ECS

Cyber Forensics Analyst Lead

ECS  •  Portland, OR (Onsite)  •  5 days ago

Job Description

Everforth ECS is seeking a Cyber Forensics Analyst Lead to work in our Portland, OR office. Please Note: This position is contingent upon contract award.

The Cyber Forensics Analyst Lead is responsible for leading digital forensics activities that support cybersecurity incident response, investigations, evidence preservation, and post-incident analysis. This role provides technical leadership, quality control, and stakeholder coordination across forensic collection, analysis, reporting, and remediation support to ensure findings are accurate, defensible, and actionable.

The ideal candidate combines deep digital forensics and incident response expertise with the ability to lead analysts, manage sensitive evidence, develop investigative timelines, and communicate technical findings clearly to operational, technical, legal, and executive stakeholders.

Key Responsibilities

Forensic Investigation Leadership & Planning

  • Lead end-to-end cyber forensic investigations, including intake, triage, scoping, evidence strategy, tasking, analysis coordination, and deliverable development.
  • Define investigative objectives, data sources, timelines, roles, assumptions, and expected outputs for forensic activities.
  • Ensure forensic investigations align with incident response priorities, legal and compliance requirements, organizational risk tolerance, and mission needs.

Evidence Collection, Preservation & Chain of Custody

  • Direct the collection, preservation, processing, and handling of digital evidence from endpoints, servers, cloud services, identity platforms, security tools, network devices, and other relevant sources.
  • Ensure evidence integrity through documented chain-of-custody procedures, repeatable acquisition methods, secure storage, and defensible handling practices.
  • Validate forensic acquisition approaches, tool outputs, and evidence handling procedures for completeness, accuracy, and admissibility where applicable.

Technical Forensic Analysis

  • Oversee analysis of host artifacts, file systems, memory, logs, endpoint telemetry, malware indicators, authentication activity, network data, and other forensic evidence.
  • Identify attack vectors, compromise timelines, persistence mechanisms, lateral movement, privilege escalation, data access, exfiltration indicators, and affected assets.
  • Correlate forensic findings with SOC alerts, threat intelligence, SIEM data, EDR telemetry, vulnerability information, and incident response actions.

Reporting, Findings & Recommendations

  • Produce and review high-quality forensic reports, investigative timelines, evidence summaries, executive summaries, and technical findings.
  • Translate forensic evidence into clear risk, impact, and business language for technical and non-technical audiences.
  • Develop practical recommendations to support containment, eradication, recovery, control improvements, detection enhancements, and future prevention.

Stakeholder Engagement & Incident Support

  • Serve as the primary forensic point of contact during cybersecurity incidents, investigations, and follow-up analysis activities.
  • Brief SOC leadership, program leadership, system owners, legal or compliance stakeholders, and technical teams on forensic status, findings, risks, and next steps.
  • Coordinate with SOC analysts, threat hunters, threat intelligence analysts, engineers, and other responders while maintaining disciplined investigative practices.

Team Leadership, Quality Assurance & Mentorship

  • Lead and mentor forensic analysts and contributors, including assigning tasks, reviewing work products, and supporting professional development.
  • Review evidence, analysis methods, timelines, conclusions, and reports for accuracy, consistency, completeness, and defensibility.
  • Support standardization of forensic playbooks, evidence checklists, reporting templates, workflows, and quality-control practices.

Continuous Improvement & Forensic Readiness

  • Maintain and improve forensic methodologies, tools, lab procedures, evidence repositories, and analysis workflows.
  • Support lessons learned, after-action reviews, tabletop exercises, and readiness activities that improve investigative speed and quality.
  • Stay current with evolving attacker tradecraft, forensic artifacts, operating systems, cloud platforms, endpoint technologies, and investigative best practices.

Qualifications

  • 7+ years of experience in digital forensics, incident response, cyber investigations, SOC operations, threat analysis, or closely related cybersecurity roles.
  • Proven experience leading formal cyber forensic investigations or incident-response forensic workstreams.
  • Hands-on experience collecting, preserving, and analyzing digital evidence from enterprise systems, endpoints, logs, network sources, cloud platforms, or security tools.
  • Strong understanding of forensic methodologies, chain of custody, evidence integrity, incident response lifecycle, and investigative documentation standards.
  • Experience using forensic, EDR, SIEM, log analysis, or investigation tools such as EnCase, FTK, Magnet AXIOM, Autopsy/Sleuth Kit, Volatility, Velociraptor, Splunk, Sentinel, CrowdStrike, Microsoft Defender, or equivalent technologies.
  • Excellent written and verbal communication skills, including the ability to produce defensible technical reports and brief stakeholders on findings and recommendations.

About ECS

ECS is a fast-growing 4,000-person, $1.2B provider of advanced technology solutions for federal civilian, defense, intelligence, and commercial customers. We tackle complex client challenges with smart, scalable solutions in data and AI, cybersecurity, and digital transformation. Our collective work empowers customers’ missions, strengthens our partners, inspires our employees, and grows our company.

To achieve our purpose — to tackle the missions that matter most and create a lasting impact on our customers, employees, and community — we are committed to excellence in growth, customer delivery, technology innovation, and employee engagement.

We believe in:

  • Attracting, developing, and retaining top talent
  • Building high-performing teams
  • Creating an engaging employee environment
  • Acting with social responsibility
  • Having a positive impact on our community

Our core values: Excellence, Drive, Grit, and Community. We keep these values at the heart of all we do. We’re looking for driven individuals who want to solve meaningful challenges and help shape the future of national security and public service. If you’re ready to make a difference, you’ll find your team here.

Industry
IT & Software
Company Size
1,001-5,000 employees
Headquarters
Fairfax, VA
Year Founded
1993