Digital Forensics and Incident Response

Digital Forensics and Incident Response (DFIR) is one of our core services with offerings covering all major operating systems, virtual machine platforms, cloud providers, and mobile.

We’ll work with your tools and don’t insist on using our technical stack unless there isn’t sufficient visibility for response. If you don’t have tooling (e.g. EDR, SIEM) we have software available we can deploy immediately without additional costs or license procurement.

Our involvement in incidents is usually in one of the following capacities:

  • Full incident management and technical execution. We are called in to respond when an incident occurs. We are debriefed, obtain access to the valuable data sources, devise a game plan, prioritize response tasks, tackle containment, identify root cause, and document gaps along with recommendations. These incidents are frequently delivered under the guidance of outside counsel and carefully kept under attorney-client privilege. Example incidents that fall under this category are domain-wide breaches, ransomware, or significant data exfiltration. IntrusionOps has worked in this capacity for multi-national Fortune 500 companies and start-ups alike. We have primary responders for cases that made international news, involving well-known APTs, governments, and notable ransomware operators. We have worked with many major law firms, cyber insurers, law enforcement agencies (federal, city, and state), and negotiation firms.

  • Incident Assistance. If you are handling an incident internally, or are using another vendor, there may be occasions where you wish to delegate tasks. This occurs if your in-house team is managing multiple incidents, you need specific subject-matter technical expertise, or you’re in the midst of a large incident and need to provide relief for your team.

  • Image Acquisition. We can assist with acquiring images across all major cloud providers, and physical disk acquisition of all major operating systems, mobile, or virtual machines. We can provide onsite assistance in some circumstances.

  • Image Analysis. If you’ve already completed image acquisition, we can assist by conducting the investigation and analyzing the data.


We are self-sufficient on most incidents but have valuable partnerships when needed. Our partnerships include law firms if our clients need referrals, law enforcement, threat intelligence firms, tactical remediation teams (e.g. rebuilding a large production Active Directory domain), and EDR vendors so we can rapidly deploy necessary software if the victim’s network doesn’t have sufficient visibility. Note that we do not take e-Discovery cases but can provide referrals to other firms that do.