← back to jobs
> job detail
A
👽Other

Digital Forensics and Incident Analyst

Agile-Defense · Washington, D.C.
// classified as
Other (Adjacent or hard to classify.)
posted
1d ago
location
Washington, D.C.
languages
tools
> description
About Agile Defense
 
At Agile Defense we know that action defines the outcome and new challenges require new solutions. That’s why we always look to the future and embrace change with an unmovable spirit and the courage to build for what comes next.
 
Our vision is to bring adaptive innovation to support our nation's most important missions through the seamless integration of advanced technologies, elite minds, and unparalleled agility—leveraging a foundation of speed, flexibility, and ingenuity to strengthen and protect our nation’s vital interests.

Description

The Digital Forensics & Incident Analyst supports the Threat Analysis & Investigations (TA&I) function, analyzing digital evidence and investigating computer security incidents to derive information that supports system and network vulnerability mitigation. The analyst provides Tier 2 and Tier 3 support to the enterprise Security Operations Center (SOC) and coordinates with partner/enterprise security operations centers as required for incident response and advanced analysis. Aligned to the NICE Framework, the role identifies, collects, examines, and preserves digital evidence using controlled and documented analytical and investigative techniques in support of authorized requesting authorities — including oversight bodies, legal and general counsel offices, professional-responsibility offices, FOIA requests, and law enforcement partners. The analyst conducts digital analysis in response to investigations of computer-based crimes and cyber-intrusion incidents, leveraging enterprise forensic and live-monitoring tools while rigorously maintaining chain of custody. Incoming requests are logged into a case management application, and the analyst performs the analytical function supporting the appropriate authorities.

Essential Functions
  • Analyze log files, evidence, and other information to determine the best methods for identifying the perpetrator(s) of a network intrusion. (T0027)
  • Confirm what is known about an intrusion and discover new information via dynamic analysis. (T0036)
  • Provide technical summaries of findings in accordance with established reporting procedures, and deliver written analysis reports to requesting customers. (T0075)
  • Examine recovered data for information relevant to the matter at hand. (T0103)
  • Perform file signature analysis (T0167) and file system forensic analysis across implementations such as NTFS, FAT, and EXT. (T0286)
  • Collect and analyze intrusion artifacts (e.g., source code, malware, system configuration) and use discovered data to enable mitigation of potential cyber defense incidents. (T0432)
  • Conduct malware analysis in the event of a compromise, identify obfuscation techniques, and interpret debugging results to ascertain adversary tactics, techniques, and procedures.
  • Determine the extent of threats and recommend courses of action or countermeasures to mitigate risk; analyze crises to ensure public, personal, and resource protection.
  • Identify data concealment methods (e.g., encryption algorithms, steganography) and conduct memory dumps to extract information.
  • Conduct security event analysis and correlation using enterprise tooling, and apply network security architecture concepts (topology, protocols, components, defense-in-depth) to forensic analysis.
  • Determine physical computer components and architectures, conduct physical disassembly of systems, and identify/modify/manipulate system components within Windows, Unix, or Linux (e.g., passwords, user accounts, files).
  • Apply system administration, network, and operating-system hardening techniques, and use virtual machines (e.g., Hyper-V, VMware vSphere, Citrix Xen, Amazon EC2) in the course of analysis.
  • Conduct hashing for chain-of-custody and validation (e.g., SHA, MD5) and preserve evidence integrity according to standard operating procedures or national standards.
  • Support the full evidence lifecycle — collecting, packaging, transporting, and storing electronic evidence while maintaining chain of custody — and interpret insider-threat investigations, reporting, tools, and applicable laws/regulations.
  • Provide legal governance related to admissibility (e.g., Rules of Evidence) and advise on applicable laws and statutes (e.g., Titles 10, 18, 32, and 50, U.S. Code), Presidential Directives, and executive/administrative/criminal guidelines.
  • Provide risk-management recommendations and apply knowledge of laws, regulations, policies, and ethics as they relate to cybersecurity and privacy.
  • Support forensic application updates and replacements as technology changes; develop workflow diagrams and requirements for continued case management application growth; and support contingency and recovery planning for enterprise forensic and case management applications.
  • Support solution evaluation and piloting — identify key technology components, review and update the System Design Document, assist the ISSO with assessment and authorization (A&A) functions to establish Authority to Test, pilot components to a limited user community, and deliver findings and recommendations to the TA&I Program Manager and staff for review.
Qualifications
  • U.S. citizenship and an active Top Secret (TS) security clearance.
  • Bachelor's degree in Cybersecurity, Computer Science, Digital Forensics, Information Systems, or a related field (additional experience may substitute for degree).
  • 7 years of hands-on digital forensics and incident response (DFIR) experience, ideally in federal or otherwise regulated environments.
  • Required certifications: CFIA and CFIH.
  • Demonstrated expertise with industry-standard forensic and analysis tools (e.g., EnCase, FTK, Autopsy/The Sleuth Kit, X-Ways, Volatility, Wireshark, YARA, and malware reverse-engineering tools such as Ghidra or IDA Pro).
  • Strong command of Windows, Unix, and Linux internals; file systems (NTFS, FAT, EXT); virtualization; and SIEM/event-correlation platforms.
  • Working knowledge of the NICE Framework, NIST guidance, MITRE ATT&CK, chain-of-custody standards, and Rules of Evidence.
  • Excellent technical writing and the ability to present findings clearly to legal, oversight, and investigative authorities.