence is blind and cannot speak for itself, so it needs an interpreter to explain what it does or might mean and why it is important to the case, among other things. I spend much time on casework explaining technical matters to the legal teams and juries to ensure that they have a clear understanding of the evidence—a rewarding task when the penny eventually drops!

The unique privilege of providing expert evidence and opinion

Under normal circumstances, hearsay evidence is not permitted in courts, and the opinion of witnesses is distinctly prohibited. Expert witnesses and scientific experts, however, may provide opinion based on their extensive practice and research, provided it is restricted to the evidence presented. These privileged witnesses may share with the court any inferences they have made from the evidence they have observed, provided that it is within their sphere of expertise.

Forensic experts are expected to provide information that may help the court form its conclusion, and the expert's subjective opinion may be included. However, it is the court's obligation to form its own opinion or conclusion as to the guilt or innocence of the defendant based on the testimony provided. The forensic practitioner, when acting as a forensic expert, should do no more than provide scientific opinion about the information to help the court form judgmental opinions.

Experts must avoid providing final opinions themselves, since expert knowledge is sometimes not completely certain. Across a range of legal jurisdictions, courts expect forensic practitioners to possess a sound understanding of computer technology for their testimony to have any credibility.

The United Kingdom's Civil Procedure Rules (1998) require compliance by all expert witnesses, and Part 35 stipulates that the expert (practitioner) has an overriding duty to help the court and maintain strict impartiality and not to support the engaging party. The rules stipulate that:

  • The facts used in the expert's report must be true

  • The expert's opinions must be reasonable and based on current experience of the problem in question

  • When there is a range of reasonable opinion, the expert is obligated to consider the extent of that range in the report and to acknowledge any matters that might adversely affect the validity of the opinion provided

  • The expert is obligated to indicate the sources of all the information provided and not to include or exclude anything that has been suggested by others (particularly the instructing lawyers) without forming an independent view

  • The expert must make it clear that the opinions expressed represent the practitioner's true and complete professional opinion

In 2008, the Council for the Regulation of Forensic Practitioners reiterated these stipulations and added further conditions expected of practitioners (Carroll and Notley 2005):

  • They must disclose all material they have had access to

  • They must express their range of opinion on the matter in question

  • They must explain why they prefer their view to a different view

  • They must provide the evidence based on which their opinion is offered

  • They must not give evidence outside their field of expertise

The United Kingdom's guidance booklet for experts, Disclosure: Experts' Evidence, Case Management and Unused Material, published in 2010 by the Crown Prosecution Service, emphasized the need for practitioners to ensure that due regard be given to any information that points away from, as well as toward, the defendant. The booklet stresses that practitioners must not give expert opinion beyond their area of expertise. The booklet also addresses the independence of the practitioner as well as reiterating the requirement to examine and share exculpatory evidence with the court and other parties.

Case prosecutors in the USA are required to disclose materials in their possession to the defense based on the Brady Rule (Brady versus Maryland, 1963). Under the Brady Rule, the prosecutor is required to disclose any evidence to the defense, including any evidence favorable to the accused (exculpatory evidence), notably "evidence that goes toward negating a defendant's guilt, that would reduce a defendant's potential sentence, or evidence going to the credibility of a witness."

If it were shown that the prosecution failed to disclose such exculpatory evidence under this rule, and prejudice ensued as a result, the evidence would be rejected and suppressed by the court, irrespective of whether the prosecution knew the evidence was in its possession or whether the withholding of the evidence was intentional or inadvertent. However, the defendant would have to prove that the undisclosed evidence was material and show that there was a reasonable prospect that there would be a difference in the outcome of the trial if the prosecutor had shared the evidence.

This is something the digital forensic practitioner must constantly be aware of and comply with during case examination and evidence presentation. Known factors detrimental to the disclosure of digital evidence include the knowledge of exculpatory evidence that would challenge the evidence of an inculpatory or incriminating nature. Practitioners may be employed by the prosecution or defense, but ultimately, they have an overriding duty to the courts to present all relevant facts for or against their clients. It may be a poor legal strategy to disclose information that hurts your own case, but the courts do expect an open and honest exchange of evidence between the parties involved.

Experts must resist common pressure from courts to provide opinion on the probability of guilt or innocence and persist with the contention that their statements of opinion cannot substitute the opinions of the courts. It is common knowledge that jurors tend to be influenced by practitioners who exude confidence but whose testimony is sometimes biased and mistaken.

There is compelling reasoning to support an evidence-led approach to forensics and investigation. A suspect-led approach is judgmental and often biased to the detriment of those being investigated. Experienced investigators will let the evidence lead and will not allow a preoccupation with likely suspects to cloud the impartiality of an investigation or affect their judgement unreasonably. The same stratagem must apply to forensic examiners. If for no other reason than to identify the weaknesses in a case, the examiner should always adopt this approach. If the analysis is flawed and reckless, it hardly serves the cause of justice. Kaptein (2009, p. 3) attributes the following statement to United States Supreme Court Associate Justice A. Scalia in the Herrera versus Collins case (506 US 390, 1993): "Mere factual innocence is no reason not to carry out a death sentence properly reached."

However, the late Judge Scalia has been somewhat misquoted here, and I urge you to find out more about the meaning behind the statement attributed to him, as provided at the following website:

http://news.lawreader.com/2008/08/30/barry-miller-widely-published-scalia-quote-re-innocense-is-inaccurate-we-have-to-agree/.

Issues faced by practitioners due to inadequate forensics processes

On commencement of an examination, practitioners are usually confronted with determining the type of acquisition processes required, then locating the data required to complete the examination, and, most importantly, selecting the appropriate evidence analysis process. Careful planning of the examination is not always supported by existing processes and certainly not for practitioners faced with unfamiliar case types or unusually complex, large-scale cases. In such circumstances, practitioners need to be provided with the correct balance of case background information to assist them with filtering voluminous case information, which may otherwise prove overwhelming.

The examination of larger datasets may make it difficult to characterize the evidence of a crime and clearly define the scope and goals in the absence of tools, standards, or structured support processes. Regrettably, current forensic tools often fail to provide adequate investigatory support to practitioners and may be described as first-generation tools that incorporate no decision support to aid the practitioner.

As early as 2001, the Digital Forensics Research Workshop (DFRWS) observed that practitioners were struggling to understand the daily challenges and dilemmas they faced, notably missing or unconsidered steps in the investigative approach compared to the proven investigative processes existing in more traditional forensic disciplines. The rapid pace of technological advancement, together with the changeability of software applications and hardware, has in effect compounded the challenges practitioners face.

The procedural inadequacies of digital forensics, in which practitioners were required to collect unprecedentedly large volumes of data in support of investigations, were further hampered by non-standardized analytical procedures and protocols lacking standard terminology. It was apparent then, and remains so to this day, that forensic tools need to be more carefully crafted to fit analysis processes. Tools designed this way would meet the needs of the practitioner by providing friendlier user interfaces, addressing the problem of training and enhancing practitioner experience.

Better forensics processes were identified early on by researchers as urgently in need of being tested and put through trials in order to overcome the deficiencies in existing practitioner skill levels. Many researchers predicted this would inevitably become increasingly problematic. Their prediction was evidently well founded, as this now appears to be the norm.

Chapter 5, The Need for Enhanced Forensic Tools, emphasizes the redundancy of conventional forensic imaging and the indexing of increasingly larger datasets, and introduces new forensic processes and tools.

Inferior forensics tools confronting practitioners

Expert witnesses are often challenged by the opposing legal team and their expert, and this is very true in cases where digital evidence is being tendered. US courts are especially sensitive to expert testimony relating to digital evidence, and the much-publicized 1993 legal case between Daubert and Merrell Dow Pharmaceuticals set a precedent for forensic practitioners and the processes and tools they use to recover evidence. The ruling has set a standard of expectation in US courts based on case law in which the initial ruling held sway. The Daubert Standard, which replaced earlier case law, requires practitioners to establish their personal expert qualifications and to validate the reliability and accuracy of the forensic processes and tools they use in recovering evidence.

Digital forensics tools are typically produced to obtain the "lowest-hanging fruit." In other words, they tend to encourage practitioners to look for the evidence that is easiest to identify and recover. Often, these tools do not have the capability to look for or even recognize other less obvious evidence. This issue is described in more detail in Chapter 5, The Need for Enhanced Forensic Tools.

Forensics software certification to confirm forensic soundness is not widely and formally tested. Vendor hype and practitioner willingness to accept untested, open source, and non-validated tools have created a miasma that the legal fraternity should, but cannot usually, see through. Researchers have advocated a structure to measure whether digital evidence meets specific criteria to address the need, applicability, and admissibility of digital forensics practitioners in a given situation, such as the one in the United States based on the Frye test, now replaced by the Daubert Standard.

The inadequate protection of digital information confronting practitioners

Forensic practitioners are often confronted with the inefficacy of conventional security processes embedded in computers and networks designed to preserve documents and network functionality; they aren't specifically designed to enhance digital evidence recovery. However, these processes can help in the identification of potential evidence and event reconstruction.

A common difficulty encountered by practitioners is a requirement to provide expert testimony verifying whether, for example, network systems provide and have maintained sound protection of the stored data. The vendor hype used to secure the sale of a network system does not always translate into reassurance as to the accuracy and completeness of its data stores. Vendors often do not provide sufficient information about the ability of the software and networks to protect the integrity of data. Consequently, practitioners are unable to validate the devices to the extent that the validation could survive legal challenge.

Because of the great number of inherent, technical complexities, it is often impractical for practitioners to determine fully the reliability of computer devices or network systems and provide assurances to the court about the soundness of the processes involved. An ordered process would be helpful for practitioners to ensure that no parts of the examination process were overlooked or were repetitive, thereby ensuring efficacious examinations through time saving and completeness.

The tedium of forensic analysis

During examinations, the practitioner may revisit portions of the evidence to determine its validity, which may require new lines of investigation and further verification of other evidence as circumstances dictate. It is often a tedious process, and frequently, an inordinate amount of time and resources is required to collect and analyze digital evidence. The sheer volume of the cases and the time required for investigation can negate the efficacy of practitioners to reconstruct and provide an accurate interpretation of the evidence.

However, from a pragmatic perspective, the amount of time and effort involved in the digital forensic process should pass the acceptable "reasonableness test", meaning that all possible effort shouldn't be put into finding all conceivable trace evidence and then seizing and analyzing it. This is becoming especially challenging for practitioners as the volume of data to be analyzed becomes enormous and crosses many networks. In my casework, it is evident that in practice a gap exists between what is theoretically possible and what is necessary to complete an examination. While in theory there may be a desire to complete analysis of every byte of data, there is rarely any justification for doing so.

Qualities of the digital forensic practitioner

Digital forensics, also known as cyber forensics and computer forensics, is generally considered to consist of three roles in one: that of a cyber analyst familiar with the working of computer devices and networks, a detective with knowledge of investigating crime, and a lawyer with a sound understanding of the law and court procedures.

There is a growing cottage industry of self-proclaimed cyber forensic experts as well as a tendency toward mediocrity in the industry. Self-qualified "experts" bamboozle the legal system and are not always challenged, and the truth of their evidence is seldom sought. However, there are basic standards of practitioner professionalism and experience required by computer and information security bodies, the courts, governments, and corporations.

Forensic practitioners involved in the examination of digital crime scenes must assume command of the situation and identify all relevant digital evidence, which must be collated and compiled into a professional report for presentation to the lawyers and ultimately the courts. To satisfy a court of law, it is most important that a digital forensic examination be legally well founded as well as convincing in the everyday sense. The practitioner must use sound and well-established processes for recovering data from computer storage media, together with processes that validate its accuracy and reliability.

Determining practitioner prerequisites

I am often asked by tertiary students wishing to enter the profession what skills and experience are required to get a head start. Well, saying you like reading books really does not mean you are suited to being a librarian and have all the considerable skills that librarianship entails. So it is with any profession. It really is important to pursue in life what really interests you rather than a passing fancy. What forensic team leaders look for in someone entering the profession without any forensic experience is a real desire to engage with the discipline. An interest in information technology through work or study and holding an information technology tertiary qualification or a BSc in ICT would certainly stand a prospective candidate in good stead.

A law enforcement officer seeking to specialize in a forensic discipline would be expected to have investigative skills and case experience; an understanding of the law would obviously be advantageous. As such, they would have much to bring to the role if they could also demonstrate some proficiency in and knowledge of computer systems.

It must be stressed that forensic examiner and investigator are interchangeable roles, and they are often combined. Many practitioners will undertake forensic training courses and forensic tool competency training. Others will also publish blogs and even journal papers reflecting their research and involvement in important forensic matters.

Undergraduate courses, typically a three-year course of study, usually include some digital forensics but are predominantly oriented toward computer science and information security. Postgraduate diplomas and certificates based on theory and practical casework offer an effective entrée to the profession. They are cheaper, shorter in duration, and can be offered to graduates and those in law enforcement and investigation professions possessing the basic skills required to gain a position. The procurement of these certifications, provided they are based on sound theory and practical components, is highly recommended. Masters courses in digital forensics are another option but costlier and longer in duration.

I am currently preparing a four-unit graduate certificate course in digital forensics that includes e-discovery and multimedia forensics and can be completed online using virtual crime simulations. The certificate can be a foundation for a graduate diploma and masters in digital forensics. The offering is directed at law enforcement officers and Information and Communications Technology (ICT) graduates wishing to join the discipline and seek some basic theoretical and practical qualifications.

Some of my ablest students entered the profession lacking in field experience, but from the outset, their keen interest in digital forensics, competency in IT studies, and sound results in the experiential forensic training they completed made up for it to some extent. It gave them a solid foundation and cemented their interest in the discipline.