DFIR Analyst.

A digital-forensics and incident-response specialist who investigates intrusions end-to-end — preserving evidence, building timelines from endpoint, cloud, and network telemetry, identifying TTPs, and supporting eradication and legal proceedings. Pertenece a la categoría de Roles y carreras en ciberseguridad.

A digital-forensics and incident-response specialist who investigates intrusions end-to-end — preserving evidence, building timelines from endpoint, cloud, and network telemetry, identifying TTPs, and supporting eradication and legal proceedings.

A DFIR (Digital Forensics and Incident Response) analyst is the practitioner role most associated with active intrusion investigation. The job spans the full lifecycle: scoping an incident with stakeholders, preserving volatile evidence (RAM, EDR snapshots, cloud audit logs), imaging endpoints, parsing artifacts (Windows event logs, $UsnJrnl, MFT, Amcache, Prefetch, shellbags, Mac unified logs, Linux journald, browser history, registry hives), reconstructing timelines, correlating with network and SaaS telemetry, identifying ATT&CK TTPs and the threat actor, supporting containment and eradication, and writing the post-incident report. DFIR work also includes courtroom-quality evidence handling for litigation or law-enforcement referrals, malware reverse engineering when needed, and threat-intelligence feedback to the broader defender community. Common tooling: KAPE, Velociraptor, EZ Tools, Volatility, Magnet AXIOM, EnCase, X-Ways, Plaso/log2timeline, the Sleuth Kit, Wireshark, and SIEM/EDR-native search. Frequent certifications include GIAC GCFA / GCFE / GNFA / GREM, SANS FOR-series courses, and increasingly cloud-DFIR badges (GCIH, AWS/Azure-specific).

Las defensas contra DFIR Analyst combinan habitualmente controles técnicos y prácticas operativas, como se detalla en la definición.

Nombres alternativos comunes: Incident responder, Forensic analyst, Forensic investigator.