Digital Forensics & Incident Response (DFIR) Analyst
Digital Forensics & Incident Response (DFIR) Analyst Direct hire role, preferably based in one of the following areas: Fresno / Albany / Charlotte, but strong candidates from other locations will be considered. No 3rd parties please, no sponsorship. Role Summary The DFIR Analyst supports incident response and forensic investigations across enterprise endpoints, servers, cloud platforms, identity systems, and network/security telemetry. This role focuses on evidence acquisition and preservation, triage and analysis, timeline development, and clear technical documentation suitable for operational and counsel-directed matters. The DFIR Analyst works under senior practitioner guidance and is expected to operate with rigor, discretion, and strong attention to detail.
Responsibilities
- Support active incident response investigations including ransomware, business email compromise, unauthorized access, insider activity, fraud, and data exposure scenarios.
- Collect, preserve, and document evidence in accordance with established procedures (e.g., chain-of-custody, evidence tracking, access controls).
- Perform endpoint and server triage and analysis (Windows/macOS/Linux) including artifact collection, event log review, persistence review, and user/process activity analysis.
- Analyze identity and access activity in Microsoft 365/Azure AD (Entra ID) and related audit sources (e.g., Unified Audit Log, sign-in logs, mailbox audit where available).
- Review telemetry from EDR, SIEM, firewall/proxy, DNS, email security, and cloud logging sources to identify relevant activity and indicators.
- Develop and validate timelines from multiple sources (endpoint artifacts, cloud logs, network telemetry, email events).
- Support IOC handling (ingest, normalize, pivot) and assist with scoping, containment validation, and recovery support under direction of incident leads.
- Produce clear written documentation of work performed, data sources reviewed, observed results, and limitations/constraints (e.g., log retention gaps, access limitations).
- Maintain secure handling of sensitive data, including appropriate storage, access control, and transfer procedures.
- Participate in an on-call rotation for urgent response (after onboarding), including off-hours triage support.
Required Qualifications
- 3+ years of relevant experience in DFIR, SOC analysis, threat hunting, or security engineering with demonstrated investigative work.
- Hands-on familiarity with common Windows artifacts and logs (e.g., Security/System logs, PowerShell logs, registry artifacts, scheduled tasks, services, user profiles).
- Working knowledge of Microsoft 365 security/audit data sources and identity concepts (e.g., sign-ins, conditional access concepts, MFA, mailbox rules, OAuth app risk).
- Experience working with at least one EDR platform (e.g., CrowdStrike, Microsoft Defender, SentinelOne, Carbon Black) and log/search workflows in a SIEM.
- Strong technical writing skills: ability to document actions taken and results observed in a factual, precise, and organized manner.
- Ability to manage multiple concurrent tasks under time pressure while maintaining accuracy and defensibility.
- United_States Citizen, based in the US, preferably in Fresno, Albany or Charlotte area, but other areas will be considered for a strong candidate.
Preferred Qualifications
- Experience with forensic tooling (e.g., Magnet AXIOM, EnCase, FTK, X-Ways, KAPE, Velociraptor, GRR) and acquisition methods.
- Familiarity with cloud forensic workflows (Azure/M365, AWS, Google Workspace) and common logging/retention constraints.
- Experience supporting counsel-directed investigations or working in regulated environments (healthcare, finance, public sector).
- Scripting/automation skills (PowerShell, Python) for evidence collection, parsing, and repeatable analysis.
- Certifications (any of the following are a plus): GCFA, GCIH, GNFA, GCFR, EnCE, Security+.
Apply tot his job Apply To this Job Apply tot his job Apply To this Job