Cyber Defense Forensics Analyst

Work Role ID: 212  |  Workforce Element: Cybersecurity

What does this work role do? Analyzes digital evidence and investigates computer security incidents to derive useful information in support of system/network vulnerability mitigation.

CORE KSATs
KSAT ID Description Type (Knowledge / Skill / Ability / Task)
22 * Knowledge of computer networking concepts and protocols, and network security methodologies. Knowledge
24A Knowledge of basic concepts and practices of processing digital forensic data. Knowledge
108 * Knowledge of risk management processes (e.g., methods for assessing and mitigating risk). Knowledge
217 Skill in preserving evidence integrity according to standard operating procedures or national standards. Skill
302 Knowledge of investigative implications of hardware, Operating Systems, and network technologies. Knowledge
350 Skill in analyzing memory dumps to extract information. Skill
381 Skill in using forensic tool suites (e.g., EnCase, Sleuthkit, FTK). Skill
438A Collect and analyze intrusion artifacts (e.g., source code, malware, and system configuration) and use discovered data to enable mitigation of potential cyber defense incidents within the enterprise. Task
447 Conduct analysis of log files, evidence, and other information in order to determine best methods for identifying the perpetrator(s) of a network intrusion. Task
463 Confirm what is known about an intrusion and discover new information, if possible, after identifying intrusion via dynamic analysis. Task
541 Provide technical summary of findings in accordance with established reporting procedures. Task
613 Examine recovered data for information of relevance to the issue at hand. Task
752 Perform file signature analysis. Task
890 Skill in conducting forensic analyses in multiple operating system environments (e.g., mobile device systems). Skill
1082 Perform file system forensic analysis. Task
1086 Knowledge of data carving tools and techniques (e.g., Foremost). Knowledge
1087 Skill in deep analysis of captured malicious code (e.g., malware forensics). Skill
1088 Skill in using binary analysis tools (e.g., hexedit, and command-line tools such as xxd and hexdump). Skill
1089 Knowledge of reverse engineering concepts. Knowledge
1092 Knowledge of anti-forensics tactics, techniques, and procedures. Knowledge
1096 Knowledge of malware analysis tools (e.g., OllyDbg, IDA Pro). Knowledge
1098 Skill in analyzing anomalous code as malicious or benign. Skill
1099 Skill in analyzing volatile data. Skill
1100 Skill in identifying obfuscation techniques. Skill
1101 Skill in interpreting results of debugger to ascertain tactics, techniques, and procedures. Skill
1157 * Knowledge of national and international laws, regulations, policies, and ethics as they relate to cybersecurity. Knowledge
1158 * Knowledge of cybersecurity principles. Knowledge
1159 * Knowledge of cyber threats and vulnerabilities. Knowledge
6810 Knowledge of binary analysis. Knowledge
6850 Skill in analyzing malware. Skill
6860 Skill in conducting bit-level analysis. Skill
6870 Skill in processing digital evidence, to include protecting and making legally sound copies of evidence. Skill
6890 Ability to conduct forensic analyses in and for both Windows and Unix/Linux environments. Ability
6900 * Knowledge of specific operational impacts of cybersecurity lapses. Knowledge
6935 * Knowledge of cloud computing service models Software as a Service (SaaS), Infrastructure as a Service (IaaS), and Platform as a Service (PaaS). Knowledge
6938 * Knowledge of cloud computing deployment models in private, public, and hybrid environment and the difference between on-premises and off-premises environments. Knowledge
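KSAT 752 (file signature analysis) and, in the additional list, 753 (hash comparison against an established database) name a technique without showing its mechanics. The script below is an added illustration written for this page; it is not part of the DCWF role description and not code from EnCase, FTK, Sleuthkit or any other tool cited here. It reads each file's leading bytes, compares them with a small magic-byte table, flags files whose extension disagrees with their content, and checks SHA-256 hashes against a known-bad set. The sample files, the signature table and the known-bad hash are all constructed for the example.

```python
"""File signature analysis and hash comparison (added example, constructed data).

Walks a directory, reads each file's leading bytes, compares them with a small
magic-byte table, flags extension/content mismatches, and checks SHA-256
hashes against a known-bad set. Sample files are written to a temp directory.
"""
import hashlib
import os
import tempfile

# Minimal magic-byte table: extension -> list of (offset, signature).
# Constructed for this example; a production tool would use libmagic / file(1).
SIGNATURES = {
    "pdf": [(0, b"%PDF-")],
    "png": [(0, b"\x89PNG\r\n\x1a\n")],
    "jpg": [(0, b"\xff\xd8\xff")],
    "jpeg": [(0, b"\xff\xd8\xff")],
    "gif": [(0, b"GIF87a"), (0, b"GIF89a")],
    "zip": [(0, b"PK\x03\x04")],
    "docx": [(0, b"PK\x03\x04")],   # OOXML is a ZIP container: same header as .zip
    "exe": [(0, b"MZ")],
    "dll": [(0, b"MZ")],
}


def identify(header: bytes) -> set:
    """Return every extension whose signature matches the leading bytes."""
    hits = set()
    for ext, sigs in SIGNATURES.items():
        for offset, magic in sigs:
            if header[offset:offset + len(magic)] == magic:
                hits.add(ext)
    return hits


def sha256_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Stream the file so large evidence files are not loaded into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def signature_check(path: str) -> dict:
    """Classify a file as ok / mismatch / unknown from its header vs. its extension."""
    with open(path, "rb") as fh:
        header = fh.read(16)
    ext = os.path.splitext(path)[1].lstrip(".").lower()
    matches = identify(header)
    if not matches:
        status = "unknown"          # not in the table: needs manual review
    elif ext in matches:
        status = "ok"
    else:
        status = "mismatch"         # e.g. a PE executable named .pdf
    return {"name": os.path.basename(path), "ext": ext,
            "looks_like": sorted(matches), "status": status}


def triage(directory: str, known_bad: set) -> list:
    """Signature-check and hash every file; mark hashes found in the known-bad set."""
    results = []
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        record = signature_check(path)
        record["sha256"] = sha256_file(path)
        record["known_bad"] = record["sha256"] in known_bad
        results.append(record)
    return results


def build_samples(directory: str) -> dict:
    """Write constructed sample files (not real evidence); returns name -> bytes."""
    samples = {
        "photo.jpg": b"\xff\xd8\xff\xe0" + bytes(32) + b"\xff\xd9",
        "invoice.pdf": b"MZ\x90\x00" + bytes(60),       # PE header under a .pdf name
        "archive.zip": b"PK\x03\x04" + bytes(28),
        "notes.txt": b"meeting at 10\n",
    }
    for name, data in samples.items():
        with open(os.path.join(directory, name), "wb") as fh:
            fh.write(data)
    return samples


def demo() -> list:
    """Run the triage over the constructed samples. The known-bad set holds the
    hash of the disguised executable, standing in for a hash-database lookup."""
    with tempfile.TemporaryDirectory() as tmp:
        samples = build_samples(tmp)
        known_bad = {hashlib.sha256(samples["invoice.pdf"]).hexdigest()}
        return triage(tmp, known_bad)


if __name__ == "__main__":
    for r in demo():
        print(f"{r['name']:<12} {r['status']:<9} looks_like={r['looks_like']} "
              f"known_bad={r['known_bad']} sha256={r['sha256'][:16]}...")
```

Two points the output makes visible: identify() returns a set rather than a single answer because formats share headers (OOXML documents are ZIP containers, a DLL and an EXE both start with MZ), so a signature hit narrows the candidates but does not settle the type on its own; and the hash comparison is a separate check from the signature check, so a file can be structurally ordinary and still match a known-bad list, or mismatch its extension and still be unknown to that list.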

ADDITIONAL KSATs
KSAT ID Description Type (Knowledge / Skill / Ability / Task)
25 Knowledge of encryption algorithms and the protocols and hash functions used with them (e.g., Internet Protocol Security [IPsec], Advanced Encryption Standard [AES], Generic Routing Encapsulation [GRE], Internet Key Exchange [IKE], Message Digest Algorithm [MD5], Secure Hash Algorithm [SHA], Triple Data Encryption Standard [3DES]). Note that GRE is a tunneling protocol and provides no encryption by itself, and MD5 and SHA are hash functions rather than ciphers. Knowledge
29 Knowledge of data backup, types of backups (e.g., full, incremental), and recovery concepts and tools. Knowledge
61 Knowledge of incident response and handling methodologies. Knowledge
90 Knowledge of operating systems. Knowledge
105 Knowledge of system and application security threats and vulnerabilities (e.g., buffer overflow, mobile code, cross-site scripting, Procedural Language/Structured Query Language [PL/SQL] and other injection attacks, race conditions, covert channels, replay, return-oriented attacks, malicious code). Knowledge
113 Knowledge of server and client operating systems. Knowledge
114 Knowledge of server diagnostic tools and fault identification techniques. Knowledge
139 Knowledge of the common networking protocols (e.g., TCP/IP), services (e.g., web, mail, Domain Name System [DNS]), and how they interact to provide network communications. Knowledge
193 Skill in developing, testing, and implementing network infrastructure contingency and recovery plans. Skill
214A Skill in performing packet-level analysis. Skill
264 Knowledge of basic physical computer components and architectures, including the functions of various components and peripherals (e.g., CPUs, Network Interface Cards, data storage). Knowledge
287 Knowledge of file system implementations (e.g., New Technology File System [NTFS], File Allocation Table [FAT], Extended File System [ext2/ext3/ext4]). Knowledge
290 Knowledge of processes for seizing and preserving digital evidence (e.g., chain of custody). Knowledge
294 Knowledge of hacking methodologies in Windows or Unix/Linux environment. Knowledge
310 Knowledge of legal governance related to admissibility (e.g., Federal Rules of Evidence). Knowledge
316 Knowledge of processes for collecting, packaging, transporting, and storing electronic evidence to avoid alteration, loss, physical damage, or destruction of data. Knowledge
340 Knowledge of types and collection of persistent data. Knowledge
345 Knowledge of web mail collection, searching/analyzing techniques, tools, and cookies. Knowledge
346 Knowledge of which system files (e.g., log files, registry files, configuration files) contain relevant information and where to find those system files. Knowledge
360 Skill in identifying and extracting data of forensic interest in diverse media (i.e., media forensics). Skill
364 Skill in identifying, modifying, and manipulating applicable system components within Windows, Unix, or Linux (e.g., passwords, user accounts, files). Skill
369 Skill in collecting, processing, packaging, transporting, and storing electronic evidence to avoid alteration, loss, physical damage, or destruction of data. Skill
374 Skill in setting up a forensic workstation. Skill
386 Skill in using virtual machines. Skill
389 Skill in physically disassembling PCs. Skill
480 Create a forensically sound duplicate of the evidence (i.e., forensic image) that ensures the original evidence is not unintentionally modified, to use for data recovery and analysis processes. This includes, but is not limited to, hard drives, floppy diskettes, CD, PDA, mobile phones, GPS, and all tape formats. Task
482 Decrypt seized data using technical means. Task
573 Ensure chain of custody is followed for all digital media acquired in accordance with the Federal Rules of Evidence. Task
636 Identify digital evidence for examination and analysis in such a way as to avoid unintentional alteration. Task
749 Perform dynamic analysis to boot an “image” of a drive (without necessarily having the original drive) to see the intrusion as the user may have seen it, in a native environment. Task
753 Perform hash comparison against established database. Task
758 Perform real-time forensic analysis (e.g., using Helix in conjunction with LiveView). Task
759 Perform timeline analysis. Task
762 Perform real-time cyber defense incident handling (e.g., forensic collections, intrusion correlation and tracking, threat analysis, and direct system remediation) tasks to support deployable Incident Response Teams (IRTs). Task
768 Perform static media analysis. Task
771 Perform tier 1, 2, and 3 malware analysis. Task
786 Prepare digital media for imaging by ensuring data integrity (e.g., write blockers in accordance with standard operating procedures). Task
817 Provide technical assistance on digital evidence matters to appropriate personnel. Task
825 Recognize and accurately report forensic artifacts indicative of a particular operating system. Task
839A Review forensic images and other data sources (e.g., volatile data) for recovery of potentially relevant information. Task
868A Use data carving techniques and tools (e.g., FTK, Foremost) to extract data for further analysis. Task
870 Capture and analyze network traffic associated with malicious activities using network monitoring tools. Task
871 Use specialized equipment and techniques to catalog, document, extract, collect, package, and preserve digital evidence. Task
882A Write and publish cyber defense recommendations, reports, and white papers on incident findings to appropriate constituencies. Task
888 Knowledge of types of digital forensics data and how to recognize them. Knowledge
889 Knowledge of deployable forensics. Knowledge
908 Ability to decrypt digital data collections. Ability
923 Knowledge of security event correlation tools. Knowledge
944 Conduct cursory binary analysis. Task
983 Knowledge of legal rules of evidence and court procedure. Knowledge
1031 Serve as technical expert and liaison to law enforcement personnel and explain incident details as required. Task
1033 Knowledge of basic system administration, network, and operating system hardening techniques. Knowledge
1036 Knowledge of applicable laws (e.g., Electronic Communications Privacy Act, Foreign Intelligence Surveillance Act, Protect America Act, search and seizure laws, civil liberties and privacy laws), statutes (e.g., in Titles 10, 18, 32, 50 in U.S. Code), Presidential Directives, executive branch guidelines, and/or administrative/criminal legal guidelines and procedures relevant to work performed. Knowledge
1072 Knowledge of network security architecture concepts including topology, protocols, components, and principles (e.g., application of defense-in-depth). Knowledge
1081 Perform virus scanning on digital media. Task
1083 Perform static analysis to mount an “image” of a drive (without necessarily having the original drive). Task
1084 Perform static malware analysis. Task
1085 Utilize deployable forensics tool kit to support operations as necessary. Task
1091 Skill in using one-way hash functions (e.g., Secure Hash Algorithm [SHA], Message Digest Algorithm [MD5]). MD5 is no longer collision resistant, so evidence hashes recorded only as MD5 should be accompanied by a SHA-256 value. Skill
1093 Knowledge of common forensics tool configuration and support applications (e.g., VMware, Wireshark). Knowledge
1094 Knowledge of debugging procedures and tools. Knowledge
1095 Knowledge of how different file types can be used for anomalous behavior. Knowledge
1097 Knowledge of virtual machine aware malware, debugger aware malware, and packing. Knowledge
2179 Coordinate with intelligence analysts to correlate threat assessment data. Task
3461 Knowledge of relevant laws, legal authorities, restrictions, and regulations pertaining to cyber defense activities. Knowledge
3513 Knowledge of system administration concepts for Unix/Linux and/or Windows operating systems. Knowledge
5690 Process image with appropriate tools depending on analyst’s goals. Task
5700 Perform Windows registry analysis. Task
5720 Perform file and registry monitoring on the running system after identifying intrusion via dynamic analysis. Task
5730 Enter media information into tracking database (e.g., Product Tracker Tool) for digital media that has been acquired. Task
5740 Correlate incident data and perform cyber defense reporting. Task
5760 Maintain deployable cyber defense toolkit (e.g., specialized cyber defense software/hardware) to support IRT mission. Task
6210 Knowledge of cloud service models and possible limitations for an incident response. Knowledge
6820 Knowledge of network architecture concepts including topology, protocols, and components. Knowledge
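KSATs 1086 and 868A refer to Foremost-style data carving, and 839A and 613 to reviewing recovered data. The script below is an added example written for this page; it is not Foremost's code or any other tool's, and the raw image it carves is constructed inline (filler bytes, one JPEG-like object, one genuinely valid 1x1 PNG, and a truncated JPEG header with no end marker). It shows the two carving strategies a practitioner meets: plain header/footer matching with a size limit, used here for JPEG, and structure-aware carving, used here for PNG, where each chunk's length and CRC are validated and the carve stops only at a well-formed IEND chunk. Each carved object is hashed so it can be compared against a hash set, as in KSAT 753.

```python
"""Header/footer and structure-aware data carving over a constructed raw image
(added example; sample data is built in this file, not taken from any case)."""
import hashlib
import struct
import zlib

# Carving rules, Foremost-style: header, footer (None = walk the structure instead),
# and a maximum size so a header whose footer is missing does not swallow the image.
RULES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9", 512 * 1024),
    "png": (b"\x89PNG\r\n\x1a\n", None, 512 * 1024),
}


def png_chunk(ctype: bytes, data: bytes) -> bytes:
    """Encode one PNG chunk: big-endian length, type, data, CRC32(type + data)."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def build_png() -> bytes:
    """A minimal valid 1x1 8-bit grayscale PNG, constructed as sample data."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)   # w, h, depth, gray, ...
    idat = zlib.compress(b"\x00\x00")   # one scanline: filter byte 0 + one pixel
    return (RULES["png"][0] + png_chunk(b"IHDR", ihdr)
            + png_chunk(b"IDAT", idat) + png_chunk(b"IEND", b""))


def build_sample_image() -> bytes:
    """Constructed raw image: filler, a JPEG-like object, filler, a PNG, filler,
    then a JPEG header with no end-of-image marker (must not be carved)."""
    filler = bytes(range(256)) * 2   # deterministic; contains none of the signatures
    jpeg = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + bytes(64) + b"\xff\xd9"
    truncated = b"\xff\xd8\xff\xe1" + bytes(32)
    return filler + jpeg + filler + build_png() + filler + truncated


def png_end(image: bytes, start: int):
    """Walk PNG chunks from a signature hit. Return the end offset only if every
    chunk length and CRC is consistent and an IEND chunk is reached; else None."""
    pos = start + 8
    while pos + 12 <= len(image):
        length, ctype = struct.unpack(">I4s", image[pos:pos + 8])
        data = image[pos + 8:pos + 8 + length]
        crc = image[pos + 8 + length:pos + 12 + length]
        if len(data) != length or len(crc) != 4:
            return None                       # runs off the end of the image
        if struct.unpack(">I", crc)[0] != (zlib.crc32(ctype + data) & 0xFFFFFFFF):
            return None                       # corrupted chunk: do not carve garbage
        pos += 12 + length
        if ctype == b"IEND":
            return pos
    return None


def carve(image: bytes) -> list:
    """Return carved objects sorted by offset: type, offset, size, sha256, data."""
    found = []
    for kind, (head, foot, max_size) in RULES.items():
        start = 0
        while (i := image.find(head, start)) >= 0:
            if foot is None:
                end = png_end(image, i)
            else:
                j = image.find(foot, i + len(head), i + max_size)
                end = None if j < 0 else j + len(foot)
            if end is None:
                start = i + 1                 # false or truncated hit: keep scanning
                continue
            blob = image[i:end]
            found.append({"type": kind, "offset": i, "size": len(blob),
                          "sha256": hashlib.sha256(blob).hexdigest(), "data": blob})
            start = end
    return sorted(found, key=lambda r: r["offset"])


if __name__ == "__main__":
    for rec in carve(build_sample_image()):
        print(f"{rec['type']} @ {rec['offset']:#08x} size={rec['size']} "
              f"sha256={rec['sha256'][:16]}...")
```

The header/footer rule is cheap but fragile: a JPEG with an embedded EXIF thumbnail contains a second end-of-image marker before the real one, so footer matching truncates the file, and a missing footer leaves the header to be skipped entirely (the truncated object above). The PNG walker avoids both problems by following the format's own length fields and rejecting any chunk whose CRC does not verify, which is the same reason structure-aware carvers recover more usable files from fragmented or partially overwritten media than signature matching alone.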