Forensics Analyst/Host Based Systems Analyst III (TS/SCI Required) - Military Veterans

at Mantech International Corporation

Arlington, Virginia

Secure our Nation, Ignite your Future

Become an integral part of a diverse team while working at an Industry Leading Organization, where our employees come first.  At ManTech International Corporation, you’ll help protect our national security while working on innovative projects that offer opportunities for advancement.

Currently, ManTech is seeking a motivated, career and customer-oriented Forensics Analyst/Host Based Systems Analyst III to join our team at the DHS Facility.

Responsibilities include, but are not limited to:

  • Provide Host-based Systems Support for Cybersecurity to include:
    • a) Perform forensic analysis on all common operating system environments, to include, but not limited to, Microsoft Windows, Mac OS, UNIX, Linux, Solaris, as well as embedded systems.
    • b) Perform ad-hoc data analysis to include but not limited to, on-the-fly onsite data integration and scripting (e.g., analyzing multiple log types for a new indicator, comparing aggregated logs to local machine logs).
    • c) Monitor open source channels (e.g., vendor sites, Computer Emergency Response Teams (CERTs), SysAdmin, Audit, Network, Security (SANS) Institute, Security Focus) to maintain a current understanding of Computer Network Defense (CND) threat condition and determine which security issues may have an impact on the enterprise.
    • d) Analyze digital media (e.g., logs, code, phones, hard drives, memory dumps, etc.) to determine attack vectors and develop mitigation techniques.
    • e) Ability to conduct memory forensics in large networks and being able to carve memory and conduct analysis to find malicious activity only resident in memory.
    • f) Receive and analyze alerts from various sources within the enterprise and determine possible causes of such alerts.
    • g) Track and document Computer Network Defense (CND) hunts and incidents from initial detection through final resolution.
    • h) Collect intrusion artifacts (e.g., source code, malware, and Trojans) and use discovered data to enable mitigation of potential CND hunts and incidents within the enterprise.
    • i) Perform forensically sound collection of images and inspect to discern possible mitigation/remediation on enterprise systems.
    • j) Perform real-time CND hunt and incident handling (e.g., forensic collections, intrusion correlation/tracking, threat analysis, and direct system remediation) tasks to support deployable hunt and incident response teams.
    • k) Develop and disseminate engagement reports, technical reports and briefs based on analytic findings.
    • l) Correlate incident data to identify specific vulnerabilities and make recommendations that enable expeditious remediation.
    • m) Maintain readiness to divert and deploy teams of contract resources to provide on-site support and assistance in the event of an exercise or cyber incident.
    • n) Identify and document tactics, techniques and procedures used by an attacker to gain unauthorized access.
    • o) Assist in development of procedures and processes to analyze and categorize digital media.
    • p) Follow industry standard forensic best practices while imaging, preserving, transporting and handling electronic data and associated physical devices.
    • q) Participate in inter-agency sponsored community of interest analysis groups, conduct and participate in technical briefings and exchanges.
    • r) Develop tips, indicators, warnings and actionable information.
    • s) Support the development and evaluation of performance metrics.
    • t) Assist with preservation and duplication of original media obtained from the Government’s (e.g., NCCIC, HIRT, NCATS) customers.
    • u) Assist with maintaining the readiness of all fly-away kits, storage media and forensic VM analyst images.
    • v) Develop new processes, procedures and analytic methods.
    • w) Develop mitigation recommendations and methods.

Basic Qualifications:

  • Use leading edge technology and industry standard forensic tools and procedures to provide insight into the cause and effect of suspected cyber intrusions
  • Follow proper evidence handling procedures and chain of custody protocols
  • Produce written reports documenting digital forensic findings
  • Determine programs that have been executed, find files that have been changed on disk and in memory
  • Use timestamps and logs (host and network) to develop authoritative timelines of activity
  • Find evidence of deleted files and hidden data
  • Identify and document case relevant file-system artifacts (browser histories, account usage and USB histories, etc.)
  • Create forensically sound duplicates of evidence (forensic image) to use for data recovery and analysis
  • Perform all-source research for similar or related network events or incidents
  • Skill in identifying different classes of attacks and attack stages
  • Knowledge of system and application security threats and vulnerabilities
  • Knowledge in proactive analysis of systems and networks, to include creating trust levels of critical resources

Preferred Qualifications:

Level I

  • (Minimum 3 years host-based investigations or digital forensics experience with a High school diploma; or a Bachelor’s degree in a technical discipline from an accredited college or university in Computer Science, Cybersecurity, Computer Engineering, or related discipline, and with a minimum 1 year of host-based investigations or digital forensics experience)
  • Proficiency at Level I includes all basic qualifications mentioned above in addition to the following:
    • Assist in preliminary analysis by tracing an activity to its source and documenting findings for input into a forensic report
    • Document original condition of digital and/or associated evidence by taking photographs and collecting hash information
    • Assist team members in imaging digital media
    • Assist in gathering, accessing and assessing evidence from electronic devices using forensic tools and knowledge of operating systems
    • Use hashing algorithms to validate forensic images
    • Work with mentor to identify and understand adversary TTPs
    • Assist team members in analyzing the behaviors of malicious software
    • Under direct guidance and coaching, locate critical items in various file systems to aid more senior personnel in their analysis
    • Perform analysis of log files from a variety of sources to identify possible threats to computer security

Level II

  • (4-6 years host investigations or digital forensics experience with a High school diploma; or a Bachelor’s degree in a technical discipline from an accredited college or university in Computer Science, Cybersecurity, Computer Engineering, or related discipline, and with 2-4 years of host-based investigations or digital forensics experience)
  • Proficiency at Level II includes all skills defined at Level I in addition to the following:
    • Acquire/collect computer artifacts (e.g., malware, user activity, link files, etc.) from systems in support of onsite engagements
    • Assess evidentiary value by triaging electronic devices
    • Correlate forensic findings with network events to further develop an intrusion narrative
    • When available, collect and document system state information (running processes, network connections, etc.) prior to imaging
    • Perform incident triage from a forensic perspective to include determination of scope, urgency and potential impact.
    • Track and document forensic analysis from initial involvement through final resolution
    • Collect, process, preserve, analyze and present computer related evidence
    • Coordinate with others within the Government and with customer personnel to validate/investigate alerts or other preliminary findings
    • Conduct analysis of forensic images and other available evidence and drafts forensic write-ups for inclusion in reports and other written products
    • Assist to document and publish Computer Network Defense guidance and reports on incident findings to appropriate constituencies

Level III

  • (7-9 years host investigations or digital forensics experience with a High school diploma; or a Bachelor’s degree in a technical discipline from an accredited college or university in Computer Science, Cybersecurity, Computer Engineering, or related discipline, and with 5-7 years of host-based investigations or digital forensics experience)
  • Proficiency Level III includes all skills defined at Level II in addition to the following:
    • Assist with leading and coordinating forensic teams in preliminary investigation
    • Plan, coordinate and direct the inventory, examination and comprehensive technical analysis of computer related evidence
    • Distill analytic findings into executive summaries and in-depth technical reports
    • Serve as technical forensics liaison to stakeholders and explain investigation details to include forensic methodologies and protocols
    • Track and document on-site incident response activities and provide updates to leadership throughout the engagement
    • Evaluate, extract and analyze suspected malicious code

Security Clearance Requirements:

  • TS/SCI

Physical Requirements:

  • Office work, typically sedentary with some movement around the office.

ManTech International Corporation, as well as its subsidiaries proactively fulfills its role as an equal opportunity employer. We do not discriminate against any employee or applicant for employment because of race, color, sex, religion, age, sexual orientation, gender identity and expression, national origin, marital status, physical or mental disability, status as a Disabled Veteran, Recently Separated Veteran, Active Duty Wartime or Campaign Badge Veteran, Armed Forces Services Medal, or any other characteristic protected by law.

If you require a reasonable accommodation to apply for a position with ManTech through its online applicant system, please contact ManTech's Corporate EEO Department at (703) 218-6000. ManTech is an affirmative action/equal opportunity employer - minorities, females, disabled and protected veterans are urged to apply. ManTech's utilization of any external recruitment or job placement agency is predicated upon its full compliance with our equal opportunity/affirmative action policies. ManTech does not accept resumes from unsolicited recruiting firms. We pay no fees for unsolicited services.

If you are a qualified individual with a disability or a disabled veteran, you have the right to request an accommodation if you are unable or limited in your ability to use or access as a result of your disability. To request an accommodation please click and provide your name and contact information.

Arlington, Virginia

ManTech was founded in 1968 to provide advanced technological services to the United States government. We began with a single contract with the U.S. Navy to develop war-gaming models for the submarine community. Over the years, our government's technology needs have increased dramatically in scope and sophistication, and we have grown to meet that challenge.


For more than 4 decades, we kept a careful eye on where emerging technologies were taking the government, and we developed the resources to master those technologies—by staying close to our customers and anticipating their needs, hiring talented professionals to propel us into the future, and acquiring companies with proven capabilities.


Today, we are a multi-billion-dollar public company that provides the innovation, adaptability, and critical thinking our government needs for success in defense, intelligence, law enforcement, science, administration, health, and other fields—throughout the nation and in many countries throughout the world. We are now applying the lessons learned in the unforgiving arena of national security to help the private sector protect networks and critical information.

Similar jobs