KAPE Quarterly Update – Q3 2023
Nov 03, 2023
by Andrew Rathbun, Eric Zimmerman

Andrew Rathbun is a vice president in the Cyber Risk practice, based in Secaucus. Andrew leverages more than seven years of digital forensics and incident response experience in assisting with cyber investigations. He is an incident response practitioner with a broad set of expertise and skills across numerous digital forensic disciplines, one of which is ransomware and related intrusion matters. He is also a Kroll Artifact Parser and Extractor (KAPE) instructor.
Prior to joining Kroll, Andrew was a forensic computer examiner for the U.S. Department of Health and Human Services. Before that, he was a detective who conducted general criminal investigations as well as a digital forensics examiner who handled digital forensics cases at the Michigan State University Police Department.
Andrew is also a Virtual Teaching Assistant for the SANS Institute. Additionally, Andrew contributes to AboutDFIR, and he is Administrator of the Digital Forensics Discord Server, which is a three-time winner of the DFIR Resource of the Year award presented by the Forensic 4:cast Awards.
He also contributes to multiple projects on GitHub, and he has co-authored two books: “Hitchhikers Guide to DFIR” and “EZ Tools Manuals.”
Andrew holds a bachelor’s degree in criminal justice and sociology from Western Michigan University. He also holds a Master’s in Human Resources Administration from Central Michigan. Additionally, he holds the following certifications: GIAC Certified Forensic Examiner (GCFE), GIAC Certified Forensic Analyst (GCFA), GIAC Advanced Smartphone Forensics (GASF) and GIAC Certified Incident Handler (GCIH). Andrew is also a member of the SANS DFIR Summit Advisory Board and the GIAC Advisory Board.