Can encryption or password protection be deciphered or bypassed?
Often yes. Many programs employ encryption algorithms or password protection schemes that can be bypassed using specialized software or analysis techniques. Even data protected by very strong cryptographic algorithms may be accessed by exploiting weak user passwords or programming faults.
How Much Does a Computer Forensic Analysis Cost?
Unfortunately, it is not possible to accurately estimate total project costs upfront. There are too many unknown technical variables and subsequent analysis options to consider prior to collection and preliminary analysis. That said, Binary Intelligence is committed to providing the best possible service in the most cost-effective manner practical. From the first call through final resolution, our specialists work closely with each client to ensure they have the information necessary to prioritize analysis tasks and weight costs against benefits at each step.
The table below provides general pricing statistics for common engagements. Due to vast differences in capabilities and equipment among forensic practitioners, these numbers offer a better basis for comparison than hourly rates (see article on choosing a digital forensics vendor). Keep in mind that each situation is unique, some cases progress further than others and individual clients have differing requirements in regards to project objectives and deliverables.
General Time and Cost Guidelines for Common Computer Forensic Projects
(approximately 80% of cases fall within these ranges)
Forensic analysis of single computer/media**
8 to 32 hours
$2,000 – $8,000
Forensic analysis of standard cellular phone/media
2 to 8 hours
$500 – $2,000
Forensic analysis of Smartphone/media
4 to 24 hours
$1,000 – $6,000
Forensic analysis of digital camera/media
2 to 12 hours
$500 – $3,000
File or Document analysis/MetaData extraction
1 to 3 hours
$250 – $750
Email message review/tracing
1 to 6 hours
$250 – $1,500
Large Projects and electronic discovery
**Economies of scale do apply to computer forensic investigations. Analysis of additional computers/media associated with the same case only moderately increases time/cost expenditures.
The Binary Intelligence Approach to Expense Management
We understand that while our clients come to us when they need answers, they also have a strong desire to control costs and stay within budget. We also know that when dealing with situations involving digital evidence, the potential costs of inaction (or improper actions) can have catastrophic consequences. Our evaluation process allows clients to forensically preserve computer evidence and obtain legally sound answers while only incurring expenses for services they appraise as a net benefit.
The Binary Intelligence Computer Forensic Evaluation Process
- Call us at 1-866-246-2794 for an initial discussion and case assessment. Given accurate upfront information, we are able to prepare reliable cost estimates for digital evidence collection through completion of a preliminary examination.
- Once authorized to begin work, our computer forensic experts will collect and preserve identified electronic evidence repositories in a forensically sound manner. This typically involves the creation of physical device and/or logical file level forensic images.
- Sufficient preliminary analyses will be performed to thoroughly evaluate and quantify any relevant digital evidence that may exist on the acquired subject media.
- Following the preliminary forensic analysis, a digital evidence specialist will advise the client on the degree and availability of pertinent evidence. Potential “next step” recommendations will be offered.
- If additional actions are warranted and requested by the client, time and cost estimates for the additional detailed analyses and/or reporting will be provided.
Our preliminary examination often provides sufficient data to compel settlement in litigation or, in the case of corporate/domestic engagements, to allow decision makers to act. Since the evidence has already been preserved, we can always perform more detailed analyses and produce expert reports at a later time should the need arise.Go To Top
How do we know if a computer forensic vendor is really qualified?
Computer forensics is clearly the vogue business to be in among Information Technology professionals these days. Information security consultants, data recovery labs and even some computer repair shops are now offering “Computer Forensic” services. Unfortunately for consumers, some basic software, a vendor certification and flashy title does not guarantee competency – let alone expertise. In a marketplace inundated with self-proclaimed “experts”, consumers must exorcise caution when selecting a computer forensic services vendor.
In order to ensure they receive professional forensic services, consumers should carefully review the Curriculum Vitae and equipment resources of each perspective expert. Key areas to scrutinize include technical acumen, industry experience, certifications held, training received, equipment utilized, ethical standards and professional associations. Genuine experts will be more than happy to explain their credentials, provide supporting documentation and itemize equipment at their disposal. The following questions will help differentiate true digital evidence specialists from amateurs and neophytes:
- What is the experience level of the forensic computer examiner or investigator? How long have they been in the industry? How many and what type of cases have they worked?
- What is the primary business of the firm or examiner? Do they deal with digital evidence on a full-time or part-time basis?
- What relevant education and training does the individual possess? Was the training provided by respected vendors or organizations? How current is their training?
- Will the collection and/or analysis occur in a state that regulates computer forensic services? Is the examiner and/or firm licensed to collect and investigate digital evidence in that jurisdiction? Are they insured? What are the consequences of unlawful collection?
- Does the individual hold any professional certifications directly relevant to his or her area of expertise? Does the person hold any peripheral certifications that are indirectly related? Are they vendor specific or vendor neutral? Do they require continuing education and/or periodic competency assessments?
- Is the individual affiliated with any professional organizations? What technical resources, networking opportunities and/or a knowledge base do they provide to their membership? Do they endorse and uphold a code of ethics? Does the individual actively contribute to the organization?
- Has the examiner provided courtroom testimony? Have they ever been admitted as an expert by the court? Have they ever failed to qualify as an expert?
- Is the individual versed in proper evidence handling procedures? Do they employ formal documentation procedures when collecting evidence? Do they maintain accurate chain-of-custody records?
- Is the examiner really committed to ethical analysis and reporting practices? Do they author thorough, objective and factual reports or are they willing to employ “smoke and mirror” tactics?
- Does the vendor utilize multiple industry accepted forensic hardware and software technologies or are they limited to one or two basic tools? Do they own the tools? Does the individual regularly test and verify the functionality of his or her utilities?
- Are methodologies and processes employed by the practitioner forensically sound? Are they commonly accepted in the industry and courts?
Pricing is certainly another important consideration when choosing a vendor for digital forensic services; however, keep in mind that hourly rates are a very poor basis for cost comparison. This is because the quality of forensic equipment and technical resources available to an examiner substantially influence project time requirements. When comparing fees, it is more appropriate to evaluate vendor cost management processes and historical expenditure data from similar engagements.Go To Top
What types of digital media and devices can be forensically analyzed?
Any disk, device, cartridge, or system that has the capability of storing digital data. The majority of computer forensic examinations are performed on hard disk drives and removable storage media; however, any of the various alternative storage mediums are also subject to analysis. These include thumb drives, optical disks (CD/DVD variants), flash memory modules, solid state devices, and magnetic tapes. Additionally, data can be retrieved from several consumer devices such as digital cameras, mobile phones, MP3 players, DVR’s, PDA’s, GPS units, and gaming consoles. New storage devices and media are constantly being developed. A general rule of thumb is, if a computer can read from, store to, or interact with an object then forensic analysis is possible.
Does Ohio regulate computer forensic examiners and high-tech investigators?
Yes. Many states, including Ohio, regulate the the collection and investigation of computer evidence. In order to ensure that recovered evidence and testimony is admissible in court, you should make sure that you contract with a service provider that is licensed by the Homeland Security Division of the Ohio Department of Public Safety.
As defined in ORC Section 4749.01(B)(1), licensure is required for the conducting, for hire, in person or through a partner or employees, of any investigation relevant to any crime or wrong done or threatened, or to obtain information on the identity, habits, conduct, movements, whereabouts, affiliations, transactions, reputation, credibility, or character of any person, or to locate and recover lost or stolen property, or to determine the cause of or responsibility for any libel or slander, or any fire, accident, or damage to property, or to secure evidence for use in any legislative, administrative, or judicial investigation or proceeding.
Binary Intelligence is fully licensed and insured. Our Ohio license number is 2003005424.
Why not just let our IT staff examine the computer evidence?
Because computer forensics is a highly specialized discipline that requires training and experience to master. There are many legal standards that must be met and improper handling by untrained personnel may render any recovered evidence inadmissible. Often, unqualified examiners unwittingly destroy or alter electronic evidence. This reduces the probability of recovering relevant data and can have serious consequences during litigation.
The authenticity of computer evidence and the reliability of techniques used by the examiner may be subject to challenge.The forensic expert must be prepared to testify to the validity of programs and procedures utilized in the collection and examination of the computer evidence. Some factors to consider include:
- whether the employed technique or theory has been or can be tested
- whether the technique or theory has been subjected to peer review and publication
- whether, concerning a particular technique, there is a high known or potential rate of error
- whether standards controlling the techniques exist and are maintained
- whether the technique or theory is generally accepted by the relevant scientific community
If you are considering using an internal employee or an existing technology provider, be wary of the risks and consider the following questions. Does this individual possess the proper hardware and software to properly process electronic evidence? Can this individual qualify in court as an expert in computer forensic science? Can the individual defend his or her methodology? Does the state require licensing and, if so, is the individual or company licensed to collect and investigate digital evidence?
Often computer media is sent to a forensic expert for analysis after a company’s computer personnel have already attempted to process it for evidence. In most cases, they have unintentionally altered key evidentiary items, changed file attributes, and greatly diminished the potential of the ensuing expert forensic examination. These second-hand examinations are far more time-consuming (and costly) because the qualified examiner must identify and separate the actions of the untrained inspector.
- Computer Forensics
- Cell Phone Forensics
- JTAG & Chip-Off Forensics
- Digital Investigations
- About Us
- Contact Us