Senior Digital Forensic Investigator

CohesitySanta Clara, CA
Onsite

About The Position

Cohesity is a leader in AI-powered data security and management. We are seeking a Senior Digital Forensic Investigator to serve as the operational manager of our Santa Clara Forensic Laboratory. This role combines hands-on forensic expertise with lab management and operational leadership. The successful candidate will oversee all aspects of the lab's forensic acquisition, imaging, and chain-of-custody operations, while independently executing complex investigations and supporting both the Investigations & Forensics team and Security Incident Response Team (SIRT). This role is based on-site at our Santa Clara facility, with minimum 3 days/week in the lab. Lab management responsibilities include maintaining forensic equipment, managing evidence intake and processing workflows, ensuring strict adherence to chain-of-custody protocols, administering forensic licensing and compliance standards, training team members on proper evidence handling procedures, and supporting Bay Area field operations. You will exercise strong independent judgment, communicate with precision, and maintain the highest standards of evidentiary integrity — your work directly impacts the defensibility of investigations and litigation outcomes.

Requirements

  • 7+ years of progressive experience in digital forensics, cybersecurity investigations, or a closely related discipline.
  • Demonstrated expertise conducting insider threat, data exfiltration, and employee misconduct investigations in enterprise environments.
  • Proficiency with enterprise forensic platforms: Magnet AXIOM Cyber, Cellebrite Endpoint Collector and Endpoint Investigator, and Sumuri Recon or comparable tooling.
  • Strong working knowledge of forensic imaging standards and acquisition methodologies — including write-blocking, hash verification, and documented chain of custody — consistent with industry frameworks such as ACPO, SWGDE, or equivalent.
  • Hands-on proficiency with EDR platforms — particularly CrowdStrike Falcon — for behavioral analysis, process telemetry, and forensic artifact review.
  • Strong working knowledge of Microsoft 365 forensics: Exchange Online mail flow and Recoverable Items, Azure AD sign-in and audit logs, Purview Compliance, and MDE.
  • Solid understanding of endpoint forensics across Windows and macOS: file system artifacts, registry analysis, prefetch/MRU data, browser forensics, and OS-level event logs.
  • Working knowledge of cloud and SaaS forensic investigation: OAuth and SAML authentication flows, conditional access logs, cloud storage access patterns, and admin audit trails.
  • Familiarity with network-layer investigation fundamentals: DNS, proxy, VPN, and firewall log analysis sufficient to reconstruct data movement and access patterns.
  • Proficiency in Google SecOps/Chronicle (YARA-L) for investigation and threat hunting.
  • Experience using device management platforms (JAMF, Intune, SCCM) for custodian device attribution and asset profiling in the context of investigations.
  • Proven ability to produce legally defensible, executive-quality investigation reports with precise evidentiary grounding.
  • Experience supporting eDiscovery processes, including ESI collection, legal hold execution, and custodian data scoping.
  • Demonstrated hands-on experience using large language model (LLM) platforms — such as Anthropic Claude or Microsoft Copilot — to augment investigative, analytical, or reporting workflows.
  • Ability to design and implement structured prompting frameworks, analysis pipelines, or automation logic that apply AI to forensic use cases such as timeline synthesis, log triage, anomaly narration, or report generation.
  • Comfort evaluating AI-generated output critically — understanding where LLM reasoning aids investigation and where human judgment must govern evidentiary conclusions.
  • Experience or strong aptitude for building lightweight investigative tooling using Python, PowerShell, or similar, with AI as a reasoning or enrichment layer.
  • Demonstrated ability to leverage AI tools to enhance productivity, streamline workflows, and support decision making.
  • Absolute discretion and professional confidentiality — without exception.
  • The ability to operate independently with minimal oversight, making sound judgments under ambiguity.
  • Strong analytical and critical thinking skills; comfort working with incomplete or conflicting data.
  • Clear, precise written and verbal communication — you know how to write for a legal audience without over-qualifying.
  • A bias toward evidence: you document what the data shows, and you resist pressure to overreach beyond what the evidence supports.
  • Comfort engaging with executives, legal counsel, HR leadership, and external parties in a professional, measured manner.
  • A collaborative mindset — this team is small, trusted, and operates as a unit.
  • Must have English language proficiency (Can interact with a degree of fluency when speaking, reading, and writing in a professional and specialized setting).

Nice To Haves

  • Experience working within or directly supporting corporate Legal, HR, or Ethics functions on sensitive employment or litigation matters.
  • Solid grounding in incident response methodology — including initial triage, scoping, containment sequencing, and post-incident analysis — with experience leading or co-leading high-impact security incidents.
  • Proficiency in Google SecOps/Chronicle and Splunk (SPL).
  • Familiarity with Zscaler proxy log analysis and cloud access security broker (CASB) telemetry.
  • Prior experience testifying or providing declarations in legal, arbitration, or regulatory proceedings.
  • Relevant certifications: GCFE, GCFA, EnCE, CFCE, CISSP, or equivalent.

Responsibilities

  • Lead and execute end-to-end digital forensic investigations across endpoint, cloud, email, identity, and SaaS environments.
  • Conduct deep-dive analysis for insider threat, data exfiltration, IP theft, fraud, employee misconduct, and ethics matter investigations.
  • Support SIRT as the Advanced Forensic Tier on high-severity security incidents — establishing attribution, root cause, and precise forensic timelines.
  • Perform forensic imaging and acquisition of endpoints and storage media in accordance with established forensic standards and chain of custody protocols, ensuring evidence integrity from collection through analysis.
  • Conduct structured forensic analysis using industry-standard platforms including Magnet AXIOM Cyber, Cellebrite Endpoint Collector, Cellebrite Endpoint Investigator, and Sumuri Recon.
  • Collect, preserve, and analyze digital evidence in a forensically sound manner, maintaining chain of custody and evidentiary integrity throughout.
  • Produce executive-quality investigation reports suitable for HR proceedings, legal review, litigation support, and regulatory disclosure.
  • Manage the Santa Clara Forensic Laboratory as the day-to-day operational lead: oversee evidence intake, storage, processing workflows, and maintain strict adherence to chain-of-custody protocols and forensic standards.
  • Maintain forensic hardware, software, and tools (Magnet AXIOM, Cellebrite, Sumuri, write blockers, imaging devices, etc.) to ensure consistent availability and compliance with licensing and certification requirements.
  • Train and mentor team members on proper evidence handling, forensic imaging procedures, and chain-of-custody protocols; ensure compliance with internal standards and external legal/regulatory requirements.
  • Support field evidence collection operations across the Bay Area, including onsite imaging at corporate facilities and remote locations as needed.
  • Execute eDiscovery collections from Exchange/O365, cloud platforms, and endpoints in response to legal holds and regulatory requests.
  • Work closely with Legal to scope, collect, and produce electronically stored information (ESI) with defensible methodology.
  • Apply custodian-level data scoping, deduplication, and privilege filtering aligned with counsel’s requirements.
  • Perform advanced log analysis in Google SecOps/Chronicle (YARA-L) and Splunk (SPL).
  • Extract and correlate forensic artifacts from CrowdStrike Falcon EDR telemetry across endpoint and cloud workloads.
  • Query device management platforms (JAMF, Intune, SCCM) to build custodian device profiles and establish asset attribution in support of investigations.
  • Analyze authentication and access events across identity platforms including Azure AD, Okta, and Zscaler.
  • Contribute to the development and refinement of internal forensic tooling, detection playbooks, and investigative frameworks.
  • Design and build AI-assisted investigative workflows using platforms such as Anthropic Claude, Microsoft Copilot, and related enterprise AI tools.
  • Develop prompt engineering frameworks, structured analysis pipelines, and automation logic that apply large language models to forensic triage, timeline reconstruction, and report drafting.
  • Evaluate emerging AI capabilities for investigative applicability and lead proof-of-concept development within the team’s forensic environment.
  • Document and operationalize AI-augmented workflows so that investigative capability is repeatable, auditable, and defensible.
  • Partner with HR, Legal, and Ethics teams as a trusted technical advisor, translating complex forensic findings into clear, actionable conclusions.
  • Maintain strict confidentiality and exercise mature judgment when handling matters involving current and former employees at all organizational levels.
  • Provide testimony or declarations in support of legal proceedings where required.

Benefits

  • health and wellness benefits
  • vacation
  • paid holidays and refresh days
  • 401(k) retirement plan
  • life and disability insurance coverages
© 2026 Teal Labs, Inc
Privacy PolicyTerms of Service