Loading ...
Sorry, an error occurred while loading the content.
 

E-evidence site

Expand Messages
  • csiedsm@utica.edu
    Greetings, And my apologies to those that may be getting this more than once. I wanted to announce the updates to the www.e-evidence.info site (See the What s
    Message 1 of 13 , Nov 1, 2004
      Greetings,

      And my apologies to those that may be getting this more than once.
      I wanted to announce the updates to the

      www.e-evidence.info

      site (See the 'What's New' page)

      Several great resources have been located and archived.

      Just a reminder that this site is updated the first week of every month.
      Anyone with links to worthwhile resources is encouraged to contact me.

      Thankyou

      Christine Siedsma
      www.e-evidence.info
      Program Director
      Computer Forensic Research & Development Center at Utica College
    • IanC
      I generally quote a fixed rate of say $250.00 per hour that I spend on the assignment (plus expenses if I need to travel) with a $1,250.00 deposit up front per
      Message 2 of 13 , Nov 1, 2004
        I generally quote a fixed rate of say $250.00 per hour that I spend on the
        assignment (plus expenses if I need to travel) with a $1,250.00 deposit up
        front per drive.

        But whilst in my office I don't charge for the time a computer is running
        and I don't need to be there (Like imaging time,, or whilst it's searching).

        Often too I get a request to simply recover a file or maybe two - and I know
        the file name (and some search string phrases that should be within the
        file). So do tend to quote a fixed price if asked to just recover a specific
        thing. Same sometimes applies with regular clients by giving them a good
        discount,, or if say I get 5 drives on one case I give a discount too.


        How do you guys figure out your charging fee's?
      • The Dog's Bollix
        Through trial and error we have split our fees in two, namely a price for imaging and a price for analysis. We charge $300 to image a drive, and we charge $50
        Message 3 of 13 , Nov 1, 2004
          Through trial and error we have split our fees in two, namely a price for imaging and a price for analysis.

          We charge $300 to image a drive, and we charge $50 a month to store that image. We store it until the case is settled or otherwise disposed.

          We shoot hard to image, citing " Look, at least we'll have the evidence should you ever need it". 10 times out of 10 they need it analysed.

          Then we charge $1200 for an analysis. Usually, it's a "find porn" or find "chat room chat sessions". Sometimes it takes us a couple of hours (not including computer search time) and sometimes it takes us 20 hours.

          If we get multiple drives, we discount. I just had a civil case where my client was compelled to hand over his laptop for no reason, and hence we compelled the other side for their machines. 5 machines in all, I charged him $3K total for the analysis.

          I know many reading this will say, "You're charging too little". The demographics of my area, coupled with the kinds of cases we handle (mostly civil/divorce) coupled with the attorney's fear of the unknown has forced me to set a reasonable fee for services just so they'll pull the trigger on going ahead with an analysis. Once they see the possibilities, it means future business for us, however, we've already set a price precedent. Personally, I'd rather have the exposure of 10 cases at $2000 than one case at $7500.

          In fact, we're developing forensic software that will even further reduce the client's financial exposure, yet provide forensic evidence in a case - for about 20 minutes work and about $200 cost to the client. Of course our goal is to coax them into going ahead with a full forensic image and analysis once our own software finds the bait we need to upsell to our services.

          Having said that, should we be contacted by an Enron or the like, we'd revert to a pricing structure similar to Ian's.

          So to answer your question Ian, the market has decided our pricing fees to a large extent. The market, in our case, being people who work to earn a living and suddenly have the added expense of a legal situation imposed upon them.

          I'd actually be more interested in a discussion on how people have educated their market to the NEED for our services. And, I fully believe it IS a need. I have yet to work on a computer forensics case (as a result of some other civil complaint) that did not affect the outcome of that civil contention. (we don't do criminal work).

          Just my .02 euros,

          Tony.

          P.S. Undeleting files is a funny one. I once offered to undelete an ACT database for a sales manager for free just to show him it could be done and he balked. I do, however, see a market there. Personally, I'd probably charge $100 per file if I could take the computer to my lab and let the software run. If it was an onsite deal, then I'd charge hourly.




          IanC <saladin@...> wrote:
          I generally quote a fixed rate of say $250.00 per hour that I spend on the
          assignment (plus expenses if I need to travel) with a $1,250.00 deposit up
          front per drive.

          But whilst in my office I don't charge for the time a computer is running
          and I don't need to be there (Like imaging time,, or whilst it's searching).

          Often too I get a request to simply recover a file or maybe two - and I know
          the file name (and some search string phrases that should be within the
          file). So do tend to quote a fixed price if asked to just recover a specific
          thing. Same sometimes applies with regular clients by giving them a good
          discount,, or if say I get 5 drives on one case I give a discount too.


          How do you guys figure out your charging fee's?







          Yahoo! Groups SponsorADVERTISEMENT


          ---------------------------------
          Yahoo! Groups Links

          To visit your group on the web, go to:
          http://groups.yahoo.com/group/linux_forensics/

          To unsubscribe from this group, send an email to:
          linux_forensics-unsubscribe@yahoogroups.com

          Your use of Yahoo! Groups is subject to the Yahoo! Terms of Service.



          ---------------------------------
          Do you Yahoo!?
          Check out the new Yahoo! Front Page. www.yahoo.com/a

          [Non-text portions of this message have been removed]
        • IanC
          ... In regards to your above I don t really market myself and have thus far relied upon word of mouth for clients mainly.. But if a client doesn t understand
          Message 4 of 13 , Nov 1, 2004
            > I'd actually be more interested in a discussion on how people
            > have educated their market to the NEED for our services.


            In regards to your above I don't really market myself and have thus far
            relied upon word of mouth for clients mainly.. But if a client 'doesn't
            understand' about what I can do, I use visual effects that he can use
            (quickly & easily)..

            I simply give him a floppy disk that he can view in his own A: drive,, then
            ask him how many files he see's upon that.

            He of course says just one. (HeHe,, they all say that) :-)

            I then boot his system up quickly with a CD and using the same floppy he
            looked at,, I can very quickly (in minutes) show him 15, of the same
            document,, (each I altered slightly then deleted for effect)! (in deleted
            folders too)!!

            I know this is simple shite....
            But it's effective even to clients who think they know it all.


            ~~~~
            Bullshite baffles brains sometimes.....
            [But the computer doesn't lie];
          • Andrew Rosen
            ... We split it in 3: imaging / analysis / litigation support ... We charge more, but that covers data retention for a year. If they need long term storage /
            Message 5 of 13 , Nov 2, 2004
              --- The Dog's Bollix <isisxproahoo.com> wrote:
              > Through trial and error we have split our fees in
              > two, namely a price for imaging and a price for
              > analysis.

              We split it in 3: imaging / analysis / litigation
              support

              > We charge $300 to image a drive, and we charge $50 a
              > month to store that image. We store it until the
              > case is settled or otherwise disposed.

              We charge more, but that covers data retention for a
              year. If they need long term storage / CDs / DVDs or
              other copies, we bid that at the end of the year.
              Storage is cheaper faster by then anyways.

              > We shoot hard to image, citing " Look, at least
              > we'll have the evidence should you ever need it". 10
              > times out of 10 they need it ananalysed

              In the _vast_ majority of cases, we image first...
              even if the client doesn't want to pay for imaging.
              Its good SOP and reduces exposure.

              > Then we charge $1200 for an analysis. Usually, it's
              > a "find porn" or find "chat room chat sessions".
              > Sometimes it takes us a couple of hours (not
              > including computer search time) and sometimes it
              > takes us 20 hours.

              Life is like a box of chocolates

              > If we get multiple drives, we discount. I just had a
              > civil case where my client was compelled to hand
              > over his laptop for no reason, and hence we
              > compelled the other side for their machines. 5
              > machines in all, I charged him $3K total for the
              > analysis.

              There is a small economy of scale in data forensics as
              a practical matter. More drives, more data, more
              work, more time...

              > I know many reading this will say, "You're charging
              > too little". The demographics of my area, coupled
              > with the kinds of cases we handle (mostly
              > civil/divorce) coupled with the attorney's fear of
              > the unknown has forced me to set a reasonable fee
              > for services just so they'll pull the trigger on
              > going ahead with an analysis. Once they see the
              > possibilities, it means future business for us,
              > however, we've already set a price precedent.
              > Personally, I'd rather have the exposure of 10 cases
              > at $2000 than one case at $7500.

              Very smart, cogent and well articulated.
              I think your smart.

              > In fact, we're developing forensic software that
              > will even further reduce the client's financial
              > exposure, yet provide forensic evidence in a case -
              > for about 20 minutes work and about $200 cost to the
              > client. Of course our goal is to coax them into
              > going ahead with a full forensic image and analysis
              > once our own software finds the bait we need to
              > upupsello our services.

              Good luck with that, please let us know how that works
              out for you.

              > Having said that, should we be contacted by an Enron
              > or the like, we'd revert to a pricing structure
              > similar to Ian's.

              That's where you'd have taken such a beating you'd
              still be slap happy. It wasn't simply a matter of
              hundreds of machines, or legions of suits running
              around like chickens with their heads cut off running
              in every 5 minutes with new priorities, or the press
              or the glass bubble (We had to invite troops of
              lawyers and their experts into a lab that had to be
              set up on-site so they could inspect the lab and the
              protocol).

              That experience reinforced several opinions I had come
              to hold but had little more than empiracle evidence to
              support. The ability to scale a "real world" LARGE
              scale investigation and deliver results in near
              real-time was an exceptional opportunity. That is
              where the traditional models stop working, including
              billing models.

              > So to answer your question Ian, the market has
              > decided our pricing fees to a large extent. The
              > market, in our case, being people who work to earn a
              > living and suddenly have the added expense of a
              > legal situation imposed upon them.

              Most folks I know "work to earn a living", myself
              included.

              > I'd actually be more interested in a discussion on
              > how people have educated their market to the NEED
              > for our services. And, I fully believe it IS a need.
              > I have yet to work on a computer forensics case (as
              > a result of some other civil complaint) that did not
              > affect the outcome of that civil contention. (we
              > don't do criminal work).

              Criminal work is more rewarding on a personal level,
              less rewarding on a financial level and absolutely no
              different than civil work.

              I just testified in a criminal case in Washington
              state. We got convictions on all counts and
              enhancements. I spent nearly 3 days there, out of the
              office and was billing so light to the US Attroney's
              office that I had to disclose that fact to the AUSA
              just in case the defense lawyer asked in depositions
              or on direct.

              > Just my .02 eueuros
              >
              > Tony.

              Cheers -

              Andrew Rosen



              __________________________________
              Do you Yahoo!?
              Check out the new Yahoo! Front Page.
              www.yahoo.com
            • Steve Fowler
              Kudos to Ian for starting an interesting thread. And thanks too for Andrew s input, coming as it does from his high station in this biz (IMHO). I think you
              Message 6 of 13 , Nov 2, 2004
                Kudos to Ian for starting an interesting thread. And thanks too for
                Andrew's input, coming as it does from his high station in this biz
                (IMHO). I think you all should charge more! There are far fewer computer
                forensic experts than dentists -- so if you're specialty is more esoteric,
                why not at least get paid as much as they do?

                All the commentary thus far has pertained mostly to data storage device
                handling, and the biggest share of that does tend to fit into models
                describable on a standard pricing sheet (the Enron case notwithstanding),
                but my keenest interest re: this thread "Charging Clients Fee's" goes to
                ideas the group has about some of those less frequently occurring
                requirements, such as cases we've experienced spending huge amounts of time
                doing stuff peculiar to just this one certain case -- that didn't fit into
                any model for fee base, and hasn't yet been repeated.

                This area is interesting to me because we have found that it can sometimes
                be a bit troublesome to draw a line between what we're doing for our client
                and what we're doing to build a better business -- and of course, only the
                first of two can possibly merit charges. And this is the area I'd like to
                hear more on. Also, I have some comments I'll interject below amongst
                those already entered, and at the end will be my specific
                questions. Please read on:
                ==========
                At 07:10 AM 11/2/04, ASR wrote:

                >--- The Dog's Bollix <isisxproahoo.com> wrote:
                > > Through trial and error we have split our fees in
                > > two, namely a price for imaging and a price for
                > > analysis.
                >
                >We split it in 3: imaging / analysis / litigation
                >support

                We use yet a fourth split which is used to clarify to clients what they're
                paying for: between imaging and analysis, there's discovery. BTW, does
                everyone not charge for strategic consultation (I don't)?


                > > We charge $300 to image a drive, and we charge $50 a
                > > month to store that image. We store it until the
                > > case is settled or otherwise disposed.
                >
                >We charge more, but that covers data retention for a
                >year. If they need long term storage / CDs / DVDs or
                >other copies, we bid that at the end of the year.
                >Storage is cheaper faster by then anyways.

                We charge A LOT more. Maybe it's our location. Here in California legal
                frivolity seems like a passtime -- a higher entry fee gives a better
                indication of who's really serious.


                > > We shoot hard to image, citing " Look, at least
                > > we'll have the evidence should you ever need it". 10
                > > times out of 10 they need it ananalysed
                >
                >In the _vast_ majority of cases, we image first...
                >even if the client doesn't want to pay for imaging.
                >Its good SOP and reduces exposure.

                Gotta do this!


                > > Then we charge $1200 for an analysis. Usually, it's
                > > a "find porn" or find "chat room chat sessions".
                > > Sometimes it takes us a couple of hours (not
                > > including computer search time) and sometimes it
                > > takes us 20 hours.
                >
                >Life is like a box of chocolates
                >
                > > If we get multiple drives, we discount. I just had a
                > > civil case where my client was compelled to hand
                > > over his laptop for no reason, and hence we
                > > compelled the other side for their machines. 5
                > > machines in all, I charged him $3K total for the
                > > analysis.
                >
                >There is a small economy of scale in data forensics as
                >a practical matter. More drives, more data, more
                >work, more time...

                ...a VERY small ecomony of scale.... and a HUGE increase for potential
                confusion. In some cases it seems like there's almost a reverse
                ecomony: tagging & naming & documenting, etc., the requirements get tougher!


                > > I know many reading this will say, "You're charging
                > > too little". The demographics of my area, coupled
                > > with the kinds of cases we handle (mostly
                > > civil/divorce) coupled with the attorney's fear of
                > > the unknown has forced me to set a reasonable fee
                > > for services just so they'll pull the trigger on
                > > going ahead with an analysis. Once they see the
                > > possibilities, it means future business for us,
                > > however, we've already set a price precedent.
                > > Personally, I'd rather have the exposure of 10 cases
                > > at $2000 than one case at $7500.
                >
                >Very smart, cogent and well articulated.
                >I think your smart.
                >
                > > In fact, we're developing forensic software that
                > > will even further reduce the client's financial
                > > exposure, yet provide forensic evidence in a case -
                > > for about 20 minutes work and about $200 cost to the
                > > client. Of course our goal is to coax them into
                > > going ahead with a full forensic image and analysis
                > > once our own software finds the bait we need to
                > > upupsello our services.
                >
                >Good luck with that, please let us know how that works
                >out for you.
                >
                > > Having said that, should we be contacted by an Enron
                > > or the like, we'd revert to a pricing structure
                > > similar to Ian's.
                >
                >That's where you'd have taken such a beating you'd
                >still be slap happy. It wasn't simply a matter of
                >hundreds of machines, or legions of suits running
                >around like chickens with their heads cut off running
                >in every 5 minutes with new priorities, or the press
                >or the glass bubble (We had to invite troops of
                >lawyers and their experts into a lab that had to be
                >set up on-site so they could inspect the lab and the
                >protocol).
                >
                >That experience reinforced several opinions I had come
                >to hold but had little more than empiracle evidence to
                >support. The ability to scale a "real world" LARGE
                >scale investigation and deliver results in near
                >real-time was an exceptional opportunity.

                This would scare the hell out of me...

                >That is where the traditional models stop working, including
                >billing models.

                And HERE is the what I call the "interesting" area when it comes to billing
                (we'd all LOVE to hear more, Mr. Rosen).


                > > So to answer your question Ian, the market has
                > > decided our pricing fees to a large extent. The
                > > market, in our case, being people who work to earn a
                > > living and suddenly have the added expense of a
                > > legal situation imposed upon them.
                >
                >Most folks I know "work to earn a living", myself
                >included.
                >
                > > I'd actually be more interested in a discussion on
                > > how people have educated their market to the NEED
                > > for our services. And, I fully believe it IS a need.
                > > I have yet to work on a computer forensics case (as
                > > a result of some other civil complaint) that did not
                > > affect the outcome of that civil contention. (we
                > > don't do criminal work).
                >
                >Criminal work is more rewarding on a personal level,
                >less rewarding on a financial level and absolutely no
                >different than civil work.
                >
                >I just testified in a criminal case in Washington
                >state. We got convictions on all counts and
                >enhancements. I spent nearly 3 days there, out of the
                >office and was billing so light to the US Attroney's
                >office that I had to disclose that fact to the AUSA
                >just in case the defense lawyer asked in depositions
                >or on direct.
                >
                > > Just my .02 eueuros
                > >
                > > Tony.
                >
                >Cheers -
                >
                >Andrew Rosen

                ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
                So, here's some nitty gritty stuff it'd be fun to hear response on, if
                anyone cares to chime in...

                * When existing models don't fit, you're in a new situation, how do you
                account for your time (when you have to bill to eat): research -- process
                planning -- and (gulp, i hate this) mistakes -- leading to only a small
                value to the client (how much does the heart surgeon reduce his bill
                because of a mistake in the OR?), but not a value commensurate with the
                time you spent??? What about documentation of a type specific and unique
                to only this one case?

                * "Desk Work" (I don't know what else to call it): sworn declarations /
                reading & editing stipulations, protocols, or other attorney pleadings /
                long telephone conferences with attorneys / preparation for testimony /
                writing statements. We use an hourly rate as a basis, but -- think about
                doing all this amid your typical day of multitasking, interruption,
                occasional? chaos (i can't be the only one!) We have a set fee for sworn
                declarations, but most of this stuff often doesn't fit a model we have,
                so... ???

                What say you?

                Best regards,

                Steve Fowler

                >
                >__________________________________
                >Do you Yahoo!?
                >Check out the new Yahoo! Front Page.
                >www.yahoo.com
                >
                >
                >
                >
                >
                >
                >Yahoo! Groups Links
                >
                >
                >
                >
              • Andrew Rosen
                ... [snip] ... [snip] For me, it has always been about delivering value. I believe value is subjective, but it translates to dollars readily. You ve also
                Message 7 of 13 , Nov 3, 2004
                  --- Steve Fowler <sfowler@...> wrote:
                  [snip]
                  > >That is where the traditional models stop working,
                  > including
                  > >billing models.
                  >
                  > And HERE is the what I call the "interesting" area
                  > when it comes to billing
                  > (we'd all LOVE to hear more, Mr. Rosen).
                  [snip]

                  For me, it has always been about delivering value.
                  I believe value is subjective, but it translates to
                  dollars readily. You've also gotta "do the right
                  thing". When a case comes along where you can really
                  assist an injured party, do it at a loss if you have
                  to. This goes for protecting children, supporting law
                  enforcement, US intel and national security, etc.

                  If you deliver value and do the right thing, you will
                  have happy clients, a good life and will have earned
                  your keep.

                  Regards -

                  Andrew Rosen



                  __________________________________
                  Do you Yahoo!?
                  Check out the new Yahoo! Front Page.
                  www.yahoo.com
                • Melissa Royer
                  And God will bless you abundantly !! ... From: Andrew Rosen To: Sent: Wednesday, November 03, 2004 9:51
                  Message 8 of 13 , Nov 3, 2004
                    And God will bless you abundantly !!
                    ----- Original Message -----
                    From: "Andrew Rosen" <asrdata@...>
                    To: <linux_forensics@yahoogroups.com>
                    Sent: Wednesday, November 03, 2004 9:51 AM
                    Subject: Re: [linux_forensics] Charging Clients Fee's


                    >
                    >
                    > --- Steve Fowler <sfowler@...> wrote:
                    > [snip]
                    > > >That is where the traditional models stop working,
                    > > including
                    > > >billing models.
                    > >
                    > > And HERE is the what I call the "interesting" area
                    > > when it comes to billing
                    > > (we'd all LOVE to hear more, Mr. Rosen).
                    > [snip]
                    >
                    > For me, it has always been about delivering value.
                    > I believe value is subjective, but it translates to
                    > dollars readily. You've also gotta "do the right
                    > thing". When a case comes along where you can really
                    > assist an injured party, do it at a loss if you have
                    > to. This goes for protecting children, supporting law
                    > enforcement, US intel and national security, etc.
                    >
                    > If you deliver value and do the right thing, you will
                    > have happy clients, a good life and will have earned
                    > your keep.
                    >
                    > Regards -
                    >
                    > Andrew Rosen
                    >
                    >
                    >
                    > __________________________________
                    > Do you Yahoo!?
                    > Check out the new Yahoo! Front Page.
                    > www.yahoo.com
                    >
                    >
                    >
                    >
                    >
                    >
                    > Yahoo! Groups Links
                    >
                    >
                    >
                    >
                    >
                    >
                    >
                    >
                  • Steve Burgess
                    ... There is sometimes a fine line, it seems, between charging a client for learning curve and charging for work done under previous competence. I have
                    Message 9 of 13 , Nov 3, 2004
                      <snip>
                      >
                      >This area is interesting to me because we have found that it can sometimes
                      >be a bit troublesome to draw a line between what we're doing for our client
                      >and what we're doing to build a better business -- and of course, only the
                      >first of two can possibly merit charges. And this is the area I'd like to
                      >hear more on. Also, I have some comments I'll interject below amongst
                      >those already entered, and at the end will be my specific
                      >questions. Please read on:
                      >==========

                      There is sometimes a fine line, it seems, between charging a client
                      for learning curve and charging for work done under previous
                      competence. I have been in data recovery for 20 years, and computer
                      forensics for the latter big chunk of that and I find that nearly
                      every week - and certainly every month - brings something completely
                      new. I'm joyful about that, actually. Since I was a teenager, I'd
                      always wanted to do something that's continually fresh. But corollary
                      to that is the fact that I (and I assume, we) are always learning new
                      tools (like Andy's fine stuff). It is sometimes difficult to figure
                      out how much of the time spent with a new tool is learning curve that
                      should be charged to oneself, and how much is legitimately billable
                      hours. My wife believes that I consistently undercharge ... but she
                      has the family checkbook!

                      This leads me to another question. I'd like to see how many people
                      log their hours with a pencil, and how many use a program. This is
                      another area where the boss (my better half - well, my better third,
                      actually) feels I consistently undercharge as I am not keen on
                      billing hours I haven't logged in a book. And I neglect writing these
                      down sometimes when I am in the thick of an investigation and then
                      get called away. What are your foolproof methods that this fool might
                      use to keep tight track of billable hours?

                      <snip>

                      >At 07:10 AM 11/2/04, ASR wrote:
                      >
                      >>--- The Dog's Bollix <isisxproahoo.com> wrote:
                      >> > Through trial and error we have split our fees in
                      >> > two, namely a price for imaging and a price for
                      >> > analysis.
                      >>
                      >>We split it in 3: imaging / analysis / litigation
                      >>support
                      >
                      >We use yet a fourth split which is used to clarify to clients what they're
                      >paying for: between imaging and analysis, there's discovery. BTW, does
                      >everyone not charge for strategic consultation (I don't)?
                      >
                      >
                      >> > We charge $300 to image a drive, and we charge $50 a
                      >> > month to store that image. We store it until the
                      >> > case is settled or otherwise disposed.
                      >>
                      >>We charge more, but that covers data retention for a
                      >>year. If they need long term storage / CDs / DVDs or
                      >>other copies, we bid that at the end of the year.
                      >>Storage is cheaper faster by then anyways.
                      >
                      >We charge A LOT more. Maybe it's our location. Here in California legal
                      >frivolity seems like a passtime -- a higher entry fee gives a better
                      >indication of who's really serious.
                      >
                      >
                      >> > We shoot hard to image, citing " Look, at least
                      >> > we'll have the evidence should you ever need it". 10
                      >> > times out of 10 they need it ananalysed
                      >>
                      >>In the _vast_ majority of cases, we image first...
                      >>even if the client doesn't want to pay for imaging.
                      >>Its good SOP and reduces exposure.
                      >
                      >Gotta do this!
                      >

                      Absolutely!!!

                      <snip, snip>

                      >
                      >So, here's some nitty gritty stuff it'd be fun to hear response on, if
                      >anyone cares to chime in...
                      >
                      >* When existing models don't fit, you're in a new situation, how do you
                      >account for your time (when you have to bill to eat): research -- process
                      >planning -- and (gulp, i hate this) mistakes -- leading to only a small
                      >value to the client (how much does the heart surgeon reduce his bill
                      >because of a mistake in the OR?), but not a value commensurate with the
                      >time you spent??? What about documentation of a type specific and unique
                      >to only this one case?
                      >
                      >* "Desk Work" (I don't know what else to call it): sworn declarations /
                      >reading & editing stipulations, protocols, or other attorney pleadings /
                      >long telephone conferences with attorneys / preparation for testimony /
                      >writing statements. We use an hourly rate as a basis, but -- think about
                      >doing all this amid your typical day of multitasking, interruption,
                      >occasional? chaos (i can't be the only one!) We have a set fee for sworn
                      >declarations, but most of this stuff often doesn't fit a model we have,
                      >so... ???

                      As above, I find it difficult to keep track of the hours while
                      multitasking, especially when "desk work" pulls me out of the lab.
                      For billable hours, I consider phone conversations and prep for
                      testimony to be standard rate stuff. I only charge a higher depo or
                      court rate on those dates.

                      >What say you?
                      >
                      >Best regards,
                      >
                      >Steve Fowler

                      Cheers,
                      --
                      Steven G Burgess
                      Burgess Consulting & Forensics
                      Expert Witness, Computer forensics
                      Data Recovery, Data Transfer
                      Ph: 805.349.7676, tollfree: 866.345.3345
                      Fax: 805.349.7790
                      email: steve@..., doctordata@...
                      2255 South Broadway, Suite 9
                      Santa Maria, CA 93455

                      [Non-text portions of this message have been removed]
                    • Andrew Rosen
                      ... I regard data forensics in many of the same ways I regard flying. Both are fun and challenging and a mistake can have serious consequences. Without
                      Message 10 of 13 , Nov 3, 2004
                        All but obfuscated in the long list of quotes:

                        > >So, here's some nitty gritty stuff it'd be fun to
                        > hear response on, if
                        > >anyone cares to chime in...
                        > >
                        > >* When existing models don't fit, you're in a new
                        > situation, how do you
                        > >account for your time (when you have to bill to
                        > eat): research -- process
                        > >planning -- and (gulp, i hate this) mistakes --

                        I regard data forensics in many of the same ways I
                        regard flying. Both are fun and challenging and a
                        mistake can have serious consequences. Without
                        getting symantic, mistakes are not an option.
                        Forensics, like flying, involves careful preflight
                        inspection of the equipment, information about the
                        environment in which you will be operating (weather),
                        having appropriate resources (fuel management),
                        contingency plans (alternate landing sites), clear
                        and efficient communication skills with other parties
                        (radio), skill, knowledge and experience.

                        Equipment can break, the weather can change and other
                        people can do dumb things right in front of you...
                        none of these are mistakes. A mistake is not
                        planning, not reacting appropriately or not knowing
                        your limitations or the limitations of your equipment.

                        > >* "Desk Work" (I don't know what else to call it):
                        > sworn declarations /
                        > >reading & editing stipulations, protocols, or other
                        > attorney pleadings /
                        > >long telephone conferences with attorneys /
                        > preparation for testimony /
                        > >writing statements. We use an hourly rate as a
                        > basis, but -- think about
                        > >doing all this amid your typical day of
                        > multitasking, interruption,
                        > >occasional? chaos (i can't be the only one!) We
                        > have a set fee for sworn
                        > >declarations, but most of this stuff often doesn't
                        > fit a model we have,
                        > >so... ???

                        We lump that stuff into litigation support. Smaller
                        shops can find it more difficult to deal with the
                        chaos and interrputions. If you have a secretary or
                        assistant, make that one of their concerns... make
                        sure that you don't get interrupted unless its really
                        important. A sole practitioner may schedule call
                        backs and phone/desk work for a portion of each hour.

                        > As above, I find it difficult to keep track of the
                        > hours while
                        > multitasking, especially when "desk work" pulls me
                        > out of the lab.
                        > For billable hours, I consider phone conversations
                        > and prep for
                        > testimony to be standard rate stuff. I only charge a
                        > higher depo or
                        > court rate on those dates.

                        One of the nicest things I use every day is VNC. I
                        can sit at my desk and work on any or all of our lab
                        machines, client machines or home machines without
                        having to get out of my chair. The downside is the
                        growing backside.

                        Cheers -

                        Andrew Rosen



                        __________________________________
                        Do you Yahoo!?
                        Check out the new Yahoo! Front Page.
                        www.yahoo.com
                      • Steve Fowler
                        Which one pays better: flying... or heart surgury? Hmmmm.... ;-) I, for one (& I m sure I m not alone) much appreciate your time & insight! Thanks
                        Message 11 of 13 , Nov 3, 2004
                          Which one pays better: flying... or heart surgury? Hmmmm.... ;-)
                          I, for one (& I'm sure I'm not alone) much appreciate your time &
                          insight!
                          Thanks Andy.

                          Peace!

                          Steve Fowler

                          =====
                          At 04:00 PM 11/3/04, you wrote:

                          >All but obfuscated in the long list of quotes:
                          >
                          > > >So, here's some nitty gritty stuff it'd be fun to
                          > > hear response on, if
                          > > >anyone cares to chime in...
                          > > >
                          > > >* When existing models don't fit, you're in a new
                          > > situation, how do you
                          > > >account for your time (when you have to bill to
                          > > eat): research -- process
                          > > >planning -- and (gulp, i hate this) mistakes --
                          >
                          >I regard data forensics in many of the same ways I
                          >regard flying. Both are fun and challenging and a
                          >mistake can have serious consequences. Without
                          >getting symantic, mistakes are not an option.
                          >Forensics, like flying, involves careful preflight
                          >inspection of the equipment, information about the
                          >environment in which you will be operating (weather),
                          >having appropriate resources (fuel management),
                          >contingency plans (alternate landing sites), clear
                          >and efficient communication skills with other parties
                          >(radio), skill, knowledge and experience.
                          >
                          >Equipment can break, the weather can change and other
                          >people can do dumb things right in front of you...
                          >none of these are mistakes. A mistake is not
                          >planning, not reacting appropriately or not knowing
                          >your limitations or the limitations of your equipment.
                          >
                          > > >* "Desk Work" (I don't know what else to call it):
                          > > sworn declarations /
                          > > >reading & editing stipulations, protocols, or other
                          > > attorney pleadings /
                          > > >long telephone conferences with attorneys /
                          > > preparation for testimony /
                          > > >writing statements. We use an hourly rate as a
                          > > basis, but -- think about
                          > > >doing all this amid your typical day of
                          > > multitasking, interruption,
                          > > >occasional? chaos (i can't be the only one!) We
                          > > have a set fee for sworn
                          > > >declarations, but most of this stuff often doesn't
                          > > fit a model we have,
                          > > >so... ???
                          >
                          >We lump that stuff into litigation support. Smaller
                          >shops can find it more difficult to deal with the
                          >chaos and interrputions. If you have a secretary or
                          >assistant, make that one of their concerns... make
                          >sure that you don't get interrupted unless its really
                          >important. A sole practitioner may schedule call
                          >backs and phone/desk work for a portion of each hour.
                          >
                          > > As above, I find it difficult to keep track of the
                          > > hours while
                          > > multitasking, especially when "desk work" pulls me
                          > > out of the lab.
                          > > For billable hours, I consider phone conversations
                          > > and prep for
                          > > testimony to be standard rate stuff. I only charge a
                          > > higher depo or
                          > > court rate on those dates.
                          >
                          >One of the nicest things I use every day is VNC. I
                          >can sit at my desk and work on any or all of our lab
                          >machines, client machines or home machines without
                          >having to get out of my chair. The downside is the
                          >growing backside.
                          >
                          >Cheers -
                          >
                          >Andrew Rosen
                          >
                          >
                          >
                          >__________________________________
                          >Do you Yahoo!?
                          >Check out the new Yahoo! Front Page.
                          >www.yahoo.com
                          >
                          >
                          >
                          >
                          >
                          >
                          >Yahoo! Groups Links
                          >
                          >
                          >
                          >
                        • IanC
                          I m working on a forensic case involving 4 systems networked (the server had two drives so 5 drives in all). The server was running when a (forensic guy)
                          Message 12 of 13 , Nov 3, 2004
                            I'm working on a forensic case involving 4 systems networked (the server had
                            two drives so 5 drives in all). The server was running when a (forensic guy)
                            walked into the house, but none of the other systems were running.

                            All were Windows OS.

                            Photographs were taken and looking at the photo's I can see that a clock on
                            the wall says 6:20 and a computer and screen visible, shows it's turned off.
                            Then another photo later, of the same computer, shows that it's running -
                            and the clock on the wall shows 6:40. I've hardly started yet examining the
                            drives but have already seen alterations to files after no alterations
                            should have occurred.

                            My two (and a half) questions are.

                            1. If a server is running and a computer that's not running (networked
                            to it) is turned on,, would anything alter upon the server computer at all?
                            Maybe a network connection time stamp, or a shared folder?

                            1a: Specifically could any 'shared folders' alter (on either computer)
                            without anyone pressing buttons on the server?

                            2. Main question is: Do any of you guys know off hand any case law I
                            could use to try and exclude drive(s) as evidence, that I can prove were
                            altered by the Forensic guy?


                            I've hit this bridge in the past but the other side simply retracts a drive
                            as evidence voluntarily. But I don't think this will happen this time
                            (because this one is a pig headed bastrid) so I'm looking for something our
                            lawyer (who's not at all computer literate) can read & digest case law wise.


                            Best Regards - Ian
                          • The Dog's Bollix
                            That brings me to a point that crossed my mind recently .... Let s say you image a server today, take your MD5s today, yada yada. Another examiner images it
                            Message 13 of 13 , Nov 4, 2004
                              That brings me to a point that crossed my mind recently ....

                              Let's say you image a server today, take your MD5s today, yada yada.
                              Another examiner images it tomorrow, does the same dog and pony.

                              What makes his image any less valid than yours? Sure, there's going to be some changed data, some overwritten data, etc....but so long as you used a valid SOP and he/she did too, aren't you both looking at admissable evidence?

                              In the server example, it's likely that it was supporting a company that needed the data on there. They have made a decision to turn it back on until the examiner was ready to image it, (I'm just pontifficating here).

                              Don't know of any case law on point to help you mate.....

                              T

                              IanC <saladin@...> wrote:
                              I'm working on a forensic case involving 4 systems networked (the server had
                              two drives so 5 drives in all). The server was running when a (forensic guy)
                              walked into the house, but none of the other systems were running.

                              All were Windows OS.

                              Photographs were taken and looking at the photo's I can see that a clock on
                              the wall says 6:20 and a computer and screen visible, shows it's turned off.
                              Then another photo later, of the same computer, shows that it's running -
                              and the clock on the wall shows 6:40. I've hardly started yet examining the
                              drives but have already seen alterations to files after no alterations
                              should have occurred.

                              My two (and a half) questions are.

                              1. If a server is running and a computer that's not running (networked
                              to it) is turned on,, would anything alter upon the server computer at all?
                              Maybe a network connection time stamp, or a shared folder?

                              1a: Specifically could any 'shared folders' alter (on either computer)
                              without anyone pressing buttons on the server?

                              2. Main question is: Do any of you guys know off hand any case law I
                              could use to try and exclude drive(s) as evidence, that I can prove were
                              altered by the Forensic guy?


                              I've hit this bridge in the past but the other side simply retracts a drive
                              as evidence voluntarily. But I don't think this will happen this time
                              (because this one is a pig headed bastrid) so I'm looking for something our
                              lawyer (who's not at all computer literate) can read & digest case law wise.


                              Best Regards - Ian



                              Yahoo! Groups SponsorADVERTISEMENT


                              ---------------------------------
                              Yahoo! Groups Links

                              To visit your group on the web, go to:
                              http://groups.yahoo.com/group/linux_forensics/

                              To unsubscribe from this group, send an email to:
                              linux_forensics-unsubscribe@yahoogroups.com

                              Your use of Yahoo! Groups is subject to the Yahoo! Terms of Service.


                              __________________________________________________
                              Do You Yahoo!?
                              Tired of spam? Yahoo! Mail has the best spam protection around
                              http://mail.yahoo.com

                              [Non-text portions of this message have been removed]
                            Your message has been successfully submitted and would be delivered to recipients shortly.