AboutDFIR.com – The Definitive Compendium Project
Digital Forensics & Incident Response

Devon Ackerman

Devon Ackerman is the primary digital forensicator and incident responder behind the DFIR Definitive Compendium Project. Currently employed as a Managing Director with Kroll’s Global Cyber Risk practice, Devon (@AboutDFIR) is an authority on digital forensics and incident response, with extensive experience investigating and remediating cyber threats and incidents from his years with the Federal Bureau of Investigation and in the private sector. Devon joined Kroll from the FBI, where he was a Supervisory Special Agent and Senior Digital Sciences Forensics Examiner in the Digital Evidence Field Operations Unit of the Operational Technology Division. In this role, he was responsible for the oversight and coordination of FBI digital forensics field operations across the United States, spanning matters such as domestic terrorism, mass shootings, critical incident response events, and large-scale electronic evidence collections. Devon has also provided expert witness testimony in federal and state courts and has collaborated on the development of a number of widely used forensic tools. He was the course material revision architect and co-author of approximately 80 hours of instructional material for the FBI’s CART Tech Certification program and Digital Evidence Extraction Technician (DExT) training curriculums. He has spoken at the annual SANS DFIR Summit, been awarded Digital Forensic Investigator of the Year, appeared on NPR’s Planet Money and on Jessica Hyde’s Cache Up, and has been published in PenTest Magazine. In addition to presenting on technical topics to colleagues, computer scientists, and forensic examiner trainees at the FBI Academy in Quantico, Devon has spoken at numerous industry and educational conferences. He began his career with the FBI in 2008, where he later co-founded the FBI’s first North Carolina Cyber Security and Intrusion Working Group (eShield).
Before joining the FBI, Devon owned and operated his own technical services firm for six years, specializing in managing the technology and computer design needs of small to medium businesses.

In my prior role at Kroll, I led engagements for clients across a wide range of industries involving investigative digital forensics, intrusion response (unauthorized access), and malware analysis. I also served as a Senior Forensic Science Team Lead, where I conducted and oversaw digital evidence collection, triage, and preservation. My extensive cyber investigative experience included physical and cyber-based corporate espionage and sabotage investigations; ransomware and malware cyber intrusion events; unauthorized user access; PII and PHI compromise; malicious spear phishing and whaling campaigns; Office 365 and G Suite compromises and related log analytics; data destruction events; breach response; and other events involving misuse of networked endpoints and infrastructure. I joined Kroll from the FBI, where I was a Supervisory Special Agent and Senior Digital Sciences Forensics Examiner in the Digital Evidence Field Operations Unit. In this role, I oversaw and coordinated all FBI Digital Forensics-related field operations across the United States, spanning a variety of matters such as domestic terrorism, mass shootings, critical incident response events, and large-scale electronic evidence collections. I have also provided expert witness testimony in federal and state courts. During this time, I developed a number of forensic tools that are still widely used. I was also the course material revision architect and co-author for the FBI’s CART Tech Certification program and Digital Evidence Extraction Technician (DExT) training curriculums. I began my career with the FBI in 2008, where I co-founded the FBI’s first North Carolina Cyber Security and Intrusion Working Group (eShield).

Selected Media Appearances
  • “UnitedHealth Begins Testing Restored Change Healthcare Claims Platform”, Wall Street Journal Pro Cybersecurity
  • “Opportunism, Targeted Attacks, Outright Destruction and Possible Violence: The Changing Face of Cybercrime”, Enterprise Security
  • “Incident Response Meets Governance Risk and Compliance (GRC) in Digital Forensics”, GRC Outlook magazine
  • “It’s Cloud First, as Companies Scramble to Fix Latest Computer Bugs”, Wall Street Journal Pro Cybersecurity
  • “Forensically Sound Incident Response in Microsoft’s Office 365”, Forensic Lunch with David Cowen
  • “Devon Ackerman on Protecting the Castle Walls from Ransomware”, Cybercrime Radio Podcast (Cybercrime Magazine)
  • “Intel Corporation Security Flaw – Spectre and Meltdown”, Legaltech News
  • “Critical Computer Flaws Set up Security Challenge in Washington”, The Hill
  • “Massive Hack That Hit DLA Piper, Others May Be New Norm”, Law360
  • “Petya Ransomware Attack”, Wall Street Journal
  • “Your Law Firm Got Hacked. What Do You Do Now?”, Legaltech News 
Publications
  • Digital Forensics/Incident Response – The Definitive Compendium Project
  • Digital Evidence – A Critical Response Workflow
  • Special Agents in CART – Investigative Forensic Examiners
  • Computer Analysis Response Team – Professional Development Career Ladder
Representative Speaking Engagements and Presentations
  • “Forensics, Insider Threats, and the State of Cyber Law in America,” University of North Carolina at Chapel Hill
  • “The Emerging Law of Active Cyber Defense” panel for Privacy + Security Forum 2017, Washington, D.C.
  • “Cyber Threats and Trends for Data Centers,” Association for Computer Operations Management (AFCOM) 2017
  • “Enemy in the Ranks – Corporate Espionage,” Katalyst Summit 2017
  • “Cyber Threats and Trends for Elected Officials,” Illinois House of Representatives, Springfield, Illinois
  • “State of the Hack,” Contingency Planning Association of the Carolinas (CPAC), Charlotte, North Carolina
  • “Digital Forensics in the FBI,” to Belgian Federal Police delegation; also to New South Wales delegation
  • “Digital Forensic Capabilities of the 21st Century FBI,” to Turkish cyber leadership and accompanying foreign delegation officials; also to Bulgarian foreign delegation officials
  • “Digital Evidence and Federal Law,” Methodist University
  • “Cyber Threats and Trends,” North Carolina chapter, AFCOM
  • “Federal Cyber Law and Digital Forensics,” Campbell University
Education and Certifications
  • M.S., magna cum laude, Digital Forensic Science, Champlain College
  • B.S., magna cum laude, Computer & Information Systems, Digital Forensics emphasis, Champlain College
  • GIAC Certified Forensic Analyst (GCFA)
  • GIAC Certified Forensic Examiner (GCFE)
  • Certified Forensic Computer Examiner (CFCE)
  • Cyber Investigator Certification Program (CICP)
  • Certified Computer Examiner (CCE)
Affiliations and Memberships
  • International Association of Computer Investigative Specialists
  • International Society of Forensic Computer Examiners
  • FBI North Carolina Cyber Security and Intrusion Working Group (eShield)
  • Scientific Working Group on Digital Evidence (2013 – 2016)
  • FBI AccessData and Live Capture Subject Matter Expert Groups (2012 – 2016)
  • Anti-Phishing Working Group (2008 – 2013)
Awards and Recognition
  • Forensic 4:Cast 2018 Digital Forensic Investigator of the Year
  • Citation for Special Achievement, Director of the FBI
  • Certificate of Recognition, Operational Technology Division
  • Department of Defense Intelligence Award
  • SANS Lethal Forensicator Award
  • 2011 National Counterintelligence Award for Insider Threat Team
Forensic Tool Development – Collaboration
  • LECmd (Link .lnk Explorer) and PECmd (Prefetch .pf Explorer)
  • Registry Explorer and Windows Registry ShellBag Explorer
  • eMule Parser
  • FTK/LAB v5.1 Report Optimization Tool (its underlying code and styling were adopted by AccessData Group Inc. in official commercial releases after v5.1 of their forensic suite)
  • osTriage v2 Live Response & Triage Tool
  • Sanderson Forensics’ Reconnoitre
  • FTK/LAB v4.0 and v5.0 Report Cleanup Tool

AboutDFIR.com Background

What launched in 2014 as a Google Sheet with a single category of information, tracking fewer than 30 DFIR-related certifications, the Digital Forensics / Incident Response – The Definitive Compendium Project has grown over the years into an expansive project worthy of its name. Now consisting of more than 50 categories of DFIR-related information, it is one of the largest compendiums of DFIR information known to exist on the Internet, and its content has been curated by its authors on a per-link and per-resource basis rather than copied from others.

The Digital Forensics and Incident Response industries are growing every month, if not every week. Whether you are looking for trends reports, wanting to learn, breaking into the scene, studying for a certification, or just maintaining your skill sets – AboutDFIR.com has you covered.  No one knows it all, no one is a master of it all, and all of us are constantly learning as technology adapts and evolves all around us.

In early 2017, Devon Ackerman and Mary Ellen Kennel worked together on behalf of the community to merge their independent projects.  This effectively grew the DFIR – Definitive Compendium with new categories to include Challenges & Capture the Flag training, DFIR Research, Annual Industry Reports, Threat Maps, Threat Intelligence, and Forensic Tools.  In addition, several thousand new items were reviewed and added to the Blogs, Social Resources, and Books pages.

The DFIR – Definitive Compendium Project is not simply a link repository, though; it has been edited and administered over the years with intentional precision. Not everything that is authored, created, or tagged as “digital forensics” or “incident response” is worth an examiner’s or analyst’s time, let alone accurate. For example, the project does not reference every tool that could possibly be used for forensics, but instead lists tools that the editors have personally used, abused, and tested. Not every script or custom tool needs to be added just because it exists: if a single tool does what 15 separate scripts do independently, and does it more effectively and reliably, that one tool is the more likely to be included. The editors have also specifically weeded out blogs that are not maintained (more than two years since the last post) and books that are significantly out of date with evolving forensics.

A myriad of choices have gone into deciding what information should be included in order to maintain the usefulness of the project and to separate it from just being branded “another link repository.”

Source / Comment
  • Twitter user: Fantastic work; I will 100% share this with my students. They all must check it. Thanks Devon.
  • Twitter user: Great work! An amazing one-stop DFIR resource!
  • LinkedIn user: You sir, are awesome! Great job!
  • LinkedIn user: This is a tremendous contribution! Thank you for creating and then sharing it!
  • LinkedIn user: Great resource, well done!
  • LinkedIn user: Awesome! Thanks for doing this!
  • LinkedIn user: Great Resource!!!! Well done!
  • Reddit user: Yay! As someone who is just starting to study this field I am very excited to have this resource available to me! Thanks!
  • Site user: The new site looks great by the way, good job 🙂
  • Reddit user: On a side note, I am thrilled to have discovered this site as well as the Reddit thread it seemingly developed from. Great job thus far and cheers to the future.
  • Student: Ironically enough, the reason I came to Champlain in the first place was because of your spreadsheet from the IACIS listserv.
  • Student: Still being relatively new to the digital forensic field, [your site] has been a huge help in determining direction and avenues for new training & certs. Your efforts there are much appreciated. Love the new site by the way!