Cyber Forensics Analyst Lead

About The Position

Requirements

• 7+ years of experience in digital forensics, incident response, cyber investigations, SOC operations, threat analysis, or closely related cybersecurity roles.
• Proven experience leading formal cyber forensic investigations or incident-response forensic workstreams.
• Hands-on experience collecting, preserving, and analyzing digital evidence from enterprise systems, endpoints, logs, network sources, cloud platforms, or security tools.
• Strong understanding of forensic methodologies, chain of custody, evidence integrity, incident response lifecycle, and investigative documentation standards.
• Experience using forensic, EDR, SIEM, log analysis, or investigation tools such as EnCase, FTK, Magnet AXIOM, Autopsy/Sleuth Kit, Volatility, Velociraptor, Splunk, Sentinel, CrowdStrike, Microsoft Defender, or equivalent technologies.
• Excellent written and verbal communication skills, including the ability to produce defensible technical reports and brief stakeholders on findings and recommendations.

Responsibilities

• Lead end-to-end cyber forensic investigations, including intake, triage, scoping, evidence strategy, tasking, analysis coordination, and deliverable development.
• Define investigative objectives, data sources, timelines, roles, assumptions, and expected outputs for forensic activities.
• Ensure forensic investigations align with incident response priorities, legal and compliance requirements, organizational risk tolerance, and mission needs.
• Direct the collection, preservation, processing, and handling of digital evidence from endpoints, servers, cloud services, identity platforms, security tools, network devices, and other relevant sources.
• Ensure evidence integrity through documented chain-of-custody procedures, repeatable acquisition methods, secure storage, and defensible handling practices.
• Validate forensic acquisition approaches, tool outputs, and evidence handling procedures for completeness, accuracy, and admissibility where applicable.
• Oversee analysis of host artifacts, file systems, memory, logs, endpoint telemetry, malware indicators, authentication activity, network data, and other forensic evidence.
• Identify attack vectors, compromise timelines, persistence mechanisms, lateral movement, privilege escalation, data access, exfiltration indicators, and affected assets.
• Correlate forensic findings with SOC alerts, threat intelligence, SIEM data, EDR telemetry, vulnerability information, and incident response actions.
• Produce and review high-quality forensic reports, investigative timelines, evidence summaries, executive summaries, and technical findings.
• Translate forensic evidence into clear risk, impact, and business language for technical and non-technical audiences.
• Develop practical recommendations to support containment, eradication, recovery, control improvements, detection enhancements, and future prevention.
• Serve as the primary forensic point of contact during cybersecurity incidents, investigations, and follow-up analysis activities.
• Brief SOC leadership, program leadership, system owners, legal or compliance stakeholders, and technical teams on forensic status, findings, risks, and next steps.
• Coordinate with SOC analysts, threat hunters, threat intelligence analysts, engineers, and other responders while maintaining disciplined investigative practices.
• Lead and mentor forensic analysts and contributors, including assigning tasks, reviewing work products, and supporting professional development.
• Review evidence, analysis methods, timelines, conclusions, and reports for accuracy, consistency, completeness, and defensibility.
• Support standardization of forensic playbooks, evidence checklists, reporting templates, workflows, and quality-control practices.
• Maintain and improve forensic methodologies, tools, lab procedures, evidence repositories, and analysis workflows.
• Support lessons learned, after-action reviews, tabletop exercises, and readiness activities that improve investigative speed and quality.
• Stay current with evolving attacker tradecraft, forensic artifacts, operating systems, cloud platforms, endpoint technologies, and investigative best practices.