Why Out-Source Computer Forensics?

Feb 10

In a recent article entitled "Why Insource Forensics? - Making the Business Case for Internal Forensics/eDiscovery Team," the writer makes the case for building an internal forensics team rather than outsourcing the services. While the article and the accompanying interview raise relevant points, the writer fails to address several issues that need to be considered when making this decision. Let me preface this by saying that there are instances when it is appropriate for an organization to bring forensic experts in-house. However, unless your company is the victim of constant intrusions, handles classified material or is continually embroiled in legal fights, bringing digital forensics and eDiscovery in-house is probably not for you.

The author suggests that bringing these proficiencies in-house will save your company money; however, this depends entirely on balancing your own needs and demands with the costs associated with building this type of practice.  Consider the cost of setting up an office or lab for handling forensic and eDiscovery requests. The labor cost alone for one professional analyst with the credentials and experience needed to lead a department will be an annual six-figure expenditure. Then there's the training cost and the expense related to maintaining the proper licensing and certifications. Finally, consider the up-front costs to purchase the necessary forensic tools, maintain the tools and keep current on any upgrades.  Even if you hired only one person to handle the work (and if the volume is on a level so as to require bringing forensics in-house then you will likely need more than one analyst), you should expect an annual budget expenditure well over $150,000.00.

The second issue to consider is impartiality. I recently heard of a company suspending one of their up-and-comers for having inappropriate material on his work computer. When he asked the company to identify the material in question, the only response was that the company's internal forensics people were looking into it. At the time, conducting an ad-hoc internal investigation may have seemed like a good idea, but in retrospect, the impartiality of the fact-finder has now become a primary issue for opposing counsel. Corporate bias becomes the primary argument, not only on the evidentiary question but also for the entire case. How could the investigation be impartial when the investigators are on the company payroll?

The third issue to consider is that most in-house forensic employees come from a computer security or investigative background. While this has some advantages, computer security/forensics and eDiscovery require different skill sets. Deep experience in network security/forensics has very little in common with the work required to navigate the civil discovery process. In-house talent will require broad-based knowledge of security/forensics issues as well as deep experience in the litigation process. That kind of talent is not cheap or easy to find. It will require a deep and educated bench. There are, of course, advantages to having your own IT people involved in an investigation. No one will know your infrastructure like your own IT department, but that does not mean that they should be doing the work themselves. Every action performed on a computer changes, and potentially overwrites, data. "Just a quick look" can jeopardize your company's case. Keeping it in-house has a proper time and place. But when the preservation and defensibility of the evidence is key, or if the size of the matter will overwhelm existing IT manpower, companies should bring in outside experts who are involved in these kinds of cases on a daily basis. They will have all of the requisite knowledge as well as the tools to finish the project in a professional manner while performing tasks that are second nature to them.

Lee Whitfield is Director of Forensics for Digital Discovery www.digitaldiscoveryesi.com and serves as a computer forensics expert to corporate and law firm clients.  He can be reached at lwhitfield@digitaldiscoveryesi.com.


  • Priyanka Rai said:

    LTS Secure comprehensive Security Operation Centre provides continuous monitoring for all layers of the IT stack: network packets, flows, OS activities, content, Identities, user behaviors and application transactions for protection from advanced threats using integrated Adaptive Security framework. For more information about this http://ltssecure.com/soc/

  • Matthew Hackling said:

    You're preaching to the choir :) Why do you do computer forensics? Because you want to take a matter to court or have some backup in place if someone takes you to court. If you do, you need an independent expert witness to capture the data and present the evidence who can withstand the cross-examination tricks of a switched-on attorney. Some underpaid, inexperienced amateur will make a minor mistake in procedure and get flayed alive.