IN-WRL-001
Cybercrime Investigation OPM Code: 221

Collects, processes, analyzes, and disseminates information from all sources of intelligence on foreign actors' cyberspace programs, intentions, capabilities, research and development, and operational activities.

Responsible for investigating cyberspace intrusion incidents and crimes. Applies tactics, techniques, and procedures for a full range of investigative tools and processes and appropriately balances the benefits of prosecution versus intelligence gathering.

Code | Description | Work Roles (number of work roles that include the task)
T0173 Perform timeline analysis 3
T0193 Process crime scenes 1
T1090 Determine best methods for identifying the perpetrator(s) of a network intrusion 3
T1094 Conduct victim and witness interviews 1
T1095 Conduct suspect interrogations 1
T1137 Investigate suspicious activity and alleged digital crimes 1
T1187 Establish internal and external cross-team relationships 2
T1192 Conduct analysis of computer network attacks 1
T1196 Determine if security incidents are indicative of a violation of law that requires specific legal action 1
T1198 Identify data or intelligence of evidentiary value 1
T1199 Identify digital evidence for analysis 3
T1200 Identify elements of proof of cybersecurity crimes 1
T1207 Collect documentary or physical evidence of cyber intrusion incidents, investigations, and operations 2
T1241 Document cybersecurity incidents 2
T1242 Escalate incidents that may cause ongoing and immediate impact to the environment 2
T1324 Process digital evidence 4
T1325 Document digital evidence 4
T1439 Assess the behavior of individual victims, witnesses, or suspects during cybersecurity investigations 2
T1456 Determine the impact of threats on cybersecurity 1
T1477 Advise trial counsel as technical expert 1
T1505 Analyze cybersecurity threats for counter intelligence or criminal activity 1
T1510 Preserve digital evidence 3
T1526 Identify responsible parties for intrusions and other crimes 1
T1600 Prepare investigative reports 1
T1639 Assess target vulnerabilities and operational capabilities 1
T1712 Recommend potential courses of action 2
T2052 Disseminate investigative report findings 1
T2053 Deconflict investigative activity with other law enforcement agencies 1
T2054 Determine appropriate jurisdiction for legal action 1
T2055 Collect physical evidence of cyber intrusion incidents, investigations, and operations 1
Code | Description | Work Roles (number of work roles that include the knowledge item)
K0674 Knowledge of computer networking protocols 40
K0675 Knowledge of risk management processes 41
K0676 Knowledge of cybersecurity laws and regulations 41
K0677 Knowledge of cybersecurity policies and procedures 41
K0678 Knowledge of privacy laws and regulations 41
K0679 Knowledge of privacy policies and procedures 41
K0680 Knowledge of cybersecurity principles and practices 40
K0681 Knowledge of privacy principles and practices 40
K0682 Knowledge of cybersecurity threats 40
K0683 Knowledge of cybersecurity vulnerabilities 40
K0684 Knowledge of cybersecurity threat characteristics 40
K0685 Knowledge of access control principles and practices 21
K0686 Knowledge of authentication and authorization tools and techniques 21
K0716 Knowledge of host access control (HAC) systems and software 10
K0717 Knowledge of network access control (NAC) systems and software 10
K0732 Knowledge of intrusion detection tools and techniques 4
K0744 Knowledge of operating system (OS) systems and software 16
K0751 Knowledge of system threats 40
K0752 Knowledge of system vulnerabilities 40
K0759 Knowledge of client and server architecture 16
K0770 Knowledge of system administration principles and practices 14
K0784 Knowledge of insider threat laws and regulations 7
K0785 Knowledge of insider threat tools and techniques 7
K0788 Knowledge of adversarial tactics principles and practices 3
K0789 Knowledge of adversarial tactics tools and techniques 3
K0790 Knowledge of adversarial tactics policies and procedures 3
K0795 Knowledge of digital evidence seizure policies and procedures 3
K0796 Knowledge of digital evidence preservation policies and procedures 3
K0800 Knowledge of evidence admissibility laws and regulations 7
K0802 Knowledge of chain of custody policies and procedures 4
K0804 Knowledge of persistent data principles and practices 3
K0821 Knowledge of federal agency roles and responsibilities 9
K0833 Knowledge of cyberattack actor characteristics 4
K0837 Knowledge of hardening tools and techniques 14
K0859 Knowledge of encryption tools and techniques 13
K0884 Knowledge of covert communication tools and techniques 2
K0892 Knowledge of cyber defense laws and regulations 13
K0899 Knowledge of crisis management protocols 1
K0900 Knowledge of crisis management processes 1
K0901 Knowledge of crisis management tools and techniques 1
K0909 Knowledge of abnormal physical and physiological behaviors 2
K0923 Knowledge of operating system structures and internals 7
K0962 Knowledge of targeting laws and regulations 11
K0963 Knowledge of exploitation laws and regulations 11
K0969 Knowledge of cyber-attack tools and techniques 7
K0983 Knowledge of computer networking principles and practices 39
K1014 Knowledge of network security principles and practices 40
K1079 Knowledge of web application security risks 13
K1138 Knowledge of cybersecurity standards and best practices 3
K1151 Knowledge of digital evidence cataloging tools and techniques 4
K1152 Knowledge of digital evidence extraction tools and techniques 4
K1153 Knowledge of digital evidence handling principles and practices 3
K1154 Knowledge of digital evidence packaging tools and techniques 4
K1155 Knowledge of digital evidence preservation tools and techniques 4
K1205 Knowledge of required reporting formats 3
K1312 Knowledge of human source tasking 1
K1313 Knowledge of disruption, dismantlement, and deterrence strategies 1
K1314 Knowledge of obfuscation tools and techniques 1
Code | Description | Work Roles (number of work roles that include the skill)
S0469 Skill in navigating the dark web 1
S0470 Skill in using the TOR network 1
S0471 Skill in examining digital media 1
S0477 Skill in identifying anomalous activity 2
S0479 Skill in evaluating supplier trustworthiness 6
S0509 Skill in evaluating security products 5
S0589 Skill in preserving digital evidence integrity 4
S0607 Skill in collecting digital evidence 4
S0608 Skill in processing digital evidence 4
S0609 Skill in transporting digital evidence 3
S0651 Skill in performing malware analysis 6
S0695 Skill in performing Open Source Intelligence (OSINT) research 1
S0807 Skill in solving problems 9
S0854 Skill in performing data analysis 8
S0856 Skill in performing digital evidence analysis 3
S0863 Skill in performing incident analysis 2
S0866 Skill in performing log file analysis 6
S0890 Skill in performing threat analysis 2
S0896 Skill in recognizing behavioral patterns 2