Attention: CISA Learning is now available! If you are an EXTERNAL (non-CISA) user access the new system using this url: CISA Learning. The Federal Virtual Training Environment (FedVTE) has been permanently decommissioned and replaced by CISA Learning. Please reference the CISA Learning page for the latest information. Please note: CISA Users (staff and contractors) should access CISA Learning through the internal site. You should have received an email on December 4, 2024, titled “CISA Learning is LIVE!” with more information.

IN-WRL-001

Cybercrime Investigation

Responsible for investigating cyberspace intrusion incidents and crimes. Applies tactics, techniques, and procedures for a full range of investigative tools and processes and appropriately balances the benefits of prosecution versus intelligence gathering.

Task statements

T0193: Process crime scenes
T1020: Determine the operational and safety impacts of cybersecurity lapses
T1090: Determine best methods for identifying the perpetrator(s) of a network intrusion
T1094: Conduct victim and witness interviews
T1095: Conduct suspect interrogations
T1137: Investigate suspicious activity and alleged digital crimes
T1187: Establish internal and external cross-team relationships
T1191: Determine relevance of recovered data
T1192: Conduct analysis of computer network attacks
T1196: Determine if security incidents are indicative of a violation of law that requires specific legal action
T1198: Identify data or intelligence of evidentiary value
T1199: Identify digital evidence for analysis
T1200: Identify elements of proof of cybersecurity crimes
T1207: Collect documentary or physical evidence of cyber intrusion incidents, investigations, and operations
T1241: Document cybersecurity incidents
T1242: Escalate incidents that may cause ongoing and immediate impact to the environment
T1324: Process digital evidence
T1325: Document digital evidence
T1439: Assess the behavior of individual victims, witnesses, or suspects during cybersecurity investigations
T1456: Determine the impact of threats on cybersecurity
T1457: Implement threat countermeasures
T1477: Advise trial counsel as technical expert
T1505: Analyze cybersecurity threats for counter intelligence or criminal activity
T1510: Preserve digital evidence
T1526: Identify responsible parties for intrusions and other crimes
T1542: Document original condition of digital evidence
T1551: Prosecute cybercrimes and fraud committed against people and property
T1600: Prepare investigative reports
T1639: Assess target vulnerabilities and operational capabilities
T1712: Recommend potential courses of action

Knowledge statements

K0674: Knowledge of computer networking protocols
K0675: Knowledge of risk management processes
K0676: Knowledge of cybersecurity laws and regulations
K0677: Knowledge of cybersecurity policies and procedures
K0678: Knowledge of privacy laws and regulations
K0679: Knowledge of privacy policies and procedures
K0680: Knowledge of cybersecurity principles and practices
K0681: Knowledge of privacy principles and practices
K0682: Knowledge of cybersecurity threats
K0683: Knowledge of cybersecurity vulnerabilities
K0684: Knowledge of cybersecurity threat characteristics
K0685: Knowledge of access control principles and practices
K0686: Knowledge of authentication and authorization tools and techniques
K0716: Knowledge of host access control (HAC) systems and software
K0717: Knowledge of network access control (NAC) systems and software
K0732: Knowledge of intrusion detection tools and techniques
K0744: Knowledge of operating system (OS) systems and software
K0751: Knowledge of system threats
K0752: Knowledge of system vulnerabilities
K0759: Knowledge of client and server architecture
K0770: Knowledge of system administration principles and practices
K0784: Knowledge of insider threat laws and regulations
K0785: Knowledge of insider threat tools and techniques
K0788: Knowledge of adversarial tactics principles and practices
K0789: Knowledge of adversarial tactics tools and techniques
K0790: Knowledge of adversarial tactics policies and procedures
K0795: Knowledge of digital evidence seizure policies and procedures
K0796: Knowledge of digital evidence preservation policies and procedures
K0800: Knowledge of evidence admissibility laws and regulations
K0802: Knowledge of chain of custody policies and procedures
K0804: Knowledge of persistent data principles and practices
K0833: Knowledge of cyberattack actor characteristics
K0837: Knowledge of hardening tools and techniques
K0884: Knowledge of covert communication tools and techniques
K0892: Knowledge of cyber defense laws and regulations
K0899: Knowledge of crisis management protocols
K0900: Knowledge of crisis management processes
K0901: Knowledge of crisis management tools and techniques
K0909: Knowledge of abnormal physical and physiological behaviors
K0923: Knowledge of operating system structures and internals
K0962: Knowledge of targeting laws and regulations
K0963: Knowledge of exploitation laws and regulations
K0969: Knowledge of cyber-attack tools and techniques
K0983: Knowledge of computer networking principles and practices
K1014: Knowledge of network security principles and practices
K1016: Knowledge of code obfuscation tools and techniques
K1079: Knowledge of web application security risks
K1115: Knowledge of Chain of Custody (CoC) processes and procedures
K1138: Knowledge of cybersecurity standards and best practices
K1139: Knowledge of cybersecurity threats and vulnerabilities
K1151: Knowledge of digital evidence cataloging tools and techniques
K1152: Knowledge of digital evidence extraction tools and techniques
K1153: Knowledge of digital evidence handling principles and practices
K1154: Knowledge of digital evidence packaging tools and techniques
K1155: Knowledge of digital evidence preservation tools and techniques

Skill statements

S0469: Skill in navigating the dark web
S0470: Skill in using the TOR network
S0471: Skill in examining digital media
S0477: Skill in identifying anomalous activity
S0509: Skill in evaluating security products
S0589: Skill in preserving digital evidence integrity
S0607: Skill in collecting digital evidence
S0608: Skill in processing digital evidence
S0609: Skill in transporting digital evidence
S0620: Skill in evaluating the trustworthiness of a supply chain
S0651: Skill in performing malware analysis
S0807: Skill in solving problems
S0848: Skill in performing behavioral analysis
S0854: Skill in performing data analysis
S0856: Skill in performing digital evidence analysis
S0863: Skill in performing incident analysis
S0866: Skill in performing log file analysis
S0890: Skill in performing threat analysis
S0896: Skill in recognizing behavioral patterns

Source: Workforce Framework for Cybersecurity (NICE Framework) (NIST SP 800-181 Rev 1) (Version: 1.0.0)