IN-FOR-001 Law Enforcement/Counterintelligence Forensics Analyst

Investigates cybersecurity events or crimes related to information technology (IT) systems, networks, and digital evidence.

Collects, processes, preserves, analyzes, and presents computer-related evidence in support of network vulnerability mitigation and/or criminal, fraud, counterintelligence, or law enforcement investigations.

Conducts detailed investigations of computer-based crimes, establishing documentary or physical evidence, including digital media and logs associated with cyber intrusion incidents.

Knowledge 42

Code  Description  Work Roles (number of NICE work roles that list this item)
K0001 Knowledge of computer networking concepts and protocols, and network security methodologies. 52
K0002 Knowledge of risk management processes (e.g., methods for assessing and mitigating risk). 52
K0003 Knowledge of laws, regulations, policies, and ethics as they relate to cybersecurity and privacy. 52
K0004 Knowledge of cybersecurity and privacy principles. 52
K0005 Knowledge of cyber threats and vulnerabilities. 52
K0006 Knowledge of specific operational impacts of cybersecurity lapses. 52
K0017 Knowledge of concepts and practices of processing digital forensic data. 2
K0021 Knowledge of data backup and recovery. 9
K0042 Knowledge of incident response and handling methodologies. 7
K0060 Knowledge of operating systems. 13
K0070 Knowledge of system and application security threats and vulnerabilities (e.g., buffer overflows, mobile code, cross-site scripting, SQL and Procedural Language/Structured Query Language [PL/SQL] injection, race conditions, covert channels, replay, return-oriented programming attacks, malicious code). 13
K0077 Knowledge of server and client operating systems. 4
K0078 Knowledge of server diagnostic tools and fault identification techniques. 2
K0107 Knowledge of Insider Threat investigations, reporting, investigative tools and laws/regulations. 4
K0109 Knowledge of physical computer components and architectures, including the functions of various components and peripherals (e.g., CPUs, Network Interface Cards, data storage). 15
K0117 Knowledge of file system implementations (e.g., New Technology File System [NTFS], File Allocation Table [FAT], Extended File System [ext2/ext3/ext4]). 3
K0118 Knowledge of processes for seizing and preserving digital evidence. 3
K0119 Knowledge of hacking methodologies. 2
K0122 Knowledge of investigative implications of hardware, Operating Systems, and network technologies. 2
K0123 Knowledge of legal governance related to admissibility (e.g. Rules of Evidence). 3
K0125 Knowledge of processes for collecting, packaging, transporting, and storing electronic evidence while maintaining chain of custody. 3
K0128 Knowledge of types and collection of persistent data. 3
K0131 Knowledge of web mail collection, searching/analyzing techniques, tools, and cookies. 3
K0132 Knowledge of which system files (e.g., log files, registry files, configuration files) contain relevant information and where to find those system files. 2
K0133 Knowledge of types of digital forensics data and how to recognize them. 2
K0134 Knowledge of deployable forensics. 2
K0145 Knowledge of security event correlation tools. 2
K0155 Knowledge of electronic evidence law. 3
K0156 Knowledge of legal rules of evidence and court procedure. 3
K0167 Knowledge of system administration, network, and operating system hardening techniques. 7
K0168 Knowledge of applicable laws, statutes (e.g., in Titles 10, 18, 32, 50 in U.S. Code), Presidential Directives, executive branch guidelines, and/or administrative/criminal legal guidelines and procedures. 11
K0179 Knowledge of network security architecture concepts including topology, protocols, components, and principles (e.g., application of defense-in-depth). 19
K0182 Knowledge of data carving tools and techniques (e.g., Foremost). 2
K0183 Knowledge of reverse engineering concepts. 2
K0184 Knowledge of anti-forensics tactics, techniques, and procedures. 2
K0185 Knowledge of forensics lab design configuration and support applications (e.g., VMware, Wireshark). 2
K0186 Knowledge of debugging procedures and tools. 2
K0187 Knowledge of file type abuse by adversaries for anomalous behavior. 2
K0188 Knowledge of malware analysis tools (e.g., OllyDbg, IDA Pro). 2
K0189 Knowledge of malware that detects analysis environments (e.g., VM-aware malware, debugger-aware malware, and packed malware that scans for VM-related strings, such as the display adapter name, before unpacking its payload). 2
K0305 Knowledge of data concealment (e.g. encryption algorithms and steganography). 1
K0624 Knowledge of application security risks (e.g., the Open Web Application Security Project [OWASP] Top 10 list). 13

Skills 19

Code  Description  Work Roles (number of NICE work roles that list this item)
S0032 Skill in developing, testing, and implementing network infrastructure contingency and recovery plans. 2
S0046 Skill in performing packet-level analysis using appropriate tools (e.g., Wireshark, tcpdump). 1
S0047 Skill in preserving evidence integrity according to standard operating procedures or national standards. 4
S0062 Skill in analyzing memory dumps to extract information. 3
S0065 Skill in identifying and extracting data of forensic interest in diverse media (i.e., media forensics). 2
S0067 Skill in identifying, modifying, and manipulating applicable system components within Windows, Unix, or Linux (e.g., passwords, user accounts, files). 2
S0068 Skill in collecting, processing, packaging, transporting, and storing electronic evidence to avoid alteration, loss, physical damage, or destruction of data. 3
S0069 Skill in setting up a forensic workstation. 2
S0071 Skill in using forensic tool suites (e.g., EnCase, Sleuthkit, FTK). 2
S0073 Skill in using virtual machines (e.g., Microsoft Hyper-V, VMware vSphere, Citrix XenDesktop/XenServer, Amazon Elastic Compute Cloud). 5
S0074 Skill in physically disassembling PCs. 2
S0075 Skill in conducting forensic analyses in multiple operating system environments (e.g., mobile device systems). 3
S0087 Skill in deep analysis of captured malicious code (e.g., malware forensics). 2
S0088 Skill in using binary analysis tools (e.g., hexedit, xxd, hexdump). 3
S0089 Skill in one-way hash functions (e.g., Secure Hash Algorithm [SHA] family, Message Digest Algorithm 5 [MD5]). 3
S0090 Skill in analyzing anomalous code as malicious or benign. 2
S0091 Skill in analyzing volatile data. 2
S0092 Skill in identifying obfuscation techniques. 2
S0093 Skill in interpreting results of debugger to ascertain tactics, techniques, and procedures. 2
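Several of the items above (S0047 and S0068 on preserving evidence integrity, S0089 on one-way hashes, S0088 on inspecting raw bytes, and K0182 and K0187 in the knowledge list on data carving and file-type abuse) describe one routine workflow: hash the acquired image for the chain-of-custody record, re-verify the working copy, and recover files from the raw bytes by signature rather than by file-system metadata. The script below is an added example, not part of the NICE listing or of any named tool; the "image" is a constructed byte string, the signature table is deliberately tiny, and the function names are the author's own. It also records the caveat S0089 does not: MD5 is collision-broken, so it is kept only for compatibility with legacy forms and SHA-256 is the value to rely on.

```python
"""Added example (not part of the NICE listing): hash-based evidence integrity plus
header/footer file carving and magic-byte type identification, in pure Python.
All data below is constructed for the example; the 'image' is a byte string
standing in for a raw disk or partition image."""
import hashlib
from dataclasses import dataclass
from typing import List, Optional

# Magic bytes used both for carving and for identifying a file by content rather
# than by its extension (K0187). Real carvers such as Foremost ship a far larger
# signature table; these four are enough to show the technique.
MAGIC = {
    "jpg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n",
    "pdf": b"%PDF-",
    "exe": b"MZ",                      # PE/DOS executable: no fixed footer, so identified but not carved
}
FOOTER = {
    "jpg": b"\xff\xd9",
    "png": b"IEND\xaeB`\x82",
    "pdf": b"%%EOF",
}


@dataclass
class CarvedFile:
    kind: str
    offset: int
    size: int
    sha256: str
    truncated: bool      # header found but no footer inside the size limit


def hash_evidence(data: bytes) -> dict:
    """Acquisition hashes for the chain-of-custody record. SHA-256 is the value to
    rely on; MD5 is recorded only because legacy tools and forms still expect it
    (it is collision-broken, so a matching MD5 alone is not proof of integrity)."""
    return {"sha256": hashlib.sha256(data).hexdigest(),
            "md5": hashlib.md5(data).hexdigest()}


def verify_evidence(data: bytes, expected_sha256: str) -> bool:
    """Re-hash a working copy and compare it with the recorded acquisition hash."""
    return hashlib.sha256(data).hexdigest() == expected_sha256.strip().lower()


def identify(data: bytes) -> Optional[str]:
    """Type by leading magic bytes; the longest signature is tried first."""
    for kind, magic in sorted(MAGIC.items(), key=lambda kv: -len(kv[1])):
        if data.startswith(magic):
            return kind
    return None


def extension_mismatch(filename: str, data: bytes) -> bool:
    """True when the content type is known and disagrees with the extension,
    e.g. an 'invoice.pdf' whose bytes are a PE executable."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    ext = {"jpeg": "jpg"}.get(ext, ext)
    kind = identify(data)
    return kind is not None and kind != ext


def carve(image: bytes, max_size: int = 1 << 20) -> List[CarvedFile]:
    """Header/footer carving over raw bytes. Because it keys on content, not on
    file-system metadata, it recovers deleted or renamed files too. Two limits are
    shown on purpose: the first footer wins (a PDF with incremental updates is cut
    at its first %%EOF), and a header with no footer yields a truncated hit."""
    found: List[CarvedFile] = []
    for kind, footer in FOOTER.items():
        header = MAGIC[kind]
        start = image.find(header)
        while start != -1:
            limit = min(start + max_size, len(image))
            end = image.find(footer, start + len(header), limit)
            if end == -1:
                chunk, truncated = image[start:limit], True
            else:
                chunk, truncated = image[start:end + len(footer)], False
            found.append(CarvedFile(kind, start, len(chunk),
                                    hashlib.sha256(chunk).hexdigest(), truncated))
            start = image.find(header, start + len(header))
    return sorted(found, key=lambda f: f.offset)


def build_sample_image() -> bytes:
    """Constructed stand-in for a raw image: three intact files and one truncated JPEG."""
    jpg = MAGIC["jpg"] + b"\xe0\x00\x10JFIF\x00" + b"\x11" * 40 + FOOTER["jpg"]
    png = MAGIC["png"] + b"\x00\x00\x00\rIHDR" + b"\x22" * 20 + FOOTER["png"]
    pdf = (MAGIC["pdf"] + b"1.7\n%\xe2\xe3\xcf\xd3\n1 0 obj<<>>endobj\n" + FOOTER["pdf"]
           + b"\n2 0 obj<<>>endobj\n" + FOOTER["pdf"])      # incremental update: two %%EOF
    truncated_jpg = MAGIC["jpg"] + b"\xe0" + b"\x33" * 30   # header, no footer
    gap = b"\x00" * 64                                      # unallocated space
    return gap + jpg + gap + png + gap + pdf + gap + truncated_jpg


if __name__ == "__main__":
    image = build_sample_image()
    record = hash_evidence(image)
    print("acquisition:", record)
    print("verified:", verify_evidence(image, record["sha256"]))
    for f in carve(image):
        print(f"{f.kind:4} @ {f.offset:>5} {f.size:>4} bytes truncated={f.truncated} {f.sha256[:16]}...")
    print("invoice.pdf mismatch:", extension_mismatch("invoice.pdf", b"MZ\x90\x00" + b"\x00" * 60))
```

Each carved object carries its own SHA-256 so that it can be tracked separately from the parent image in the custody record. On real media the carver is run against a verified copy, never the original, and the truncated flag is what tells the examiner that a hit needs manual inspection with a hex tool rather than being reported as an intact file.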

Abilities 2

Code  Description  Work Roles (number of NICE work roles that list this item)
A0005 Ability to decrypt digital data collections. 2
A0175 Ability to examine digital media on multiple operating system platforms. 2

Tasks 10

Code  Description  Work Roles (number of NICE work roles that list this item)
T0308 Analyze incident data for emerging trends. 2
T0398 Perform file and registry monitoring on the running system after identifying intrusion via dynamic analysis. 2
T0401 Maintain deployable cyber defense toolkit (e.g., specialized cyber defense software/hardware) to support Incident Response Team mission. 2
T0403 Read, interpret, write, modify, and execute simple scripts (e.g., Perl, VBScript) on Windows and UNIX systems (e.g., those that perform tasks such as: parsing large data files, automating manual tasks, and fetching/processing remote data). 2
T0411 Identify and/or develop reverse engineering tools to enhance capabilities and detect vulnerabilities. 2
T0419 Acquire and maintain a working knowledge of constitutional issues which arise in relevant laws, regulations, policies, agreements, standards, procedures, or other issuances. 2
T0425 Analyze organizational cyber policy. 3
T0059 Develop a plan to investigate alleged crime, violation, or suspicious activity utilizing computers and the Internet. 2
T0096 Establish relationships, if applicable, between the incident response team and other groups, both internal (e.g., legal department) and external (e.g., law enforcement agencies, vendors, public relations professionals). 2
T0220 Resolve conflicts in laws, regulations, policies, standards, or procedures. 6
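T0403 (scripts that parse large data files) and T0308 (analyzing incident data for emerging trends) are usually one job: stream a log too large to load, reduce it to counts, and surface what changed. The script below is an added example, not part of the NICE listing; the log lines are constructed in sshd style, the addresses come from the RFC 5737 documentation ranges, and the "emerging" rule (latest day at least a minimum count and more than a multiple of the mean of earlier days) is a simple illustration, not a standard.

```python
"""Added example (not part of the NICE listing): a streaming parser for a large
authentication log (T0403) feeding a simple emerging-trend check (T0308).
SAMPLE_LOG is constructed; the addresses are RFC 5737 documentation ranges."""
import re
from collections import Counter, defaultdict
from typing import Dict, Iterable, Iterator, List, Tuple

SAMPLE_LOG = """\
2024-03-01T02:10:11Z bastion sshd[4101]: Failed password for invalid user admin from 203.0.113.5 port 51012 ssh2
2024-03-01T08:00:03Z bastion sshd[4188]: Accepted publickey for alice from 192.0.2.10 port 52200 ssh2
2024-03-01T13:44:09Z bastion sshd[4390]: Failed password for root from 198.51.100.7 port 60111 ssh2
2024-03-01T13:45:00Z bastion CRON[4400]: (root) CMD (run-parts /etc/cron.hourly)
2024-03-02T02:11:40Z bastion sshd[5102]: Failed password for invalid user admin from 203.0.113.5 port 51013 ssh2
2024-03-02T08:01:17Z bastion sshd[5190]: Accepted publickey for alice from 192.0.2.10 port 52201 ssh2
2024-03-02T13:46:02Z bastion sshd[5391]: Failed password for root from 198.51.100.7 port 60112 ssh2
2024-03-03T02:09:58Z bastion sshd[6103]: Failed password for invalid user admin from 203.0.113.5 port 51014 ssh2
2024-03-03T08:02:45Z bastion sshd[6191]: Accepted publickey for alice from 192.0.2.10 port 52202 ssh2
2024-03-03T13:47:30Z bastion sshd[6392]: Failed password for root from 198.51.100.7 port 60113 ssh2
2024-03-04T02:10:02Z bastion sshd[7104]: Failed password for invalid user admin from 203.0.113.5 port 51015 ssh2
2024-03-04T02:10:05Z bastion sshd[7105]: Failed password for invalid user oracle from 203.0.113.5 port 51016 ssh2
2024-03-04T02:10:09Z bastion sshd[7106]: Failed password for invalid user test from 203.0.113.5 port 51017 ssh2
2024-03-04T02:10:13Z bastion sshd[7107]: Failed password for root from 203.0.113.5 port 51018 ssh2
2024-03-04T08:03:12Z bastion sshd[7192]: Accepted publickey for alice from 192.0.2.10 port 52203 ssh2
2024-03-04T13:48:51Z bastion sshd[7393]: Failed password for root from 198.51.100.7 port 60114 ssh2
"""

# One anchored regex that extracts only the fields the analysis needs. Lines from
# other daemons (CRON above) simply do not match and are skipped.
LINE_RE = re.compile(
    r"^(?P<day>\d{4}-\d{2}-\d{2})T\S+ (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<event>Failed password|Accepted password|Accepted publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

Key = Tuple[str, str]          # (event, source ip)


def parse_auth_log(lines: Iterable[str]) -> Iterator[dict]:
    """Yield one dict per recognised line. Accepts any iterable of lines, so an
    open file streams through without being loaded; unmatched lines are skipped
    rather than aborting a multi-gigabyte run."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def count_by_day(events: Iterable[dict]) -> Dict[str, Counter]:
    """Reduce the stream to day -> Counter of (event, ip); memory is bounded by the
    number of distinct keys, not by the size of the log."""
    by_day: Dict[str, Counter] = defaultdict(Counter)
    for ev in events:
        by_day[ev["day"]][(ev["event"], ev["ip"])] += 1
    return dict(by_day)


def emerging(by_day: Dict[str, Counter], min_count: int = 3,
             ratio: float = 2.0) -> List[Tuple[Key, int, float]]:
    """Flag (event, ip) pairs whose count on the latest day is at least min_count
    and more than ratio times their mean over all earlier days (a key never seen
    before has a baseline of 0). Returns (key, latest_count, baseline), highest first."""
    days = sorted(by_day)
    if len(days) < 2:
        return []
    latest, prior = days[-1], days[:-1]
    flagged = []
    for key, n in by_day[latest].items():
        baseline = sum(by_day[d][key] for d in prior) / len(prior)
        if n >= min_count and n > ratio * baseline:
            flagged.append((key, n, baseline))
    return sorted(flagged, key=lambda row: -row[1])


def analyze(lines: Iterable[str]) -> List[Tuple[Key, int, float]]:
    """End-to-end: stream, reduce, flag."""
    return emerging(count_by_day(parse_auth_log(lines)))


if __name__ == "__main__":
    for (event, ip), n, baseline in analyze(SAMPLE_LOG.splitlines()):
        print(f"{event!r} from {ip}: {n} on latest day vs {baseline:.1f}/day before")
```

Run against the constructed log, only the 203.0.113.5 password failures are flagged (4 on the last day against a baseline of 1 per day); the steady 198.51.100.7 failures and alice's daily key logins are not. In production the same pipeline is pointed at an open file or a compressed stream instead of SAMPLE_LOG.splitlines(), and the day bucket would normally be replaced by a longer baseline window.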