Jobs · Information Technology · California

Senior Digital Forensic Investigator

Cohesity · Santa Clara, CA · Yesterday
Information Technology$177k–$197k/yrFull-time

About the role

The Senior Digital Forensic Investigator will serve as the operational manager of our Santa Clara Forensic Laboratory. This role combines hands-on forensic expertise with lab management and operational leadership.

Responsibilities

  • Lead and execute end-to-end digital forensic investigations across endpoint, cloud, email, identity, and SaaS environments.
  • Conduct deep-dive analysis for insider threat, data exfiltration, IP theft, fraud, employee misconduct, and ethics matter investigations.
  • Support SIRT as the Advanced Forensic Tier on high-severity security incidents—establishing attribution, root cause, and precise forensic timelines.
  • Perform forensic imaging and acquisition of endpoints and storage media in accordance with established forensic standards and chain of custody protocols, ensuring evidence integrity from collection through analysis.
  • Conduct structured forensic analysis using industry-standard platforms including Magnet AXIOM Cyber, Cellebrite Endpoint Collector, Cellebrite Endpoint Investigator, and Sumuri Recon.
  • Collect, preserve, and analyze digital evidence in a forensically sound manner, maintaining chain of custody and evidentiary integrity throughout.
  • Produce executive-quality investigation reports suitable for HR proceedings, legal review, litigation support, and regulatory disclosure.
  • Manage the Santa Clara Forensic Laboratory as the day-to-day operational lead: oversee evidence intake, storage, processing workflows, and maintain strict adherence to chain-of-custody protocols and forensic standards.
  • Maintain forensic hardware, software, and tools (Magnet AXIOM, Cellebrite, Sumuri, write blockers, imaging devices, etc.) to ensure consistent availability and compliance with licensing and certification requirements.
  • Train and mentor team members on proper evidence handling, forensic imaging procedures, and chain-of-custody protocols; ensure compliance with internal standards and external legal/regulatory requirements.
  • Support field evidence collection operations across the Bay Area, including onsite imaging at corporate facilities and remote locations as needed.
  • Execute eDiscovery collections from Exchange/O365, cloud platforms, and endpoints in response to legal holds and regulatory requests.
  • Work closely with Legal to scope, collect, and produce electronically stored information (ESI) with defensible methodology.
  • Perform advanced log analysis in Google SecOps/Chronicle (YARA-L) and Splunk (SPL).
  • Extract and correlate forensic artifacts from CrowdStrike Falcon EDR telemetry across endpoint and cloud workloads.
  • Query device management platforms (JAMF, Intune, SCCM) to build custodian device profiles and establish asset attribution in support of investigations.
  • Analyze authentication and access events across identity platforms including Azure AD, Okta, and Zscaler.
  • Contribute to the development and refinement of internal forensic tooling, detection playbooks, and investigative frameworks.
  • Design and build AI-assisted investigative workflows using platforms such as Anthropic Claude, Microsoft Copilot, and related enterprise AI tools.
  • Evaluate emerging AI capabilities for investigative applicability and lead proof-of-concept development within the team’s forensic environment.
  • Partner with HR, Legal, and Ethics teams as a trusted technical advisor, translating complex forensic findings into clear, actionable conclusions.
  • Maintain strict confidentiality and exercise mature judgment when handling matters involving current and former employees at all organizational levels.
  • Provide testimony or declarations in support of legal proceedings where required.

Requirements

This role requires 7+ years of progressive experience in digital forensics, cybersecurity investigations, or a closely related discipline. Demonstrated expertise conducting insider threat, data exfiltration, and employee misconduct investigations in enterprise environments. Proficiency with enterprise forensic platforms: Magnet AXIOM Cyber, Cellebrite Endpoint Collector and Endpoint Investigator, and Sumuri Recon or comparable tooling. Strong working knowledge of forensic imaging standards and acquisition methodologies— including write-blocking, hash verification, and documented chain of custody—consistent with industry frameworks such as ACPO, SWGDE, or equivalent. Hands-on proficiency with EDR platforms—particularly CrowdStrike Falcon— for behavioral analysis, process telemetry, and forensic artifact review. Solid understanding of endpoint forensics across Windows and macOS: file system artifacts, registry analysis, prefetch/MRU data, browser forensics, and OS-level event logs. Working knowledge of cloud and SaaS forensic investigation: OAuth and SAML authentication flows, conditional access logs, cloud storage access patterns, and admin audit trails. Familiarity with network-layer investigation fundamentals: DNS, proxy, VPN, and firewall log analysis sufficient to reconstruct data movement and access patterns. Experience using device management platforms (JAMF, Intune, SCCM) for custodian device attribution and asset profiling in the context of investigations. Proven ability to produce legally defensible, executive-quality investigation reports with precise evidentiary grounding. Experience supporting eDiscovery processes, including ESI collection, legal hold execution, and custodian data scoping.

Qualifications

Experience working within or directly supporting corporate Legal, HR, or Ethics functions on sensitive employment or litigation matters. Solid grounding in incident response methodology— including initial triage, scoping, containment sequencing, and post-incident analysis— with experience leading or co-leading high-impact security incidents. Proficiency in Google SecOps/Chronicle and Splunk (SPL). Familiarity with Zscaler proxy log analysis and cloud access security broker (CASB) telemetry. Prior experience testifying or providing declarations in legal, arbitration, or regulatory proceedings. Relevant certifications: GCFE, GCFA, EnCE, CFCE, CISSP, or equivalent.

Skills

Demonstrated expertise conducting insider threat, data exfiltration, and employee misconduct investigations in enterprise environments. Proficiency with enterprise forensic platforms: Magnet AXIOM Cyber, Cellebrite Endpoint Collector and Endpoint Investigator, and Sumuri Recon or comparable tooling. Strong working knowledge of forensic imaging standards and acquisition methodologies— including write-blocking, hash verification, and documented chain of custody—consistent with industry frameworks such as ACPO, SWGDE, or equivalent. Hands-on proficiency with EDR platforms—particularly CrowdStrike Falcon— for behavioral analysis, process telemetry, and forensic artifact review. Solid understanding of endpoint forensics across Windows and macOS: file system artifacts, registry analysis, prefetch/MRU data, browser forensics, and OS-level event logs. Working knowledge of cloud and SaaS forensic investigation: OAuth and SAML authentication flows, conditional access logs, cloud storage access patterns, and admin audit trails. Familiarity with network-layer investigation fundamentals: DNS, proxy, VPN, and firewall log analysis sufficient to reconstruct data movement and access patterns. Experience using device management platforms (JAMF, Intune, SCCM) for custodian device attribution and asset profiling in the context of investigations. Proven ability to produce legally defensible, executive-quality investigation reports with precise evidentiary grounding. Experience supporting eDiscovery processes, including ESI collection, legal hold execution, and custodian data scoping. AI Capability Building — Required This team actively develops AI-augmented investigative workflows. The ability to build with AI tools is a core requirement, not a nice-to-have. Demonstrated hands-on experience using large language model (LLM) platforms—such as Anthropic Claude or Microsoft Copilot— to augment investigative, analytical, or reporting workflows. Ability to design and implement structured prompting frameworks, analysis pipelines, or automation logic that apply AI to forensic use cases such as timeline synthesis, log triage, anomaly narration, or report generation. Comfort evaluating AI-generated output critically—understanding where LLM reasoning aids investigation and where human judgment must govern evidentiary conclusions. Experience or strong aptitude for building lightweight investigative tooling using Python, PowerShell, or similar, with AI as a reasoning or enrichment layer. Demonstrated ability to leverage AI tools to enhance productivity, streamline workflows, and support decision making.

Benefits

Commensurate with experience.

Pay

TBD

Schedule

Based on-site at our Santa Clara facility, with minimum 3 days/week in the lab.

Similar jobs