For legal, ethical, and professional reasons the two roles of forensic computer examiner and attorney are kept separate. When serving as a forensic examiner, Mr. Amos does not serve in the role of attorney nor establish a privileged attorney/client relationship with the client. The forensic services provided are under the auspices of the client's own attorney. All privileged and confidential information involved is contractually protected by non-circumvention / non-disclosure agreements and additionally by the attorney workproduct privilege through the lead attorney in the case. For these and other reasons, all examinations performed by Gary Amos for Cyberlab Computer Forensics, LLC are as a forensic computer examiner and not as attorney at law.

Expert Witness Services. Gary Amos has appeared as an expert witness in civil and criminal cases in the federal courts of south Florida, has served as a court-appointed neutral in Tennessee state court, and served as a neutral expert between parties litigating in federal district court in Alexandria, Virginia. When serving as an attorney rather than forensic computer examiner in a computer case, Mr. Amos does not act in the capacity of expert witness.


Training. Gary Amos received his initial training as a forensic computer examiner in 2001 from the Computer Forensic Training Center in Key Largo, Florida. The Computer Forensic Training Center is recognized as an authorized computer forensics training program by the High Tech Crimes Network. The Computer Forensic Training Center is the only diploma-equivalent, certificate-granting computer forensics educational program in the United States. CFTC is owned and operated by John Mellon of Key Largo, Florida.

John Mellon is internationally recognized as one of the world's premier computer forensic experts and one of the originators of computer forensic science. He is a retired US Customs Senior Special Agent with 28 years investigative experience and over 17 years experience in computers. He started the forensic computer examination program for U.S. Customs in Miami, Florida in 1991, and was its chief examiner through 1993. He has served as Chairman of the Board of IACIS, the International Association of Computer Investigative Specialists, and as the IACIS Certification Committee Chairman. He developed and implemented the IACIS Forensic Examination Standards, the IACIS Code of Ethics, the advanced Windows Processing Certification, and previous IACIS Certified Forensic Computer Examiner (CFCE) problems which were prerequisites for attaining the CFCE certification from IACIS. He continues to instruct civilians and law enforcement officers world-wide in computer forensic examinations.

The computer forensic training sponsored by John Mellon and CFTC is now affiliated with the Southeast CyberCrime Institute at Kennesaw State University, the Tri County Technical College, Pendleton, SC, Sir Sanford Fleming College, Ontario, Canada and Roger Williams University, Bristol, RI. Cyberlab Computer Forensics, LLC highly recommends the training offered by Computer Forensic Training Center to anyone interested in receiving excellent instruction in forensic computer examinations.

Continuing Education: Gary Amos stays current with the fast-changing field of computer forensics by annually attending weeklong training events such as those sponsored by the Southeast Cybercrime Institute of Kennesaw State University, by teaching courses in computer forensics, digital evidence and technology law, by personal research and study, by maintaining ongoing professional interaction with other forensic experts in areas such as network security and live network data acquisition forensics, and by the everyday hands-on practice of computer forensics in real cases and the business of advanced data analysis and recovery for corporate and private clients.

Our experience includes analyzing computers with the following operating systems: DOS, MS-DOS, Windows 3.0 and 3.1, Windows 95A and 95B, Windows ME, Windows 2000, Windows XP Home and Pro, Unix, Linux, and several flavors of Apple Macintosh operating systems. We have examined computers with hard drives as small as several hundred megabytes and configurations as large as a terabyte (1,000 gigabytes). We have cracked as many as 8,000 passwords for a single case. Our experience includes uncovering contraband missed by law enforcement in one case, and doing preliminary forensic work later relied upon by federal law enforcement in tracing offshore laundered accounts in another. It includes forensic analysis of stand alone computers and computers connected to live networks.

This experience also involves cases such as the following: demonstrating the means and methods where an innocent individual's computer was hacked and turned into a proxy server for another's anonymous and malicious activity; demonstrating the means and methods whereby a network was used to wrongfully obtain another's copyrighted proprietary information; demonstrating that an online site had appropriated a programmer's protected intellectual property involving a method of proprietary data encryption; demonstrating that suspect employees had used company computers to visit contraband sites on company time and contrary to company policy; uncovering evidence showing collusion between top managers to take clients and business with them to their new employer contrary to their contract obligations and noncompete agreements, etc. These are only a few examples among literally dozens of others, and there are many other sorts of data scenarios not mentioned besides these.

Fees: Our Fees are normally based upon an hourly rate of $250 to $350 per hour, depending upon the operating system, the difficulty of the examination or recovery, and whether court testimony may be necessary. This rate will be determined and quoted before any limited or complete examination begins.

We offer four types of examinations: (1) a preliminary evaluation for $600 to determine whether further examination is advisable, (2) an intermediate, limited examination of 10 to 20 hours for finding specific items of interest to the client (the time may increase or decrease based on the operating system, hardware difficulties encountered, multiple hard drives encountered, the number of floppies or other media to be examined, password or encryption problems to be resolved, the type of data encountered, or other specific examination requirements made by the client), (3) a complete examination of up to 35 billable hours (which may increase or decrease for reasons similar to those mentioned above), and (4) a complete data audit/digital autopsy of the hard drive or other media. (A complete data audit or digital autopsy identifies and catalogs every existing type of data on a hard disk drive and presents a detailed and exhaustive report to the client or to the courts.)

NOTE: As hard drive sizes become ever larger, operating systems more complex, and software products more numerous and advanced, complete data audits (digital autopsies) of hard drives are rapidly becoming the norm in computer forensic work where laptops and desktop computers are concerned. Forensic examinations that used to require one week for 1 to 2 gig hard drives can now easily require three full weeks of bench time for hard drives of 60 gigabytes and larger. Additional time may be necessary to prepare completed court-ready exhibits and reports. As drive sizes and operating system complexity increase dramatically, bench time and report preparation time increase accordingly.

Because each examination/investigation is unique, and hardware and software varies dramatically from system to system, one cannot always foresee the special problems (multiple password schemes, encryption schemes, data bombs, proprietary encoding, and so forth) that may arise during an examination, making it impossible to forecast the number of billable hours a client should expect. Therefore some clients prefer flat rates per computer or per hard drive (or other media) before agreeing to a forensic examination. Cyberlab provides flat rate billing arrangements for specified forensic services where individual laptop and desktop computers are involved.

Special circumstances. Where hourly billing is used, you will be notified immediately if we encounter any hardware, software or other unusual conditions that will lengthen the estimated time quoted for the examination.

Retainer: A retainer of 50% of the estimated examination cost is required before the limited or complete examination is started. A signed retention agreement is required before conducting an examination. The retention agreement specifies the scope and details of the examination to be performed.

Travel rates: Our out-of-town daily rate is 2 times the quoted hourly rate, plus reasonable per diem and expenses. The in-town travel rate is 1/2 the quoted hourly rate.

The mega-storage multi-gigabyte issue. As recently as 1996 or 97, most PC’s were limited to hundreds of megabytes of storage. Then gigabyte storage hard disk drives became available on the market. It has been said that a gigabyte is roughly equivalent to a stack of 8 .5" x 11" typing paper as tall as the Empire State Building. In four years or so, disk drive sizes went from an average of 1 or 2 gigabytes to 15 or 20. In the year 2001, drive sizes of 40, 60, and 80 gigabtyes became available. In 2005, 160 gigabyte and 250 gigabyte drives are widely available and relatively inexpensive. Individual computer users are now breaking the terabyte barrier with home computers.

The vast capacity of mega-storage drives poses a unique challenge to the forensic examiner since effective investigation still involves a great deal of labor-intensive human effort despite the availability of automated forensic software to speed the process. Where mega-storage devices (multi-gigabyte drives of any dimension) are involved, we try to provide limited examinations targeting specific data types within the 25 to 35 hours which used to be considered a "full examination." Where mega-storage devices or multiple subject computers are involved, flat rates per week can be quoted for examinations and related forensic services.

Complete data-audit (digital autopsy) of a hard disk drive. Where the client or the courts require a complete data audit or digital autopsy of the hard disk drive (a detailed analysis and exhaustive report on all the data existing on the drive) necessitating weeks of bench time, the fees and other parameters of such complete data audits will be established by written agreement prior to beginning the examination.

Cyberlab Computer Forensics, LLC is available to assist other examiners in performing complete and fully documented data audits of a hard disk drive. This service may be particularly important for law enforcement, prosecutors, law firms, businesses, and corporations.

Emergency requests and rush orders. Cyberlab Computer Forensics, LLC., takes cases on a first come, first serve basis. Short deadline and rush requests will be given due consideration but may quoted a higher rate.

Password unlocking. If done by e-mail, ordinary mail, or express courier, passwords are unlocked for $75 for the first password and $25 for each additional password. No fee is charged if we cannot unlock the password.

We Accept:
Mastercard/Visa






Contact Cyberlab Computer Forensics, LLC, for specific fee and other information at
757-672-3522

or by e-mail:

cyberlab@pipeline.com