IN-INV-001 Cyber Crime Investigator

Investigates cybersecurity events or crimes related to information technology (IT) systems, networks, and digital evidence.

Applies tactics, techniques, and procedures for a full range of investigative tools and processes to include, but not limited to, interview and interrogation techniques, surveillance, counter surveillance, and surveillance detection, and appropriately balances the benefits of prosecution versus intelligence gathering.

Identifies, collects, examines, and preserves evidence using controlled and documented analytical and investigative techniques.

Knowledges 25

Code	Description	Work Roles
K0001	Knowledge of computer networking concepts and protocols, and network security methodologies.	52
K0002	Knowledge of risk management processes (e.g., methods for assessing and mitigating risk).	52
K0003	Knowledge of laws, regulations, policies, and ethics as they relate to cybersecurity and privacy.	52
K0004	Knowledge of cybersecurity and privacy principles.	52
K0005	Knowledge of cyber threats and vulnerabilities.	52
K0006	Knowledge of specific operational impacts of cybersecurity lapses.	52
K0046	Knowledge of intrusion detection methodologies and techniques for detecting host and network-based intrusions.	4
K0070	Knowledge of system and application security threats and vulnerabilities (e.g., buffer overflow, mobile code, cross-site scripting, Procedural Language/Structured Query Language [PL/SQL] and injections, race conditions, covert channel, replay, return-oriented attacks, malicious code).	13
K0107	Knowledge of Insider Threat investigations, reporting, investigative tools and laws/regulations.	4
K0110	Knowledge of adversarial tactics, techniques, and procedures.	2
K0114	Knowledge of electronic devices (e.g., computer systems/components, access control devices, digital cameras, digital scanners, electronic organizers, hard drives, memory cards, modems, network components, networked appliances, networked home control devices, printers, removable storage devices, telephones, copiers, facsimile machines, etc.).	2
K0118	Knowledge of processes for seizing and preserving digital evidence.	3
K0123	Knowledge of legal governance related to admissibility (e.g. Rules of Evidence).	3
K0125	Knowledge of processes for collecting, packaging, transporting, and storing electronic evidence while maintaining chain of custody.	3
K0128	Knowledge of types and collection of persistent data.	3
K0144	Knowledge of social dynamics of computer attackers in a global context.	1
K0155	Knowledge of electronic evidence law.	3
K0156	Knowledge of legal rules of evidence and court procedure.	3
K0168	Knowledge of applicable laws, statutes (e.g., in Titles 10, 18, 32, 50 in U.S. Code), Presidential Directives, executive branch guidelines, and/or administrative/criminal legal guidelines and procedures.	11
K0209	Knowledge of covert communication techniques.	2
K0231	Knowledge of crisis management protocols, processes, and techniques.	1
K0244	Knowledge of physical and physiological behaviors that may indicate suspicious or abnormal activity.	1
K0251	Knowledge of the judicial process, including the presentation of facts and evidence.	1
K0351	Knowledge of applicable statutes, laws, regulations and policies governing cyber targeting and exploitation.	3
K0624	Knowledge of Application Security Risks (e.g. Open Web Application Security Project Top 10 list)	13

Skills 4

Code	Description	Work Roles
S0047	Skill in preserving evidence integrity according to standard operating procedures or national standards.	4
S0068	Skill in collecting, processing, packaging, transporting, and storing electronic evidence to avoid alteration, loss, physical damage, or destruction of data.	3
S0072	Skill in using scientific rules and methods to solve problems.	2
S0086	Skill in evaluating the trustworthiness of the supplier and/or product.	2

Abilities 2

Code	Description	Work Roles
A0174	Ability to find and navigate the dark web using the TOR network to locate markets and forums.	1
A0175	Ability to examine digital media on multiple operating system platforms.	2

Tasks 24

Code	Description	Work Roles
T0343	Analyze the crisis to ensure public, personal, and resource protection.	1
T0346	Assess the behavior of the individual victim, witness, or suspect as it relates to the investigation.	1
T0360	Determine the extent of threats and recommend courses of action or countermeasures to mitigate risks.	1
T0386	Provide criminal investigative support to trial counsel during the judicial process.	1
T0423	Analyze computer-generated threats for counter intelligence or criminal activity.	1
T0430	Gather and preserve evidence used on the prosecution of computer crimes.	1
T0433	Conduct analysis of log files, evidence, and other information to determine best methods for identifying the perpetrator(s) of a network intrusion or other crimes.	1
T0453	Determine and develop leads and identify sources of information to identify and/or prosecute the responsible parties to an intrusion or other crimes.	1
T0471	Document original condition of digital and/or associated evidence (e.g., via digital photographs, written reports, hash function checking).	1
T0479	Employ information technology (IT) systems and digital storage media to solve, investigate, and/or prosecute cybercrimes and fraud committed against people and property.	1
T0523	Prepare reports to document the investigation following legal standards and requirements.	1
T0031	Conduct interviews of victims and witnesses and conduct interviews or interrogations of suspects.	1
T0059	Develop a plan to investigate alleged crime, violation, or suspicious activity utilizing computers and the Internet.	2
T0096	Establish relationships, if applicable, between the incident response team and other groups, both internal (e.g., legal department) and external (e.g., law enforcement agencies, vendors, public relations professionals).	2
T0103	Examine recovered data for information of relevance to the issue at hand.	2
T0104	Fuse computer network attack analyses with criminal and counterintelligence investigations and operations.	1
T0110	Identify and/or determine whether a security incident is indicative of a violation of law that requires specific legal action.	1
T0112	Identify data or intelligence of evidentiary value to support counterintelligence and criminal investigations.	1
T0113	Identify digital evidence for examination and analysis in such a way as to avoid unintentional alteration.	2
T0114	Identify elements of proof of the crime.	1
T0120	Identify, collect, and seize documentary or physical evidence, to include digital media and logs associated with cyber intrusion incidents, investigations, and operations.	1
T0193	Process crime scenes.	1
T0225	Secure the electronic device or information source.	1
T0241	Use specialized equipment and techniques to catalog, document, extract, collect, package, and preserve digital evidence.	2