You read that right. I’m actually going to tell you how to save money. As much as that flies in the face of conventional business wisdom, it’s much better to have a client that recognizes the value that’s brought to the table when a digital forensic expert is needed than to have them be dissatisfied. I think that’s just good business and I’m sure you agree. So, how can you save yourself or your client some money? There are a couple of different areas we’ll touch on today for that. To be honest, these are applicable to some extent to a number of experts you might have on a matter, but if you’ve never had to engage someone in my capacity before, well, you may not know what you don’t know.
The first way you can save money is by not holding your cards so close. This isn’t Texas hold’em and I’m not sitting across the table donning a pair of sunglasses. I’m actually here to help you win. By that I mean whatever information you have that may assist in the investigation, present it! While long-time clients of ours understand the process, we have had the occasional client initially give us little to go on (e.g., here’s the laptop, he left last Friday and we don’t know where he went, but someone thought they saw him with a USB drive just prior to walking out the door). That’s a fine jumping-off point if that’s in fact all that’s known. However, when we dig deeper there may be initial findings that show he routinely used a large USB drive for work product going back at least a year, as he and most of the other employees freely use some sort of online central storage (Dropbox, OneDrive, etc.), and there’s email traffic with his supervisor (possibly our client or contact) showing that he was becoming increasingly dissatisfied with his position and/or pay. When we then receive a “yes, we know all that, what else did you find?”, talk about squandered money and time. If you’ve located a partner you trust to investigate the matter, then by all means give them all the info you have that may be related to it. I think a number of clients think if they give too much information up front it will, in some way, make it cost more. To the contrary, this typically paints a better picture of the subject/matter and helps us put together a more focused and productive course of action. I liken it to making a stew; if you only use two of the ten ingredients that you have, it simply won’t be as good. Again, if you’ve selected the right partner to help investigate the issue, then your interests will be aligned. One last thing: when selecting the partner, go with your gut; don’t be wowed or pressured. Too many people don’t trust their instincts when they should.
The next area where many end up spending more money than they planned is actually a result of attempting to shop around for the best price at the outset, which may be another surprising revelation. There are a number of times when an “estimate” is much too low, and either inexperienced (likely unlicensed) folks work on the project only to end up wasting the money, or scope creep takes over. We’ve seen situations where an estimate has been provided with a minimum amount of work proposed, which is less work than will end up being needed; thus, by the time the entire case is completed, the client has spent multiples of the “estimate” that was originally provided. Sometimes this is because the expert has made a rookie mistake by not thinking through the entire process and what it will entail, or because they threw out a low-cost estimate knowing that once the client was on the hook they wouldn’t want to back out midway through the project. Unfortunately, we’ve seen too many of these scenarios when we’re then contacted as the second investigators and we attempt to minimize any further expense…sometimes at our expense just to help the client out.
Very closely related is dealing with inexperienced folks. When it comes to working an investigation with digital evidence and integrating it into a case for litigation, or even an internal administrative matter, experience counts. Your outsourced information technology provider is rarely, if ever, an investigator, for one, and/or licensed to provide such a service, for another. Thus, aside from a possible evidence tampering or destruction concern, any money spent in this endeavor could very likely be wasted. We work with many outsourced IT providers. Although most are competent and reputable in what they do know, there is a line that should not be crossed. Unfortunately, there are also zealous client pleasers out there, which ordinarily is a great thing, but not in this situation. Save your time and, most importantly, money by engaging the right help from the start.
Now, that is not to say that your IT folks can’t be of assistance. And this is the final area of cost savings to discuss. IT personnel, whether in-house or outsourced, can be a great resource at the beginning of an investigation. For starters, skilled IT techs tend to be pretty perceptive about what people are doing on your devices, particularly who is doing what and who interconnects within the office. In addition, they are also less likely to draw attention when it comes to gaining access to someone’s computer or phone when we need to take an image. This could mean getting us to the right computers, retrieving them for us or taking the image for us. Yes, we’ve had several long-term clients whose staff we’ve trained and equipped so that they are able to take a subject’s machine, create a forensic image, document it, and then put it back into use with no one being the wiser. Otherwise, an office announcement regarding the start of an investigation might as well take place. With proper procedure, documentation and a chain of custody form filled out, the evidence can then be transferred to us to process and begin the investigation. This will help leverage your existing provider, which will save you some initial hours on the matter.
All of these points taken together can save you some money on your digital forensic investigation without compromising the integrity of the evidence or the resulting findings. Too often the opposite holds true, which ends up costing time, potentially spoliating evidence and ultimately costing you money.