While most of our clients come to us as referrals from already established clients, we get our share of new clients that come across us by just googling “computer forensics” or “digital investigation” or the like. That may be why you’re here reading this. With the referral clients there’s typically not a whole lot of establishing how we can assist on a matter, our mutual contact already 
did that for us. And we’re appreciative of that, not because we don’t mind engaging with folks who need investigative help, but because there is a bit of a learning curve when it comes to a new engagement with a new client. Where all can we assist in the process of investigating their issue? What all do we need to know as it relates to the issue? And one of the most obvious, why do they think there is an issue to investigate? A big portion of this initial process or “dance” can be attributed to the natural process of gaining trust. I don’t think most people consider the trust piece and the importance it plays in the process, and ultimately the quality of the engagement as a whole when they reach out to us. I say that because when I start asking about things that they think are outside the preconceived box of “searching on a computer” they are either puzzled or occasionally put off. Everyone has seen investigative shows/movies and most have a general understanding that the computing device (laptop, iPhone, server, etc.) contains more data than they realize, or are qualified to retrieve and make heads or tails of, much less advance their cause. In short, sometimes the tendency is to keep the data investigative portion in a box so to speak as I alluded to a moment ago.
There is also a tendency to think there are others (or perhaps they themselves) who are better qualified to determine where this fits in their investigation and the ensuing litigation, which they already have in mind. With rare exception, putting this all together from an “inside the company” perspective is not as productive 
as they or their internal team might presume. This becomes painfully obvious when questions are asked about their policies, procedures, specifics about the suspect(s), other staff and the organization as a whole in order to get an understanding of the environment. Therefore we often find that instead of a “piecemeal approach,” in general, a holistic approach to the issue is both more time efficient and effective. It’s better to provide as much information as possible up front. Being able to provide thorough answers to quality questions can make a huge difference. These vital pieces of information provided can not only assist in the current investigation, but also assess the likelihood of success in proving up and pursuing the case. It also helps us identify possible outside counsel (if you don’t already have them in place) that we can we make an introduction to in order to go to the next step and litigate. Some good questions would be: Did the client take precautions to safeguard their data? Do we have rights to the machines involved (BYOD)? Does the organization have a bigger issue and this is a merely a red herring?
Helping our clients identify ways to mitigate a future event is also top of mind as we investigate, educate and consult throughout the process. While we find this to be a fundamental thought process on the prospective client’s behalf it is often lost on others. In addition, ways that an organization is wired or run can also be contributing factors. Our long time clients that contact us immediately when they have a suspected intellectual property theft or some other malfeasance, usually by recently departed employees, have grown comfortable with our method and are able to provide us with necessary information up front. This type of trust, that we believe is important to foster in the relationships we have with our clients, understandably took time. We recognize that being patient with the initial process and allowing time for them to observe our capabilities, which extend from finding evidence on a computer, to building the case and being able to work with both internal and external counsel, benefits everyone 
involved. And most of these clients grow to understand that it’s really not in their best interest to either hamstring us or “test” our capabilities by minimally disclosing any details that they are already aware of. I mean, sure, you can throw some minimal set of data at us and tell us “let’s see what you find out” but we all come out on the short end of that stick. This can not only prove to be extremely cost ineffective for the client, but also generally by not telling us anything that might assist in locating responsive or corroborating evidence, the client who retained us is who ends up short of a good service, which can be understandably frustrating! The end result is they don’t have a good experience and don’t get the help that they need to resolve their matter. That and they end up thinking (and heaven forbid repeating) that either conducting a digital forensics investigation isn’t worthwhile or that the forensic examiner was not competent in their investigation, obviously neither of which would be correct.
This brings me back to the comment a moment ago, the reality is most folks don’t really knowingly withhold information that would be of great assistance in an investigation with nefarious intent. Therefore we can chalk it up to there being a bit of a learning curve when engaging with an outside investigative group. But once we get beyond that, we realize it’s typically not the person or team we’re dealing with that’s withholding information that would assist us, but oftentimes it can be the organization itself. What I mean by that is sometimes we find the client (or our point of contact at the client’s organization to be precise) being 
hamstrung by the way their company is wired. Say we’re dealing with someone in the security department or in information technology. In one of these siloed environments, they are only given a few pieces of the puzzle, which is what gets passed on to us. Oftentimes, there are other holders of other pieces of the puzzle and/or the entire view of the matter, these other holders can be (and often are) human resources, legal or executive personnel and management. The problem is that trying to get at this additional information, or ideally getting with these folks to discuss the matter, only goes so far up the chain and is often unsuccessful. Sometimes it’s because our contact may have limited experience in these matters (again the learning curve), sometimes it’s because our contact is really stifled (hence the siloed environment) and unable to get anyone to listen to them to fully flesh out the investigation, or occasionally our contact just wants to do what they’re told and tells us to work with what we were given. The latter type of engagement we tend to not really hear from again, and it’s a shame because as I mentioned earlier, they probably come away thinking that computer forensics isn’t worth it, which is almost never accurate.
Why am I writing about all this? Because although it doesn’t happen all that often, it happens and needlessly so. What’s the answer and/or point to all this? 
Have a plan and be open to the process. If you’re reading this and have an incident to investigate that you know has happened and work in an environment where you have some understanding of the event in question, then make sure you take all this into account. It’s also important to ensure that you get everyone on your side of the fence to sign off on what will be involved. In order to achieve the best chance of success not only with your internal folks, us with the investigative process and finally with outside counsel, it’s more effective to work together as a well-oiled machine in order to make those that have wronged you properly compensate you. As our friend Jerry Maguire once implored, “Help me, help you!”