Digital Forensic & Incident Response Investigator - Contract to Hire

Elite Digital Forensics is a specialized digital forensics and cyber investigations company handling cases nationwide for individuals, businesses, law firms, MSPs We are expanding our ransomware and incident response capacity and are looking to build a long-term relationship with an experienced DFIR investigators. This is a 1099 subcontractor role for as-needed cases, with the strong potential to grow into a steady stream of engagements as our partnerships and case volume scale. Role Overview We are seeking an experienced Digital Forensic and Incident Response (DFIR) Investigator with a strong background in ransomware incidents. You will be brought in on a case-by-case basis to support: Ransomware and intrusion investigations Forensic imaging and data collection Log and artifact analysis Timeline reconstruction and reporting for clients, counsel, and insurers Most work will be performed remotely, with occasional on-site support possible depending on the case. Key Responsibilities Handle end-to-end DFIR work for ransomware and intrusion cases, including: Triage, scoping, and initial technical review of incidents Forensic preservation and imaging of endpoints, servers, and virtual environments Collection and analysis of system, security, application, VPN, firewall, and EDR logs Identification of patient zero, initial access vectors, and attacker movement Investigation of lateral movement, data exfiltration indicators, and persistence Timeline reconstruction of key events across multiple data sources Prepare clear, defensible written findings: Technical reports and supporting exhibits Executive summaries understandable to non-technical stakeholders Drafts suitable for use by legal counsel and cyber insurers Coordinate with our team, MSP partners, counsel, and client IT staff in a professional, solutions-focused manner Maintain proper chain of custody and documentation in line with forensic best practices Participate in case review calls, debriefs, and strategy sessions as needed Provide expert input on remediation and prevention recommendations Required Skills and Experience We are specifically looking for someone who can hit the ground running on ransomware and network-centric cases. Demonstrated experience leading or heavily supporting DFIR investigations, including ransomware incidents Strong technical background in: Windows Server and Active Directory environments Common enterprise architectures (VMware, Hyper-V, domain environments, shared storage) Network fundamentals (firewalls, VPNs, IDS/IPS, basic packet analysis) Hands-on experience with at least some of the following: EDR platforms (e.g., SentinelOne, CrowdStrike, similar) Log aggregation/SIEM tools Forensic tools for imaging and analysis (e.g., X-Ways, AXIOM, EnCase, FTK, Cellebrite, or similar) Proven ability to: Work through large volumes of logs and artifacts to find relevant indicators Reconstruct timelines and correlate events across multiple data sources Explain complex technical findings clearly in writing and on calls Solid understanding of: Ransomware TTPs, initial access methods, common threat actor behavior Basic cyber insurance expectations and what “empirical proof” and defensible documentation look like Strong documentation skills and attention to detail Ability to work independently as a contractor, manage time, and meet agreed deadlines Nice-to-Have Experience Experience working with MSPs or MSSPs during incident response Prior work on cyber insurance panel or in insurer-driven engagements Experience testifying or preparing reports for litigation or regulatory matters Comfort interacting with attorneys, executives, and non-technical stakeholders Relevant certifications (e.g., GCFA, GCFE, GNFA, GCIH, CCE, CFCE, CHFI, etc.) are a plus but not mandatory if your experience is strong and demonstrable Engagement Details Engagement type: 1099 independent contractor (subcontractor) Workload: As-needed, case-by-case to start, with strong potential for recurring and increasing volume as we expand partnerships with MSPs and cyber insurers Location: Remote for the majority of work; occasional on-site work may be requested but is not typical Hours: Flexible, but you must be able to: Respond promptly when brought into an active case Start triage within a reasonable time window for active incidents Compensation: Hourly rate, commensurate with experience and certifications; please provide your typical DFIR hourly rate and any different rates you use for expert testimony What To Include In Your Proposal Please include: A brief summary of your DFIR and ransomware experience One or two anonymized examples of: The types of environments you have investigated (e.g., AD with 300 endpoints, VMware with X servers, etc.) Your role in those investigations (lead, co-lead, analyst, etc.) A short description of the tools you are most comfortable using (forensics, EDR, SIEM, log analysis) Your standard hourly rate for: DFIR investigation work Report writing (if different) Expert testimony (if applicable) Any relevant certifications and jurisdictions where you have previously testified (if applicable) Your availability (time zone and typical response time to new cases) If this fits your background and you are interested in building a long-term relationship that could lead to a steady pipeline of forensic cases over time, please submit your proposal and portfolio of experience. Apply tot his job