Digital Investigative
Services
February 2013
Digital Investigative Services
Table of Contents
Table of Contents
i
1
Introduction
1
1.1
Digital Investigative Services
1
2
Scope
3
3
Collaborative Approach
3
3.1
Tools Used
4
3.2
Qualifications and Accreditation
4
4
Description of Services
4
4.1
Digital Forensic Investigation in the Cloud
4
4.1.1
Incident Response
5
4.1.2
Investigation Service
6
4.1.3
Computer and digital media Investigations
7
4.1.4
Mal-ware Analysis
8
4.1.5
e-Discovery & Litigation Collection
8
4.1.6
Data Recovery & Preservation
8
4.2
Forensic Readiness Plan
4.3
Forensic Training
10
5
Deliverables
11
6
Resource Estimate and Pricing
11
Disclaimer
9
12
This document is subject to the conditions in the Disclaimer © CSC Computer Sciences Limited. All Rights Reserved.
COMMERCIAL IN CONFIDENCE
i
Digital Investigative Services
1 Introduction
Operating in a dynamic environment, organizations need to protect vital assets and
capitalize on investments as new threats arise and new technologies become available.
Cloud Computing is a new and evolving model of how organisations buy and consume IT
that can bring game changing opportunities. It involves enabling the assembly of a complete
set of business/IT capabilities that can be accessed on demand, are available around the
clock, and can be scaled up or down as needed - in real time. It is very different from the
capital-intensive information technology industry that we have become accustomed to and
offers many potential benefits. Equally, it introduces new challenges in terms of data security
management.
The need for digital forensic and investigative services by Corporate Legal Counsel, Human
Resources and IT departments, has burgeoned over the past few decades and shows no
signs of decreasing. The manner in which business is being conducted around the world is
changing rapidly. New information technologies such as social networking, cloud computing
and VOIP not only lead to greater connectivity between people and organisations but also
create a greater reliance on technology. Just about anybody can share, access, and
disseminate information in unlimited volume, and organisations have come to depend on it.
In fact, it is enormously empowering.
At the same time, the workforce has become
increasingly mobile and the ubiquity of high-speed internet access, smart mobile devices
and portable storage means that "the office" can be anywhere.
The advent of this dependence on information technology within sectors such as
Government, retail and finance lends itself to greater potential exposure by criminals or
intentional/accidental security incidents. New vulnerabilities are being exploited with recent
media exposure highlighting high profile unauthorised attacks on organisations from a
variety of sectors such as Sony, Nintendo, PayPal and the Serious and Organised Crime
Agency based in Great Britain. Recent information security breach reports by PWC and
Verizon report the number and cost of security incidents is rising fast across the world, with
all sizes of organisations being targeted.
The CSC Digital Investigative Service (DIS) provides the variety of skills and expertise
needed to meet the unique challenges of your organisation’s digital forensic and
investigative requirements. Investigation services are provided which cover the entire
Information Security Lifecycle and add immediate business value by improving the
customer’s ability to respond and deal with security incidents and breaches and helping
them reduce their exposure to security incident based risk.
Our team of digital investigators and technical personnel are security cleared to the highest
levels and hugely experienced within the field of digital security. The team is a combination
of individuals who are recognised industry leaders within their skill sets, and those who have
created and managed Hi-Tech Crime units within Police Forces and the commercial sector
With nearly 100 years of combined investigative experience, along with a heritage of
delivering consistent, reliable security services worldwide, the CSC team can help clients
protect and track valuable assets, minimize and manage risk, and maximize business
results.
1.1
DIGITAL INVESTIGATIVE SERVICES
This document provides description for the range of investigation and consulting services
available from the CSC Digital Investigative Service:
This document is subject to the conditions in the Disclaimer © CSC Computer Sciences Limited. All Rights Reserved.
COMMERCIAL IN CONFIDENCE
1
Digital Investigative Services

Digital Forensic Investigations in the Cloud
o Cloud Computing digital investigation that deals with the challenges of the
Cloud environment, such as obtaining and analysing residual evidential
artefacts from cloud usage. CSC has identified and created investigative
procedures in relation to Cloud Computing Digital Investigations that, in
working with the customer and cloud service provider (CSP), can seek to
overcome many of the issues arising from use of such technology.
This new field of Cloud Computing Digital Investigation is supported by CSC’s range of
established digital investigative solutions and services:






Incident Response
o Incident Response provides specialised and confidential assistance to clients
in the event of unexpected or unauthorised high-tech activity to help restore
normal or proper operation of a compromised system while also deploying
forensic techniques to assist in identifying and gathering information that will
help to ascertain the nature and origins of the attack.
Investigative Services
o This service is designed to provide the customer with a full IT investigation
capability using appropriate experts in gathering digital and other forms of
evidence from a range of digital sources. Results of the work undertaken will
be provided in an acceptable form, written and digital, that will allow
admission to all forms of tribunal.
Computer and digital media investigations
o Investigations into a wide range of digital sources (computer systems, mobile
phones, removable media) to document, seize, and analyse media suspected
of unauthorised usage.
Mal-ware Analysis
o Examination of recovered malicious code to understand its behaviour and
intended actions, as well as its origin and those involved in its creation.
e-Discovery & Litigation Collection
o Service to support litigation actions and minimise subsequent e-Discovery
processing costs, for example to ensure integrity and quality of data collected
from forensic investigation for legal proceedings.
Data Recovery & Preservation
o Provided to clients who have suffered a catastrophic event resulting in the
loss of critical data. This may include the recovery of data lost as the result of
intentional or unintentional deletion or other destructive act, or collection and
preservation of specific data for future use.
In addition, non-investigative consulting services are also available:


Forensic Readiness Plan
o Support to develop and implement Service Improvement and Forensic
Readiness plans to ensure that organisations have procedures and
mechanisms in place to maximise their potential to use digital evidence whilst
minimising disruption and cost to the business from information security
incidents.
Forensic Training
o Training courses for forensic awareness, incident response, and basic digital
investigation, tailored to organisation needs.
This document is subject to the conditions in the Disclaimer © CSC Computer Sciences Limited. All Rights Reserved.
COMMERCIAL IN CONFIDENCE
2
Digital Investigative Services
2 Scope
As part of our comprehensive portfolio of Security Solutions, Digital Investigative
Services provide high quality, cost-effective digital forensic analysis, data collection,
recovery and preservation, and security incident response capabilities, as well as a variety of
other digital media-based investigative and consulting services to clients around the world.
Our Consultancy services include Forensic Readiness audits and assessments, the
development of Forensic Readiness plans, and the delivery of training in many aspects of
digital forensics.
Incident Response provides specialised and confidential assistance to clients in the event of
unexpected or unauthorised high-tech activity in any location. The service can also be
provided on a 24 x 7 basis.
The Investigation service is designed to provide the customer with a full IT investigation
capability using appropriate experts in gathering digital and other forms of evidence.
Our Digital Investigative Service Team has professionals who have a wide variety of skill
sets within the technical and legal field of digital investigations and these include but are not
confined to the following:









Computer forensics covering a wide variety of operating systems and hardware;
Mobile Phone Forensics (including smart phones);
Cloud Based Digital Investigations;
Live forensic analysis;
Network forensics including log file analysis;
Memory analysis;
Security Breach Analysis;
Automated Vulnerability assessments;
Intrusion Detection Systems;
Data Recovery.
Our Digital Investigative Services professionals have the training and skills needed to assure
success, and their results stand strong under the scrutiny of legal process.
3 Collaborative Approach
Our approach to security is business driven, focusing on the key aspects of your business to
provide only the services that you require. Mutual cooperation permits us to offer a unique,
legally defensible strategy for rapidly providing incident response support and digital datarelated investigations using proven and forensically sound tools and best practice
procedures.
We work in close liaison with our clients helping them to prepare for possible security
incidents, advising them on the latest mandated legislation or regulation and helping them to
investigate the latest types of malicious external or internal incidents.
Selecting on-demand, or one of three levels of guaranteed response service, can help to
assure 24 x7 peace of mind 365 days a year. Performed either on-site or at CSC’s computer
forensic laboratory, services are highly customizable in order to accommodate specific
customer requirements and ensure that precise needs are met with the highest quality
This document is subject to the conditions in the Disclaimer © CSC Computer Sciences Limited. All Rights Reserved.
COMMERCIAL IN CONFIDENCE
3
Digital Investigative Services
support available. Working collaboratively with your information security professionals, we
will identify the components necessary to craft a solution that integrates seamlessly with
your existing security architecture.
3.1
TOOLS USED
Examples of the computer forensic and analytical software used during an investigation and
analysis, includes:












3.2
Guidance Software Encase Forensic Edition;
Guidance Software Encase Enterprise;
Access Data Forensic Toolkit (FTK);
X-Ways;
New Technologies Inc. Utilities;
Digital Detective NetAnalysis;
WinHex Professional Edition;
Foundstone Tools Suites;
Sysinternals Utilities;
WireShark;
dcflDD;
Helix.
QUALIFICATIONS AND ACCREDITATION
The team holds qualifications and accreditations in all of the recognised industry bodies
including:




British Computer Society (BCS);
Institute of Engineering and Technology (IET);
Certified Information Systems Security Professional (CISSP);
Chartered IT Professional (CITP).
Vendor specific training courses include Guidance Software’s EnCase, Accessdata Forensic
Toolkit, including the advanced specialist modules for both vendors, plus numerous other
computer and mobile phone forensic courses.
4 Description of Services
4.1
DIGITAL FORENSIC INVESTIGATION IN THE CLOUD
The advent of cloud computing services available has presented a number of challenges to
the Digital Forensic Investigator as increasingly users are progressively changing the
manner in which they create and store data.
According to NIST, Cloud Computing is a ‘model for enabling convenient, on-demand
network access to a shared pool of configurable computing resources (e.g. networks,
servers, storage, applications and services) that can be rapidly provisioned and released
with minimal effort or service provider interaction’.
Whilst Cloud Computing has numerous security benefits for companies, in respect to digital
forensic examinations the loss of control caused by these environments presents a huge
challenge ranging from security, compliance, and deployment through to how an
investigation within such an environment can be processed.
This document is subject to the conditions in the Disclaimer © CSC Computer Sciences Limited. All Rights Reserved.
COMMERCIAL IN CONFIDENCE
4
Digital Investigative Services
CSC Digital Investigative Personnel have identified key challenges when dealing with
investigations in the cloud, such as whether and what cloud services have been used, what
artefacts remain as a result of that usage, how data has been stored and how it can be
obtained and analysed in an evidentially sound manner.
In providing a digital investigation service to a customer, CSC has identified and created
investigative procedures in relation to Cloud Computing Digital Investigations that, in working
with the customer and cloud service provider (CSP), can seek to overcome many of the
issues arising from use of such technology. CSC will use their digital investigative expertise
and experience to obtain the best possible evidence from a variety of sources such as:





Client Side Analysis (traditional digital media analysis such as computers/smart
phones where the device is switched off);
Client Side Analysis (live forensics analysis allowing for memory analysis, mounted
encrypted volume examination etc);
Server CSP Side Analysis (depending on the co-operation of the CSP including any
legislative and jurisdictional issues, details of any logs, records and other evidential
data stored and made available to the investigator);
Network Traffic Analysis (with appropriate consideration of legal authorisation such
as RIPA 200 and DPA 1998, monitoring of communications between the client and
the CSP);
Application Programming interface (API) Analysis would enable the capture of data in
the form of a set of commands used by the customer to interact with the cloud
service.
Digital Investigations in the cloud is a relatively new and evolving concept, customers have
to accept that evidential artefacts may be unreliable or incomplete. However, by using the
CSC Digital Investigation Service, the customer can be re-assured that it is combining the
very latest in technical and investigative expertise.
CSC’s Digital Investigation in the Cloud service is supported and complimented by our large
range of established digital investigative services:
4.1.1
Incident Response
Incident Response provides specialised and confidential assistance to clients in the event of
unexpected or unauthorised high-tech activity in any location and at any time. The service
can also be provided on a 24 x 7 basis.
The service provided is specifically targeted towards assisting the customer in restoring
normal or proper operation of a compromised system while also deploying forensic
techniques to assist in identifying and gathering information that will help to ascertain the
nature and origins of the attack. The output from an incident response team can be passed
to either an internal or external investigator.
Incident response would, in the first instance, address issues such as:







Computer system attacks/intrusions;
Unauthorised access to, manipulation, or deletion of any information;
Unauthorised system activity (i.e. breaches of an acceptable usage policy);
Theft or Fraud involving digital devices;
Malware or virus infections;
Systems failure;
Data corruption;
This document is subject to the conditions in the Disclaimer © CSC Computer Sciences Limited. All Rights Reserved.
COMMERCIAL IN CONFIDENCE
5
Digital Investigative Services

Data Protection or breaches of an acceptable use policy.
The service may be offered as a standalone service, being deployed after an event has
occurred, or on a retained basis:



Involves the receipt, triage and response to computer related incidents, and their
subsequent analysis and mitigation;
Identifies the scope of the incident, the extent of the damage caused, and the
available response strategies and workarounds;
Typical activities include:
o Determination of intruder activity on system components;
o Filtering of network traffic;
o Executing actions to protect systems and networks;
o Providing mitigation solutions and strategies;
o Evidence collection;
o Digital media analysis of involved systems;
Incident analysis identifies the scope of the incident, the extent of the damage caused, and
the available response strategies and workarounds. This analysis may include vulnerability
and/or artefact analysis in order to correlate the events associated with the incident and
develop a response strategy.
Forensic evidence collection is commonly a part of incident response and includes the
collection, preservation and documentation of evidence from compromised or otherwise
suspect computer systems. Forensic analysis of this evidence is used to determine changes
to the systems and to reconstruct the chain of events leading to the incident and its
discovery.
These services may be provided in a direct, on-site capacity in support of an ongoing
incident, in an off-site as-needed basis, or both depending on client needs.
4.1.2
Investigation Service
This service is designed to provide the customer with a full IT investigation capability using
appropriate experts in gathering digital and other forms of evidence.
The service can be delivered in a number of ways:

On-site (customer or nominated) investigation of systems and networks in support of
a customer led investigation. This may include assisting with the execution of court
orders, search & seizure, system imaging and live network examination. It may be
conducted in an overt or covert manner, as appropriate;

Off-site (CSC) investigation of systems and networks in support of a customer
investigation. This would normally be the case when the customer deposits the
relevant material at the CSC laboratory for examination;

Full investigation on behalf of the customer. This can include on-site attendance,
evidence identification, witness interviews, system imaging and live network
examination and full case investigation & analysis.
As part of these investigations we have the capability to examine and analyse a number of
digital sources including, but not limited to:

Computer Systems inc. Networks, Servers, Firewalls, Routers and PC's - In order to
identify documentation and other evidence in support of the case at hand. This can
include the recovery of deleted documents and other data (such as e-mail);
This document is subject to the conditions in the Disclaimer © CSC Computer Sciences Limited. All Rights Reserved.
COMMERCIAL IN CONFIDENCE
6
Digital Investigative Services

Personal Digital Assistants - The recovery of data stored within a PDA whether it is
documentary or databases containing personal information, or indeed other
Internet/email activity that may assist the case under investigation;

Mobile phone technology - Recovery of data held on mobile phones that may give an
indication of the usage of that phone;

Removable Media - Computer disks, removable drives and memory expansion cards;

Embedded systems such as media centres and Network Attached Storage;

Reconstruction of RAID for data recovery and or forensic analysis;

Encryption.
These investigations are carried out within the confines of all appropriate legislation, policy
and guidelines including Data Protection Act, Human Rights Act, Regulation of Investigatory
Powers Act, Association of Chief Police Officers Guide to Computer Based Evidence and
EMEA-wide legislation.
These services will deliver the results of the work undertaken in an acceptable form, written
and digital, that will allow admission to all forms of tribunal.
The team will also be available on a 24x7 call out scheme, which will provide clients with the
ability to make use of the skill sets in the event of an emergency incident response.
4.1.3
Computer and digital media Investigations
As part of these investigations the unit has the capability to examine a wide and diverse
range of digital sources including, but not limited to:



Computer Systems – such as networks, servers, firewalls, PCs and routers.
Information such as Internet history, encrypted files and deleted data including emails
can be recovered;
Mobile Phones – iPhones, Blackberry and Android mobile phones can be analysed to
give a client records of data usage, contacts and email activity;
Removable Media – removable hard disk drives, USB storage devices and memory
cards;
These investigations are carried out within the confines of all appropriate legislation, policy
and guidelines and all services will deliver the results in an acceptable form, written or digital
that will allow admission to all forms of tribunal or court.
Using proven, forensically sound techniques, procedures and tools to document, seize and
analyse electronic media suspected in an incident such as:
o
o
o
o
o
o
Unauthorized Access;
Inappropriate Use;
Intellectual Property Disputes;
E-Espionage;
Data theft, and
Pornography.
This document is subject to the conditions in the Disclaimer © CSC Computer Sciences Limited. All Rights Reserved.
COMMERCIAL IN CONFIDENCE
7
Digital Investigative Services
4.1.4


4.1.5




4.1.6










Mal-ware Analysis
Involves the examination of recovered malicious code in an effort to understand its
behaviour and intended actions, as well as its origin and those involved in its
creation.
May involve
o Static Analysis - the deconstruction and examination of the physical
components of the malicious software without execution of the code. Code
dis-assemblers, de-compilers, and source code analyzers; as well as, other
forensic and system utilities; are commonly used during static analysis;
o Dynamic Analysis - the actual execution of the malicious code in a controlled
environment to determine its affects on its surroundings. De-buggers, function
call tracers, machine emulators, logic analyzers, and network sniffers are
commonly used in this process.
e-Discovery & Litigation Collection
Founded in sound computer forensic techniques that ensure the integrity of data
collected and the admissibility of findings in court.
Expertise and knowledge to facilitate litigation efforts and to minimize subsequent eDiscovery processing costs
On-site imaging and collection of a custodian computer data and other related media
Processing and filtering of data using counsel provided criteria to identify and
produce only litigation-relevant data
o File Type;
o Date Range;
o Keywords;
o Device level de-duplication;
o Removal of 'Known' files;
Data Recovery & Preservation
Data recovery services provided as a service to those clients who have suffered a
catastrophic event resulting in the loss of critical data.
Services may include the recovery of data lost as the result of intentional or
unintentional deletion or other destructive act.
Collection and preservation of specific data for future use, such as the imaging and
archiving of departing employee's digital media, is also available.
Data recovery and preservation may be a sub component of other services provided
Investigations and analysis are conducted using industry standard methodologies
and procedures
Personnel follow NIST recommended investigative cycle of
o Preparation;
o Preservation;
o Duplication;
o Analysis;
o Reporting;
Proven, court-admissible procedures and best practices are utilized to document,
seize, and analyze electronic media;
Accurate and unbiased analysis and reporting is provided for every investigation;
All results of investigations are reported in a technically accurate manner without
editorial comment. Opinions are given as necessary to help reach a conclusion and
are always based on the facts of the evidence and the expertise of the examiner;
All investigations and analysis are guided by publications such as:
This document is subject to the conditions in the Disclaimer © CSC Computer Sciences Limited. All Rights Reserved.
COMMERCIAL IN CONFIDENCE
8
Digital Investigative Services
o
o
o
o
National Institute of Standards and Technology SP800-86 "Guide to
integrating Forensic Techniques into Incident Response";
Carnegie Mellon Software Engineering Institute "Handbook for Computer
Security Incident Response Teams (CSIRTs)";
Carnegie Mellon Software Engineering Institute "First Responder's Guide to
Computer Forensics";
Department of Justice Guidelines for Searching and Seizing Computers.
CSC’s DIS team also provides non-investigative, consulting services:
4.2
FORENSIC READINESS PLAN
Forensic Readiness (FR) could be defined as the ability of an organisation to maximise its
potential to use digital evidence whilst minimising disruption and cost to the business.
All of Her Majesty’s Government (HMG) departments are mandated to have a Forensic
Readiness (FR) policy in place (by 2010) in order to comply with the Security Policy
Framework (SPF). Additionally, any partners to HMG Departments may be required to have
an FR policy in place; these include organisations making up the Critical National
Infrastructure, the National Health Service and Local Government.
Organisations falling outside of this mandate should adopt FR as a matter of good practice
for the potential benefits it can afford aspects of their business, such as:












To minimise the impact of information security incidents;
To support legal defences and commercial disputes;
To support claims to Intellectual Property Rights;
To demonstrate due diligence and good corporate governance;
The verification of terms in transactions;
To support employee sanctions, for example in the case of breach of Acceptable Use
Policies;
To act as a deterrent to the insider threat;
To show that regulatory requirements have been met, as in the case of the HMG
SPF, for example;
To add value to existing business processes and leverage Incident Response,
Business Continuity (BC) and Crime Prevention;
The reduced cost and time for internal investigations;
If an incident were to take place there would be minimum disruption as well as a linkin to BC plans;
The extension of Information Security to the wider threat from cybercrime.
Following a computer security incident, the focus of businesses, particularly larger ones, is
damage limitation and the need to recover to normal operations as soon as possible. This
can lead to digital evidence being destroyed, diminished or ignored. Additionally, it may not
always be possible to gauge the severity of an incident at the moment of discovery. The
frantic restoration of IT systems and processes can destroy digital evidence, which could be
crucial to legal proceedings at a later stage. Indeed, even if the incident does not lead to
legal proceedings, a Company’s image and reputation can be adversely affected if a suitable
explanation of the cause and effect of the incident cannot be provided – the same causes
This document is subject to the conditions in the Disclaimer © CSC Computer Sciences Limited. All Rights Reserved.
COMMERCIAL IN CONFIDENCE
9
Digital Investigative Services
and effects that could be identified by the analysis of the very digital evidence that was so
quickly destroyed.
A Company without a coherent FR policy in place that suffers a computer security incident
must also look to its obligations under due diligence as well as corporate governance.
The containment, eradication and recovery from an incident must not be standalone factors.
Forensic investigations and digital evidence gathering need to be considered as there is no
telling how an incident will develop. That said, retrieving the evidence forensically and the
subsequent investigation can be time consuming and costly - factors which cannot be
ignored by businesses. The alternative is to call in an Incident Response Team post event,
where business and IT processes could be significantly disrupted whilst evidence is secured
and analysed.
A coherent and focussed FR plan should minimise both the disruption and the cost, whilst
assuring collection of the best possible digital evidence at all stages.
CSC DIS is able to offer a tailor-made, scalable Forensic Readiness service ranging from
initial assessments to comprehensive solutions incorporating incident response and postevent analysis and investigation.
CSC can advise and help implement a Forensic Readiness plan for an organisation. In order
to do this CSC can assist in performing the following steps:
Identify potential sources and different types of available evidence within an
organisation;

Decide which crimes and disputes are of concern to an organisation to determine the
evidential requirement;

Set up a policy for the secure storage and handling of evidential information;

Specify the circumstances when an investigation is required;

Achieve compliance to mandatory security & industry requirements;

Ensure processes and procedures are in place to deal with a security incident when it
occurs ;

Carry out Forensic Readiness audit.
The output from this service would be a Service Improvement Plan and Forensic Readiness
policy that is complimentary to the other security operating procedures and document sets
that an organisation may have.
4.3
FORENSIC TRAINING
Training courses can be tailored towards requirements. They can include:
Forensic Readiness Awareness – appropriate for individuals within an organisation who
perform a role which may impact evidential data.
First Responder Training – appropriate for individuals within an organisation identified as
those who would be the first to react to an event/incident to ensure that materials are
secured.
This document is subject to the conditions in the Disclaimer © CSC Computer Sciences Limited. All Rights Reserved.
COMMERCIAL IN CONFIDENCE
10
Digital Investigative Services
Basic Investigation Training – training on how to initiate a basic investigation and identify
when incident escalation is required.
5 Deliverables
During the course of the investigation, CSC’s trained personnel will provide the client with
the following:








“Due-diligence” conference calls with principals in the client's organisation;
Rough Order of Magnitude (ROM) estimate of the costs, level of effort and projected
schedule for the work to be done;
Advice, support via telephone, e-mail or on-site depending upon the severity of the
incident;
Requestor has the sole authorization to extend or terminate further analysis;
Preliminary investigation to determine the extent of the incident. If necessary, seize
the systems to enable CSC to take control of the systems for further evaluation;
*Targeted preliminary investigation to determine the extent of the incident. This will
establish the incident-specific “security posture baseline” post security event;
*Informal Immediate Needs Reports (INRs) that will outline the nature of the
weakness and the potential loss exposure and provide recommended short- and
long-term solutions to the problem;
Summary report of the event and work performed by CSC.
A written Report of Findings will be provided at the conclusion of the engagement. The
report will consist of an investigative summary including the scope of support requested by
the client, the actual computer forensic/investigative support provided, a detailed description
of all analytical findings and any other data recovered from the suspect device(s) relevant to
the Request for Service and/or required to provide clarity to the Report of Findings. When it
is necessary to draw conclusions as a part of the Request for Service, all conclusions
provided will be based on information discovered as part of the investigation/analysis and
the experience of the investigator/analyst.
In a litigation support or electronic discovery engagement, the deliverable will likely also
include the actual data collected (e-mail and electronic documents) in a format requested by
the client.
6 Resource Estimate and Pricing
All engagements are provided on a time and material basis. Engagements are bespoke
depending on the nature of the incident or services required. Cost estimate will be provided
based on an agreed scope with the customer for each bespoke engagement. Please refer to
the standard CSC rate card for consultant daily rates.
The table below provides illustrative examples of duration and cost for a variety of
engagements:
This document is subject to the conditions in the Disclaimer © CSC Computer Sciences Limited. All Rights Reserved.
COMMERCIAL IN CONFIDENCE
11
Digital Investigative Services
Engagement Type
Duration/days Day rate
Total Cost
Forensic Readiness Assessment
20
£1,018.77
£20,375
Average Incident Response Investigation #
3-7
£704.89 £2115 - £4934
Average Cloud Forensic Investigation #
3-7
£704.89 £2115 - £4934
Computer Forensic Investigation #
3
£565.95
£1,698
Mobile Phone Forensic Investigation #
1
£565.95
£566
Forensic Readiness Awareness Training *
1
£704.89
£705
First Responder Training *
2
£704.89
£1,410
Basic Investigator Training *
3
£704.89
£2,115
# Based a simple, single incident (such as security breach, theft, virus outbreak, or
unauthorised use)
* Based on a single class for 4-6 people
Disclaimer
This document has been prepared by CSC Computer Sciences Corporation Limited (“CSC”).
The contents of this document and any ancillary materials provided by CSC are
commercially sensitive and confidential, and, unless agreed in writing by CSC, may not be or
copied or communicated in whole or in part to any other party except for the sole purpose of
evaluation by the client.
CSC has prepared this document in good faith based on information made available to it by
the client and CSC reserves the right to make amendments and correct any errors that are
identified.
This document is provided subject to agreement on a mutually acceptable written contract.
Except as agreed in such a contract, nothing in this document or in any related discussions
or correspondence should be construed as an offer or representation that should be relied
upon.
This notice and the following legend apply to this document and must be reproduced on any
copies:
Copyright © 2011 CSC Computer Sciences Corporation Limited All rights reserved.
Any request for further information concerning this document should be addressed to:
Royal Pavilion,
Wellesley Road,
Aldershot,
Hampshire,
GU11 1PZ
CSC Computer Sciences Limited is registered in England under number 963578,
registered office Royal Pavilion, Wellesley Road, Aldershot, Hampshire, GU11 1PZ
This document is subject to the conditions in the Disclaimer © CSC Computer Sciences Limited. All Rights Reserved.
COMMERCIAL IN CONFIDENCE
12