Connect with Us

Incident Response and Forensics

The growth of technology has dramatically increased the risk of computer-related fraud and misconduct. When faced with investigative and dispute matters, it is important to understand the ways information can be stored, duplicated, corrupted and retrieved, and how best to manage it to ensure compliance with laws and regulation.

When your systems and networks have been breached, you need answers: "who’s response? How did they get in? What did they want? What did they take? How widespread is this attack?"

By only dealing with the isolated systems of an attack, like re-imaging a compromised system, organizations miss important signs that attacks are hiding in or spreading through a network. And the longer it takes to gather real answers, the more organizations stand to lose data, reputation, and damage to their brand.

With Brier & Thorn’s incident response and forensic analysis team, our clients build a strong, complete, fully integrated plan to eliminate all the blind spots between detection and remediation. The goal is to minimize damage, root out entrenched attacks, and block similar future attacks.


Why you should be doing them and how to achieve the most effective outcome from Incident Response tabletop exercises.


The ingredients for the perfect forensic lab: The tools, servers, and software that make up the perfect lab.


Brier & Thorn’s digital forensics and incident response professionals use powerful information technology tools, insightful information management approaches and forensic data analytics frameworks to help clients minimize risks, respond to investigative matters and optimize their business decisions. We provide on-demand, interactive analysis, reporting and exploration of data sets using advanced discovery processes and methodologies. We identify, collect, recover, reconstruct and preserve electronic evidence to help both the business and legal community translate data into actionable knowledge that can be used as meaningful testimony in legal proceedings or in response to shareholder or regulatory scrutiny.

 Our highly qualified and credentialed digital forensics personnel possess backgrounds in accounting, finance, anti-fraud, computer science, computer forensics, data acquisition and mining, law enforcement and investigations. Professional certifications include CFE, ACE, CFE, EnCE, MCSEm, CISA, CISSP, LAW, certified e-Discovery Administrator and iConnection Administrator.

Our forensic technology services include:

  • Computer forensics
  • E-Discovery
  • Data analytics
  • Expert testimony
  • Records and risk management
  • Incident response and data breach investigations


Brier & Thorn works with law firms, corporate internal audit, HR and legal departments, and others to help answer the questions:

  • What do we do? We’ve been hacked!
  • I’m involved in litigation? What now?
  • I think critical intellectual property is missing. How can I be sure?
  • How do we handle a sensitive employee matter?

When a crisis hits, you need the advice and counsel of professionals on the forefront of digital forensic examination techniques — advisors with deep knowledge of the industry and the latest trends and threats.

Brier & Thorn’s incident response team goes far beyond data collection and malware analysis to investigating your enterprise environment and discovering digital artifacts on laptops, desktops, USB devices, smartphones, tablets, servers and cloud locations.

We understand how volatile digital evidence is and the special handling required to protect its integrity and usability for legal proceedings. In the process, we help you:

  • Protect the evidence so it isn’t damaged, destroyed or otherwise compromised during the investigation
  • Establish and maintain a continuing chain of evidentiary custody, and perform due diligence to confirm evidence and processes comply with Federal Rules of Evidence, Rule 502 and Rule 26(b)
  • Acquire and examine devices known or suspected to be infected with malware, without putting other systems at risk

We focus not just on the immediate fraud or security event but also on the steps needed to prevent a similar event in the future.

With extensive experience and backgrounds in military, law enforcement and corporate investigations, Brier & Thorn professionals are qualified to provide expert consultation and/or testimony, as needed. Many team members hold industry certifications such as:

  • EnCase Certified Examiner
  • GIAC Certified Incident Handler
  • Certified Forensic Computer Examiner
  • Certified Ethical Hacker
  • Certified Information Security Systems Professional

To simplify pricing considerations, some basic services, including data collection, preliminary searching and data extraction can be performed on a fixed-fee basis. In addition, our secure, state-of-the-art computer forensics laboratory features the latest in digital forensics, investigative software and hardware solutions.



Our experts have responded to some of the most significant and industry-relevant security breaches over the last decade. Many companies listed on the Fortune 500 list have turned to us for critical help with their responses to Advanced Persistent Threat (APT) attacks.

Our firm’s incident response and forensic analysts are always ready and on-call to help our clients plan and manage global incident response. We believe in proactive responses to security events. Our response engineers are steeped in the areas of response, execution, forensic analysis, and response plan development.

Brier & Thorn subscribes to the National Institute of Standards and Technology (NIST) Special Publication 800-61 Incident Handling Procedure guide. The incident response process has several phases. The initial phase involves the activation of our incident response team remotely or on-site if required and containing the incident if it has been confirmed. During this phase, activity often cycles back to detection and analysis – to see if additional hosts have been affected by the threat.

Detection and Analysis

Incidents occur in countless ways. Brier & Thorn will analyze available evidence and make a determination of what attack vector was used to compromise the targeted assets. As different types of incidents merit different response strategies, Brier & Thorn will follow the agreed procedures for the identified attack vector used to compromise Client assets. Attack vectors include external/removable media; attrition; web; email; impersonation; improper usage; loss or theft of equipment; and other.

Once the attack vector has been determined, our incident handlers will determine if the compromise is still ongoing or if the threat agents no longer have access to the target assets.

The procedure our incident handlers will follow to maintain records about the status of the incident will include tracking the current status of the incident, an incident summary, indicators related to the incident, other related incidents, actions taken by all incident handlers, chain of custody, impact assessments related to the incident, contact information for other third-parties, a list of evidence gathered during the investigation, comments from our incident handlers, and the next steps to be taken.

Brier & Thorn’s incident response team will safeguard Client data and restrict access to it accordingly.

Containment Eradication and Recovery

Brier & Thorn understands that containment is important before an incident overwhelms resources or increases damage. Most incidents require containment, so that is an important consideration early in the course of our handling of the incident. Containment will provide time for developing a tailored remediation strategy that we will develop and execute on for Client. It will also ensure that if any financial loss is being experienced, or personally identifiable information (PII), subscriber related information, company secrets/trade information or payment card data is actively being compromised, that efforts are taken to prevent that ongoing loss of protected data.

Although the primary reason for gathering evidence during the incident is to resolve it, it may also be needed for legal proceedings. In such cases, Brier & Thorn will document how all evidence, including compromised Client assets, have been preserved. Evidence will be collected according to procedures that meet all applicable laws and regulations that have been developed from previous discussions with legal staff and appropriate law enforcement agencies so that evidence can be admissible in court.

As part of the incident handling process, our primary goal will be minimizing business impact. The following will be taken by our team quickly and efficiently to meet this primary mission: (1) Validating the attacking host’s IP address(es); researching the attacking host; using incident databases; and monitoring possible attacker communication channels.

If an insider is discovered as having been involved in the incident, Brier & Thorn will obtain authorization from Client to deploy appropriate monitoring applications to monitor the individual’s traffic and keystrokes on their local workstation and compile evidence for the criminal investigation for law enforcement.

Once a compromise has been validated, Brier & Thorn’s incident handlers will eradicate and assist Client in recovery. In this step, we will validate that all components of the incident have been eliminated, deleting malware and backdoors, and disabling breached accounts. Our incident handlers will ensure that the threat agents did not pivot to other hosts and that the integrity of any host in question is checked and verified.

Our incident handlers will provide expert guidance and/or take necessary (authorized) actions to restore systems to normal operation, confirm the systems are functioning normally, and if applicable, remediate vulnerabilities to prevent similar incidents.

Client Results

We share our clients’ ambitions working to understand their reality and deliver true results – focusing on strategic decisions and practical actions. We align our incentives with our clients’ objectives so they know we’re in this together as a closely-held partnership.


Malware quickly propagates across large laboratory. Brier & Thorn retained for immediate incident response and forensics work to stop malware propagation.


Bottling distributor retains Brier & Thorn to respond to credit card breach of eCommerce web sites.