Digital Forensics and Incident Response

In today's state of cybersecurity, breaches are often not a matter of if, but when. Approximately one in four companies will experience a data breach within 24 months. This could be the result of a number of different threats, such as malware campaigns, foreign state-sponsored threat actors, cybercriminals looking to turn a quick profit, or even insider threats. IBM's Cost of Data Breach Study indicates that having access to an outsourced incident response team typically shortens the time it takes to contain an event, which can be a significant factor in reducing the overall cost of a breach. Don't wait until it's too late. Schneider Downs digital forensics and incident response experts can be engaged ahead of a breach through a retainer contract or during emergency situations as needed.

Our team of Digital Forensics and Incident Response experts has experience helping clients respond to a multitude of threat vectors and attack types. Schneider Downs will work with you to determine the exact factors that led to the breach, assist you in recovery, and develop lessons learned to better mitigate these types of events down the road. This process helps restore confidence that your systems will be hardened against future attacks, and helps preserve business relationships and public trust.


We have a defined process for assisting clients through response to a computer security incident:

  • Collect Initial Facts - Our team will gather initial facts and circumstances surrounding the computer incident(s) reported. We will collect information about the incident, such as date and time; systems affected; what these systems support; how it was reported; and what suspicious behaviors were detected. If malware is detected, we will capture information regarding the type of malware, a listing of systems where it was identified, and other related information about how the malware operates.

  • Scoping the Incident - Based on the initial facts, we will attempt to identify the scope of the incident. We will examine data, and gather and review preliminary evidence to help guide further course of action.

  • Data Collection - Our analysis will incorporate the use of data from various information sources, collected to preserve volatile evidence from key systems that can be analyzed later in the process. Our method will collect data from two general categories: 1) data that describes the current running state of the affected systems, such as network connections and running processes, and 2) a snapshot of important data that can help us identify what may have happened in the past (e.g. file listings, system logs, operating system data, etc.). This may include capturing read-only, full-disk images of affected systems and log files.

  • Data Analysis - Based on information captured in the previous phase, we will execute a plan to review available data for indicators of compromise and any other related activity that will allow us to render an opinion on the activities that have occurred on those systems. We will rely on the completeness and accuracy of the data provided by the client to perform this step.

  • Report - Based on the analysis performed, we will build a report for the client that identifies the following:

    • Facts Observed

    • Data Collected

    • Data Analysis Results

    • Listing of Limitations (if any)

    • Summary of Findings

    • Lessons Learned


Recovery and remediation is also a major component of the Schneider Downs Incident Response process. Our team has the experience to help you recover from major disruptions to your IT systems. We will help your organization:

  • Form and identify the remediation team;
  • Determine the timing and extent of remediation activities needed;
  • Develop and implement remediation posturing actions during the incident (password resets, two-factor deployments, etc.);
  • Develop and implement containment actions;
  • Develop and implement an eradication action plan;
  • Develop strategic recommendations for safe recovery;
  • Document and report on lessons learned.


From a forensics standpoint, our trained experts will use the most advanced technology and analysis methods in performing the following:

  • Ensure the incident or malware is contained and unable to breach additional systems;
  • Execute detailed analysis on production systems for malware or threat actor persistence;
  • Perform detailed forensic analysis of suspected compromised hosts;
  • Review all event logs and provide a detailed report on current auditing procedures;
  • Assess all network traffic and perform detailed threat analysis for potential malware command and control communications;
  • Review all Intrusion Detection System (IDS) or Intrusion Prevention System (IPS) alerts for malicious activity;
  • Perform static and dynamic malware analysis on discovered payloads executed on victim machines;
  • Provide a detailed list of recommended remediation procedures and long-term cybersecurity enhancements;
  • Provide a detailed report on all discoveries.

Our malicious file analysis often leads to the identification of indicators of compromise (IOCs), such as IP addresses or domains communicating with the malware, Microsoft registry key modifications, identification of child or sub-processes that have been launched, code injections, and file names or other attributes of not just the malicious payloads, but the related affected files as well. With this information, we can help you track down other instances of the attack on other systems, or put preventative measures in place to block them from happening going forward.
