June 12, 2015
The Art of Estimation (in Digital Forensics)
In business, there are definite priorities. Priorities are often driven by cost, time and
available resources, regardless of the line of business in which you
operate. Digital forensics is definitely
a niche business. Many of our clients
are litigators & investigators who are retained by clients during some sort
of dispute, part of which may be settled through the proper acquisition and
analysis of digital evidence.
Regardless, they almost always want to know the two factors that affect
nearly every business decision:
1) How much does it cost?
And
2) How long will it take?
While these questions may seem simple to answer, in a
digital forensic case, they are often affected by a number of variables. Some of these variables can be anticipated,
but many of them cannot. It’s because of
these variables that many in the legal services field (including us) are
starting to transition to a flat fee-based system of providing estimates. While we currently only incorporate this
system for mobile devices, we’ve found it helps our clients make informed,
definite decisions about which direction they’d like to proceed after
presenting the initial facts of the case.
Mobile device acquisition and analysis is a big part of our service
offering, but the variables encountered in computer forensic analysis (e.g.,
desktop, laptop, portable hard drives, etc.) can be even trickier.
The problem with providing a decent estimate on computer
forensic cases comes down to simple math.
If an acquisition and analysis on a mobile device that stores 32 Gb
worth of data takes X amount of time, think about how much time it takes to
examine a computer hard drive of 1Tb or more.
This is the problem with big data from a forensic perspective. Most people really don’t have a firm grasp on
how much data can be stored on a 32 Gb mobile device, let alone a 1Tb hard
drive or larger. The sheer volume of
data that exists on media with this high capacity is astonishing. Factor into it that your case may involve
video or other multimedia files which take longer to process and view and the
clock just keeps ticking up on your case.
Through years of case work in both the private and
governmental sectors, we’ve learned to try to drill down to exactly what is
relevant to the case to mitigate the length of these examinations to a
degree. However, as in police work when
a detective hands a forensic examiner a computer and says “find me whatever you
can”, clients will sometimes retain our services for what we term as an “open-ended”
investigation. These types of cases can
often cost clients thousands of dollars, so when we’re asked to give an
estimate on them, we’re obligated to estimate on the high range. It’s always better to estimate high and bill
low than vice-versa.
Unfortunately, those variables that are unforeseen are the
real bugaboo. As a matter of practice,
we generally incorporate these into our estimates, but as Murphy’s law has it,
there’s always something that can go wrong and at the wrong time. Ethical business practices dictate that we
stick to our estimates and “eat” the extra time it takes to get the work done,
but those instances factor into our next estimate for subsequent clients as
well.
Then there are the cases when we have to give a WAG estimate –
a Wild Ass Guess. And while the WAG is a
humorous term for it, we still try to incorporate experience along with
case-specific information from the client to come up with a decent
estimate. But the WAG estimates are
those in which the perfect storm of absence of information exists: An
open-ended request with moderate to big data size and little information provided
by the client. Estimates like this can
be hard to swallow, but we try to be consistent and reasonable.
So how do you mitigate all of these factors? When you call a digital forensic consultant
with a request, have as much case-specific information as possible. Know what you’re looking for and where it may
be located. Be open and honest. We adhere to strict confidentiality in all
cases and trust me, we’ve seen and heard it before, so your case isn’t any more
shocking than anything else we’ve seen.
Understand that these things take time.
Often during an examination, we find something we’ve not encountered
before, which takes research and documentation.
For example, if you are investigating a financial case and there is the
potential for valuable data to reside within a specific bookkeeping program
(e.g., Quicken), we may need to research the file format(s) incorporated by
that program and any encryption, data protection or other considerations with
regard to those files. We’ve seen a lot,
but we haven’t seen it all (yet).
The bottom line: If we can get as much information as
possible about your case BEFORE you retain us, we can provide
a more accurate estimate of how much your case may cost and avoid the WAG
estimates. The data we find may help
settle your case much, much faster than it would have been without the data
analysis, therefore saving you more money in the long run. That alone is worth the investment in a
digital forensic expert.
Author:
Patrick J. Siewert, SCERS, BCERT, LCE
Principal Consultant
Professional Digital Forensic Consulting, LLC
Based in Richmond, Virginia
Available Globally
About the Author:
Patrick Siewert is the Principal
Consultant of Pro Digital Forensic Consulting, based in Richmond, Virginia. In 15 years of law enforcement, he
investigated hundreds of high-tech crimes, incorporating digital forensics into
the investigations, and was responsible for investigating some of the highest
jury and plea bargain child exploitation cases in Virginia court history. A graduate of both SCERS and BCERT (among
others), Siewert continues to hone his digital forensic expertise in the
private sector while growing his consulting business marketed toward
litigators, professional investigators and corporations.
Twitter: @ProDigital4n6