Robert Lehman Email and Phone Number

Conducts substantive analysis of digital media, including mobile and host-baseddevices, to develop evidence in the specialty area of computer forensics. Receives and maintains theintegrity of evidence, independently plans, organizes and devises approaches necessary to obtainuseful computer forensic information from the evidence submitted, taking into consideration therequirements established by agency regulation, federal law and Uniformed Code of Military Justice.Provide testimony as a qualified Expert Witness in US Military criminal proceedings.

Perform Incident Response and Triage on all security escalations/detections to determine scope, severity, prioritization and, if immediately possible, root cause. Triage will include the safe gathering and assessment of all relevant available/observable event/incident data as evidence, and includes review of all internal knowledge bases for historical precedent or patterns. Correlate event/incident data (network and host-based) from as many sources as practical to confirm and/or validate status as: event of interest (suspicious, but unexplained warranting further investigation), explainable/non-incident (false-positive), or true incident (occurrence with potential or actual adverse effects). Perform analysis to recognize/distinguish and qualify real versus non-incidents, malicious or suspicious activity patterns, known malicious tools, tactics and processes (TTPs). Perform digital media analysis of systems as required, to include the following, but not limited to, disk image, volatile memory, processes, ports / protocols, potentially malicious software, etc. Perform packet capture of network traffic in support of a potential security incident. The current tools DHS utilizes for this activity are Wireshark or TCPDump.

Perform Incident Response and Triage on all security escalations/detections to determine scope, severity, prioritization and, if immediately possible, root cause. Triage will include the safe gathering and assessment of all relevant available/observable event/incident data as evidence, and includes review of all internal knowledge bases for historical precedent or patterns. Correlate event/incident data (network and host-based) from as many sources as practical to confirm and/or validate status as: event of interest (suspicious, but unexplained warranting further investigation), explainable/non-incident (false-positive), or true incident (occurrence with potential or actual adverse effects). Perform analysis to recognize/distinguish and qualify real versus non-incidents, malicious or suspicious activity patterns, known malicious tools, tactics and processes (TTPs). Perform digital media analysis of systems as required, to include the following, but not limited to, disk image, volatile memory, processes, ports / protocols, potentially malicious software, etc. Perform packet capture of network traffic in support of a potential security incident.  The current tools DHS utilizes for this activity are Wireshark or TCPDump.