DFIR Analyst.

A digital-forensics and incident-response specialist who investigates intrusions end-to-end — preserving evidence, building timelines from endpoint, cloud, and network telemetry, identifying TTPs, and supporting eradication and legal proceedings. 它属于网络安全的 角色与职业 分类。

A digital-forensics and incident-response specialist who investigates intrusions end-to-end — preserving evidence, building timelines from endpoint, cloud, and network telemetry, identifying TTPs, and supporting eradication and legal proceedings.

A DFIR (Digital Forensics and Incident Response) analyst is the practitioner role most associated with active intrusion investigation. The job spans the full lifecycle: scoping an incident with stakeholders, preserving volatile evidence (RAM, EDR snapshots, cloud audit logs), imaging endpoints, parsing artifacts (Windows event logs, $UsnJrnl, MFT, Amcache, Prefetch, shellbags, Mac unified logs, Linux journald, browser history, registry hives), reconstructing timelines, correlating with network and SaaS telemetry, identifying ATT&CK TTPs and the threat actor, supporting containment and eradication, and writing the post-incident report. DFIR work also includes courtroom-quality evidence handling for litigation or law-enforcement referrals, malware reverse engineering when needed, and threat-intelligence feedback to the broader defender community. Common tooling: KAPE, Velociraptor, EZ Tools, Volatility, Magnet AXIOM, EnCase, X-Ways, Plaso/log2timeline, the Sleuth Kit, Wireshark, and SIEM/EDR-native search. Frequent certifications include GIAC GCFA / GCFE / GNFA / GREM, SANS FOR-series courses, and increasingly cloud-DFIR badges (GCIH, AWS/Azure-specific).

针对 DFIR Analyst 的防御通常结合技术控制与运营实践,详见上方完整定义。

常见的别称包括: Incident responder, Forensic analyst, Forensic investigator。