How much does a digital forensic analysis typically cost?

In recent years due to advances in computer software and hardware, the cost has decreased significantly. The prices can range from £72 an hour to £200 an hour. The process involves three steps: Acquisition, Analysis, and Reporting. Acquisitions cost around £500.00 for the day dependant. Analysis and reporting, of course, depend on the nature of your case. In most instances, searching and reporting can be completed in less than 15 hours, and the total analysis is usually less than £2000.00 GBP.

The forensic image or copying process can be done outside of business hours and even remotely when the user is using their workstation without their knowledge. In some cases, the image can be made remotely.

What are common scenarios?

 

• Employee internet abuse
•Unauthorised disclosure of corporate information and data (accidental and intentional)
•Industrial espionage
•Damage assessment (following an incident)
•Criminal fraud and deception cases
•Protection, no contact or anti-harassment orders that either clearly express or that have incorporated by law that telephone, e-mail or other types of electronic communications are included.
•More general criminal cases where computers are alleged to be an instrumentality of crime and information is stored on computers that is evidence of crime(s) or potentially exculpatory evidence (many people store information on computers, intentionally or unwittingly).

What is Computer Forensics?

 

Computer forensics is considered to be the use of analytical and investigative techniques to identify, collect, examine and preserve digital information in a manner that allows it to be used as evidence.

 

I have an incident, what should I do?

Firstly if the device is switched on leave it on. The device may have remote access so unplug the network cable and stop any WIFI connection if possible. If the device is off, leave it off! If your staff haven’t been trained in Computer Forensics handling in evidence then they have probably not produce continuousious chain-of-custody or followed other accepted evidence techniques. If proper evidence handling techniques have been used, the collection process itself has most likely altered, and/or tainted, the data collected. By opening, printing, and saving files, the meta-data is irrevocably changed. The simple act of just turning on the computer changes caches, temporary files, and slack file space, which along with the alteration of the meta-data, may have seriously damaged or destroyed any evidence that was present. Call us for advice!

How does the digital forensic analysis work?

We typically produce a couple of copies of the forensic image. Then we extract registry data, recover deleted files and index the disk for instant keyword search from the copy. 100’s of artefacts such as chat, web and other history are parsed from the unallocated areas of the disk. A supertimeline is produced for analysis to ascertain key events in the history.

Document Metadata, what is it? How is it analysed?

Metadata is essentially data about data. For example imagine you create a word document. The external Created (or born on date) is thus created to what the system is set to. The ‘Author’ field is updated to the owner of the computer input. If the document is typed into and ‘Saved’ this will update the ‘Last Saved’ and ‘Last Modified’ dates. The system as a whole has to be analysed in order to establish the integrity of a file as these fields can be manipulated by a user. A search of the system can yield evidence of clock tampering, deleted versions of the file and file usage via link file analysis.

I have an Apple Mac system/phone, can these be analysed?

Yes, but beware. Some firms use investigators without formal MAC forensic training and experience. In doing this they may overlook MAC specific artefacts found in backups and other areas as they won’t be viewing the artefacts in their native format.

What about Blackberry’s, sat-navs, mobile phones, voice recorders and digital cameras?

Compute Forensics will analyse anything that holds digital information. Volatile and non-volatile memory can be collected from any device that holds it.

Do you accept instructions from private firms, corporate instructions or legally aided LSC work?

Yes, our Sweet & Maxwell vetted expert witnesses work on private jobs, corporate investigations and legally aided work.