About the Role
The Digital Forensics and Incident Response Analyst role contributes to the overall success of the Security function by providing digital forensics capability and advanced investigations support to respond to incidents impacting the department and schools.
The role is responsible for conducting investigations into cybersecurity incidents, data breaches, insider threats, and other digital crimes, and for the provision of incident response support. Additionally, using enterprise DFIR tools, methodologies, specialised capability and a sound understanding of the legal and regulatory requirements related to digital evidence, this role will set up and maintain a digital forensics lab to provide forensic investigations and response support that maintain the department's security posture.
This role requires strong analytical skills, technical expertise, and the ability to clearly communicate findings to technical and non-technical stakeholders.
Key Responsibilities
- Conduct digital forensic analysis to reconstruct cyberattack timelines and identify attacker techniques.
- Respond to cybersecurity incidents across the full lifecycle: detection, containment, eradication, and recovery.
- Collect and preserve digital evidence while maintaining proper chain of custody.
- Maintain and improve the digital forensics lab and tools.
- Use security tools (e.g., SIEM) and host-based investigations to analyse incidents.
- Perform threat hunting, threat intelligence analysis, and trend forecasting.
- Provide technical remediation recommendations and communicate findings.
- Collaborate with external incident response teams during major incidents.
- Produce technical and executive reports on investigations and threats.
- Support efforts to enhance the organisation's overall cybersecurity posture.
Skills & Capabilities
Digital Forensics
- Perform forensic analysis across Windows, Linux, macOS, and cloud environments.
- Build attack timelines and investigate attack vectors, malware behaviour, lateral movement, and data exfiltration.
- Capture and analyse network traffic for investigation and decryption.
- Examine disk images, memory dumps, logs, and system artifacts to determine incident details.
- Set up, maintain, and enhance the digital forensics lab.
- Use specialised forensic tools such as EnCase, FTK, Autopsy, X-Ways, Volatility, and KAPE.
Evidence Collection & Preservation
- Acquire and preserve digital evidence (disk, memory, logs, network traffic, cloud artifacts) while maintaining chain of custody and evidence integrity, so that the evidence is legally defensible.
- Ensure forensic soundness using proper chain-of-custody procedures.
- Capture volatile data (RAM, running processes, network connections) when needed.
Threat Analysis & Investigation
- Perform static and dynamic malware analysis to understand malicious behaviour.
- Investigate security events to assess severity, impact, and required response.
- Conduct threat intelligence, threat hunting, and investigative analysis.
- Correlate alerts and events to detect active or emerging threats.
- Develop detection signatures, automations, and response improvements.
- Identify and integrate Indicators of Compromise (IOCs) into detection systems.
- Track attacker Tactics, Techniques, and Procedures (TTPs) using frameworks such as MITRE ATT&CK.
Incident Containment & Response
- Proven experience in cyber incident response activities in a large, complex environment.
- Work with security teams to isolate compromised systems.
- Recommend and implement containment strategies (e.g., blocking IPs, disabling accounts).
- Support eradication efforts such as malware removal or patching.
Documentation & Reporting
- Produce detailed forensic and incident reports for internal stakeholders, legal teams, and law enforcement when required.
- Document attack timelines, investigative findings, and evidence handling processes.
- Prepare situational and executive-level reports on cybersecurity incidents.
- Collaborate with SOC analysts, IT teams, threat intelligence, and management during investigations.
- Provide clear updates during active incidents and translate technical findings into business-friendly language.
- Demonstrate strong stakeholder engagement and communication skills to clearly explain technical issues.
Technical Expertise
- Strong knowledge of attacker tactics, techniques, and procedures (TTPs) using the MITRE ATT&CK framework, along with familiarity with the NIST Cybersecurity Framework, incident response frameworks, and threat modelling.
- Hands-on experience with digital forensics tools such as EnCase, FTK, Autopsy/The Sleuth Kit, X-Ways, Magnet AXIOM, Volatility, Wireshark, and mobile forensics tools such as Cellebrite, GrayKey, and Oxygen.
- Experience working with security platforms including SIEM (Microsoft Sentinel, Splunk), EDR (Microsoft Defender), and ServiceNow.
- Proficient in scripting and automation using Python, Bash, PowerShell, and query languages such as KQL and SPL.
Qualifications & Certifications
- Bachelor's degree or Diploma in Digital Forensics or Cyber Security or a related field
- Minimum 3–4 years demonstrated experience in cyber incident response, digital forensics, or cyber security investigations within a large and complex environment
- Strong knowledge of file systems and operating systems (Windows, macOS, Linux)
- One or more certifications from the “Desirable Certifications” section
Desirable Certifications
- GIAC Certified Forensic Analyst (GCFA)
- EC-Council Computer Hacking Forensic Investigator (CHFI)
- Vendor-specific certifications for forensic tools
- CEH
- CISSP
- Security+
- SANS Digital Forensics or Incident Response certifications
About the Department
The department provides a wide range of learning and development support and services.
The department provides policy leadership, plans for the future of education in Victoria and leads key cross-sector collaboration. The department plays an important system steward role by providing support, guidance, oversight and assurance across early childhood and school education systems, as well as directly providing school education and 50 new early learning centres.
Further Information
For more details regarding this position please see attached position description for the capabilities to address in application.
The department values diversity and inclusion in all forms - gender, religion, ethnicity, LGBTIQ+, disability and neurodiversity. Aboriginal and Torres Strait Islander candidates are strongly encouraged to apply. For more information about our work, working for the Department, diversity and inclusion, and our employment conditions, visit the Department website and our Diversity and Inclusion page.
Applicants requiring adjustments can contact the nominated contact person.
Information about the Department of Education's operations and employment conditions can be located at www.education.vic.gov.au.
For further information pertaining to the role, please contact Ashok Sangra - Manager Security Threat and Response via [email protected]
Preferred applicants may be required to complete a police check and may be subject to other pre-employment checks. Information provided to the Department of Education will be treated in the strictest confidence.
Please let us know via phone or email if you require any adjustments to ensure your full participation in the recruitment process, or if you need the ad or any attachments in an accessible format (e.g. large print) due to any viewing difficulties or other accessibility requirements.
Applications close 11:59pm on Sunday 29th March 2026.