Forensic Analyst

Security Services

The Security Services Department’s overall mission is to ensure a safe and secure environment and to protect MIT Lincoln Laboratory at all facilities in which staff members perform their mission of research and development. To accomplish this mission, the department formulates and implements policies, plans, and actions designed to protect facilities against threats of vandalism, accidental destruction, and sabotage, and it safeguards personnel, classified and unclassified information systems, personally identifiable information, property, and other assets from exploitation and recruitment by foreign intelligence agencies.

The Security Services Department’s (SSD) Forensic Analysis Center (FAC) is a Tier-3 technical analysis section within the Information Security Group. It provides specialized technical and operational threat intelligence and analysis capabilities in support of many challenging technical security issues within the organization. FAC team members are encouraged to reach their full potential and grow professionally through career opportunities that challenge and extend their existing skill sets. FAC staff members maintain proficiency through a wide variety of training opportunities, collaborative efforts, and the analysis of difficult problems in support of national security.

The IT Forensic Analyst collaborates with other highly skilled technical analysts experienced in a wide variety of related disciplines that together comprise a select group of “Cyber Hunters”, focused on identifying and mitigating malicious or anomalous activity across all enterprise networks. Using both existing tools and working in collaboration with Laboratory Cyber Research staff on new detection techniques, the IT Forensic Analyst is responsible for analysis and discovery of computer intrusion data by conducting and/or supervising enterprise-level digital forensic activities. The analyst will also conduct internal investigations, data identification and recovery, and investigations of alleged policy violations, including insider threat activity. The analyst must be able to rapidly perform a variety of technical tasks including network traffic analysis, network and host system forensics, malware analysis, signature generation, and similar work. The position requires a high level of technical expertise and the ability to provide articulate written reports and tailored remediation and countermeasure recommendations to other cyber incident handlers.

Primary Duties:

Forensic Investigations (Host and Network):

Conducts and/or supervises computer forensic examinations, including the collection, preservation, processing, and analysis of digital evidence. Substantiates or disproves investigative allegations through adherence to the highest industry standards associated with the forensic examination of digital media. Investigates suspected or identified violations of Laboratory policies and procedures, government regulations or directives, and applicable laws by conducting detailed investigations and cursory staff interviews and completing appropriate investigative reports.

Malicious/Anomalous Activity Discovery:

Hunts for malicious or anomalous activity across the enterprise, using both existing tools and experimenting with new detection techniques. Acts in coordination with Laboratory incident handlers and research staff to lead the development and implementation of an advanced analysis and search capability focused on identifying potentially sophisticated APT and insider threat activities within the organization. Maintains the ability to rapidly perform a variety of technical tasks including network traffic analysis, system forensics, malware analysis, and signature generation before moving on to the next area of focus within the enterprise. Provides tailored remediation and countermeasure recommendations to network defenders.

Cyber Incident Response:

Leads rapidly evolving incident response engagements as a key technical expert and member of the Computer Security Incident Response Team (CSIRT), assisting and responding to incidents in coordination with network defenders. Acts as subject matter expert on forensic artifacts (network and host-based) as they pertain to system compromises and malware infections. Provides written summaries and analysis of incidents for management review.

Cyber Threat Intelligence Analysis / Staff Awareness:

Works to identify potential and actual cyber threats to DoD, Laboratory, and sponsor information, systems, and networks. Continually coordinates with law enforcement and intelligence agencies, as well as other industry partners, to exchange and share information. Provides briefings to Laboratory staff members as required.

Cyber Research Collaboration:

Works in collaboration with cyber research staff across the Laboratory to help shape software research and development objectives.

Preferred competencies:

  • Highly motivated, interested in the fields of cyber defense and cyber research
  • Inquisitive, and able to research new highly technical subjects
  • Excellent communication skills
  • Prior incident response experience
  • Experience with forensic tools including EnCase, FTK, NetWitness, Wireshark, or similar
  • Familiar with sound forensic principles, techniques, and processes
  • Malware analysis skills, with a general understanding of reverse engineering techniques
  • Advanced understanding of Windows internals and Windows networks
  • Understanding of enterprise networks, security infrastructure, and common network protocols
  • Moderate understanding of Mac OS X and/or Linux systems
  • Able to distill complex technical subjects into business terms for decision makers
  • Substantial experience with and knowledge of typical attack vectors, network exploitation techniques, and exfiltration channels
  • Experience in host and network-based signature development
  • Experience with one or more programming languages, preferably at least one high-level and one low-level language; examples include Perl, Python, Ruby, Java, C, and x86 assembly
  • Penetration testing experience
  • Experience with mobile device (iOS/Android) security environments
  • Desired industry certifications include EnCE, CFCE, GCFE, GCFA, GREM, GCIH, CEH, and CISSP

  • Bachelor’s degree in Computer Science, Information Technology, or Computer Information Systems
  • A minimum of 3 years of experience conducting computer forensic examinations, malware analysis, and incident response
  • Familiarity with the operation of, and forensic artifacts associated with, modern operating systems (Windows, Mac OS X, Linux) is required
  • Technical experience and skills, course work completed towards a degree, and industry IT certifications may be considered substitutes for education and DoD security experience
  • Ability to conduct research and development (R&D) of computer forensic and intrusion analysis methods and procedures, malware analysis activities, and complete case reports
  • Excellent written and oral communication skills as well as customer service skills are required
  • This position may require infrequent local and overnight travel
  • The successful candidate will be subject to a pre-employment investigation and must meet all eligibility requirements for access to classified information, including compartmented programs
  • Ability to obtain and maintain a government security clearance is required

MIT Lincoln Laboratory is an Equal Employment Opportunity (EEO) employer. All qualified applicants will receive consideration for employment and will not be discriminated against on the basis of race, color, religion, sex, sexual orientation, gender identity, national origin, age, veteran status, disability status, or genetic information; U.S. citizenship is required.
