Andrew Rathbun

Vice President

Andrew Rathbun is a vice president in the Cyber Risk practice, based in Secaucus. Andrew leverages more than seven years of digital forensics and incident response experience in assisting with cyber investigations. He is an incident response practitioner with a broad set of expertise and skills across numerous digital forensic disciplines, one of which is ransomware and related intrusion matters. He is also a Kroll Artifact Parser and Extractor (KAPE) instructor.

Prior to joining Kroll, Andrew was a forensic computer examiner for the U.S. Department of Health and Human Services. Before that, he was a detective who conducted general criminal investigations as well as a digital forensics examiner who handled digital forensics cases at the Michigan State University Police Department.

Andrew is also Virtual Teaching Assistant for the SANS Institute. Additionally, Andrew contributes to AboutDFIR, and he is Administrator of the Digital Forensics Discord Server, which is a three-time winner of the DFIR Resource of the Year award presented by the Forensic 4:cast Awards.

He also contributes to multiple projects on GitHub, and he has co-authored two books: “Hitchhikers Guide to DFIR” and “EZ Tools Manuals.”

Andrew holds a bachelor’s degree in criminal justice and sociology from Western Michigan University. He also holds a Master’s in Human Resources Administration from Central Michigan. Additionally, he holds the following certifications: GIAC Certified Forensic Examiner (GCFE), GIAC Certified Forensic Analyst (GCFA), GIAC Advanced Smartphone Forensics (GASF) and GIAC Certified Incident Handler (GCIH). Andrew is also a member of the SANS DFIR Summit Advisory Board and the GIAC Advisory Board.

Cyber Risk

Incident response, digital forensics, breach notification, managed detection services, penetration testing, cyber assessments and advisory.

Incident Response and Litigation Support

Kroll’s elite security leaders deliver rapid responses for over 3,000 incidents per year and have the resources and expertise to support the entire incident lifecycle.

24x7 Incident Response

Enlist experienced responders to handle the entire security incident lifecycle.

Computer Forensics

Kroll's computer forensics experts ensure that no digital evidence is overlooked and assist at any stage of an investigation or litigation, regardless of the number or location of data sources.

Data Recovery and Forensic Analysis

Kroll's expertise establishes whether data was compromised and to what extent. We uncover actionable information, leaving you better prepared to manage a future incident.

Data Collection and Preservation

Improve investigations and reduce your potential for litigation and fines with the strict chain-of-custody protocol our experts follow at every stage of the data collection process.

Explore insights


KAPE Quarterly Update – Q1 2023

May 18, 2023

by Eric Zimmerman, Andrew Rathbun