Digital Evidence Analysis
Responsible for identifying, collecting, examining, and preserving digital evidence using controlled and documented analytical and investigative techniques.
- T0167: Perform file signature analysis
- T0168: Perform data comparison against established database
- T0172: Perform real-time forensic analysis (e.g., using Helix in conjunction with LiveView)
- T0173: Perform timeline analysis
- T0179: Perform static media analysis
- T0182: Perform tier 1, 2, and 3 malware analysis
- T1064: Determine data specifications
- T1065: Determine data capacity requirements
- T1090: Determine best methods for identifying the perpetrator(s) of a network intrusion
- T1102: Identify intrusions
- T1103: Analyze intrusions
- T1104: Document what is known about intrusions
- T1120: Create forensically sound duplicates of evidence
- T1121: Decrypt seized data
- T1159: Create technical summary of findings reports
- T1175: Determine if digital media chain of custody processes meet Federal Rules of Evidence requirements
- T1191: Determine relevance of recovered data
- T1199: Identify digital evidence for analysis
- T1207: Collect documentary or physical evidence of cyber intrusion incidents, investigations, and operations
- T1253: Perform dynamic analysis on drives
- T1256: Perform forensically sound image collection
- T1282: Prepare digital media for imaging
- T1301: Report forensic artifacts indicative of a particular operating system
- T1322: Capture network traffic associated with malicious activities
- T1323: Analyze network traffic associated with malicious activities
- T1324: Process digital evidence
- T1325: Document digital evidence
- T1332: Produce incident findings reports
- T1370: Collect intrusion artifacts
- T1381: Scan digital media for viruses
- T1382: Mount a drive image
- T1383: Utilize deployable forensics toolkit
- T1486: Process forensic images
- T1516: Detect concealed data
- T1542: Document original condition of digital evidence
- T1607: Recover information from forensic data sources
- T2012: Check network connections
- T2013: Look for indicators of intrusions
- T2014: Identify devices and networks on scene
- T2015: Collect devices containing digital evidence
- T2016: Identify areas of compromise
- T2017: Acquire digital evidence
- T2018: Create a digital footprint of raw or physical data
- T2019: Process data into readable format
- T2020: Prepare data for ingestion into application systems
- T2021: Recover deleted or overwritten data files
- T2022: Create derivative evidence from findings report
- T2023: Serve as subject expert in training fact witnesses for testifying
- T2024: Present factual causality to support attribution of criminal activity
- T2025: Prepare technical materials for legal proceedings
- T2026: Serve as liaison to prosecutors
- T2027: Manage forensic laboratory accreditation processes
- K0636: Knowledge of decryption tools and techniques
- K0674: Knowledge of computer networking protocols
- K0675: Knowledge of risk management processes
- K0676: Knowledge of cybersecurity laws and regulations
- K0677: Knowledge of cybersecurity policies and procedures
- K0678: Knowledge of privacy laws and regulations
- K0679: Knowledge of privacy policies and procedures
- K0680: Knowledge of cybersecurity principles and practices
- K0681: Knowledge of privacy principles and practices
- K0682: Knowledge of cybersecurity threats
- K0683: Knowledge of cybersecurity vulnerabilities
- K0684: Knowledge of cybersecurity threat characteristics
- K0696: Knowledge of digital forensic data principles and practices
- K0697: Knowledge of encryption algorithm capabilities and applications
- K0701: Knowledge of data backup and recovery policies and procedures
- K0710: Knowledge of enterprise cybersecurity architecture principles and practices
- K0724: Knowledge of incident response principles and practices
- K0725: Knowledge of incident response tools and techniques
- K0726: Knowledge of incident handling tools and techniques
- K0744: Knowledge of operating system (OS) systems and software
- K0751: Knowledge of system threats
- K0752: Knowledge of system vulnerabilities
- K0759: Knowledge of client and server architecture
- K0760: Knowledge of server diagnostic tools and techniques
- K0770: Knowledge of system administration principles and practices
- K0778: Knowledge of enterprise information technology (IT) architecture principles and practices
- K0786: Knowledge of physical computer components
- K0787: Knowledge of computer peripherals
- K0791: Knowledge of defense-in-depth principles and practices
- K0793: Knowledge of file extensions
- K0794: Knowledge of file system implementation principles and practices
- K0795: Knowledge of digital evidence seizure policies and procedures
- K0796: Knowledge of digital evidence preservation policies and procedures
- K0797: Knowledge of ethical hacking tools and techniques
- K0800: Knowledge of evidence admissibility laws and regulations
- K0802: Knowledge of chain of custody policies and procedures
- K0804: Knowledge of persistent data principles and practices
- K0806: Knowledge of machine virtualization tools and techniques
- K0808: Knowledge of system file characteristics
- K0809: Knowledge of digital forensics data characteristics
- K0810: Knowledge of deployable forensics principles and practices
- K0812: Knowledge of digital communication systems and software
- K0837: Knowledge of hardening tools and techniques
- K0840: Knowledge of hardware reverse engineering tools and techniques
- K0842: Knowledge of software reverse engineering tools and techniques
- K0850: Knowledge of data carving tools and techniques
- K0851: Knowledge of reverse engineering principles and practices
- K0852: Knowledge of anti-forensics tools and techniques
- K0853: Knowledge of forensics lab design principles and practices
- K0854: Knowledge of forensics lab design systems and software
- K0855: Knowledge of debugging tools and techniques
- K0856: Knowledge of filename extension abuse
- K0857: Knowledge of malware analysis tools and techniques
- K0858: Knowledge of virtual machine detection tools and techniques
- K0859: Knowledge of encryption tools and techniques
- K0870: Knowledge of enterprise architecture (EA) reference models and frameworks
- K0871: Knowledge of enterprise architecture (EA) principles and practices
- K0892: Knowledge of cyber defense laws and regulations
- K0911: Knowledge of remote access tools and techniques
- K0914: Knowledge of binary analysis tools and techniques
- K0915: Knowledge of network architecture principles and practices
- K0916: Knowledge of malware analysis principles and practices
- K0923: Knowledge of operating system structures and internals
- K0941: Knowledge of data concealment tools and techniques
- K0947: Knowledge of computer engineering principles and practices
- K0962: Knowledge of targeting laws and regulations
- K0963: Knowledge of exploitation laws and regulations
- K0979: Knowledge of information searching tools and techniques
- K0983: Knowledge of computer networking principles and practices
- K1004: Knowledge of reporting policies and procedures
- K1014: Knowledge of network security principles and practices
- K1016: Knowledge of code obfuscation tools and techniques
- K1055: Knowledge of digital forensics principles and practices
- K1069: Knowledge of virtual machine tools and technologies
- K1079: Knowledge of web application security risks
- K1091: Knowledge of media forensics
- K1092: Knowledge of digital forensics tools and techniques
- K1115: Knowledge of Chain of Custody (CoC) processes and procedures
- K1145: Knowledge of data encryption practices and principles
- K1147: Knowledge of data integrity principles and practices
- K1151: Knowledge of digital evidence cataloging tools and techniques
- K1152: Knowledge of digital evidence extraction tools and techniques
- K1153: Knowledge of digital evidence handling principles and practices
- K1154: Knowledge of digital evidence packaging tools and techniques
- K1155: Knowledge of digital evidence preservation tools and techniques
- K1163: Knowledge of forensic image processing tools and techniques
- K1175: Knowledge of network monitoring tools and techniques
- K1220: Knowledge of steganography practices and principles
- K1280: Knowledge of approved data processing tools and techniques
- K1281: Knowledge of data types and characteristics
- K1282: Knowledge of predication requirements
- K1283: Knowledge of court exhibit processes
- K1284: Knowledge of testing and calibration in laboratory environment
- S0156: Skill in performing packet-level analysis
- S0378: Skill in decrypting information
- S0385: Skill in communicating complex concepts
- S0431: Skill in applying critical thinking
- S0472: Skill in developing virtual machines
- S0476: Skill in identifying filename extension abuse
- S0499: Skill in performing intelligence collection analysis
- S0589: Skill in preserving digital evidence integrity
- S0599: Skill in performing memory dump analysis
- S0605: Skill in storing digital evidence
- S0606: Skill in manipulating operating system components
- S0607: Skill in collecting digital evidence
- S0608: Skill in processing digital evidence
- S0612: Skill in performing digital forensics analysis
- S0622: Skill in implementing one-way hash functions
- S0623: Skill in performing source code analysis
- S0624: Skill in performing volatile data analysis
- S0625: Skill in interpreting debugger results
- S0651: Skill in performing malware analysis
- S0834: Skill in developing technical reports
- S0854: Skill in performing data analysis
- S0856: Skill in performing digital evidence analysis
- S0857: Skill in performing dynamic analysis
- S0860: Skill in performing file system forensic analysis
- S0866: Skill in performing log file analysis
- S0884: Skill in performing static malware analysis
- S0935: Skill in live acquisition
- S0936: Skill in deadbox acquisition
- S0937: Skill in inspecting data for ingestion
- S0938: Skill in interacting with live systems to identify active and historical networks
Source: Workforce Framework for Cybersecurity (NICE Framework) (NIST SP 800-181 Rev 1) (Version: 2.0.0)