Analysis Costs


A breakdown of the costs to analyse the binary and produce the required output is as follows:


The investigation team consisted of 2 people, sniph and elliot.


Time spent analysing the software:

Incident Investigator 1 - sniph: 26 hours

Time spent coding custom analysis tools:

Incident Investigator 2 - elliot: 20 hours

Time spent documenting results:

4 hours each

In a typical scenario, the compromised machine would have been taken offline for forensic analysis, so it would not have been available during the 26 hours spent analysing the code. In a critical security incident, it can be assumed that the investigation team works more than 8 hours per day. This would suggest a total of 2.5 days of outage before the system can be either cleared for production or rebuilt from a stored backup. Rounding this to 3 days, one can assume that the system downtime in working hours was 24 hours total (3 days * 8 hours per day). If the system was high availability, the costs would increase depending on the resources available for forensic analysis.


An assumption of 50 affected users, at a cost of $12.00 lost per hour per user, was used in calculating cost of damage to individual users.


The total costs can be seen in the following chart:


Title                         Hours                 Cost/Hr   Total        -15%         +15%
Incident Investigator 1       30                    $33.65    $720.00      $612.00      $828.00
Incident Investigator 2       24                    $33.65    $807.60      $686.46      $928.62
System Downtime               50 Users * 24 Hours   $12.00    $14,400.00   $12,240.00   $16,560.00
Subtotal                                                      $15927.60    $13538.46    $18316.62
Benefits @28%                                                 $4459.728    $3790.77     $5128.65
Subtotal - Salary + Benefits                                  $20387.33    $17329.23    $23445.27
Incidental Costs                                              $1000        $850         $1150
Total Labour Cost                                             $21387.33    $18179.23    $24595.27


Field Experience


sniph has worked as a network engineer, systems administrator, and coder for the last 6 years. The last 2 years have been specifically in a security consulting role.

elliot has worked as a network engineer, coder and security consultant for the last 4 years.