IN-FOR-002 Cyber Defense Forensics Analyst

Investigates cybersecurity events or crimes related to information technology (IT) systems, networks, and digital evidence.

Collects, processes, preserves, analyzes, and presents computer-related evidence in support of network vulnerability mitigation and/or criminal, fraud, counterintelligence, or law enforcement investigations.

Analyzes digital evidence and investigates computer security incidents to derive useful information in support of system/network vulnerability mitigation.

Knowledges 46

Code Description Work Roles
K0001 Knowledge of computer networking concepts and protocols, and network security methodologies. 52
K0002 Knowledge of risk management processes (e.g., methods for assessing and mitigating risk). 52
K0003 Knowledge of laws, regulations, policies, and ethics as they relate to cybersecurity and privacy. 52
K0004 Knowledge of cybersecurity and privacy principles. 52
K0005 Knowledge of cyber threats and vulnerabilities. 52
K0006 Knowledge of specific operational impacts of cybersecurity lapses. 52
K0018 Knowledge of encryption algorithms. 11
K0021 Knowledge of data backup and recovery. 9
K0042 Knowledge of incident response and handling methodologies. 7
K0060 Knowledge of operating systems. 13
K0070 Knowledge of system and application security threats and vulnerabilities (e.g., buffer overflow, mobile code, cross-site scripting, Procedural Language/Structured Query Language [PL/SQL] injections, race conditions, covert channel, replay, return-oriented attacks, malicious code). 13
K0077 Knowledge of server and client operating systems. 4
K0078 Knowledge of server diagnostic tools and fault identification techniques. 2
K0109 Knowledge of physical computer components and architectures, including the functions of various components and peripherals (e.g., CPUs, Network Interface Cards, data storage). 15
K0117 Knowledge of file system implementations (e.g., New Technology File System [NTFS], File Allocation Table [FAT], Extended File System [ext]). 3
K0118 Knowledge of processes for seizing and preserving digital evidence. 3
K0119 Knowledge of hacking methodologies. 2
K0122 Knowledge of investigative implications of hardware, Operating Systems, and network technologies. 2
K0123 Knowledge of legal governance related to admissibility (e.g., Rules of Evidence). 3
K0125 Knowledge of processes for collecting, packaging, transporting, and storing electronic evidence while maintaining chain of custody. 3
K0128 Knowledge of types and collection of persistent data. 3
K0131 Knowledge of web mail collection, searching/analyzing techniques, tools, and cookies. 3
K0132 Knowledge of which system files (e.g., log files, registry files, configuration files) contain relevant information and where to find those system files. 2
K0133 Knowledge of types of digital forensics data and how to recognize them. 2
K0134 Knowledge of deployable forensics. 2
K0145 Knowledge of security event correlation tools. 2
K0155 Knowledge of electronic evidence law. 3
K0156 Knowledge of legal rules of evidence and court procedure. 3
K0167 Knowledge of system administration, network, and operating system hardening techniques. 7
K0168 Knowledge of applicable laws, statutes (e.g., in Titles 10, 18, 32, 50 in U.S. Code), Presidential Directives, executive branch guidelines, and/or administrative/criminal legal guidelines and procedures. 11
K0179 Knowledge of network security architecture concepts including topology, protocols, components, and principles (e.g., application of defense-in-depth). 19
K0182 Knowledge of data carving tools and techniques (e.g., Foremost). 2
K0183 Knowledge of reverse engineering concepts. 2
K0184 Knowledge of anti-forensics tactics, techniques, and procedures. 2
K0185 Knowledge of forensics lab design configuration and support applications (e.g., VMware, Wireshark). 2
K0186 Knowledge of debugging procedures and tools. 2
K0187 Knowledge of file type abuse by adversaries for anomalous behavior. 2
K0188 Knowledge of malware analysis tools (e.g., OllyDbg, IDA Pro). 2
K0189 Knowledge of malware with virtual machine detection (e.g., virtualization-aware malware, debugger-aware malware, and unpacked malware that looks for VM-related strings in the computer's display device name). 2
K0224 Knowledge of system administration concepts for operating systems such as, but not limited to, Unix/Linux, iOS, Android, and Windows operating systems. 5
K0254 Knowledge of binary analysis. 1
K0255 Knowledge of network architecture concepts including topology, protocols, and components. 1
K0301 Knowledge of packet-level analysis using appropriate tools (e.g., Wireshark, tcpdump). 3
K0304 Knowledge of concepts and practices of processing digital forensic data. 1
K0347 Knowledge and understanding of operational design. 3
K0624 Knowledge of Application Security Risks (e.g., Open Web Application Security Project Top 10 list). 13

Skills 22

Code Description Work Roles
S0032 Skill in developing, testing, and implementing network infrastructure contingency and recovery plans. 2
S0047 Skill in preserving evidence integrity according to standard operating procedures or national standards. 4
S0062 Skill in analyzing memory dumps to extract information. 3
S0065 Skill in identifying and extracting data of forensic interest in diverse media (i.e., media forensics). 2
S0067 Skill in identifying, modifying, and manipulating applicable system components within Windows, Unix, or Linux (e.g., passwords, user accounts, files). 2
S0068 Skill in collecting, processing, packaging, transporting, and storing electronic evidence to avoid alteration, loss, physical damage, or destruction of data. 3
S0069 Skill in setting up a forensic workstation. 2
S0071 Skill in using forensic tool suites (e.g., EnCase, Sleuthkit, FTK). 2
S0073 Skill in using virtual machines (e.g., Microsoft Hyper-V, VMware vSphere, Citrix XenDesktop/Server, Amazon Elastic Compute Cloud, etc.). 5
S0074 Skill in physically disassembling PCs. 2
S0075 Skill in conducting forensic analyses in multiple operating system environments (e.g., mobile device systems). 3
S0087 Skill in deep analysis of captured malicious code (e.g., malware forensics). 2
S0088 Skill in using binary analysis tools (e.g., hexedit, xxd, hexdump). 3
S0089 Skill in one-way hash functions (e.g., Secure Hash Algorithm [SHA], Message Digest Algorithm [MD5]). 3
S0090 Skill in analyzing anomalous code as malicious or benign. 2
S0091 Skill in analyzing volatile data. 2
S0092 Skill in identifying obfuscation techniques. 2
S0093 Skill in interpreting debugger output to ascertain tactics, techniques, and procedures. 2
S0131 Skill in analyzing malware. 2
S0132 Skill in conducting bit-level analysis. 1
S0133 Skill in processing digital evidence, to include protecting and making legally sound copies of evidence. 1
S0156 Skill in performing packet-level analysis. 3

Abilities 2

Code Description Work Roles
A0005 Ability to decrypt digital data collections. 2
A0043 Ability to conduct forensic analyses in and for both Windows and Unix/Linux environments. 1

Tasks 39

Code Description Work Roles
T0279 Serve as technical expert and liaison to law enforcement personnel and explain incident details as required. 2
T0285 Perform virus scanning on digital media. 1
T0286 Perform file system forensic analysis. 1
T0287 Perform static analysis to mount an "image" of a drive (without necessarily having the original drive). 1
T0288 Perform static malware analysis. 1
T0289 Utilize deployable forensics toolkit to support operations as necessary. 1
T0312 Coordinate with intelligence analysts to correlate threat assessment data. 2
T0396 Process image with appropriate tools depending on analyst’s goals. 1
T0397 Perform Windows registry analysis. 1
T0398 Perform file and registry monitoring on the running system after identifying intrusion via dynamic analysis. 2
T0399 Enter media information into tracking database (e.g., Product Tracker Tool) for digital media that has been acquired. 1
T0400 Correlate incident data and perform cyber defense reporting. 1
T0401 Maintain deployable cyber defense toolkit (e.g., specialized cyber defense software/hardware) to support Incident Response Team mission. 2
T0432 Collect and analyze intrusion artifacts (e.g., source code, malware, and system configuration) and use discovered data to enable mitigation of potential cyber defense incidents within the enterprise. 1
T0532 Review forensic images and other data sources (e.g., volatile data) for recovery of potentially relevant information. 1
T0546 Write and publish cyber defense recommendations, reports, and white papers on incident findings to appropriate constituencies. 1
T0027 Conduct analysis of log files, evidence, and other information to determine best methods for identifying the perpetrator(s) of a network intrusion. 1
T0036 Confirm what is known about an intrusion and discover new information, if possible, after identifying intrusion via dynamic analysis. 1
T0048 Create a forensically sound duplicate of the evidence (i.e., forensic image) that ensures the original evidence is not unintentionally modified, to use for data recovery and analysis processes. This includes, but is not limited to, hard drives, floppy diskettes, CDs, PDAs, mobile phones, GPS, and all tape formats. 1
T0049 Decrypt seized data using technical means. 1
T0075 Provide technical summary of findings in accordance with established reporting procedures. 1
T0087 Ensure that chain of custody is followed for all digital media acquired in accordance with the Federal Rules of Evidence. 1
T0103 Examine recovered data for information of relevance to the issue at hand. 2
T0113 Identify digital evidence for examination and analysis in such a way as to avoid unintentional alteration. 2
T0165 Perform dynamic analysis to boot an “image” of a drive (without necessarily having the original drive) to see the intrusion as the user may have seen it, in a native environment. 1
T0167 Perform file signature analysis. 1
T0168 Perform hash comparison against established database. 1
T0172 Perform real-time forensic analysis (e.g., using Helix in conjunction with LiveView). 1
T0173 Perform timeline analysis. 1
T0175 Perform real-time cyber defense incident handling (e.g., forensic collections, intrusion correlation and tracking, threat analysis, and direct system remediation) tasks to support deployable Incident Response Teams (IRTs). 2
T0179 Perform static media analysis. 1
T0182 Perform tier 1, 2, and 3 malware analysis. 1
T0190 Prepare digital media for imaging by ensuring data integrity (e.g., write blockers in accordance with standard operating procedures). 1
T0212 Provide technical assistance on digital evidence matters to appropriate personnel. 1
T0216 Recognize and accurately report forensic artifacts indicative of a particular operating system. 1
T0238 Extract data using data carving techniques (e.g., Forensic Toolkit [FTK], Foremost). 1
T0240 Capture and analyze network traffic associated with malicious activities using network monitoring tools. 1
T0241 Use specialized equipment and techniques to catalog, document, extract, collect, package, and preserve digital evidence. 2
T0253 Conduct cursory binary analysis. 1