Protect your small firm from being fleeced by a Computer Forensics Expert

By Jon Berryhill

Small firms and solo practitioners need to protect clients from being fleeced by unqualified or unscrupulous individuals selling their services as computer forensics experts. In a recent example that illustrates this, the author was brought into a case in which opposing counsel retained a computer forensics expert. After the forensic work was complete, questions immediately began to surface regarding the quality of the work completed versus the cost incurred.

After a brief investigation into the eDiscovery work done by opposing counsel’s expert, some rather alarming issues were discovered: exaggerated fees and hours per task, unsupported conclusions, and “expert” opinions not supported by the facts. Ultimately, this expert billed $87,000, a shocking figure inflated 10-20 times above industry norms.

Opposing counsel’s computer forensics company assigned and billed for three analysts who drove nearly 500 miles with their equipment, and spent two days working at the defendant’s office. These analysts imaged hard drives from 14 computers, which were of typical size, and one server with two small hard drives. In terms of scope of work, this was a relatively small amount of work. A single analyst could have easily completed this task in less time. Unfortunately, this computer forensic company billed $87,000 for close to 200 hours of work.

Normally, counsel for defense wouldn't care about the other side being fleeced. This case was an exception, as the plaintiff’s attorney filed a cost-shifting claim. The author was brought in to examine the work that had been done, the other company’s practices, and the billing. As part of the investigation into their work, he made two specific requests to the plaintiff’s expert:

  • Cost for listing of image files. The cost to provide a listing of the image files created during the acquisition process. Creating this directory listing is a very simple process that takes only minutes, requiring no analysis.
  • Estimate of cost for a duplicate set of image files. An estimate of the cost for a duplicate set of the image files, which were on six 250-gigabyte hard drives. This would require around $1000 of hardware and minimal labor fees to simply copy the contents from one hard drive to another.

Opposing counsel’s expert responded that to create the directory listings would cost just over $10,000, and the duplication of the six hard drives over $67,000. In addition to these outrageous cost estimates, they submitted an additional bill for over $1000 for their work to produce the cost estimates. This whole case has proven to be rather bizarre, and quite draining on the small firm representing the defense.

When You Sense Something Is Wrong

If you begin to suspect that a computer forensics company is unscrupulous or unethical, you need to stop pouring money down the drain. To do this, issue a stop work order immediately. The company will very quickly send a bill for work completed to date. If severing a relationship with a computer forensics company, request all materials be turned over immediately, which in this particular case would be the hard drives containing the image file sets. Small firms need to have a buyer-beware approach. Get to know the expert before hiring their company, and do the appropriate homework to protect your small firm and your clients.

Dig a Little Deeper

References can be a great resource when investigating computer forensics experts. While there are reputable experts, some may exaggerate their credentials. Some may provide historical client lists, but none of these clients are willing to accept your call. When asking for a reference list, make sure it is a list of people willing to take a call from you. Call the references, and ask questions such as, “Were you happy with the work product? Would you hire them again? How did their work impact your case?”

Be wary of claims boasting of years of experience or an “alphabet soup” of letters after someone’s name. Some experts may exaggerate their years of experience by including experience with computers and/or computer data recovery, rather than actual forensic analysis. Various certification courses exist, but there are no standards. Real case experience, having things go right and wrong in the field, generates layers of tried and true expertise. To best understand the importance of hiring a seasoned expert, consider the parallel you can draw between new attorneys and seasoned veterans who have tried many cases. The depth of real case experience can’t be taught in any classroom, as every case is unique. Ask the expert “How many years have you actively worked on computer forensics cases? How many cases have you personally worked on? Have you ever testified in court? How has your work impacted cases?”

Occasionally there may be a need for multiple analysts from the expert company to assist in the recovery, imaging, and processing of data. Ask for details about the number of analysts actually working on your case. Ask, “What are their qualifications? What is their experience with actual computer forensics work? On how many cases have they worked? Will they be available during analysis to discuss whether further analysis will be needed? Is the person doing the analysis the one who will be available to testify?” Keep in mind that there are no formal requirements in place to be labeled as a computer forensics expert. That is why reference checks and asking the right questions are critical to protect your small firm and clients.

Rates can vary, and some experts may charge a flat fee for common tasks. There are some common computer forensics tasks that don’t vary considerably in terms of time or work required.

Common Computer Forensics Tasks and Approximate Time Required*

1. Forensic quality image of hard drive: 40–200 minutes per 100 GB (depending on size and age of hard drive)
2. Duplicate set of hard drive image files (a copy of the raw material): 30–60 minutes per 100 GB
3. Keyword search of image: 1–4 hours for 10 keywords on a 100 GB drive (varies based on size of drive, how full the drive is, and number of keywords; does not include time required to analyze hits)
4. Extract active files, recover deleted files, create file listing, and provide copy on optical or magnetic media: 1–2 hours

* These are approximate times. Many variables can affect these tasks, but if you're dealing with a healthy drive, the time should not vary from these ranges too much.

Seasoned and Qualified

Computer forensics is the acquisition, analysis and presentation of computer evidence, and a good expert must be skilled in all three of these areas. For every finding presented by the expert, demand the facts to support the conclusion. It is valid for an expert to express opinions, but to stand up in court, opinions must be supported by facts. It won’t do your case any good if the expert only uses “geek speak.” Having an expert who can’t effectively present the facts or communicate conclusions based on fact (both verbally and in writing) may blow gaping holes in your case. Experts with exceptional communication skills can explain findings in terms understood by the watchful, critical (and not necessarily technically savvy) eyes of the judge, opposing counsel, opposing expert, and the jury.

Jon Berryhill has led over 800 computer forensic investigations spanning the past 20 years. He has served as a Special Agent in the U.S. Air Force Office of Special Investigations and worked extensively with the California Department of Justice Advanced Training Center. He has been certified in California State Court and Federal courts as an expert witness in computer crime.

 
