IN-WRL-002
Digital Evidence Analysis OPM Code: 211

Collects, processes, analyzes, and disseminates information from all sources of intelligence on foreign actors' cyberspace programs, intentions, capabilities, research and development, and operational activities.

Responsible for identifying, collecting, examining, and preserving digital evidence using controlled and documented analytical and investigative techniques.

Tasks: Code | Description | Work Roles (count of work roles that include the task)
T0167 Perform file signature analysis 2
T0168 Perform data comparison against established database 2
T0172 Perform real-time forensic analysis (e.g., using Helix in conjunction with LiveView) 2
T0173 Perform timeline analysis 3
T0179 Perform static media analysis 2
T0182 Perform tier 1, 2, and 3 malware analysis 2
T1064 Determine data specifications 2
T1065 Determine data capacity requirements 3
T1090 Determine best methods for identifying the perpetrator(s) of a network intrusion 3
T1102 Identify intrusions 2
T1103 Analyze intrusions 2
T1104 Document what is known about intrusions 2
T1120 Create forensically sound duplicates of evidence 2
T1121 Decrypt seized data 2
T1159 Create technical summary of findings reports 2
T1175 Determine if digital media chain of custody processes meet Federal Rules of Evidence requirements 2
T1191 Determine relevance of recovered data 2
T1199 Identify digital evidence for analysis 3
T1207 Collect documentary or physical evidence of cyber intrusion incidents, investigations, and operations 2
T1253 Perform dynamic analysis on drives 2
T1256 Perform forensically sound image collection 2
T1282 Prepare digital media for imaging 2
T1301 Report forensic artifacts indicative of a particular operating system 2
T1322 Capture network traffic associated with malicious activities 2
T1323 Analyze network traffic associated with malicious activities 2
T1324 Process digital evidence 4
T1325 Document digital evidence 4
T1332 Produce incident findings reports 2
T1370 Collect intrusion artifacts 3
T1381 Scan digital media for viruses 2
T1382 Mount a drive image 2
T1383 Utilize deployable forensics toolkit 2
T1486 Process forensic images 2
T1516 Detect concealed data 1
T1542 Document original condition of digital evidence 1
T1607 Recover information from forensic data sources 2
T2012 Check network connections 1
T2013 Look for indicators of intrusions 1
T2014 Identify devices and networks on scene 1
T2015 Collect devices containing digital evidence 1
T2016 Identify areas of compromise 1
T2017 Acquire digital evidence 1
T2018 Create a digital footprint of raw or physical data 1
T2019 Process data into readable format 1
T2020 Prepare data for ingestion into application systems 1
T2021 Recover deleted or overwritten data files 1
T2022 Create derivative evidence from findings report 1
T2023 Serve as subject expert in training fact witnesses for testifying 1
T2024 Present factual causality to support attribution of criminal activity 1
T2025 Prepare technical materials for legal proceedings 1
T2026 Serve as liaison to prosecutors 1
T2027 Manage forensic laboratory accreditation processes 1
Knowledge: Code | Description | Work Roles (count of work roles that include the knowledge item)
K0636 Knowledge of decryption tools and techniques 3
K0674 Knowledge of computer networking protocols 40
K0675 Knowledge of risk management processes 41
K0676 Knowledge of cybersecurity laws and regulations 41
K0677 Knowledge of cybersecurity policies and procedures 41
K0678 Knowledge of privacy laws and regulations 41
K0679 Knowledge of privacy policies and procedures 41
K0680 Knowledge of cybersecurity principles and practices 40
K0681 Knowledge of privacy principles and practices 40
K0682 Knowledge of cybersecurity threats 40
K0683 Knowledge of cybersecurity vulnerabilities 40
K0684 Knowledge of cybersecurity threat characteristics 40
K0696 Knowledge of digital forensic data principles and practices 4
K0697 Knowledge of encryption algorithm capabilities and applications 3
K0701 Knowledge of data backup and recovery policies and procedures 8
K0710 Knowledge of enterprise cybersecurity architecture principles and practices 20
K0724 Knowledge of incident response principles and practices 8
K0725 Knowledge of incident response tools and techniques 8
K0726 Knowledge of incident handling tools and techniques 8
K0744 Knowledge of operating system (OS) systems and software 16
K0751 Knowledge of system threats 40
K0752 Knowledge of system vulnerabilities 40
K0759 Knowledge of client and server architecture 16
K0760 Knowledge of server diagnostic tools and techniques 6
K0770 Knowledge of system administration principles and practices 14
K0778 Knowledge of enterprise information technology (IT) architecture principles and practices 20
K0786 Knowledge of physical computer components 4
K0787 Knowledge of computer peripherals 4
K0791 Knowledge of defense-in-depth principles and practices 19
K0793 Knowledge of file extensions 4
K0794 Knowledge of file system implementation principles and practices 3
K0795 Knowledge of digital evidence seizure policies and procedures 3
K0796 Knowledge of digital evidence preservation policies and procedures 3
K0797 Knowledge of ethical hacking tools and techniques 4
K0800 Knowledge of evidence admissibility laws and regulations 7
K0802 Knowledge of chain of custody policies and procedures 4
K0804 Knowledge of persistent data principles and practices 3
K0806 Knowledge of machine virtualization tools and techniques 6
K0808 Knowledge of system file characteristics 2
K0809 Knowledge of digital forensics data characteristics 3
K0810 Knowledge of deployable forensics principles and practices 3
K0812 Knowledge of digital communication systems and software 9
K0837 Knowledge of hardening tools and techniques 14
K0840 Knowledge of hardware reverse engineering tools and techniques 15
K0842 Knowledge of software reverse engineering tools and techniques 15
K0850 Knowledge of data carving tools and techniques 2
K0851 Knowledge of reverse engineering principles and practices 15
K0852 Knowledge of anti-forensics tools and techniques 2
K0853 Knowledge of forensics lab design principles and practices 2
K0854 Knowledge of forensics lab design systems and software 2
K0855 Knowledge of debugging tools and techniques 2
K0856 Knowledge of filename extension abuse 2
K0857 Knowledge of malware analysis tools and techniques 4
K0858 Knowledge of virtual machine detection tools and techniques 6
K0859 Knowledge of encryption tools and techniques 13
K0870 Knowledge of enterprise architecture (EA) reference models and frameworks 20
K0871 Knowledge of enterprise architecture (EA) principles and practices 20
K0892 Knowledge of cyber defense laws and regulations 13
K0911 Knowledge of remote access tools and techniques 2
K0914 Knowledge of binary analysis tools and techniques 3
K0915 Knowledge of network architecture principles and practices 21
K0916 Knowledge of malware analysis principles and practices 4
K0923 Knowledge of operating system structures and internals 7
K0941 Knowledge of data concealment tools and techniques 1
K0947 Knowledge of computer engineering principles and practices 14
K0962 Knowledge of targeting laws and regulations 11
K0963 Knowledge of exploitation laws and regulations 11
K0979 Knowledge of information searching tools and techniques 2
K0983 Knowledge of computer networking principles and practices 39
K1004 Knowledge of reporting policies and procedures 2
K1014 Knowledge of network security principles and practices 40
K1016 Knowledge of code obfuscation tools and techniques 2
K1055 Knowledge of digital forensics principles and practices 3
K1069 Knowledge of virtual machine tools and technologies 6
K1079 Knowledge of web application security risks 13
K1091 Knowledge of media forensics 2
K1092 Knowledge of digital forensics tools and techniques 2
K1115 Knowledge of Chain of Custody (CoC) processes and procedures 2
K1145 Knowledge of data encryption practices and principles 1
K1147 Knowledge of data integrity principles and practices 3
K1151 Knowledge of digital evidence cataloging tools and techniques 4
K1152 Knowledge of digital evidence extraction tools and techniques 4
K1153 Knowledge of digital evidence handling principles and practices 3
K1154 Knowledge of digital evidence packaging tools and techniques 4
K1155 Knowledge of digital evidence preservation tools and techniques 4
K1163 Knowledge of forensic image processing tools and techniques 2
K1175 Knowledge of network monitoring tools and techniques 2
K1220 Knowledge of steganography practices and principles 1
K1280 Knowledge of approved data processing tools and techniques 1
K1281 Knowledge of data types and characteristics 1
K1282 Knowledge of predication requirements 1
K1283 Knowledge of court exhibit processes 1
K1284 Knowledge of testing and calibration in laboratory environment 1
Skills: Code | Description | Work Roles (count of work roles that include the skill)
S0156 Skill in performing packet-level analysis 4
S0378 Skill in decrypting information 3
S0385 Skill in communicating complex concepts 9
S0431 Skill in applying critical thinking 5
S0472 Skill in developing virtual machines 6
S0476 Skill in identifying filename extension abuse 2
S0499 Skill in performing intelligence collection analysis 2
S0579 Skill in preparing reports 11
S0589 Skill in preserving digital evidence integrity 4
S0599 Skill in performing memory dump analysis 2
S0605 Skill in storing digital evidence 2
S0606 Skill in manipulating operating system components 3
S0607 Skill in collecting digital evidence 4
S0608 Skill in processing digital evidence 4
S0612 Skill in performing digital forensics analysis 3
S0622 Skill in implementing one-way hash functions 3
S0623 Skill in performing source code analysis 2
S0624 Skill in performing volatile data analysis 2
S0625 Skill in interpreting debugger results 2
S0651 Skill in performing malware analysis 6
S0854 Skill in performing data analysis 8
S0856 Skill in performing digital evidence analysis 3
S0857 Skill in performing dynamic analysis 3
S0860 Skill in performing file system forensic analysis 2
S0866 Skill in performing log file analysis 6
S0884 Skill in performing static malware analysis 2
S0935 Skill in live acquisition 1
S0936 Skill in deadbox acquisition 1
S0937 Skill in inspecting data for ingestion 1
S0938 Skill in interacting with live systems to identify active and historical networks 1
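Several of the items above describe concrete forensic techniques rather than policy: file signature analysis (T0167), filename extension abuse (K0856, S0476), one-way hash functions for integrity (S0622, K1147) and forensically sound duplicates (T1120, T1256). The following Python script is an added example written for this page; it is not code from the DCWF/NICE framework. It builds a small set of constructed sample files in a temporary directory, compares each file's magic bytes against the format its extension claims, and verifies a duplicate of one file with SHA-256. The signature table and the extension alias map are illustrative subsets, not a complete reference.

```python
"""Added example for the Digital Evidence Analysis work role (not framework code).

Demonstrates file signature analysis and extension-abuse detection (T0167,
K0856, S0476) and one-way hash verification of an evidence copy (T1120,
S0622, K1147). All sample files are constructed here; none are real evidence.
"""
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, List, Optional

# Magic-byte signatures as (offset, bytes, canonical format).
# Assumption: an illustrative subset; production tools carry far more entries.
SIGNATURES = [
    (0, b"\x89PNG\r\n\x1a\n", "png"),
    (0, b"\xff\xd8\xff", "jpg"),
    (0, b"%PDF-", "pdf"),
    (0, b"MZ", "exe"),          # DOS/PE executable header
    (0, b"\x7fELF", "elf"),
    (0, b"PK\x03\x04", "zip"),  # also the container for docx/xlsx/jar
    (0, b"GIF87a", "gif"),
    (0, b"GIF89a", "gif"),
    (0, b"\x1f\x8b", "gz"),
]
HEADER_BYTES = max(off + len(magic) for off, magic, _ in SIGNATURES)

# Extensions that legitimately map onto a detected container format.
EXTENSION_ALIASES = {
    "jpeg": "jpg", "jpe": "jpg",
    "docx": "zip", "xlsx": "zip", "pptx": "zip", "jar": "zip", "apk": "zip",
    "dll": "exe", "sys": "exe", "scr": "exe",
    "so": "elf",
}


def identify_format(header: bytes) -> Optional[str]:
    """Return the canonical format whose magic bytes match, or None."""
    for offset, magic, name in SIGNATURES:
        if header[offset:offset + len(magic)] == magic:
            return name
    return None


def classify_file(path: Path) -> Dict[str, Optional[str]]:
    """Compare the content signature with the format the extension claims."""
    with path.open("rb") as f:
        header = f.read(HEADER_BYTES)
    detected = identify_format(header)
    ext = path.suffix.lower().lstrip(".")
    claimed = EXTENSION_ALIASES.get(ext, ext)
    if detected is None:
        status = "unknown"        # no signature in the table; needs manual review
    elif claimed != detected:
        status = "mismatch"       # extension abuse candidate (e.g. PE named .pdf)
    else:
        status = "ok"
    return {"file": path.name, "extension": ext, "detected": detected, "status": status}


def scan_tree(root: Path) -> List[Dict[str, Optional[str]]]:
    """Classify every regular file below root, in a stable order."""
    return [classify_file(p) for p in sorted(root.rglob("*")) if p.is_file()]


def sha256_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Stream a file through SHA-256 so large images do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_copy(original: Path, duplicate: Path) -> bool:
    """A forensically sound duplicate must hash identically to its source."""
    return sha256_file(original) == sha256_file(duplicate)


def build_sample_evidence(root: Path) -> None:
    """Constructed sample files (synthetic, not real evidence)."""
    (root / "photo.jpg").write_bytes(b"\xff\xd8\xff\xe0" + b"\x00" * 32)
    (root / "report.pdf").write_bytes(b"%PDF-1.7\n%constructed\n")
    (root / "invoice.pdf").write_bytes(b"MZ\x90\x00" + b"\x00" * 60)  # PE disguised as PDF
    (root / "notes.txt").write_bytes(b"plain text, no signature\n")
    (root / "archive.docx").write_bytes(b"PK\x03\x04" + b"\x00" * 26)
    (root / "cat.jpeg").write_bytes(b"\xff\xd8\xff\xdb" + b"\x00" * 8)


def run_demo() -> Dict[str, object]:
    """Build the sample set, scan it, and verify a good and a tampered copy."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        evidence = root / "evidence"
        evidence.mkdir()
        build_sample_evidence(evidence)
        findings = scan_tree(evidence)
        original = evidence / "invoice.pdf"
        good_copy = root / "invoice.pdf.dd"
        good_copy.write_bytes(original.read_bytes())
        tampered = root / "tampered.dd"
        tampered.write_bytes(original.read_bytes() + b"\x00")  # one extra byte
        return {
            "mismatches": sorted(f["file"] for f in findings if f["status"] == "mismatch"),
            "unknown": sorted(f["file"] for f in findings if f["status"] == "unknown"),
            "copy_verified": verify_copy(original, good_copy),
            "tampered_verified": verify_copy(original, tampered),
        }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The scan flags invoice.pdf because its content starts with the PE header MZ while the name claims a PDF, and leaves notes.txt as "unknown" rather than guessing; unmatched files are exactly the ones an analyst should examine rather than clear. The hash check shows why a single appended byte is enough to invalidate a duplicate, which is the property that makes recorded hashes usable in chain of custody documentation.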