IN-INV-001 Cyber Crime Investigator

Investigates cybersecurity events or crimes related to information technology (IT) systems, networks, and digital evidence.

Applies tactics, techniques, and procedures for a full range of investigative tools and processes to include, but not limited to, interview and interrogation techniques, surveillance, counter surveillance, and surveillance detection, and appropriately balances the benefits of prosecution versus intelligence gathering.

Identifies, collects, examines, and preserves evidence using controlled and documented analytical and investigative techniques.

Knowledges (25)

| Code | Description | Work Roles |
|---|---|---|
| K0001 | Knowledge of computer networking concepts and protocols, and network security methodologies. | 52 |
| K0002 | Knowledge of risk management processes (e.g., methods for assessing and mitigating risk). | 52 |
| K0003 | Knowledge of laws, regulations, policies, and ethics as they relate to cybersecurity and privacy. | 52 |
| K0004 | Knowledge of cybersecurity and privacy principles. | 52 |
| K0005 | Knowledge of cyber threats and vulnerabilities. | 52 |
| K0006 | Knowledge of specific operational impacts of cybersecurity lapses. | 52 |
| K0046 | Knowledge of intrusion detection methodologies and techniques for detecting host and network-based intrusions. | 4 |
| K0070 | Knowledge of system and application security threats and vulnerabilities (e.g., buffer overflow, mobile code, cross-site scripting, Procedural Language/Structured Query Language [PL/SQL] and injections, race conditions, covert channel, replay, return-oriented attacks, malicious code). | 13 |
| K0107 | Knowledge of Insider Threat investigations, reporting, investigative tools and laws/regulations. | 4 |
| K0110 | Knowledge of adversarial tactics, techniques, and procedures. | 2 |
| K0114 | Knowledge of electronic devices (e.g., computer systems/components, access control devices, digital cameras, digital scanners, electronic organizers, hard drives, memory cards, modems, network components, networked appliances, networked home control devices, printers, removable storage devices, telephones, copiers, facsimile machines, etc.). | 2 |
| K0118 | Knowledge of processes for seizing and preserving digital evidence. | 3 |
| K0123 | Knowledge of legal governance related to admissibility (e.g., Rules of Evidence). | 3 |
| K0125 | Knowledge of processes for collecting, packaging, transporting, and storing electronic evidence while maintaining chain of custody. | 3 |
| K0128 | Knowledge of types and collection of persistent data. | 3 |
| K0144 | Knowledge of social dynamics of computer attackers in a global context. | 1 |
| K0155 | Knowledge of electronic evidence law. | 3 |
| K0156 | Knowledge of legal rules of evidence and court procedure. | 3 |
| K0168 | Knowledge of applicable laws, statutes (e.g., in Titles 10, 18, 32, 50 in U.S. Code), Presidential Directives, executive branch guidelines, and/or administrative/criminal legal guidelines and procedures. | 11 |
| K0209 | Knowledge of covert communication techniques. | 2 |
| K0231 | Knowledge of crisis management protocols, processes, and techniques. | 1 |
| K0244 | Knowledge of physical and physiological behaviors that may indicate suspicious or abnormal activity. | 1 |
| K0251 | Knowledge of the judicial process, including the presentation of facts and evidence. | 1 |
| K0351 | Knowledge of applicable statutes, laws, regulations and policies governing cyber targeting and exploitation. | 3 |
| K0624 | Knowledge of Application Security Risks (e.g., Open Web Application Security Project Top 10 list). | 13 |

Skills (4)

| Code | Description | Work Roles |
|---|---|---|
| S0047 | Skill in preserving evidence integrity according to standard operating procedures or national standards. | 4 |
| S0068 | Skill in collecting, processing, packaging, transporting, and storing electronic evidence to avoid alteration, loss, physical damage, or destruction of data. | 3 |
| S0072 | Skill in using scientific rules and methods to solve problems. | 2 |
| S0086 | Skill in evaluating the trustworthiness of the supplier and/or product. | 2 |

Abilities (2)

| Code | Description | Work Roles |
|---|---|---|
| A0174 | Ability to find and navigate the dark web using the TOR network to locate markets and forums. | 1 |
| A0175 | Ability to examine digital media on multiple operating system platforms. | 2 |

Tasks (24)

| Code | Description | Work Roles |
|---|---|---|
| T0343 | Analyze the crisis to ensure public, personal, and resource protection. | 1 |
| T0346 | Assess the behavior of the individual victim, witness, or suspect as it relates to the investigation. | 1 |
| T0360 | Determine the extent of threats and recommend courses of action or countermeasures to mitigate risks. | 1 |
| T0386 | Provide criminal investigative support to trial counsel during the judicial process. | 1 |
| T0423 | Analyze computer-generated threats for counterintelligence or criminal activity. | 1 |
| T0430 | Gather and preserve evidence used in the prosecution of computer crimes. | 1 |
| T0433 | Conduct analysis of log files, evidence, and other information to determine the best methods for identifying the perpetrator(s) of a network intrusion or other crimes. | 1 |
| T0453 | Determine and develop leads and identify sources of information to identify and/or prosecute the parties responsible for an intrusion or other crimes. | 1 |
| T0471 | Document the original condition of digital and/or associated evidence (e.g., via digital photographs, written reports, hash function checking). | 1 |
| T0479 | Employ information technology (IT) systems and digital storage media to solve, investigate, and/or prosecute cybercrimes and fraud committed against people and property. | 1 |
| T0523 | Prepare reports to document the investigation following legal standards and requirements. | 1 |
| T0031 | Conduct interviews of victims and witnesses and conduct interviews or interrogations of suspects. | 1 |
| T0059 | Develop a plan to investigate an alleged crime, violation, or suspicious activity utilizing computers and the Internet. | 2 |
| T0096 | Establish relationships, if applicable, between the incident response team and other groups, both internal (e.g., legal department) and external (e.g., law enforcement agencies, vendors, public relations professionals). | 2 |
| T0103 | Examine recovered data for information of relevance to the issue at hand. | 2 |
| T0104 | Fuse computer network attack analyses with criminal and counterintelligence investigations and operations. | 1 |
| T0110 | Identify and/or determine whether a security incident is indicative of a violation of law that requires specific legal action. | 1 |
| T0112 | Identify data or intelligence of evidentiary value to support counterintelligence and criminal investigations. | 1 |
| T0113 | Identify digital evidence for examination and analysis in such a way as to avoid unintentional alteration. | 2 |
| T0114 | Identify elements of proof of the crime. | 1 |
| T0120 | Identify, collect, and seize documentary or physical evidence, to include digital media and logs associated with cyber intrusion incidents, investigations, and operations. | 1 |
| T0193 | Process crime scenes. | 1 |
| T0225 | Secure the electronic device or information source. | 1 |
| T0241 | Use specialized equipment and techniques to catalog, document, extract, collect, package, and preserve digital evidence. | 2 |