25 |
Knowledge of encryption algorithms (e.g., Internet Protocol Security [IPSEC], Advanced Encryption Standard [AES], Generic Routing Encapsulation [GRE], Internet Key Exchange [IKE], Message Digest Algorithm [MD5], Secure Hash Algorithm [SHA], Triple Data Encryption Standard [3DES]). |
Knowledge |
29 |
Knowledge of data backup, types of backups (e.g., full, incremental), and recovery concepts and tools. |
Knowledge |
61 |
Knowledge of incident response and handling methodologies. |
Knowledge |
90 |
Knowledge of operating systems. |
Knowledge |
105 |
Knowledge of system and application security threats and vulnerabilities (e.g., buffer overflow, mobile code, cross-site scripting, Procedural Language/Structured Query Language [PL/SQL] and injections, race conditions, covert channel, replay, return-oriented attacks, malicious code). |
Knowledge |
113 |
Knowledge of server and client operating systems. |
Knowledge |
114 |
Knowledge of server diagnostic tools and fault identification techniques. |
Knowledge |
139 |
Knowledge of the common networking protocols (e.g., TCP/IP), services (e.g., web, mail, Domain Name Server), and how they interact to provide network communications. |
Knowledge |
193 |
Skill in developing, testing, and implementing network infrastructure contingency and recovery plans. |
Skill |
214A |
Skill in performing packet-level analysis. |
Skill |
264 |
Knowledge of basic physical computer components and architectures, including the functions of various components and peripherals (e.g., CPUs, Network Interface Cards, data storage). |
Knowledge |
287 |
Knowledge of file system implementations (e.g., New Technology File System [NTFS], File Allocation Table [FAT], File Extension [EXT]). |
Knowledge |
290 |
Knowledge of processes for seizing and preserving digital evidence (e.g., chain of custody). |
Knowledge |
294 |
Knowledge of hacking methodologies in Windows or Unix/Linux environment. |
Knowledge |
310 |
Knowledge of legal governance related to admissibility (e.g., Federal Rules of Evidence). |
Knowledge |
316 |
Knowledge of processes for collecting, packaging, transporting, and storing electronic evidence to avoid alteration, loss, physical damage, or destruction of data. |
Knowledge |
340 |
Knowledge of types and collection of persistent data. |
Knowledge |
345 |
Knowledge of web mail collection, searching/analyzing techniques, tools, and cookies. |
Knowledge |
346 |
Knowledge of which system files (e.g., log files, registry files, configuration files) contain relevant information and where to find those system files. |
Knowledge |
360 |
Skill in identifying and extracting data of forensic interest in diverse media (i.e., media forensics). |
Skill |
364 |
Skill in identifying, modifying, and manipulating applicable system components within Windows, Unix, or Linux (e.g., passwords, user accounts, files). |
Skill |
369 |
Skill in collecting, processing, packaging, transporting, and storing electronic evidence to avoid alteration, loss, physical damage, or destruction of data. |
Skill |
374 |
Skill in setting up a forensic workstation. |
Skill |
386 |
Skill in using virtual machines. |
Skill |
389 |
Skill in physically disassembling PCs. |
Skill |
480 |
Create a forensically sound duplicate of the evidence (i.e., forensic image) that ensures the original evidence is not unintentionally modified, to use for data recovery and analysis processes. This includes, but is not limited to, hard drives, floppy diskettes, CD, PDA, mobile phones, GPS, and all tape formats. |
Task |
482 |
Decrypt seized data using technical means. |
Task |
573 |
Ensure chain of custody is followed for all digital media acquired in accordance with the Federal Rules of Evidence. |
Task |
636 |
Identify digital evidence for examination and analysis in such a way as to avoid unintentional alteration. |
Task |
749 |
Perform dynamic analysis to boot an “image” of a drive (without necessarily having the original drive) to see the intrusion as the user may have seen it, in a native environment. |
Task |
753 |
Perform hash comparison against established database. |
Task |
758 |
Perform real-time forensic analysis (e.g., using Helix in conjunction with LiveView). |
Task |
759 |
Perform timeline analysis. |
Task |
762 |
Perform real-time cyber defense incident handling (e.g., forensic collections, intrusion correlation and tracking, threat analysis, and direct system remediation) tasks to support deployable Incident Response Teams (IRTs). |
Task |
768 |
Perform static media analysis. |
Task |
771 |
Perform tier 1, 2, and 3 malware analysis. |
Task |
786 |
Prepare digital media for imaging by ensuring data integrity (e.g., write blockers in accordance with standard operating procedures). |
Task |
817 |
Provide technical assistance on digital evidence matters to appropriate personnel. |
Task |
825 |
Recognize and accurately report forensic artifacts indicative of a particular operating system. |
Task |
839A |
Review forensic images and other data sources (e.g., volatile data) for recovery of potentially relevant information. |
Task |
868A |
Use data carving techniques (e.g., FTK-Foremost) to extract data for further analysis. |
Task |
870 |
Capture and analyze network traffic associated with malicious activities using network monitoring tools. |
Task |
871 |
Use specialized equipment and techniques to catalog, document, extract, collect, package, and preserve digital evidence. |
Task |
882A |
Write and publish cyber defense recommendations, reports, and white papers on incident findings to appropriate constituencies. |
Task |
888 |
Knowledge of types of digital forensics data and how to recognize them. |
Knowledge |
889 |
Knowledge of deployable forensics. |
Knowledge |
908 |
Ability to decrypt digital data collections. |
Ability |
923 |
Knowledge of security event correlation tools. |
Knowledge |
944 |
Conduct cursory binary analysis. |
Task |
983 |
Knowledge of legal rules of evidence and court procedure. |
Knowledge |
1031 |
Serve as technical expert and liaison to law enforcement personnel and explain incident details as required. |
Task |
1033 |
Knowledge of basic system administration, network, and operating system hardening techniques. |
Knowledge |
1036 |
Knowledge of applicable laws (e.g., Electronic Communications Privacy Act, Foreign Intelligence Surveillance Act, Protect America Act, search and seizure laws, civil liberties and privacy laws), statutes (e.g., in Titles 10, 18, 32, 50 in U.S. Code), Presidential Directives, executive branch guidelines, and/or administrative/criminal legal guidelines and procedures relevant to work performed. |
Knowledge |
1072 |
Knowledge of network security architecture concepts including topology, protocols, components, and principles (e.g., application of defense-in-depth). |
Knowledge |
1081 |
Perform virus scanning on digital media. |
Task |
1083 |
Perform static analysis to mount an “image” of a drive (without necessarily having the original drive). |
Task |
1084 |
Perform static malware analysis. |
Task |
1085 |
Utilize deployable forensics tool kit to support operations as necessary. |
Task |
1091 |
Skill in one way hash functions (e.g., Secure Hash Algorithm [SHA], Message Digest Algorithm [MD5]). |
Skill |
1093 |
Knowledge of common forensics tool configuration and support applications (e.g., VMWare, WIRESHARK). |
Knowledge |
1094 |
Knowledge of debugging procedures and tools. |
Knowledge |
1095 |
Knowledge of how different file types can be used for anomalous behavior. |
Knowledge |
1097 |
Knowledge of virtual machine aware malware, debugger aware malware, and packing. |
Knowledge |
2179 |
Coordinate with intelligence analysts to correlate threat assessment data. |
Task |
3461 |
Knowledge of relevant laws, legal authorities, restrictions, and regulations pertaining to cyber defense activities. |
Knowledge |
3513 |
Knowledge of system administration concepts for Unix/Linux and/or Windows operating systems. |
Knowledge |
5690 |
Process image with appropriate tools depending on analyst’s goals. |
Task |
5700 |
Perform Windows registry analysis. |
Task |
5720 |
Perform file and registry monitoring on the running system after identifying intrusion via dynamic analysis. |
Task |
5730 |
Enter media information into tracking database (e.g. Product Tracker Tool) for digital media that has been acquired. |
Task |
5740 |
Correlate incident data and perform cyber defense reporting. |
Task |
5760 |
Maintain deployable cyber defense toolkit (e.g. specialized cyber defense software/hardware) to support IRT mission. |
Task |
6210 |
Knowledge of cloud service models and possible limitations for an incident response. |
Knowledge |
6820 |
Knowledge of network architecture concepts including topology, protocols, and components. |
Knowledge |