Investigation
IN-WRL-001

Cybercrime Investigation

Responsible for investigating cyberspace intrusion incidents and crimes. Applies tactics, techniques, and procedures across the full range of investigative tools and processes, and weighs the benefits of prosecution against those of continued intelligence gathering when deciding how far to let an intrusion run before acting.

  • T0193: Process crime scenes
  • T1020: Determine the operational and safety impacts of cybersecurity lapses
  • T1090: Determine best methods for identifying the perpetrator(s) of a network intrusion
  • T1094: Conduct victim and witness interviews
  • T1095: Conduct suspect interrogations
  • T1137: Investigate suspicious activity and alleged digital crimes
  • T1187: Establish internal and external cross-team relationships
  • T1191: Determine relevance of recovered data
  • T1192: Conduct analysis of computer network attacks
  • T1196: Determine if security incidents are indicative of a violation of law that requires specific legal action
  • T1198: Identify data or intelligence of evidentiary value
  • T1199: Identify digital evidence for analysis
  • T1200: Identify elements of proof of cybersecurity crimes
  • T1207: Collect documentary or physical evidence of cyber intrusion incidents, investigations, and operations
  • T1241: Document cybersecurity incidents
  • T1242: Escalate incidents that may cause ongoing and immediate impact to the environment
  • T1324: Process digital evidence
  • T1325: Document digital evidence
  • T1439: Assess the behavior of individual victims, witnesses, or suspects during cybersecurity investigations
  • T1456: Determine the impact of threats on cybersecurity
  • T1457: Implement threat countermeasures
  • T1477: Advise trial counsel as technical expert
  • T1505: Analyze cybersecurity threats for counter intelligence or criminal activity
  • T1510: Preserve digital evidence
  • T1526: Identify responsible parties for intrusions and other crimes
  • T1542: Document original condition of digital evidence
  • T1551: Prosecute cybercrimes and fraud committed against people and property
  • T1600: Prepare investigative reports
  • T1639: Assess target vulnerabilities and operational capabilities
  • T1712: Recommend potential courses of action

  • K0674: Knowledge of computer networking protocols
  • K0675: Knowledge of risk management processes
  • K0676: Knowledge of cybersecurity laws and regulations
  • K0677: Knowledge of cybersecurity policies and procedures
  • K0678: Knowledge of privacy laws and regulations
  • K0679: Knowledge of privacy policies and procedures
  • K0680: Knowledge of cybersecurity principles and practices
  • K0681: Knowledge of privacy principles and practices
  • K0682: Knowledge of cybersecurity threats
  • K0683: Knowledge of cybersecurity vulnerabilities
  • K0684: Knowledge of cybersecurity threat characteristics
  • K0685: Knowledge of access control principles and practices
  • K0686: Knowledge of authentication and authorization tools and techniques
  • K0716: Knowledge of host access control (HAC) systems and software
  • K0717: Knowledge of network access control (NAC) systems and software
  • K0732: Knowledge of intrusion detection tools and techniques
  • K0744: Knowledge of operating system (OS) systems and software
  • K0751: Knowledge of system threats
  • K0752: Knowledge of system vulnerabilities
  • K0759: Knowledge of client and server architecture
  • K0770: Knowledge of system administration principles and practices
  • K0784: Knowledge of insider threat laws and regulations
  • K0785: Knowledge of insider threat tools and techniques
  • K0788: Knowledge of adversarial tactics principles and practices
  • K0789: Knowledge of adversarial tactics tools and techniques
  • K0790: Knowledge of adversarial tactics policies and procedures
  • K0795: Knowledge of digital evidence seizure policies and procedures
  • K0796: Knowledge of digital evidence preservation policies and procedures
  • K0800: Knowledge of evidence admissibility laws and regulations
  • K0802: Knowledge of chain of custody policies and procedures
  • K0804: Knowledge of persistent data principles and practices
  • K0833: Knowledge of cyberattack actor characteristics
  • K0837: Knowledge of hardening tools and techniques
  • K0884: Knowledge of covert communication tools and techniques
  • K0892: Knowledge of cyber defense laws and regulations
  • K0899: Knowledge of crisis management protocols
  • K0900: Knowledge of crisis management processes
  • K0901: Knowledge of crisis management tools and techniques
  • K0909: Knowledge of abnormal physical and physiological behaviors
  • K0923: Knowledge of operating system structures and internals
  • K0962: Knowledge of targeting laws and regulations
  • K0963: Knowledge of exploitation laws and regulations
  • K0969: Knowledge of cyber-attack tools and techniques
  • K0983: Knowledge of computer networking principles and practices
  • K1014: Knowledge of network security principles and practices
  • K1016: Knowledge of code obfuscation tools and techniques
  • K1079: Knowledge of web application security risks
  • K1115: Knowledge of Chain of Custody (CoC) processes and procedures
  • K1138: Knowledge of cybersecurity standards and best practices
  • K1139: Knowledge of cybersecurity threats and vulnerabilities
  • K1151: Knowledge of digital evidence cataloging tools and techniques
  • K1152: Knowledge of digital evidence extraction tools and techniques
  • K1153: Knowledge of digital evidence handling principles and practices
  • K1154: Knowledge of digital evidence packaging tools and techniques
  • K1155: Knowledge of digital evidence preservation tools and techniques

  • S0469: Skill in navigating the dark web
  • S0470: Skill in using the TOR network
  • S0471: Skill in examining digital media
  • S0477: Skill in identifying anomalous activity
  • S0509: Skill in evaluating security products
  • S0589: Skill in preserving digital evidence integrity
  • S0607: Skill in collecting digital evidence
  • S0608: Skill in processing digital evidence
  • S0609: Skill in transporting digital evidence
  • S0620: Skill in evaluating the trustworthiness of a supply chain
  • S0651: Skill in performing malware analysis
  • S0807: Skill in solving problems
  • S0848: Skill in performing behavioral analysis
  • S0854: Skill in performing data analysis
  • S0856: Skill in performing digital evidence analysis
  • S0863: Skill in performing incident analysis
  • S0866: Skill in performing log file analysis
  • S0890: Skill in performing threat analysis
  • S0896: Skill in recognizing behavioral patterns