Digital Forensic & Incident Response Investigator - Contract to Hire

Elite Digital Forensics is a specialized digital forensics and cyber investigations company handling cases nationwide for individuals, businesses, law firms, MSPs We are expanding our ransomware and incident response capacity and are looking to build a long-term relationship with an experienced DFIR investigators.

This is a 1099 subcontractor role for as-needed cases, with the strong potential to grow into a steady stream of engagements as our partnerships and case volume scale.

Role Overview

We are seeking an experienced Digital Forensic and Incident Response (DFIR) Investigator with a strong background in ransomware incidents. You will be brought in on a case-by-case basis to support:

Ransomware and intrusion investigations

Forensic imaging and data collection

Log and artifact analysis

Timeline reconstruction and reporting for clients, counsel, and insurers

Most work will be performed remotely, with occasional on-site support possible depending on the case.

Key Responsibilities

Handle end-to-end DFIR work for ransomware and intrusion cases, including:

Triage, scoping, and initial technical review of incidents

Forensic preservation and imaging of endpoints, servers, and virtual environments

Collection and analysis of system, security, application, VPN, firewall, and EDR logs

Identification of patient zero, initial access vectors, and attacker movement

Investigation of lateral movement, data exfiltration indicators, and persistence

Timeline reconstruction of key events across multiple data sources

Prepare clear, defensible written findings:

Technical reports and supporting exhibits

Executive summaries understandable to non-technical stakeholders

Drafts suitable for use by legal counsel and cyber insurers

Coordinate with our team, MSP partners, counsel, and client IT staff in a professional, solutions-focused manner

Maintain proper chain of custody and documentation in line with forensic best practices

Participate in case review calls, debriefs, and strategy sessions as needed

Provide expert input on remediation and prevention recommendations

Required Skills and Experience

We are specifically looking for someone who can hit the ground running on ransomware and network-centric cases.

Demonstrated experience leading or heavily supporting DFIR investigations, including ransomware incidents

Strong technical background in:

Windows Server and Active Directory environments

Common enterprise architectures (VMware, Hyper-V, domain environments, shared storage)

Network fundamentals (firewalls, VPNs, IDS/IPS, basic packet analysis)

Hands-on experience with at least some of the following:

EDR platforms (e.g., SentinelOne, CrowdStrike, similar)

Log aggregation/SIEM tools

Forensic tools for imaging and analysis (e.g., X-Ways, AXIOM, EnCase, FTK, Cellebrite, or similar)

Proven ability to:

Work through large volumes of logs and artifacts to find relevant indicators

Reconstruct timelines and correlate events across multiple data sources

Explain complex technical findings clearly in writing and on calls

Solid understanding of:

Ransomware TTPs, initial access methods, common threat actor behavior

Basic cyber insurance expectations and what “empirical proof” and defensible documentation look like

Strong documentation skills and attention to detail

Ability to work independently as a contractor, manage time, and meet agreed deadlines

Nice-to-Have Experience

Experience working with MSPs or MSSPs during incident response

Prior work on cyber insurance panel or in insurer-driven engagements

Experience testifying or preparing reports for litigation or regulatory matters

Comfort interacting with attorneys, executives, and non-technical stakeholders

Relevant certifications (e.g., GCFA, GCFE, GNFA, GCIH, CCE, CFCE, CHFI, etc.) are a plus but not mandatory if your experience is strong and demonstrable

Engagement Details

Engagement type: 1099 independent contractor (subcontractor)

Workload: As-needed, case-by-case to start, with strong potential for recurring and increasing volume as we expand partnerships with MSPs and cyber insurers

Location: Remote for the majority of work; occasional on-site work may be requested but is not typical

Hours: Flexible, but you must be able to:

Respond promptly when brought into an active case

Start triage within a reasonable time window for active incidents

Compensation: Hourly rate, commensurate with experience and certifications; please provide your typical DFIR hourly rate and any different rates you use for expert testimony

What To Include In Your Proposal

Please include:

A brief summary of your DFIR and ransomware experience

One or two anonymized examples of:

The types of environments you have investigated (e.g., AD with 300 endpoints, VMware with X servers, etc.)

Your role in those investigations (lead, co-lead, analyst, etc.)

A short description of the tools you are most comfortable using (forensics, EDR, SIEM, log analysis)

Your standard hourly rate for:

DFIR investigation work

Report writing (if different)

Expert testimony (if applicable)

Any relevant certifications and jurisdictions where you have previously testified (if applicable)

Your availability (time zone and typical response time to new cases)

If this fits your background and you are interested in building a long-term relationship that could lead to a steady pipeline of forensic cases over time, please submit your proposal and portfolio of experience.

Apply tot his job