Cybercrime Investigation [NICE Framework Work Role]

T0193: Process crime scenes
T1020: Determine the operational and safety impacts of cybersecurity lapses
T1090: Determine best methods for identifying the perpetrator(s) of a network intrusion
T1094: Conduct victim and witness interviews
T1095: Conduct suspect interrogations
T1137: Investigate suspicious activity and alleged digital crimes
T1187: Establish internal and external cross-team relationships
T1191: Determine relevance of recovered data
T1192: Conduct analysis of computer network attacks
T1196: Determine if security incidents are indicative of a violation of law that requires specific legal action
T1198: Identify data or intelligence of evidentiary value
T1199: Identify digital evidence for analysis
T1200: Identify elements of proof of cybersecurity crimes
T1207: Collect documentary or physical evidence of cyber intrusion incidents, investigations, and operations
T1241: Document cybersecurity incidents
T1242: Escalate incidents that may cause ongoing and immediate impact to the environment
T1324: Process digital evidence
T1325: Document digital evidence
T1439: Assess the behavior of individual victims, witnesses, or suspects during cybersecurity investigations
T1456: Determine the impact of threats on cybersecurity
T1457: Implement threat countermeasures
T1477: Advise trial counsel as technical expert
T1505: Analyze cybersecurity threats for counter intelligence or criminal activity
T1510: Preserve digital evidence
T1526: Identify responsible parties for intrusions and other crimes
T1542: Document original condition of digital evidence
T1551: Prosecute cybercrimes and fraud committed against people and property
T1600: Prepare investigative reports
T1639: Assess target vulnerabilities and operational capabilities
T1712: Recommend potential courses of action

K0674: Knowledge of computer networking protocols
K0675: Knowledge of risk management processes
K0676: Knowledge of cybersecurity laws and regulations
K0677: Knowledge of cybersecurity policies and procedures
K0678: Knowledge of privacy laws and regulations
K0679: Knowledge of privacy policies and procedures
K0680: Knowledge of cybersecurity principles and practices
K0681: Knowledge of privacy principles and practices
K0682: Knowledge of cybersecurity threats
K0683: Knowledge of cybersecurity vulnerabilities
K0684: Knowledge of cybersecurity threat characteristics
K0685: Knowledge of access control principles and practices
K0686: Knowledge of authentication and authorization tools and techniques
K0716: Knowledge of host access control (HAC) systems and software
K0717: Knowledge of network access control (NAC) systems and software
K0732: Knowledge of intrusion detection tools and techniques
K0744: Knowledge of operating system (OS) systems and software
K0751: Knowledge of system threats
K0752: Knowledge of system vulnerabilities
K0759: Knowledge of client and server architecture
K0770: Knowledge of system administration principles and practices
K0784: Knowledge of insider threat laws and regulations
K0785: Knowledge of insider threat tools and techniques
K0788: Knowledge of adversarial tactics principles and practices
K0789: Knowledge of adversarial tactics tools and techniques
K0790: Knowledge of adversarial tactics policies and procedures
K0795: Knowledge of digital evidence seizure policies and procedures
K0796: Knowledge of digital evidence preservation policies and procedures
K0800: Knowledge of evidence admissibility laws and regulations
K0802: Knowledge of chain of custody policies and procedures
K0804: Knowledge of persistent data principles and practices
K0833: Knowledge of cyberattack actor characteristics
K0837: Knowledge of hardening tools and techniques
K0884: Knowledge of covert communication tools and techniques
K0892: Knowledge of cyber defense laws and regulations
K0899: Knowledge of crisis management protocols
K0900: Knowledge of crisis management processes
K0901: Knowledge of crisis management tools and techniques
K0909: Knowledge of abnormal physical and physiological behaviors
K0923: Knowledge of operating system structures and internals
K0962: Knowledge of targeting laws and regulations
K0963: Knowledge of exploitation laws and regulations
K0969: Knowledge of cyber-attack tools and techniques
K0983: Knowledge of computer networking principles and practices
K1014: Knowledge of network security principles and practices
K1016: Knowledge of code obfuscation tools and techniques
K1079: Knowledge of web application security risks
K1115: Knowledge of Chain of Custody (CoC) processes and procedures
K1138: Knowledge of cybersecurity standards and best practices
K1139: Knowledge of cybersecurity threats and vulnerabilities
K1151: Knowledge of digital evidence cataloging tools and techniques
K1152: Knowledge of digital evidence extraction tools and techniques
K1153: Knowledge of digital evidence handling principles and practices
K1154: Knowledge of digital evidence packaging tools and techniques
K1155: Knowledge of digital evidence preservation tools and techniques

S0469: Skill in navigating the dark web
S0470: Skill in using the TOR network
S0471: Skill in examining digital media
S0477: Skill in identifying anomalous activity
S0509: Skill in evaluating security products
S0589: Skill in preserving digital evidence integrity
S0607: Skill in collecting digital evidence
S0608: Skill in processing digital evidence
S0609: Skill in transporting digital evidence
S0620: Skill in evaluating the trustworthiness of a supply chain
S0651: Skill in performing malware analysis
S0807: Skill in solving problems
S0848: Skill in performing behavioral analysis
S0854: Skill in performing data analysis
S0856: Skill in performing digital evidence analysis
S0863: Skill in performing incident analysis
S0866: Skill in performing log file analysis
S0890: Skill in performing threat analysis
S0896: Skill in recognizing behavioral patterns

Cybercrime Investigation

Task statements

Knowledge statements

Skill statements