Digital Forensics & Incident Response

Kroll’s elite cybersecurity leaders respond to more than 3,000 cyber incidents ever year. Our team has the resources and expertise to support clients through the entire incident lifecycle to ensure they can have peace of mind in a time of crisis.
Contact Us

Regardless of the type of cybercrime or data exposure, Kroll has the human and technology resources to act quickly to identify threats, secure valuable data, and investigate a digital trail wherever it may lead. If an attack comes from the inside, we combine our digital forensic expertise with recognised investigative methods, including employee interviews and surveillance, to determine how anyone with access to sensitive information may have interacted with a client’s system.  

In the case of an outside attack, such as malware, ransomware or business email compromise, our investigators collect and examine both digital and physical evidence to determine where, when and how an incident occurred and if the client’s systems are still vulnerable. Kroll can determine what data may have been compromised and if any digital evidence has been altered or erased. Our experts work with our client’s in-house teams to recover data and accurately recreate events to develop an effective recovery plan. 


With the rising concerns of ransomware and intrusions that leverage data exfiltration, Kroll’s incident response teams have not only the experience to properly investigate the many aspects of risk to data, but also the technical understanding of how to properly contain the threat and eject active actors from compromised networks.

– Devon Ackerman, Managing Director, Head of Incident Response, North America

Case Study – Insider Threat Investigation

Watch Michael Quinn, a managing director in our practice, recount an insider threat investigation his team conducted.

Kroll’s client – a global software company based in Europe – received an email from anonymous source claiming it had access to sensitive data, including personally identifiable information, confidential financial records, and IP source code for a subsidiary. The sender demanded a ransom of one million euros in bitcoin and gave the client two weeks to pay before the data would be leaked.  

Kroll’s team of forensic investigators determined that someone inside the company was source of the infiltration. We identified the individual responsible and gathered essential information to assist with a prosecution. 

For more details, read the full case study.

Trial-Tested Litigation Support

Our litigation support team coordinates with our incident responders to optimise the investigation process and facilitate both remote and onsite data collection to deliver potentially case-changing insights.

Unique Threat Intelligence Expertise

Experts on Kroll’s incident response team have worked at some of the world’s top intelligence agencies – including the Hong Kong Police Force (HKPF), FBI, DOJ, Europol, and GCHQ – and hold more than 100 different industry certifications.

Client-Friendly Incident Response Retainers

Kroll offers incident response retainers designed to provide both peace of mind and maximum flexibility. Our retainers give clients access to our elite digital forensics and incident response capabilities as well as a range of proactive services to ensure they get tangible value.

Cyber Insurance Preferred Partner

Kroll has a dedicated team to help clients navigate any relevant insurance and legal channels. We also have extensive relationships with more than 60 leading cybersecurity insurers around the world.

Enabling Diligent, Seamless Response Worldwide

Incident Response and Litigation Support 

Members of Kroll’s cybercrime investigation team reflect our multidisciplinary approach to leadership and problem-solving. If a client faces litigation or regulatory action, our experts work closely with their in-house and outside counsel and other senior executives to explicate forensics data to help make their case. We can also assemble case files for referral to regulators or law enforcement and, if requested, serve as expert witnesses.

Kroll Cyber Digital Forensics and Incident Response

Below are a selection few of our services available to support incident response and cyber investigations: 

  • 24x7 Incident Response
    Whether the incident involves a malicious attack or inadvertent data exposure, Kroll can help. With a global network of cyber security and digital forensic experts, we can deploy remote solutions on a moment’s notice and/or have a team onsite within hours to help an organisation contain an incident and determine next steps.
  • Digital Forensics
    Our cybersecurity experts ensure no relevant digital evidence is overlooked and can assist at any stage of an investigation or litigation, no matter the location or number of data sources involved.
  • Cyber Litigation Support
    For clients needing to respond to investigatory or forensic discovery demands related to a data security incident, our forensic engineers can help win cases and mitigate losses. Many of our cyber experts have considerable experience providing expert testimony and presenting findings to judges, juries and arbitrators. Our team members have also been appointed by various courts to serve as special masters.
  • PCI Forensic Investigator
    Our Payment Card Industry (PCI) forensic investigators use cutting edge tools and methods to help determine whether cardholder data has been compromised and how it occurred. Kroll’s Cyber Risk team also has experience conducting PCI Security Council-mandated investigations.
  • Data Recovery and Forensic Analysis
    Kroll’s experts use advanced forensic software and procedures to collect and preserve data from every aspect of a client’s system – from servers to laptops to mobile devices. We handle evidence with care and precision using data recovery tools and forensic methodologies that are supported by case law.
  • Malware and Persistent Threat Detection
    Our expert cybersecurity consultants and forensic analysts perform live system memory and forensic analysis on evolving malware threats. We also have extensive experience determining the scope and targeting of advanced persistent threats to help clients respond more effectively.
  • Threat Simulations
    Kroll has developed a seven-step process for leading tabletop exercises (TTX) for client organisations of all sizes, industries and levels of complexity. Participation in a Kroll TTX can help a company’s response team define and rehearse their roles so they can respond with greater confidence when an incident occurs.
  • Incident Recovery and Remediation
    Kroll’s incident response team helps clients expedite recovery of their systems to minimise disruption to their businesses. Related services include device and server reimaging, directory rebuilding, network hardening and segmentation, hardware upgrades and patch management.

Many more solutions are available, use the links on this page to explore them further or speak to a Kroll expert today via our 24x7 cyber incident hotlines or our contact page.


Talk to a Cyber Expert

Kroll is ready to help, 24x7. Use the links on this page to explore our services further or speak to a Kroll expert today via our 24x7 cyber hotlines or our contact page.

Incident Response Plan Development

Today, you learn your company is experiencing a serious cyber incident. It could be a ransomware attack, a hacked O365 email account, the theft of PII or PHI, data exposure from misconfigured network settings. What is the first step you should take?

Incident Response Tabletop Exercises

Kroll’s field-proven incident response tabletop exercises provide a customised test of every aspect of an organisation’s cyber response plan.

Optimised Third-Party Cyber Risk Management Programmes

Manage risk, not spreadsheets. Identify and address cyber threats in third-party relationships to ensure compliance with regulations such as NYDFS, FARS, GDPR, etc.

Third Party Cyber Audits and Reviews

Kroll’s cyber audits and reviews ensure third parties handle sensitive data according to regulatory guidelines and industry standards.

FAST Attack Simulation

Safely perform attacks on your production environment to test your security technology and processes.

Cyber Governance and Risk

Manage cyber risk and data security governance with Kroll’s defensible cybersecurity strategy framework.