Devon Ackerman



Global Head of Incident Response

Devon Ackerman is the global head of incident response in the Cyber Risk practice of Kroll, based in New York. Devon is an authority on incident response and digital forensics. He has extensive experience in the investigation and remediation of cyber-related threats and incidents from his years with the Federal Bureau of Investigation as well as in the private sector.

Building Data Inventory – Fundamental Steps

In his current role, Devon leads engagements for clients across a wide range of industries involving investigative digital forensics, intrusion response (unauthorized access), and malware analysis. He also serves as a Senior Forensic Science Team Lead, where he conducts and oversees digital evidence collection, triage, and preservation.

Devon’s extensive cyber investigative experience includes physical and cyber-based corporate espionage and sabotage investigations; ransomware and malware cyber intrusion events; unauthorized user access; PII and PHI compromise; malicious spear phishing and whaling campaigns; Office 365 and G Suite compromises and related log analytics; data destruction events; breach response; and other events involving misuse of networked endpoints and infrastructure.

Devon joined Kroll from the FBI, where he was a Supervisory Special Agent and Senior Digital Sciences Forensics Examiner in the Digital Evidence Field Operations Unit. In this role, he oversaw and coordinated all FBI Digital Forensics-related field operations across the United States, spanning a variety of matters such as domestic terrorism, mass shootings, critical incident response events, and large-scale electronic evidence collections. Devon has also provided expert witness testimony in federal and state courts.

During this time, Devon developed a number of forensic tools that are still widely used. He was also the course material revision architect and co-author for the FBI’s CART Tech Certification program and Digital Evidence Extraction Technician (DExT) training curriculums. He began his career with the FBI in 2008, where he co-founded the FBI’s first North Carolina Cyber Security and Intrusion Working Group (eShield).

Selected Media Appearances
  • “UnitedHealth Begins Testing Restored Change Healthcare Claims Platform”, Wall Street Journal Pro Cybersecurity
  • “Opportunism, Targeted Attacks, Outright Destruction and Possible Violence: The Changing Face of Cybercrime”, Enterprise Security
  • “Incident Response Meets Governance Risk and Compliance (GRC) in Digital Forensics”, GRC Outlook magazine
  • “It’s Cloud First, as Companies Scramble to Fix Latest Computer Bugs”, Wall Street Journal Pro Cybersecurity
  • “Forensically Sound Incident Response in Microsoft’s Office 365”, Forensic Lunch with David Cowen
  • “Devon Ackerman on Protecting the Castle Walls from Ransomware”, Cybercrime Radio Podcast (Cybercrime Magazine)
  • “Intel Corporation Security Flaw – Spectre and Meltdown”, Legaltech News
  • “Critical Computer Flaws Set up Security Challenge in Washington”, The Hill
  • “Massive Hack That Hit DLA Piper, Others May Be New Norm”, Law360
  • “Petya Ransomware Attack”, Wall Street Journal
  • “Your Law Firm Got Hacked. What Do You Do Now?”, Legaltech News 

  • Digital Forensics/Incident Response - The Definitive Compendium Project
  • Digital Evidence - A Critical Response Workflow
  • Special Agents in CART - Investigative Forensic Examiners
  • Computer Analysis Response Team - Professional Development Career Ladder
  • Representative Speaking Engagements and Presentations
  • “Forensics, Insider Threats, and the state of Cyber Law in America,” University of Chapel Hill, North Carolina
  • “The Emerging Law of Active Cyber Defense” panel for Privacy + Security Forum 2017, Washington, D.C.
  • “Cyber Threats and Trends for Data Centers,” Association for Computer Operations Management (AFCOM) 2017
  • “Enemy in the Ranks - Corporate Espionage,” Katalyst Summit 2017
  • “Cyber Threats and Trends for Elected Officials,” Illinois House of Representatives, Springfield, Illinois
  • “State of the Hack,” Contingency Planning Association of the Carolinas (CPAC), Charlotte, North Carolina
  • “Digital Forensics in the FBI,” to Belgian Federal Police delegation; also to New South Wales delegation
  • “Digital Forensic Capabilities of the 21st Century FBI,” to Turkish cyber leadership and accompanying foreign delegation officials; also to Bulgarian foreign delegation officials
  • “Digital Evidence and Federal Law,” Methodist University
  • “Cyber Threats and Trends,” North Carolina chapter, AFCOM
  • “Federal Cyber Law and Digital Forensics,” Campbell University

Education and Certifications
  • M.S., magna cum laude, Digital Forensic Science, Champlain College
  • B.S., magna cum laude, Computer & Information Systems, Digital Forensics emphasis, Champlain College
  • GIAC Certified Forensic Analyst (GCFA)
  • GIAC Certified Forensic Examiner (GCFE)
  • Certified Forensic Computer Examiner (CFCE)
  • Cyber Investigator Certification Program (CICP)
  • Certified Computer Examiner (CCE)

Affiliations and Memberships
  • International Association of Computer Investigative Specialists
  • International Society of Forensic Computer Examiners
  • FBI North Carolina Cyber Security and Intrusion Working Group (eShield)
  • Scientific Working Group on Digital Evidence (2013 - 2016)
  • FBI AccessData and Live Capture Subject Matter Expert Groups (2012 - 2016)
  • Anti-Phishing Working Group (2008 - 2013)

Awards and Recognition
  • Forensic 4:Cast 2018 Digital Forensic Investigator of the Year
  • Citation for Special Achievement, Director of the FBI
  • Certificate of Recognition, Operational Technology Division
  • Department of Defense Intelligence Award
  • SANS Lethal Forensicator Award
  • 2011 National Counterintelligence Award for Insider Threat Team

Forensic Tool Development - Collaboration
  • LECmd (Link .lnk Explorer) and PECmd (Prefetch .pf Explorer)
  • Registry Explorer and Windows Registry ShellBag Explorer
  • eMule Parser
  • FTK/LAB v5.1 Report Optimization Tool (underlying coding and styling adopted by AccessData Group Inc., as official in commercial releases >v5.1 of their forensic suite software)
  • osTriage v2 Live Response & Triage Tool
  • Sanderson Forensics’ Reconnoitre
  • FTK/LAB v4.0 and v5.0 Report Cleanup Tool

Cyber Risk Assessments

Kroll's cyber risk assessments deliver actionable recommendations to improve security, using industry best practices & the best technology available.

Incident Response and Litigation Support

Kroll’s elite security leaders deliver rapid responses for over 3,000 incidents per year and have the resources and expertise to support the entire incident lifecycle.

24x7 Endpoint Detection and Response

Intelligent Endpoint detection and response: Maximum confidence in data security


Proactively monitor, detect and respond to threats virtually anywhere – on endpoints and throughout the surface, deep and dark web.