Performs digital forensic analysis on Windows, Apple Mac, and Linux based operating systems, in addition to the analysis of networking appliances including but not limited to VPN and firewall appliances
Documents forensic findings in accordance with the standards set forth within the Arete Forensic Tracker and develops a master timeline and visual attack map of the events
Identifies additional sources (systems, logs, etc.) to collect based on the analysis and identifies gaps based on the lifecycle of attack
Works with the Security Operations Center (SOC) to leverage data from monitoring and alerts provided by installed applications and deployed EDR solutions to identify Indicators of Compromise (IOCs) and Tactics, Techniques and Procedures (TTPs) for variants related to the case
Delivers Forensics findings and updates to the team in a clear, concise manner through a narrative story outlining the timeline of events. Modifies delivery in line with the call's audience and technical capabilities
Tracks findings and captures data points related to investigations to enhance and inform our threat intelligence
Raises technical constraints and issues within the Forensics team to identify details of the incident and escalates to Forensic leadership
Maintains updated case analyst notes, the Forensic tracker, timeline and attack map for collaboration within the team in our centralized case location
Drafts detailed updates regarding investigative findings and conclusions drawn from analysis regarding the timing and mechanism of the initial intrusion, adversary actions, timeline of activity/lateral movement, and indicators of data access and/or exfiltration
Identifies, documents, and shares information such as critical IOCs or adversary TTPs as they are uncovered with the Incident Response, Threat Intel, and Security Operations teams
Communicates identified IOCs to the Tiger Team in furtherance of the investigation, path to restoration/response, and for bolstering of the Client's security posture
Employs the usage of incident-mapping frameworks such as MITRE's ATT&CK and Lockheed Martin's Cyber Kill Chain to help contextualize identified adversary actions/IOCs
Produces written incident, investigative updates and reports at the explicit direction of counsel partners
Communicates within the DFIR team and provides routine status updates within our case management platform
Works with cross-functional teams and collaborates to leverage threat intel TTPs/IOCs, information from our SOC/Threat Hunting team, and updates from our Negotiations teams as part of the incident
Drafts reports and appendices based on the findings using the standard report templates
Accurately tracks and records time for forensic analysis
May perform other duties as assigned by management
SKILLS AND KNOWLEDGE
Deep understanding of Forensic artifacts, including (but not limited to) the analysis of operating system artifacts and the recovery of deleted items from multiple operating systems including Windows, Linux, Mac and RAM/memory forensics
Experience analyzing network and operating system log files including Windows Event logs, Unified Audit Logs, Firewall logs, VPN logs, etc.
Working knowledge of:
Windows disk and memory forensics
Network Security Monitoring (NSM), network traffic analysis, and log analysis
Unix or Linux disk and memory forensics
Experience and understanding of enterprise security controls
Experienced with EnCase, Axiom, FTK, X-Ways, SIFT, Splunk, Redline, Volatility, Wireshark, tcpdump, and other open-source forensic tools
Experience delivering technical findings to a non-technical audience, preferred
Provide findings in a confident, factual manner, preferred
Knowledge and experience in handling PII, PHI, sensitive, confidential and proprietary datasets, preferred
Experience with Cyber insurance investigations, preferred