IN-WRL-002

Digital Evidence Analysis

Responsible for identifying, collecting, examining, and preserving digital evidence using controlled and documented analytical and investigative techniques.

Task statements

T0167: Perform file signature analysis
T0168: Perform data comparison against established database
T0172: Perform real-time forensic analysis (e.g., using Helix in conjunction with LiveView)
T0173: Perform timeline analysis
T0179: Perform static media analysis
T0182: Perform tier 1, 2, and 3 malware analysis
T1064: Determine data specifications
T1065: Determine data capacity requirements
T1090: Determine best methods for identifying the perpetrator(s) of a network intrusion
T1102: Identify intrusions
T1103: Analyze intrusions
T1104: Document what is known about intrusions
T1120: Create forensically sound duplicates of evidence
T1121: Decrypt seized data
T1159: Create technical summary of findings reports
T1175: Determine if digital media chain or custody processes meet Federal Rules of Evidence requirements
T1191: Determine relevance of recovered data
T1199: Identify digital evidence for analysis
T1207: Collect documentary or physical evidence of cyber intrusion incidents, investigations, and operations
T1253: Perform dynamic analysis on drives
T1256: Perform forensically sound image collection
T1282: Prepare digital media for imaging
T1301: Report forensic artifacts indicative of a particular operating system
T1322: Capture network traffic associated with malicious activities
T1323: Analyze network traffic associated with malicious activities
T1324: Process digital evidence
T1325: Document digital evidence
T1332: Produce incident findings reports
T1370: Collect intrusion artifacts
T1381: Scan digital media for viruses
T1382: Mount a drive image
T1383: Utilize deployable forensics toolkit
T1486: Process forensic images
T1516: Detect concealed data
T1542: Document original condition of digital evidence
T1607: Recover information from forensic data sources
T2012: Check network connections
T2013: Look for indicators of intrusions
T2014: Identify devices and networks on scene
T2015: Collect devices containing digital evidence
T2016: Identify areas of compromise
T2017: Acquire digital evidence
T2018: Create a digital footprint of raw or physical data
T2019: Process data into readable format
T2020: Prepare data for ingestion into application systems
T2021: Recover deleted or overwritten data files
T2022: Create derivative evidence from findings report
T2023: Serve as subject expert in training fact witnesses for testifying
T2024: Present factual causality to support attribution of criminal activity
T2025: Prepare technical materials for legal proceedings
T2026: Serve as liaison to prosecutors
T2027: Manage forensic laboratory accreditation processes

Knowledge statements

K0636: Knowledge of decryption tools and techniques
K0674: Knowledge of computer networking protocols
K0675: Knowledge of risk management processes
K0676: Knowledge of cybersecurity laws and regulations
K0677: Knowledge of cybersecurity policies and procedures
K0678: Knowledge of privacy laws and regulations
K0679: Knowledge of privacy policies and procedures
K0680: Knowledge of cybersecurity principles and practices
K0681: Knowledge of privacy principles and practices
K0682: Knowledge of cybersecurity threats
K0683: Knowledge of cybersecurity vulnerabilities
K0684: Knowledge of cybersecurity threat characteristics
K0696: Knowledge of digital forensic data principles and practices
K0697: Knowledge of encryption algorithm capabilities and applications
K0701: Knowledge of data backup and recovery policies and procedures
K0710: Knowledge of enterprise cybersecurity architecture principles and practices
K0724: Knowledge of incident response principles and practices
K0725: Knowledge of incident response tools and techniques
K0726: Knowledge of incident handling tools and techniques
K0744: Knowledge of operating system (OS) systems and software
K0751: Knowledge of system threats
K0752: Knowledge of system vulnerabilities
K0759: Knowledge of client and server architecture
K0760: Knowledge of server diagnostic tools and techniques
K0770: Knowledge of system administration principles and practices
K0778: Knowledge of enterprise information technology (IT) architecture principles and practices
K0786: Knowledge of physical computer components
K0787: Knowledge of computer peripherals
K0791: Knowledge of defense-in-depth principles and practices
K0793: Knowledge of file extensions
K0794: Knowledge of file system implementation principles and practices
K0795: Knowledge of digital evidence seizure policies and procedures
K0796: Knowledge of digital evidence preservation policies and procedures
K0797: Knowledge of ethical hacking tools and techniques
K0800: Knowledge of evidence admissibility laws and regulations
K0802: Knowledge of chain of custody policies and procedures
K0804: Knowledge of persistent data principles and practices
K0806: Knowledge of machine virtualization tools and techniques
K0808: Knowledge of system file characteristics
K0809: Knowledge of digital forensics data characteristics
K0810: Knowledge of deployable forensics principles and practices
K0812: Knowledge of digital communication systems and software
K0837: Knowledge of hardening tools and techniques
K0840: Knowledge of hardware reverse engineering tools and techniques
K0842: Knowledge of software reverse engineering tools and techniques
K0850: Knowledge of data carving tools and techniques
K0851: Knowledge of reverse engineering principles and practices
K0852: Knowledge of anti-forensics tools and techniques
K0853: Knowledge of forensics lab design principles and practices
K0854: Knowledge of forensics lab design systems and software
K0855: Knowledge of debugging tools and techniques
K0856: Knowledge of filename extension abuse
K0857: Knowledge of malware analysis tools and techniques
K0858: Knowledge of virtual machine detection tools and techniques
K0859: Knowledge of encryption tools and techniques
K0870: Knowledge of enterprise architecture (EA) reference models and frameworks
K0871: Knowledge of enterprise architecture (EA) principles and practices
K0892: Knowledge of cyber defense laws and regulations
K0911: Knowledge of remote access tools and techniques
K0914: Knowledge of binary analysis tools and techniques
K0915: Knowledge of network architecture principles and practices
K0916: Knowledge of malware analysis principles and practices
K0923: Knowledge of operating system structures and internals
K0941: Knowledge of data concealment tools and techniques
K0947: Knowledge of computer engineering principles and practices
K0962: Knowledge of targeting laws and regulations
K0963: Knowledge of exploitation laws and regulations
K0979: Knowledge of information searching tools and techniques
K0983: Knowledge of computer networking principles and practices
K1004: Knowledge of reporting policies and procedures
K1014: Knowledge of network security principles and practices
K1016: Knowledge of code obfuscation tools and techniques
K1055: Knowledge of digital forensics principles and practices
K1069: Knowledge of virtual machine tools and technologies
K1079: Knowledge of web application security risks
K1091: Knowledge of media forensics
K1092: Knowledge of digital forensics tools and techniques
K1115: Knowledge of Chain of Custody (CoC) processes and procedures
K1145: Knowledge of data encryption practices and principles
K1147: Knowledge of data integrity principles and practices
K1151: Knowledge of digital evidence cataloging tools and techniques
K1152: Knowledge of digital evidence extraction tools and techniques
K1153: Knowledge of digital evidence handling principles and practices
K1154: Knowledge of digital evidence packaging tools and techniques
K1155: Knowledge of digital evidence preservation tools and techniques
K1163: Knowledge of forensic image processing tools and techniques
K1175: Knowledge of network monitoring tools and techniques
K1220: Knowledge of steganography practices and principles
K1280: Knowledge of approved data processing tools and techniques
K1281: Knowledge of data types and characteristics
K1282: Knowledge of predication requirements
K1283: Knowledge of court exhibit processes
K1284: Knowledge of testing and calibration in laboratory environment

Skill statements

S0156: Skill in performing packet-level analysis
S0378: Skill in decrypting information
S0385: Skill in communicating complex concepts
S0431: Skill in applying critical thinking
S0472: Skill in developing virtual machines
S0476: Skill in identifying filename extension abuse
S0499: Skill in performing intelligence collection analysis
S0589: Skill in preserving digital evidence integrity
S0599: Skill in performing memory dump analysis
S0605: Skill in storing digital evidence
S0606: Skill in manipulating operating system components
S0607: Skill in collecting digital evidence
S0608: Skill in processing digital evidence
S0612: Skill in performing digital forensics analysis
S0622: Skill in implementing one-way hash functions
S0623: Skill in performing source code analysis
S0624: Skill in performing volatile data analysis
S0625: Skill in interpreting debugger results
S0651: Skill in performing malware analysis
S0834: Skill in developing technical reports
S0854: Skill in performing data analysis
S0856: Skill in performing digital evidence analysis
S0857: Skill in performing dynamic analysis
S0860: Skill in performing file system forensic analysis
S0866: Skill in performing log file analysis
S0884: Skill in performing static malware analysis
S0935: Skill in live acquisition
S0936: Skill in deadbox acquisition
S0937: Skill in inspecting data for ingestion
S0938: Skill in interacting with live systems to identify active and historical networks

Source: Workforce Framework for Cybersecurity (NICE Framework) (NIST SP 800-181 Rev 1) (Version: 2.0.0)