I agree that EnCase jockeys are overpaid, and I generally think of forensics as a lower-status specialty than software security, but website breach investigations are much more annoying than just imaging hard drives.
I can only imagine, especially if the logging/auditing policy was "pretty much non-existent" and you don't know how extensive the access was for a given user account (nor how much of that access could have been used in the short window of compromise).
