Skip to main content

Mind Your Own DF/IR Business


 

April 1, 2025


Mind Your Own DF/IR Business


"It is not from the benevolence of the butcher, the brewer, or the baker that we expect our dinner, but from their regard to their own interest."


-Adam Smith

The Wealth of Nations




I read a lot of your posts.  Yes, yours. Virtually all of you in DF/IR, in the practice both in and outside of law enforcement.  A bunch of you in professional litigation support and incident response services.  Those of you who run, operate and work with digital forensic teams across the US and across the World.  I read the posts about the psychological toll that DF/IR work can take on a person.  I read the posts about the new artifacts that are discovered in iOS.  I read the deep-dives into location data and SEGB files.  I read the success stories about those who conduct child exploitation investigations and their successes in rescuing children and bringing monsters to justice.  I read the laments over current events, potential personnel and budget cuts, challenges faced regarding new technologies and the creative ways some of you overcome the adversities sent your way.  And, of course, the conference updates.


I comment on selected posts as well.  Most often, my comments are not to be argumentative, rather to express an agreement or opposing viewpoint, sometimes one that hasn’t been considered in the original post (OP) or previous comments.  Sometimes this leads to well-meaning banter and debate, sometimes it devolves into “them vs. us” arguments, which, try as I might to avoid them, still happen regardless of intent.  Sometimes one can come to the conclusion that even professional social media is not the place for reasoned discourse.


But this article isn’t about what I read.  It’s about what I don’t read.  I don’t read about your budgets or how much funding you’re allotted for tools, equipment, training or personnel. I don’t read what your position’s salary dictates or the calculus that goes into those numbers.  I’m never privy to the time it takes to conduct the aforementioned research or dive into data types with which many of us may not be familiar, including the reverse-engineering and byte-level forensic work it takes to try and come up with some reasoned answers to the questions posed.  I don’t see the *INSERT BIG TOOL COMPANY* CEO post their revenue numbers or objective key results.  The most I ever see is some enterprising *usually* former law enforcement examiner who wants to start their own business and is announcing same, only over time to be likely bogged down by the overhead with conducting such a business.  I wrote about this a bit several years ago, but alas, some still try to do it, even though the landscape has become worse for the little guy, not better.


But I digress.  


Digital forensics and electronic legal discovery is a business, regardless of your industry.  And some of the points I brought out in a talk last year at the Techno Security East conference will be echoed and used to support why digital forensics is a business for ALL of us, not just those of us who have matriculated to the private sector in a traditional business environment.


Business Principles


Let’s start by distilling some very basic principles to define what a business should do, at a 30,000-foot level.  For the purposes of this discussion, we’ll define digital forensics as a professional services business, as opposed to other businesses that offer a product or consumer service.  Our business offerings are much more specialized and designed to help our “clients” achieve certain specific goals.


A professional services business should:


Be expertise-driven

Be client-centric

Be governed by high ethical standards

Have an intangible output

Use a time-based revenue model


Putting DF/IR aside, let’s cite at some examples of likely professional services most people engage in their lifetime.  Legal services, accounting services, engineering services and medical services all incorporate these basic characteristics at one level or another.  Digital forensics and/or Incident Response is no different.  


But I’m in law enforcement!  I don’t have any clients or use a time-based revenue model!   


Perhaps not in the strictest of terms, but let’s break down all of these characteristics and draw the corollary between both private sector and law enforcement DF/IR work.


Expertise-Driven


As discussed in previous iterations of this blog, there’s no doubt that DF/IR is expertise-driven across the board, regardless if in LE/GOV or private sector.  We invest a ton of time in training, certification, research, case work, etc. in order to hone this expertise.  Then, if we’re lucky, we get to teach others some of what we’ve garnered over the years of practice.  The challenge (as stated in the immediately preceding article) is that there are many people in the private AND public workforce arenas that think they can do forensics without the basic knowledge of how things work in digital forensics.  One of the most nonsensical answers to a question in asking about DF/IR evidence presentation in front of case stakeholders I’ve ever heard was, “The evidence speaks for itself!”  No, it doesn’t.  And if you think it does, you’re a button-pusher, not a forensic analyst.  


We have too many on the periphery who think they can just get a cert or take a class or see a webinar and then “do forensics”.  The expertise required to do our work at a professional services level worthy of the cost involved is vast, and some only purport to have it.  This a disturbing trend, but nowhere near as disturbing as the level of ignorance about this expertise on the part of our potential clientele.




Client-Centric


Our clients are our business.  Without them, we do not exist.  Without litigation we don’t exist as forensic examiners.  Without bad actors, we don’t exist as incident responders.  It’s a very symbiotic, albeit relatively brief, relationship.  Everything we do in every case we work must be in furtherance of accomplishing the goals set forth by our clients.  


In the private sector, this direction is simple.  Or is it? Consider for a moment a criminal defense matter where the defense team either hires or has their own independent expert appointed.  Is the goal of analysis to “get the client off”.  Not at all.  The goal is to be the check-and-balance for the work that has been previously conducted to ensure it is thorough, correct, repeatable and helps prove (or disprove) the elements of the crime.  None of us want pedophiles roaming the streets or murders running loose.  We all just want the RIGHT people to go to prison for those offenses.  If reasonable doubt and/or procedural missteps are discovered in the case, perhaps there’s improvement to be made.  Perhaps you just have the wrong guy.  


For civil or corporate matters, it’s much the same.  Being client-centric does not mean we are paid to say what the client wants.  It means we are engaged to conduct a thorough analysis of the facts and the data to help us lead to a reasonable and believable conclusion.  Are there “hired guns” on the market who will inflate their own credentials and say whatever the client wants them to say?  Heck yea there are!  I run across them regularly.  But the standard-setters are in place to help separate the proverbial DF/IR wheat from the chaff.


And if you’re a law enforcement examiner, you’re still client-centric.  The biggest question becomes, WHO is your client?  It could be the murder victim or sexual assault complaining witness.  It could be the guy who owns the corner store that was robbed.  It could be the 5-year-old girl in the CSAM video series that was not previously identified or the child victim in your community.  Or it could even be your Sergeant/Lieutenant/Captain/Major/Chief/Sheriff.  For your sake, I really hope it’s NOT any of the latter, but if that’s what it takes, then so be it.  You have clients, and in fact, your clients may be some of the most vulnerable and easily targeted members of society who need the most help.  Your clientele is one of the largest responsibilities of your job.



Governed by High Ethical Standards


If you’ll harken back several paragraphs, I listed other types of professional services that are similar in these characteristics to DF/IR.  Among them, lawyers and medical professionals.  While the argument can be made for both of those categories that the ethical standards are loosely enforced, those in practice in these areas still have a duty to adhere to ethical standards.  The Hippocratic Oath states, “Above all, do no harm.”  This could also be applied to DF/IR, but add in addition to doing no harm, being complete, thorough and objective about your case work, your analysis and your findings.  


Ethics are the divining rod of any professional practice.  If those in practice are not urged (or even forced) to adhere to a standard of ethics, the practice will run rampant with the aforementioned button-pushers and self-appointed “experts” who will “make you a deal on your forensics!”  


Law enforcement has a code of ethics.  Every police recruit has likely had to stand up every morning of the police academy and recite it, much to their chagrin.  But the practice of DF/IR require a more specific and focused code of ethics.  A(nother) quick GrokAI search (as well as additional searches) reveals that while there are professional membership organizations within DF/IR that have their own code of ethics, there is no one governing body that has proposed, vetted and/or issued a Code of Ethics for the practice of DF/IR.  Color me surprised!  


Without a universal Code of Ethics, the foundation of our proverbial house may be somewhat shaky.




Have Intangible Output


Now, I know what you’re saying… We issue reports of our findings all the time!  In fact, I finished up two reports last week.  That’s tangible, right?


Well, in the business sense, “tangible” means a product that is generally the same or similar across the entire line of business and is produced regardless of the case-specific parameters.  Think about a motor vehicle manufacturer assembly line or a book publisher.  They all produce a tangible product every time an “order” is placed.  


We produce a tangible product when it’s requested, required by policy or law or is ordered by a judge.  Our product is virtually NEVER the same every time and frequently is not requested or required.  We also frequently issue findings (or production) verbally in consultation with one or more stakeholders in the case.  


This is what separates a professional service, like DF/IR, from other product-based services in terms of production.


Use a Time-Based Revenue Model


This final point is a little less tangible for many of our compatriots in LE/GOV service than it is for those of us in the private sector.  As a private sector provider of DF/IR services, particularly those involved in litigation and investigative support, we are somewhat bound by the billable hour.  Even in a flat-rate pricing scheme, it’s good practice to monitor an effective hourly rate to assess the status (ROI) of the flat rates.  Our billing schemes are much like the lawyer or expert witness medical doctor, only with much more overhead.  Between license fees, training, administrative costs, administrative overhead and other ancillary costs, they price of doing effective DF/IR work is high.  And those that don’t charge appropriately for it are doing the rest of the industry as disservice.


But how does this compute in the law enforcement or government practice of DF/IR?  Well, it sorta doesn’t. Sure, there are cases with high priority that require overtime and lots of labor and man-hours, but the volume *generally* isn’t anywhere near as high in the government space as it is in the private sector.  As long as no one’s life or safety is in danger, time is less of a consideration.  I can say this, because I’ve worked both the months-long cases and the ‘need it done yesterday’ cases in law enforcement.  Often, the government examiner’s time and priority is dictated by the “APE Case”, or Acute Political Emergency.  Regardless, I think it’s inaccurate to say your time and how much of it you spend on a case doesn’t matter.  It’s probably more accurate to say that it matters less than those of us who are bound by the billable hour and/or effective hourly rate. This is the consistent challenge I now see from our generation of LE/GOV examiners wanting to transition to the private sector.


All that said, none of us work for free.  My friends who are still in LE/Government like to chide me about our billable hourly rate as if I am paid that rate.  I get paid a salary, just like they do.  My income doesn’t increase because we get more cases or certainly not because I tell the end-client what they’d like to hear.  I don’t go home every night and use $100 bills for kindling to light my fire.  85-90% of the time, my findings are in line with theirs or opposing expert, if a civil case.  And people need our services, just like they need LE when bad people break the law.


We’re all here to make a living, do the best we can with what we have, improve ourselves, contribute to our collective industry in a positive way and *hopefully* come to a consensus on the truth and get it right most of the time.  


And isn’t that the best business model of all?



About the Author:

Patrick Siewert served 15 years in full-time law enforcement and investigated hundreds of high-tech crimes to precedent-setting results, Patrick is a graduate of SCERS & BCERT and is a court-certified expert witness in digital forensics, mobile forensics and historical cell site location analysis. He has published dozens of articles and is cited in numerous academic papers. He was the Founder & Principal Consultant of Pro Digital Forensic Consulting, based in Richmond, Virginia (USA) and currently serves as Director of Digital Forensics and E-Discovery for a Nationwide (US) provider of DF/IR and e-disco litigation support services, while keeping in touch with the public safety community as a Law Enforcement Instructor in multiple disciplines.

Email:  Patrick@ProDigital4n6.com

Patrick Siewert on LinkedIn:  https://www.linkedin.com/in/patrick-siewert-92513445/  

Patrick Siewert on X/Twitter : @RVA4n6

Patrick Siewert on Substack :  rva4n6.substack.com 

Pro Digital (old) blog site :  https://prodigital4n6.blogspot.com/ 

Labels

Labels:
Location: Virginia, USA

Popular posts from this blog

  January 1, 2025 What Is “The Philosophy of DF/IR” ? “If it is not right, do not do it, if it is not true, do not say it.” -Marcus Aurelius Welcome to the newest Digital Forensics/Incident Response blog (for now)!   I created this space for several reasons.   First, I have a passion for writing about our industry and the nuances that reside within it and come about because of our practice of forensic data analysis.   The intersection of data, evidence and the law is a fascinating thread on which to pull and the more we pull on it, the more we unravel the tapestry of our practice and work to hone and refine how we conduct our work.   Second, I have been inspired lately by the likes of Brett Shavers (DFIR Training) and others to continue writing.   For those of you who are not already familiar, I wrote a DF blog for my company, Pro Digital Forensic Consulting, before the company and I were acquired by a Nationwide Digital Forensic services provider.   ...
Read more

Effective Advanced Communication in DF/IR

  January 12, 2025 Effective Advanced Communication in DF/IR “Nothing important comes into being overnight; even grapes or figs need time to ripen.” -Epictetus As my bio and LinkedIn page relay, I teach a lot.   One of those teaching roles is as an Adjunct Professor in the Department of Forensic Science teaching an Intro to Digital Forensics course at Virginia Commonwealth University , which also happens to be my Alma Mater.   I teach one semester per year, which, when combined with a list of other responsibilities, is quite enough. For those of you who teach, you know that most semesters start off with excitement and energy and by the time the 15 or 16-week course starts to wind down, it can be a bit of a grind.   Even teaching once a week for 3 hours is grueling at times, especially with regard to assignments, grading, testing, etc… Oh, and FT work too!   Teaching at VCU is also one of the most rewarding roles I fill.   Not only does it help keep me up-to...
Read more

The Pyramid of DF/IR Expertise

The Pyramid of DF/IR Expertise "First say to yourself what you would be; and then do what you have to do." -Epictetus I woke up one day and realized I’m an Executive at a Nationwide Digital Forensic & E-Discovery professional services firm.   How did that happen?   I also woke up one day and realized I have 25 years in the justice system.   If I’d stayed in law enforcement, I could retire this year.   All of these things are simultaneously shocking and sobering.   They cause one to really reflect on the steps that it took to get them to where they have arrived.   It also causes one to take inventor of all of the opportunities, successes, mistakes, failures, training, experience, case work and daily practice – both mental and practical – that go into building a body of work.   It also makes one feel old all of a sudden, but “old(er)” doesn’t have to equal bad, as I’ve come to learn. But how does one get to this point?   As many of my colleagues...
Read more