Mari DeGrazia

Mari DeGrazia loves the satisfaction of solving a good puzzle. That fascination paired with her technical abilities has made digital forensics the perfect career fit. "There is nothing like the adrenaline rush of figuring out a tough case when you find that smoking gun or vital clue that will help solve it," she says. 

Today, Mari brings her puzzle-solving skills to her position as Senior Director of Incident Response at Kroll Cyber Security, where she leads high-profile incident response cases and helps clients find and respond to attackers in their environment. 

In her role as a SANS instructor for FOR500: Windows Forensic Analysis, Mari draws on nearly 20 years of experience in the IT industry, including 10 years in Digital Forensics and Incident Response (DFIR). "I love teaching this topic because it is the cornerstone of forensics," she says.

Mari has taken SANS training courses herself and spoken at several SANS conferences, always coming away impressed with the quality of the instructors and the students alike. She cites that as one of the reasons she chose to become a SANS instructor. 

"SANS training is top notch, and the content is always relevant, up-to-date, and applicable to the real world," she explains. A strong believer in giving back to the community, Mari also appreciates SANS's offering of the SIFT workstation and webcasts, as well as its proactive support of women in the industry. 

A recent highlight of Mari's career was an invitation to be a keynote speaker at the Women in Cybersecurity Conference, where she shared her journey into forensics and passion for it with hundreds of women. 

Mari's varied professional background enables her to relate to students from various career paths who attend her courses. She has worked criminal and civil cases, including providing expert testimony, run her own business where she handled many cell phone cases, and managed a team of investigators for large breach cases in her current position. 

For Mari, it's important that her students gain a firm understanding of both the artifacts and the investigative process. "My goal is for every student to walk out and feel confident about working a Windows case," she says. 

Of course, keeping up with the constant changes in the industry can be a challenge. In her classes, Mari helps students overcome this hurdle by focusing not just on the tools but on sharing techniques and providing a solid understanding of the artifacts. She also encourages students to stay active in the field by attending training sessions and conferences, and by following blogs and the DFIR Twitter community. "There is no magic tool that will do everything for you," she says, "so there needs to be a clear grasp of the underlying artifacts and not a complete reliance on tools."

A great example of going beyond the tools is a case where Mari discovered Google Analytics artifacts both inside cookies and within the cache artifacts. The Internet history was deleted, and the Google Analytics artifact was all she had, so Mari researched Google Analytics and wrote a tool, then released it to the community to use. "The Google Analytics artifact literally was the saving grace of that case," she explains. "Since then, I have had numerous people tell me the tool has helped them in their investigations as well."

In addition to being a published magazine author and technical editor for several digital forensics books, Mari maintains a blog on which she shares her research and findings. Her blog has been cited as one of the top 10 blogs in digital forensics. "I am passionate about what I do and am constantly digging to find answers to questions," she says.

In her spare time, Mari enjoys working on Maker projects by volunteering monthly at a non-profit Maker lab for teens. "Each month I come up with a project for the kids to build with their hands, then code it," she says. "I love seeing their reactions and sense of accomplishment after they have completed the project." Mari's overarching goal is to introduce the teens to STEM and show them how fun it can be. 

Qualifications Summary

  • Senior Director of Incident Response at Kroll Cyber Security
  • Nearly 20 years of IT industry experience, including 10 years in DFIR
  • Keynote speaker at the 2017 Women in Cybersecurity Conference
  • Published magazine author and technical editor for several digital forensics books
  • Researches and writes tools and then shares them with the forensics community through her blog
  • Volunteer with a non-profit Maker lab for teens
  • Instructor for SANS FOR500: Windows Forensic Analysis

Get to Know Mari DeGrazia


  • GIAC Certified Forensic Examiner (GCFE)
  • Microsoft Certified Systems Engineer (MCSE)
  • Certified Computer Forensics Examiner (CCFE)
  • Computer Hacking Forensic Investigator (CHFI)
  • Access Data Mobile Phone Examiner (AME)
  • Forensics Tools: EnCase, FTK, Access Data Registry Viewer, IEF, X-Ways, MPE+, Cellebrite
  • Windows, Mac, PHP, MySQL, Python, Kali Linux


  • Investigating Windows Systems (Technical Editor)
  • Make: Magazine, Power Ranger: Remote Power Monitor, April/May 2018
  • EAA Sport Aviation, Controlling a Preheater with a Text Message (Raspberry Pi Project), 2017
  • EForensics Magazine, Trust but Verify: Why When and How, 2016
  • Windows Registry Forensics, SE (Technical Editor), 2016

Presentations and Speaking Engagements

  • Forgotten But Not Gone: Gathering NTFS Artifacts of Deletion, SANS Tactical Detection Summit, 2018
  • Finding and Decoding Malicious PowerShell Scripts, SANS DFIR Summit, 2018
  • Working with APFS, Internal Kroll Training, 2018
  • How to Work with Linux LVMs When Your Forensic Tools Don't, Internal Kroll Training, 2017
  • In the Director's Chair, Keynote, Women in Cyber Security Conference, 2017
  • Enemy at the Virtual Gates: An Introduction to Investigating E-Commerce Data Breaches, Techno Security & Digital Forensics Conference, Cactuscon, 2017
  • The Linux Analysis Platform, Techno Security & Digital Forensics Conference, 2017
  • Memory Forensics 101: X-Men vs. Magneto (workshop), Cactuscon, High Tech Crime Investigators Association, 2017
  • Finding and Decoding Malicious PowerShell Scripts (workshop), High Tech Crime Investigators Association, 2017, OSDFCon 2018
  • The Modern World of Breach Monetization (panel), International Association of Privacy Professionals, 2017
  • Panel on Cybersecurity, International Bar Association Summit, 2017
  • Hunting Evil with Timelines, High-Tech Crime Investigators Association, Cactuscon, 2016
  • Trust but Verify: Why, When and How, SANS Digital Forensics and Incident Response Summit, 2016
  • Supersize your Internet Timeline with Google Analytic Cookies, SANS Digital Forensics and Incident Response Summit, Techno Security & Digital Forensics Conference, and Open-Source Digital Forensics Conference, 2014–2015

Community Outreach

  • smARTMAKER Lab (monthly STEM Maker lab for teens), Organizer and Instructor, 2019
  • Willcox Maker Camp (STEM day camp for youth), Organizer and Instructor, July 2018
  • Raspberry Pi Bot Wars (STEM Community Event), Organizer and Coder, 2017
  • Raspberry Pi LED Holiday Party/Workshop (STEM Community Event), Organizer, 2016
  • CyberGirlz, Outreach to young girls interested in STEM, 2016