Forensic Malware Analyst – San Antonio


The Forensic Malware Analyst enables accurate, timely and thorough execution of computer forensics on suspected and confirmed compromised AF systems to determine the method of intrusion and corrective actions to be taken to prevent or detect similar future activities.


Advanced knowledge of Intrusion Detection System/Intrusion Prevention System (IDS/IPS), network security monitoring (NSM), endpoint protection and detection, and static-dynamic digital forensic investigation and analysis technologies currently in use by Department of Defense and Federal Government Agencies; intermediate experience with the network communication function standards in the Open Systems Interconnection (OSI) model such as data link layer, network layer, addressing, subnetting, protocols, ports, services, and applications associated with the Internet Protocol (IP), Transmission Control Protocol (TCP), User Datagram Protocol (UDP), Domain Name Service (DNS), File Transfer Protocol (FTP), Simple Mail Transfer Protocol (SMTP), and the Hypertext Transfer Protocol (HTTP).


*Track evidence inventory for intake and releasing to the forensics laboratory. This includes insuring proper handling and maintenance of evidence and chain of custody records.

*Apply best principles and practices IAW CJCSM 65-10.01B Enclosure A in retrieving, recovering, and preserving digital evidence.

*Utilize forensic tools such as, but not limited to; EnCase, FTK, FireEye, etc. and other systems as required.

*Conduct analysis of metadata.

*Conduct forensic examinations of digital media from a variety of sources including preservation, acquisition, and analysis of digital evidence with the goal of developing forensically sound evidence.

*Confirm malicious activity when new information is identified through forensic analysis.

*Investigate network and computer intrusions to identify root cause and generate indicators of compromise and document all findings in the investigation/incident log for each file.

*Perform software reverse engineering of suspected malicious files to verify if system compromise occurred document all findings in the investigation/incident log for each file.

*Perform memory forensics & malware reverse engineering, analysis, and extract Indicators of Compromise (IOC).

*Parse through gigabytes of log data utilizing native Unix/Linux command line tools.

*Create and run scripts that will collect and analyze logs utilizing Unix/Linux commands.

*Analyze data from multiple sources including Linux/Unix/Windows operating systems, TCP/IP and PCAP.

*Perform Hard Drive Analysis of suspected/confirmed infected or exploited systems and document all findings in the investigation/incident log for each hard drive with no more than a 5% error rate.

*Develop methods to identify, contain, log, and analyze malware-based activities on AF AIS and networks.

*Provide support to AF network administrators on the installation and analysis of packet sniffers on their network topology by reporting the functionality status upon request.

*Generate forensic reports and synopses presenting complex technical processes and findings clearly and concisely to technical and non-technical.

*Collaborate with leadership and external agencies, including Counter-Intelligence activities/agencies, OSI, FBI, and other security agencies, to include Incident Responders, as well as other forensic analysts.

*Provide AF OSI DCO technical support to law enforcement and counter- intelligence activities.

*Coordinate transfer of investigation to AF OSI if it is determined during an investigation that a law was broken.

*Support and/or augment Incident Response deployment with same day notice. This travel will allow responders to retrieve hard drives or miscellaneous storage media, isolate system(s) for additional investigation, and perform other on-site Incident Response actions.

*Set up a monitor or “cage” at the on-site location as needed.

*Provide OJT to other contractor employees, military, and/or civilian personnel, and ensure continuity folders/working aids are updated.

*Create and document metrics for reporting and analysis to improve weapon system processes and mission execution.

*Conduct Behavioral, Static, and Dynamic analysis of hard drives, and files.

*Provide requested forensic information to operational flight commander as it relates to the Host Detection processes and procedures.


*Must meet IAT Level III certification (CASP+ CE, CCNP Security, CISA, CISSP (or Associate), GCED, GCIH, or CCSP)

*Required GIAC certifications:  GCFE and GREM


*Must have active TS/SCI

*Must be available for shift work