PD-WRL-002
Digital Forensics (OPM Code: 212)

Protects against, identifies, and analyzes risks to technology systems or networks. Includes investigation of cybersecurity events or crimes related to technology systems and networks.

Responsible for analyzing digital evidence from computer security incidents to derive useful information in support of system and network vulnerability mitigation.

| Code | Description | Work Roles |
|---|---|---|
| T0167 | Perform file signature analysis | 2 |
| T0168 | Perform data comparison against established database | 2 |
| T0172 | Perform real-time forensic analysis (e.g., using Helix in conjunction with LiveView) | 2 |
| T0173 | Perform timeline analysis | 3 |
| T0179 | Perform static media analysis | 2 |
| T0182 | Perform tier 1, 2, and 3 malware analysis | 2 |
| T0397 | Perform Windows registry analysis | 1 |
| T1020 | Determine the operational and safety impacts of cybersecurity lapses | 37 |
| T1051 | Set up a forensic workstation | 1 |
| T1084 | Identify anomalous network activity | 9 |
| T1090 | Determine best methods for identifying the perpetrator(s) of a network intrusion | 3 |
| T1102 | Identify intrusions | 2 |
| T1103 | Analyze intrusions | 2 |
| T1104 | Document what is known about intrusions | 2 |
| T1118 | Identify vulnerabilities | 7 |
| T1119 | Recommend vulnerability remediation strategies | 8 |
| T1120 | Create forensically sound duplicates of evidence | 2 |
| T1121 | Decrypt seized data | 2 |
| T1159 | Create technical summary of findings reports | 2 |
| T1175 | Determine if digital media chain of custody processes meet Federal Rules of Evidence requirements | 2 |
| T1191 | Determine relevance of recovered data | 2 |
| T1199 | Identify digital evidence for analysis | 3 |
| T1253 | Perform dynamic analysis on drives | 2 |
| T1260 | Perform real-time cyber defense incident handling | 2 |
| T1282 | Prepare digital media for imaging | 2 |
| T1301 | Report forensic artifacts indicative of a particular operating system | 2 |
| T1322 | Capture network traffic associated with malicious activities | 2 |
| T1323 | Analyze network traffic associated with malicious activities | 2 |
| T1324 | Process digital evidence | 4 |
| T1325 | Document digital evidence | 4 |
| T1370 | Collect intrusion artifacts | 3 |
| T1371 | Mitigate potential cyber defense incidents | 2 |
| T1372 | Advise law enforcement personnel as technical expert | 2 |
| T1381 | Scan digital media for viruses | 2 |
| T1382 | Mount a drive image | 2 |
| T1383 | Utilize deployable forensics toolkit | 2 |
| T1387 | Validate intrusion detection system alerts | 2 |
| T1407 | Correlate threat assessment data | 2 |
| T1486 | Process forensic images | 2 |
| T1487 | Perform file and registry monitoring on running systems | 1 |
| T1488 | Enter digital media information into tracking databases | 1 |
| T1489 | Correlate incident data | 7 |
| T1490 | Prepare cyber defense toolkits | 1 |
| T1510 | Preserve digital evidence | 3 |
| T1607 | Recover information from forensic data sources | 2 |
| T1617 | Prepare cyber defense reports | 2 |
| Code | Description | Work Roles |
|---|---|---|
| K0018 | Knowledge of encryption algorithms | 10 |
| K0635 | Knowledge of decryption | 2 |
| K0636 | Knowledge of decryption tools and techniques | 3 |
| K0637 | Knowledge of data repositories | 2 |
| K0674 | Knowledge of computer networking protocols | 40 |
| K0675 | Knowledge of risk management processes | 41 |
| K0676 | Knowledge of cybersecurity laws and regulations | 41 |
| K0677 | Knowledge of cybersecurity policies and procedures | 41 |
| K0678 | Knowledge of privacy laws and regulations | 41 |
| K0679 | Knowledge of privacy policies and procedures | 41 |
| K0680 | Knowledge of cybersecurity principles and practices | 40 |
| K0681 | Knowledge of privacy principles and practices | 40 |
| K0682 | Knowledge of cybersecurity threats | 40 |
| K0683 | Knowledge of cybersecurity vulnerabilities | 40 |
| K0684 | Knowledge of cybersecurity threat characteristics | 40 |
| K0696 | Knowledge of digital forensic data principles and practices | 4 |
| K0697 | Knowledge of encryption algorithm capabilities and applications | 3 |
| K0701 | Knowledge of data backup and recovery policies and procedures | 8 |
| K0710 | Knowledge of enterprise cybersecurity architecture principles and practices | 20 |
| K0724 | Knowledge of incident response principles and practices | 8 |
| K0725 | Knowledge of incident response tools and techniques | 8 |
| K0726 | Knowledge of incident handling tools and techniques | 8 |
| K0744 | Knowledge of operating system (OS) systems and software | 16 |
| K0751 | Knowledge of system threats | 40 |
| K0752 | Knowledge of system vulnerabilities | 40 |
| K0759 | Knowledge of client and server architecture | 16 |
| K0760 | Knowledge of server diagnostic tools and techniques | 6 |
| K0761 | Knowledge of Fault Detection and Diagnostics (FDD) tools and techniques | 5 |
| K0770 | Knowledge of system administration principles and practices | 14 |
| K0778 | Knowledge of enterprise information technology (IT) architecture principles and practices | 20 |
| K0786 | Knowledge of physical computer components | 4 |
| K0787 | Knowledge of computer peripherals | 4 |
| K0791 | Knowledge of defense-in-depth principles and practices | 19 |
| K0793 | Knowledge of file extensions | 4 |
| K0794 | Knowledge of file system implementation principles and practices | 3 |
| K0795 | Knowledge of digital evidence seizure policies and procedures | 3 |
| K0796 | Knowledge of digital evidence preservation policies and procedures | 3 |
| K0797 | Knowledge of ethical hacking tools and techniques | 4 |
| K0800 | Knowledge of evidence admissibility laws and regulations | 7 |
| K0802 | Knowledge of chain of custody policies and procedures | 4 |
| K0804 | Knowledge of persistent data principles and practices | 3 |
| K0806 | Knowledge of machine virtualization tools and techniques | 6 |
| K0807 | Knowledge of web mail tools and techniques | 1 |
| K0808 | Knowledge of system file characteristics | 2 |
| K0809 | Knowledge of digital forensics data characteristics | 3 |
| K0810 | Knowledge of deployable forensics principles and practices | 3 |
| K0812 | Knowledge of digital communication systems and software | 9 |
| K0817 | Knowledge of event correlation tools and techniques | 1 |
| K0837 | Knowledge of hardening tools and techniques | 14 |
| K0840 | Knowledge of hardware reverse engineering tools and techniques | 15 |
| K0842 | Knowledge of software reverse engineering tools and techniques | 15 |
| K0850 | Knowledge of data carving tools and techniques | 2 |
| K0851 | Knowledge of reverse engineering principles and practices | 15 |
| K0852 | Knowledge of anti-forensics tools and techniques | 2 |
| K0853 | Knowledge of forensics lab design principles and practices | 2 |
| K0854 | Knowledge of forensics lab design systems and software | 2 |
| K0855 | Knowledge of debugging tools and techniques | 2 |
| K0856 | Knowledge of filename extension abuse | 2 |
| K0857 | Knowledge of malware analysis tools and techniques | 4 |
| K0858 | Knowledge of virtual machine detection tools and techniques | 6 |
| K0859 | Knowledge of encryption tools and techniques | 13 |
| K0870 | Knowledge of enterprise architecture (EA) reference models and frameworks | 20 |
| K0871 | Knowledge of enterprise architecture (EA) principles and practices | 20 |
| K0892 | Knowledge of cyber defense laws and regulations | 13 |
| K0914 | Knowledge of binary analysis tools and techniques | 3 |
| K0915 | Knowledge of network architecture principles and practices | 21 |
| K0916 | Knowledge of malware analysis principles and practices | 4 |
| K0923 | Knowledge of operating system structures and internals | 7 |
| K0939 | Knowledge of packet-level analysis tools and techniques | 3 |
| K0959 | Knowledge of operational design principles and practices | 1 |
| K0962 | Knowledge of targeting laws and regulations | 11 |
| K0963 | Knowledge of exploitation laws and regulations | 11 |
| K0977 | Knowledge of intelligence collection management tools and techniques | 1 |
| K0979 | Knowledge of information searching tools and techniques | 2 |
| K0980 | Knowledge of intelligence collection sources | 1 |
| K0983 | Knowledge of computer networking principles and practices | 39 |
| K1004 | Knowledge of reporting policies and procedures | 2 |
| K1014 | Knowledge of network security principles and practices | 40 |
| K1016 | Knowledge of code obfuscation tools and techniques | 2 |
| K1055 | Knowledge of digital forensics principles and practices | 3 |
| K1069 | Knowledge of virtual machine tools and technologies | 6 |
| K1079 | Knowledge of web application security risks | 13 |
| K1091 | Knowledge of media forensics | 2 |
| K1092 | Knowledge of digital forensics tools and techniques | 2 |
| K1115 | Knowledge of Chain of Custody (CoC) processes and procedures | 2 |
| K1147 | Knowledge of data integrity principles and practices | 3 |
| K1151 | Knowledge of digital evidence cataloging tools and techniques | 4 |
| K1152 | Knowledge of digital evidence extraction tools and techniques | 4 |
| K1153 | Knowledge of digital evidence handling principles and practices | 3 |
| K1154 | Knowledge of digital evidence packaging tools and techniques | 4 |
| K1155 | Knowledge of digital evidence preservation tools and techniques | 4 |
| K1163 | Knowledge of forensic image processing tools and techniques | 2 |
| K1175 | Knowledge of network monitoring tools and techniques | 2 |
| K1193 | Knowledge of packet analysis tools and techniques | 2 |
| Code | Description | Work Roles |
|---|---|---|
| S0156 | Skill in performing packet-level analysis | 4 |
| S0378 | Skill in decrypting information | 3 |
| S0472 | Skill in developing virtual machines | 6 |
| S0473 | Skill in maintaining virtual machines | 5 |
| S0474 | Skill in finding system files | 1 |
| S0475 | Skill in recognizing digital forensics data | 2 |
| S0476 | Skill in identifying filename extension abuse | 2 |
| S0491 | Skill in processing digital forensic data | 1 |
| S0499 | Skill in performing intelligence collection analysis | 2 |
| S0575 | Skill in developing network infrastructure contingency and recovery plans | 2 |
| S0576 | Skill in testing network infrastructure contingency and recovery plans | 2 |
| S0579 | Skill in preparing reports | 11 |
| S0589 | Skill in preserving digital evidence integrity | 4 |
| S0599 | Skill in performing memory dump analysis | 2 |
| S0603 | Skill in identifying forensics data in diverse media | 1 |
| S0604 | Skill in extracting forensics data in diverse media | 1 |
| S0605 | Skill in storing digital evidence | 2 |
| S0606 | Skill in manipulating operating system components | 3 |
| S0607 | Skill in collecting digital evidence | 4 |
| S0608 | Skill in processing digital evidence | 4 |
| S0609 | Skill in transporting digital evidence | 3 |
| S0611 | Skill in disassembling Personal Computers (PCs) | 1 |
| S0612 | Skill in performing digital forensics analysis | 3 |
| S0621 | Skill in performing binary analysis | 2 |
| S0622 | Skill in implementing one-way hash functions | 3 |
| S0623 | Skill in performing source code analysis | 2 |
| S0624 | Skill in performing volatile data analysis | 2 |
| S0625 | Skill in interpreting debugger results | 2 |
| S0651 | Skill in performing malware analysis | 6 |
| S0652 | Skill in performing bit-level analysis | 1 |
| S0653 | Skill in creating digital evidence copies | 1 |
| S0671 | Skill in implementing network infrastructure contingency and recovery plans | 2 |
| S0678 | Skill in administering operating systems | 2 |
| S0821 | Skill in collaborating with internal and external stakeholders | 9 |
| S0854 | Skill in performing data analysis | 8 |
| S0856 | Skill in performing digital evidence analysis | 3 |
| S0857 | Skill in performing dynamic analysis | 3 |
| S0860 | Skill in performing file system forensic analysis | 2 |
| S0866 | Skill in performing log file analysis | 6 |
| S0875 | Skill in performing network traffic packet analysis | 2 |
| S0882 | Skill in performing static analysis | 1 |
| S0884 | Skill in performing static malware analysis | 2 |