Digital Forensic & Incident Response Investigator - Contract to Hire

Remote Full-time
Elite Digital Forensics is a specialized digital forensics and cyber investigations company handling cases nationwide for individuals, businesses, law firms, and MSPs. We are expanding our ransomware and incident response capacity and are looking to build a long-term relationship with an experienced DFIR investigator. This is a 1099 subcontractor role for as-needed cases, with the strong potential to grow into a steady stream of engagements as our partnerships and case volume scale.

Role Overview

We are seeking an experienced Digital Forensic and Incident Response (DFIR) Investigator with a strong background in ransomware incidents.

You will be brought in on a case-by-case basis to support:
- Ransomware and intrusion investigations
- Forensic imaging and data collection
- Log and artifact analysis
- Timeline reconstruction and reporting for clients, counsel, and insurers

Most work will be performed remotely, with occasional on-site support possible depending on the case.

Key Responsibilities

- Handle end-to-end DFIR work for ransomware and intrusion cases, including:
  - Triage, scoping, and initial technical review of incidents
  - Forensic preservation and imaging of endpoints, servers, and virtual environments
  - Collection and analysis of system, security, application, VPN, firewall, and EDR logs
  - Identification of patient zero, initial access vectors, and attacker movement
  - Investigation of lateral movement, data exfiltration indicators, and persistence
  - Timeline reconstruction of key events across multiple data sources
- Prepare clear, defensible written findings:
  - Technical reports and supporting exhibits
  - Executive summaries understandable to non-technical stakeholders
  - Drafts suitable for use by legal counsel and cyber insurers
- Coordinate with our team, MSP partners, counsel, and client IT staff in a professional, solutions-focused manner
- Maintain proper chain of custody and documentation in line with forensic best practices
- Participate in case review calls, debriefs, and strategy sessions as needed
- Provide expert input on remediation and prevention recommendations

Required Skills and Experience

We are specifically looking for someone who can hit the ground running on ransomware and network-centric cases.

- Demonstrated experience leading or heavily supporting DFIR investigations, including ransomware incidents
- Strong technical background in:
  - Windows Server and Active Directory environments
  - Common enterprise architectures (VMware, Hyper-V, domain environments, shared storage)
  - Network fundamentals (firewalls, VPNs, IDS/IPS, basic packet analysis)
- Hands-on experience with at least some of the following:
  - EDR platforms (e.g., SentinelOne, CrowdStrike, similar)
  - Log aggregation/SIEM tools
  - Forensic tools for imaging and analysis (e.g., X-Ways, AXIOM, EnCase, FTK, Cellebrite, or similar)
- Proven ability to:
  - Work through large volumes of logs and artifacts to find relevant indicators
  - Reconstruct timelines and correlate events across multiple data sources
  - Explain complex technical findings clearly in writing and on calls
- Solid understanding of:
  - Ransomware TTPs, initial access methods, common threat actor behavior
  - Basic cyber insurance expectations and what “empirical proof” and defensible documentation look like
- Strong documentation skills and attention to detail
- Ability to work independently as a contractor, manage time, and meet agreed deadlines

Nice-to-Have Experience

- Experience working with MSPs or MSSPs during incident response
- Prior work on a cyber insurance panel or in insurer-driven engagements
- Experience testifying or preparing reports for litigation or regulatory matters
- Comfort interacting with attorneys, executives, and non-technical stakeholders
- Relevant certifications (e.g., GCFA, GCFE, GNFA, GCIH, CCE, CFCE, CHFI, etc.) are a plus but not mandatory if your experience is strong and demonstrable

Engagement Details

- Engagement type: 1099 independent contractor (subcontractor)
- Workload: As-needed, case-by-case to start, with strong potential for recurring and increasing volume as we expand partnerships with MSPs and cyber insurers
- Location: Remote for the majority of work; occasional on-site work may be requested but is not typical
- Hours: Flexible, but you must be able to:
  - Respond promptly when brought into an active case
  - Start triage within a reasonable time window for active incidents
- Compensation: Hourly rate, commensurate with experience and certifications; please provide your typical DFIR hourly rate and any different rates you use for expert testimony

What To Include In Your Proposal

Please include:
- A brief summary of your DFIR and ransomware experience
- One or two anonymized examples of:
  - The types of environments you have investigated (e.g., AD with 300 endpoints, VMware with X servers, etc.)
  - Your role in those investigations (lead, co-lead, analyst, etc.)
- A short description of the tools you are most comfortable using (forensics, EDR, SIEM, log analysis)
- Your standard hourly rate for:
  - DFIR investigation work
  - Report writing (if different)
  - Expert testimony (if applicable)
- Any relevant certifications and jurisdictions where you have previously testified (if applicable)
- Your availability (time zone and typical response time to new cases)

If this fits your background and you are interested in building a long-term relationship that could lead to a steady pipeline of forensic cases over time, please submit your proposal and portfolio of experience.