Forensics Analyst

Work Role ID: 211 | Workforce Element: Cyberspace Enablers (Support) Legal / Law Enforcement

What does this work role do? Conducts deep-dive investigations on computer-based crimes establishing documentary or physical evidence, to include digital media and logs associated with cyber intrusion incidents.

CORE KSATs

KSAT ID	Description	KSAT
22	* Knowledge of computer networking concepts and protocols, and network security methodologies.	Knowledge
24	Knowledge of concepts and practices of processing digital forensic data.	Knowledge
25A	Knowledge of encryption algorithms, stenography, and other forms of data concealment.	Knowledge
61	Knowledge of incident response and handling methodologies.	Knowledge
90	Knowledge of operating systems.	Knowledge
108	* Knowledge of risk management processes (e.g., methods for assessing and mitigating risk).	Knowledge
217	Skill in preserving evidence integrity according to standard operating procedures or national standards.	Skill
264	Knowledge of basic physical computer components and architectures, including the functions of various components and peripherals (e.g., CPUs, Network Interface Cards, data storage).	Knowledge
287	Knowledge of file system implementations (e.g., New Technology File System [NTFS], File Allocation Table [FAT], File Extension [EXT]).	Knowledge
302	Knowledge of investigative implications of hardware, Operating Systems, and network technologies.	Knowledge
310	Knowledge of legal governance related to admissibility (e.g., Federal Rules of Evidence).	Knowledge
316	Knowledge of processes for collecting, packaging, transporting, and storing electronic evidence to avoid alteration, loss, physical damage, or destruction of data.	Knowledge
350	Skill in analyzing memory dumps to extract information.	Skill
381	Skill in using forensic tool suites (e.g., EnCase, Sleuthkit, FTK).	Skill
389	Skill in physically disassembling PCs.	Skill
447	Conduct analysis of log files, evidence, and other information in order to determine best methods for identifying the perpetrator(s) of a network intrusion.	Task
480	Create a forensically sound duplicate of the evidence (i.e., forensic image) that ensures the original evidence is not unintentionally modified, to use for data recovery and analysis processes. This includes, but is not limited to, hard drives, floppy diskettes, CD, PDA, mobile phones, GPS, and all tape formats.	Task
482A	Detect and analyze encrypted data, stenography, alternate data streams and other forms of concealed data.	Task
541	Provide technical summary of findings in accordance with established reporting procedures.	Task
564A	Document original condition of digital and/or associated evidence (e.g., via digital photographs, written reports, hash function checking).	Task
573	Ensure chain of custody is followed for all digital media acquired in accordance with the Federal Rules of Evidence.	Task
613	Examine recovered data for information of relevance to the issue at hand.	Task
636	Identify digital evidence for examination and analysis in such a way as to avoid unintentional alteration.	Task
749	Perform dynamic analysis to boot an “image” of a drive (without necessarily having the original drive) to see the intrusion as the user may have seen it, in a native environment.	Task
752	Perform file signature analysis.	Task
753	Perform hash comparison against established database.	Task
768	Perform static media analysis.	Task
786	Prepare digital media for imaging by ensuring data integrity (e.g., write blockers in accordance with standard operating procedures).	Task
817	Provide technical assistance on digital evidence matters to appropriate personnel.	Task
839A	Review forensic images and other data sources (e.g., volatile data) for recovery of potentially relevant information.	Task
871	Use specialized equipment and techniques to catalog, document, extract, collect, package, and preserve digital evidence.	Task
888	Knowledge of types of digital forensics data and how to recognize them.	Knowledge
890	Skill in conducting forensic analyses in multiple operating system environments (e.g., mobile device systems).	Skill
982	Knowledge of electronic evidence law.	Knowledge
1081	Perform virus scanning on digital media.	Task
1082	Perform file system forensic analysis.	Task
1083	Perform static analysis to mount an “image” of a drive (without necessarily having the original drive).	Task
1085	Utilize deployable forensics tool kit to support operations as necessary.	Task
1086	Knowledge of data carving tools and techniques (e.g., Foremost).	Knowledge
1092	Knowledge of anti-forensics tactics, techniques, and procedures.	Knowledge
1093	Knowledge of common forensics tool configuration and support applications (e.g., VMWare, WIRESHARK).	Knowledge
1157	* Knowledge of national and international laws, regulations, policies, and ethics as they relate to cybersecurity.	Knowledge
1158	* Knowledge of cybersecurity principles.	Knowledge
1159	* Knowledge of cyber threats and vulnerabilities.	Knowledge
6900	* Knowledge of specific operational impacts of cybersecurity lapses.	Knowledge
6935	* Knowledge of cloud computing service models Software as a Service (SaaS), Infrastructure as a Service (IaaS), and Platform as a Service (PaaS).	Knowledge
6938	* Knowledge of cloud computing deployment models in private, public, and hybrid environment and the difference between on-premises and off-premises environments.	Knowledge

ADDITIONAL KSATs

KSAT ID	Description	KSAT
29	Knowledge of data backup, types of backups (e.g., full, incremental), and recovery concepts and tools.	Knowledge
105	Knowledge of system and application security threats and vulnerabilities (e.g., buffer overflow, mobile code, cross-site scripting, Procedural Language/Structured Query Language [PL/SQL] and injections, race conditions, covert channel, replay, return-oriented attacks, malicious code).	Knowledge
113	Knowledge of server and client operating systems.	Knowledge
114	Knowledge of server diagnostic tools and fault identification techniques.	Knowledge
139	Knowledge of the common networking protocols (e.g., TCP/IP), services (e.g., web, mail, Domain Name Server), and how they interact to provide network communications.	Knowledge
193	Skill in developing, testing, and implementing network infrastructure contingency and recovery plans.	Skill
214	Skill in performing packet-level analysis using appropriate tools (e.g., Wireshark, tcpdump).	Skill
290	Knowledge of processes for seizing and preserving digital evidence (e.g., chain of custody).	Knowledge
294	Knowledge of hacking methodologies in Windows or Unix/Linux environment.	Knowledge
340	Knowledge of types and collection of persistent data.	Knowledge
345	Knowledge of web mail collection, searching/analyzing techniques, tools, and cookies.	Knowledge
346	Knowledge of which system files (e.g., log files, registry files, configuration files) contain relevant information and where to find those system files.	Knowledge
360	Skill in identifying and extracting data of forensic interest in diverse media (i.e., media forensics).	Skill
364	Skill in identifying, modifying, and manipulating applicable system components within Windows, Unix, or Linux (e.g., passwords, user accounts, files).	Skill
369	Skill in collecting, processing, packaging, transporting, and storing electronic evidence to avoid alteration, loss, physical damage, or destruction of data.	Skill
374	Skill in setting up a forensic workstation.	Skill
386	Skill in using virtual machines.	Skill
438A	Collect and analyze intrusion artifacts (e.g., source code, malware, and system configuration) and use discovered data to enable mitigation of potential cyber defense incidents within the enterprise.	Task
463	Confirm what is known about an intrusion and discover new information, if possible, after identifying intrusion via dynamic analysis.	Task
649	Identify, collect, and seize documentary or physical evidence, to include digital media and logs associated with cyber intrusion incidents, investigations, and operations.	Task
758	Perform real-time forensic analysis (e.g., using Helix in conjunction with LiveView).	Task
759	Perform timeline analysis.	Task
771	Perform tier 1, 2, and 3 malware analysis.	Task
792	Process crime scenes.	Task
825	Recognize and accurately report forensic artifacts indicative of a particular operating system.	Task
868	Extract data using data carving techniques (e.g., Forensic Tool Kit [FTK], Foremost).	Task
870	Capture and analyze network traffic associated with malicious activities using network monitoring tools.	Task
882	Write and publish cyber defense techniques, guidance, and reports on incident findings to appropriate constituencies.	Task
889	Knowledge of deployable forensics.	Knowledge
908	Ability to decrypt digital data collections.	Ability
923	Knowledge of security event correlation tools.	Knowledge
944	Conduct cursory binary analysis.	Task
983	Knowledge of legal rules of evidence and court procedure.	Knowledge
1033	Knowledge of basic system administration, network, and operating system hardening techniques.	Knowledge
1036	Knowledge of applicable laws (e.g., Electronic Communications Privacy Act, Foreign Intelligence Surveillance Act, Protect America Act, search and seizure laws, civil liberties and privacy laws), statutes (e.g., in Titles 10, 18, 32, 50 in U.S. Code), Presidential Directives, executive branch guidelines, and/or administrative/criminal legal guidelines and procedures relevant to work performed.	Knowledge
1072	Knowledge of network security architecture concepts including topology, protocols, components, and principles (e.g., application of defense-in-depth).	Knowledge
1084	Perform static malware analysis.	Task
1087	Skill in deep analysis of captured malicious code (e.g., malware forensics).	Skill
1088	Skill in using binary analysis tools (e.g., Hexedit, command code xxd, hexdump).	Skill
1089	Knowledge of reverse engineering concepts.	Knowledge
1091	Skill in one way hash functions (e.g., Secure Hash Algorithm [SHA], Message Digest Algorithm [MD5]).	Skill
1094	Knowledge of debugging procedures and tools.	Knowledge
1095	Knowledge of how different file types can be used for anomalous behavior.	Knowledge
1096	Knowledge of malware analysis tools (e.g., Oily Debug, Ida Pro).	Knowledge
1097	Knowledge of virtual machine aware malware, debugger aware malware, and packing.	Knowledge
1098	Skill in analyzing anomalous code as malicious or benign.	Skill
1099	Skill in analyzing volatile data.	Skill
1100	Skill in identifying obfuscation techniques.	Skill
1101	Skill in interpreting results of debugger to ascertain tactics, techniques, and procedures.	Skill
6210	Knowledge of cloud service models and possible limitations for an incident response.	Knowledge
6918	Ability to apply cybersecurity strategy to cloud computing service and deployment models, identifying proper architecture for different operating environments.	Ability