Digital Forensics & Incident Response (DFIR) Analyst
Direct-hire role that can be based in any of the following areas: Fresno / Albany / Charlotte. No third parties, please; no sponsorship.
Summary
Will support incident response and forensic investigations across enterprise endpoints, servers, cloud platforms, identity systems, and network/security telemetry. This role focuses on evidence acquisition and preservation, triage and analysis, timeline development, and clear technical documentation suitable for operational and counsel-directed matters. The DFIR Analyst works under senior practitioner guidance and is expected to operate with rigor, discretion, and strong attention to detail.
Responsibilities
- Support active incident response investigations including ransomware, business email compromise, unauthorized access, insider activity, fraud, and data exposure scenarios.
- Collect, preserve, and document evidence in accordance with established procedures (e.g., chain-of-custody, evidence tracking, access controls).
- Perform endpoint and server triage and analysis (Windows/macOS/Linux) including artifact collection, event log review, persistence review, and user/process activity analysis.
- Analyze identity and access activity in Microsoft 365/Azure AD (Entra ID) and related audit sources (e.g., Unified Audit Log, sign-in logs, mailbox audit where available).
- Review telemetry from EDR, SIEM, firewall/proxy, DNS, email security, and cloud logging sources to identify relevant activity and indicators.
- Develop and validate timelines from multiple sources (endpoint artifacts, cloud logs, network telemetry, email events).
- Support IOC handling (ingest, normalize, pivot) and assist with scoping, containment validation, and recovery support under direction of incident leads.
- Produce clear written documentation of work performed, data sources reviewed, observed results, and limitations/constraints (e.g., log retention gaps, access limitations).
- Maintain secure handling of sensitive data, including appropriate storage, access control, and transfer procedures.
- Participate in an on-call rotation for urgent response (after onboarding), including off-hours triage support.
Requirements
- 3+ years of relevant experience in DFIR, SOC analysis, threat hunting, or security engineering with demonstrated investigative work.
- Hands-on familiarity with common Windows artifacts and logs (e.g., Security/System logs, PowerShell logs, registry artifacts, scheduled tasks, services, user profiles).
- Working knowledge of Microsoft 365 security/audit data sources and identity concepts (e.g., sign-ins, conditional access concepts, MFA, mailbox rules, OAuth app risk).
- Experience working with at least one EDR platform (e.g., CrowdStrike, Microsoft Defender, SentinelOne, Carbon Black) and log/search workflows in a SIEM.
- Strong technical writing skills: ability to document actions taken and results observed in a factual, precise, and organized manner.
- Ability to manage multiple concurrent tasks under time pressure while maintaining accuracy and defensibility.
- U.S. citizen based in the U.S., preferably in the Fresno, Albany, or Charlotte area.
Preferred
- Experience with forensic tooling (e.g., Magnet AXIOM, EnCase, FTK, X-Ways, KAPE, Velociraptor, GRR) and acquisition methods.
- Familiarity with cloud forensic workflows (Azure/M365, AWS, Google Workspace) and common logging/retention constraints.
- Experience supporting counsel-directed investigations or working in regulated environments (healthcare, finance, public sector).
- Scripting/automation skills (PowerShell, Python) for evidence collection, parsing, and repeatable analysis.
- Certifications (any of the following are a plus): GCFA, GCIH, GNFA, GCFR, EnCE, Security+.