DFIR Training Blog



These DFIR tools are expensive! (but not really)

When you work with a lot of forensic tools, there is never a single “that time of year” to renew your annual maintenance fees as it feels like “that time of year” is every month.   Mind you, I’m not complaining one bit, but I did have a conversation today over coffee about the cost of forensic software and listened to a lot of complaints about the cost of the DFIR business with my fellow DFIR buds.

Most of the complaints stemmed from the high initial cost of software, with hardware complaints taking a close second place, and the maintenance fees a distant third place.  Interestingly enough, we each knew the current going rates for just about everything because when you have to write big checks*…you tend to remember how much the checks were written for…

Some of the complaining I heard was summed up with:

  • “…they don’t even put it on a CD. You just download it after paying X amount of dollars. Why so expensive?”
  • “You don’t even get a printed manual.”
  • “…how difficult is it to write the software to sell it so high?”
  • “…I can’t afford to pay X amount for X number of licenses.”
  • "They are making a killing!"

I agree that the tools are expensive if you compare them to other things you buy during your lifetime.  Some tools, like the monster forensic workstations, cost as much as a compact car!  But in the grand scheme of things, I think the prices are reasonable for a few reasons.   For one reason, you can’t do the job without a set of tools.  FOSS tools only do so much and commercial tools only do so much, so you need a toolbox with both FOSS and commercial tools to get the job done.  Yes, you can theoretically do everything with open source tools and not spend money on software, but realistically, that is not always possible for all of the folks working in DFIR.

For the business proprietors who directly write the checks, any expense is too much because it takes away from business revenue.  When the expenses are in the tens of thousands, the checks are quite heavy; however, I tend to counter complaints of cost with a question of “How many cases do you have to work in order to pay for one license?”    The answer varies, but sometimes one decent case can pay for a year’s worth of software, hardware, and training.  When you look at the revenue earned with a software license and computer, revenue that is replicated again and again over the lifetime of the license, the costs are not that bad.  Depending upon how many cases you do and how much you or your company charges, the ROI on the tools is actually really good.

Early in my private forensic work, I quickly learned to add up the expenses for tools and compare them to revenue.  No algebra needed.  No complex effort either.  I simply subtracted the annual cost of the tools from the annual billable hours where I used each tool.  Easy enough to get a high-level view of tool ROI.

Now, I’ve only talked about the private DFIR folks, but I also personally know how it works in government.  The biggest differences are ‘who is writing the check’ and that there is no revenue with government forensic work to easily justify the purchase and renewal of forensic tools.  But you can use ROI in the manner of work hours, effectiveness, and efficiency.  With the proper tools, government examiners can more quickly get more cases done as well as being able to handle more types of casework.  I know of agencies that don’t work certain types of cyber crime cases simply because the agencies refuse to pay for the tools or training.  That’s not good on any level but should be an easy sell by the examiners.  It would be like a police department not being able to investigate robberies because no one has the tools or training to do it.

The same philosophy goes toward training.  I absolutely agree that some training is extremely expensive, especially when you add in travel, meals, and lodging.  However, the same thinking also applies to ROI. Learning a skill can be applied across one or all cases you have for the rest of your work career.  So, if you learned a skill that for years you billed clients for on numerous cases, the ROI was well worth it.  Even with government examiners, a skill learned from a course can solve a case, make your day in court, and give victims justice.  Without training or education, you won't be able to do some things because you just won't know what you don't know.

My coffee time today ended well, not because I convinced my coffee buddies that we actually have a reasonable cost for tools, but that I got to spend some time talking shop with a group of people who are all working in a really cool field.  You can’t put a price tag on that. 



*By writing checks, I mean entering your credit card information online...


Written by: Brett Shavers
