CISA Cyber Defense Forensics Analyst

This role analyzes digital evidence and investigates computer security incidents to derive useful information in support of system/network vulnerability mitigation.

Personnel performing this role may unofficially or alternatively be called:

  • Computer Forensic Analyst
  • Computer Network Defense (CND) Forensic Analyst
  • Digital Forensic Examiner
  • Cyber Forensic Analyst
  • Forensic Analyst (Cryptologic)
  • Forensic Technician
  • Network Forensic Examiner
  • Host Forensic Examiner

Skill Community: Cybersecurity
Category: Investigate
Specialty Area: Digital Forensics
Work Role Code: 212


Core Tasks

  • Conduct analysis of log files, evidence, and other information to determine best methods for identifying the perpetrator(s) of a network intrusion. (T0027)
  • Confirm what is known about an intrusion and discover new information, if possible, after identifying intrusion via dynamic analysis. (T0036)
  • Provide technical summary of findings in accordance with established reporting procedures. (T0075)
  • Examine recovered data for information of relevance to the issue at hand. (T0103)
  • Perform file signature analysis. (T0167)
  • Perform file system forensic analysis. (T0286)
  • Collect and analyze intrusion artifacts (e.g., source code, malware, and system configuration) and use discovered data to enable mitigation of potential cyber defense incidents within the enterprise. (T0432)

Core Competencies

  • Computer Forensics
  • Computer Network Defense
  • Software Testing and Evaluation
  • System Administration
  • Threat Analysis

Core Knowledge, Skills and Abilities (KSAs)

  • Knowledge of investigative implications of hardware, Operating Systems, and network technologies. (K0122)
  • Knowledge of data carving tools and techniques (e.g., Foremost). (K0182)
  • Knowledge of anti-forensics tactics, techniques, and procedures. (K0184)
  • Knowledge of concepts and practices of processing digital forensic data. (K0304)
  • Skill in preserving evidence integrity according to standard operating procedures or national standards. (S0047)
  • Skill in using forensic tool suites (e.g., EnCase, Sleuthkit, FTK). (S0071)
  • Skill in conducting forensic analyses in multiple operating system environments (e.g., mobile device systems). (S0075)
  • Skill in analyzing anomalous code as malicious or benign. (S0090)
  • Skill in analyzing volatile data. (S0091)
  • Skill in processing digital evidence, to include protecting and making legally sound copies of evidence. (S0133)
  • Ability to conduct forensic analyses in and for both Windows and Unix/Linux environments. (A0043)
  • Skill in identifying obfuscation techniques. (S0092)
  • Skill in interpreting results of debugger to ascertain tactics, techniques, and procedures. (S0093)
  • Skill in conducting bit-level analysis. (S0132)
  • Skill in analyzing memory dumps to extract information. (S0062)
  • Knowledge of reverse engineering concepts. (K0183)
  • Knowledge of malware analysis tools (e.g., Oily Debug, Ida Pro). (K0188)
  • Knowledge of binary analysis. (K0254)
  • Skill in deep analysis of captured malicious code (e.g., malware forensics). (S0087)
  • Skill in using binary analysis tools (e.g., Hexedit, command code xxd, hexdump). (S0088)
  • Skill in analyzing malware. (S0131)

Join the Mission

CISA is always searching for diverse, talented, and highly motivated professionals to continue its mission of securing the nation’s critical infrastructure. CISA is more than a great place to work; our workforce tackles the risks and threats that matter most to the nation, our families, and communities.

To join this mission, visit USAJOBs and/or the DHS Cybersecurity Service to view job announcements and to access the application. Be sure to tailor your resume to the specific job announcement, attach relevant documents, and complete all required assessments. 

When applying for CISA’s cyber positions, please review CISA’s cyber roles above and update your resume to align your experience with the listed competencies. Your resume must also show demonstrated cyber/IT related experience in:

  • Attention to Detail
  • Customer Service
  • Oral Communication
  • Problem Solving

To receive email notifications when new CISA positions are announced, set up a “saved search” on USAJOBs with keyword “Cybersecurity and Infrastructure Security Agency.”

Individuals eligible for special hiring authorities may also be considered during CISA’s one-stop hiring events or by emailing or

Was this webpage helpful?  Yes  |  Somewhat  |  No