Thursday, August 22, 2013

Daily Blog #60: On the business of being in business in the expert business, business

Hello Reader,
We've been going strong, 60 days of blogs. To those of you who have kept up daily, I salute you. I've been keeping things mainly technical, but at times I know there is a wider audience of people who are also curious about other aspects of computer forensics. With that in mind I'm going off course today and going to talk about the business of computer forensics.

My partner Rafael Gorgal and I started G-C Partners back in 2005. It's been 8 years and we've learned a lot in the process. I've seen other forensicators attempt to start their own independent labs over the years with various degrees of success, and thought it would help more of you to know what it takes to start, run and succeed at running a civil digital forensic laboratory.

1. Pre-Requirements for a successful lab 

Before you start a lab you should make sure that you actually are ready to do so. I've seen many a person go out and spend time and money putting out their sign without realizing what it takes to attract the business they need to succeed.

You will need at a minimum

a. At least one person who has already successfully testified as an expert witness in digital forensics


This is probably where I've seen the most problems for people trying to start new labs. You really, really need someone (preferably you to keep costs down) who has testified before to get civil expert witness work.

If you have been doing forensics work internally for a company for 15 years, that's great, but lawyers only want to put experts on the stand who have testified before. If this person is not you, or can't be you, that's OK. You need to find a partner who has testified to fulfill this requirement while you spend your time getting business, managing the lab and working with clients.

This is where law enforcement has an advantage: most LE investigators will testify long before their civil counterparts will in terms of years of experience. As such, it's more common to see part-time or retired law enforcement set up shop to offer services to the civil side.

If you only plan to take on IR work I would still encourage you to find a testifying expert to work with, as it will make the law firms that your IR client retains more comfortable with your work product. In the end there may never be a lawsuit against the attacker you detected, but the people whose data was breached may sue and the IR team may have to testify.

b. The ability to qualify for whatever licensing is required in your state/country


You may have a disagreement with licensing for digital forensics, but for those of you who live in a country/state with such restrictions it's something you have to do. Take the time to research the requirements for your country/state and find out what's needed. For instance, in Texas you have to become a licensed PI company, but the PI manager's qualifications make no provision for experience as an examiner. Instead they want someone who has either

i. Been a PI manager for another company for 3 years
ii. Has a degree in criminal justice
iii. Has taken a course to earn a certificate of competency as a PI manager

Point iii didn't exist until a couple of years after the law was changed, so many existing labs had to pay existing PI managers to 'manage' their company until they had the requisite number of years managing a licensed PI company so they could take the manager's test. The manager's test, BTW, contains 0 questions about forensics.

c. Enough cash reserves to last three months without payment


When you first start out and you are working your first cases you'll be quite excited when you submit your first invoices. You'll be very sad when they don't get paid within 30 days. When you are a new vendor to a large company you will first have to be placed into the accounting system for payment, and then your invoice will sit for the requisite waiting period they established before they will mail out a check.

When all your clients are new you should expect that it will take two months to get paid for your first month's work (if you are lucky enough to get work your first month). With that in mind, make sure you have enough cash in the bank for the following:

i. Your expenses
ii. Business insurance
iii. Office expenses, unless you are going to work from home (which is just fine)
iv. Taxes
v. Expenses for travel and hard drives

If at the start of the 3rd month you have no business or your bills are still being questioned, and you don't have enough cash saved to go beyond 3 months, it's time to go look for another job!

d. Enough prior exposure to local law firms and companies for word of mouth to build


This is important and only really understood by those who get the work already. When a lawyer looks to hire an expert witness they don't just go to Google and search for 'expert witness'. They call other lawyers in their law firm and their lawyer friends and ask who they used and are happy with.

Word of mouth is what civil forensic labs live and die off of. No matter how much money you spend on marketing, ad words, websites, cards, logos, flyers, brochures or super special deals on your services, it won't matter if someone else has not already used you and liked you.

There is a considerable amount of risk involved for a lawyer picking the expert witness. If you can't produce a good report and provide good testimony then their case will suffer. Worse, if your findings are proven to be incorrect or you are disqualified as an expert, they will look to their clients as if they didn't do their job right, possibly leading to lawsuits against the lawyer and you for negligence.

So understand and respect this requirement; you can't change it. I don't know how IR work is gained, but I will tell you that civil expert witness work comes from the outside law firm no matter how many good friends you have working within a company who recommend you to in-house legal.

e. Licensed copies of your preferred tools


Please, please, please don't ever use pirated software in your work as a testifying expert. If you are going for a full open source shop that's great, but never use pirated software. If it comes out in testimony that you don't have a license for the software you used to generate the results, it will not reflect well on your testimony.


I think that's enough for this post. I'll be writing more about this topic as the blog moves forward to give me a variety of topics to discuss. I hope my past experience is helpful to you and will lead you to future success. We need more independent labs out there; every case needs at least two experts!