Computer Forensics Investigations – Outsource Vs. In House
By Steve Richardson

Sooner or later, you are going to need computer forensics to conduct a digital investigation. With the increase in cyber attacks, the threat of insiders stealing intellectual property, the compliance issues for regulations such as Sarbanes-Oxley and California Senate Bill 1386, and the increasing occurrence of civil suits, you need to be prepared ahead of time. One of the key questions you need to ask is, “Should I bring the capability in house or contract with an outside vendor?”

In order to properly answer the question, we really need to understand that there are three different situations where digital investigations become necessary: incident response, internal investigations, and electronic discovery. While each of these areas is different and they are typically managed by separate groups, the same skill set and tools are needed to conduct all three types of digital investigations. Therefore, you should understand the needs of each group before making your decision.

There are, of course, tradeoffs with each approach. Fast response times, cost savings and control are the key advantages of keeping this capability in house. Let’s face it, your own people will be on the scene first and, if the proper tools, training and procedures are in place, they can respond faster and at a lower cost than an outside supplier. You will also have total control of the situation and of any evidence that comes out of an investigation, giving you the most freedom in deciding the best course of action based on the needs of the business.

However, if you only conduct one or two digital investigations per year, it may be hard to maintain the expertise needed to conduct a proper investigation. You need to conduct four to six investigations yearly to have your personnel maintain proficiency, so you will need to schedule ongoing training to stay current with changes in the field and set up practice exercises to ensure your personnel maintain their skills.

Another consideration is staffing levels. Investigations will consume a highly skilled resource for several days or potentially weeks. That means you will need to delay other projects to which your specialist is assigned (or re-assign other resources) to allow the proper time to conduct the investigation and generate the necessary reports. This juggling can be difficult and may cause you to favor outsourcing. However, remember that most outsource companies are also going to require some support from your internal resources. The outsource personnel will not know your network and will need a knowledgeable person from your staff to support their efforts, so you may not be able to avoid some resource juggling.

Even if you have the capability of conducting forensic investigations in house, there may be times when outsourcing still makes sense. Unbiased services, expertise and resource flexibility are the key advantages of outsourcing. The appearance of impartiality can be important in legal discovery and internal investigations, especially if a corporation is being accused of illegal or unethical behavior. The perception that a thorough investigation was conducted by an independent third party can be very important in any publicity that may come as a result of the investigation.

In addition, the evidence gathered by an independent third party may be given more weight than that presented by the company itself. In the case of an internal employee investigation, where there is a history of complaints made by the employee against the employer, the employee may claim that he was being targeted and file an employee discrimination or wrongful termination suit. In this type of situation, you may want to have a third party conduct this investigation even if you have the capability to do this investigation with in house resources. You will need to consult with legal counsel to help make this type of decision.

Since an outsource company deals with investigations on a regular basis, they have the opportunity to grow and maintain their expertise. You should ask your potential outsource provider for information on their examiners, including experience levels of their personnel, to make sure you are getting what you expect from your supplier. The issue of resource flexibility must be built into the service level agreement (SLA) that you sign with the outsource company. This comes in the form of response time and project completion time specifications. The latter is very hard to define as the project scope will be indeterminate at the time of the contract, but some parameters can be set, such as the time between the completion of the analysis and the final report.

Outsourcing can be expensive, especially since you will require a rapid response time. Engagements for an investigation usually take several days and can exceed one week. They will require several meetings to review the situation, determine the proper course of action, and review the results of the investigation. An investigation will always involve analysis of at least one system and may involve several. Each system will take several hours to image and analyze. You will want to ensure your outsource company has the capability of imaging live systems, or you will find key resources shut down for hours at a time. While it is hard to get specific with the costs of outsourcing, most quality firms will charge more than $300 per hour, bringing a typical engagement to thousands or tens of thousands of dollars. If the investigation goes to trial, you will likely need the outsource supplier to testify, adding more cost to the engagement.

So given the tradeoffs, what course of action is best for you? In almost every case, the best solution may be a hybrid with some capability in house and an agreement with an outside supplier. At a minimum, you need a first-response capability in house. This will allow you to respond in a timely manner and give you the information needed to determine whether an outside supplier is needed for this specific instance.

If the outside supplier is needed due to the scope or nature of the situation, you have the agreement in place to move forward immediately. If, on the other hand, the situation does not merit calling in the outside resource, you can save a substantial sum and maintain complete control over the situation.

To be successful, you will need to establish procedures and define ahead of time the people who need to be involved in any digital investigation. This will typically include a representative from information systems, human resources, management, and security, and may involve legal counsel. This team needs to have the proper training, procedures and tools in place to know how to respond to situations that give rise to digital investigations. Only in this way can you truly be prepared.

About the Author
Steve Richardson is the President and CEO of Technology Pathways.
He can be reached at srichardson@techpathways.com

© IMPIRE Communications, LLC All Rights Reserved.