IN-WRL-002

Digital Evidence Analysis

Responsible for identifying, collecting, examining, and preserving digital evidence using controlled and documented analytical and investigative techniques.

Task statements

T0167: Perform file signature analysis
T0168: Perform data comparison against established database
T0172: Perform real-time forensic analysis (e.g., using Helix in conjunction with LiveView)
T0173: Perform timeline analysis
T0179: Perform static media analysis
T0182: Perform tier 1, 2, and 3 malware analysis
T0193: Process crime scenes
T1020: Determine the operational and safety impacts of cybersecurity lapses
T1051: Set up a forensic workstation
T1090: Determine best methods for identifying the perpetrator(s) of a network intrusion
T1102: Identify intrusions
T1103: Analyze intrusions
T1104: Document what is known about intrusions
T1120: Create forensically sound duplicates of evidence
T1159: Create technical summary of findings reports
T1175: Determine if digital media chain or custody processes meet Federal Rules of Evidence requirements
T1191: Determine relevance of recovered data
T1199: Identify digital evidence for analysis
T1207: Collect documentary or physical evidence of cyber intrusion incidents, investigations, and operations
T1253: Perform dynamic analysis on drives
T1282: Prepare digital media for imaging
T1301: Report forensic artifacts indicative of a particular operating system
T1322: Capture network traffic associated with malicious activities
T1323: Analyze network traffic associated with malicious activities
T1324: Process digital evidence
T1325: Document digital evidence
T1332: Produce incident findings reports
T1333: Communicate incident findings to appropriate constituencies
T1370: Collect intrusion artifacts
T1371: Mitigate potential cyber defense incidents
T1381: Scan digital media for viruses
T1382: Mount a drive image
T1383: Utilize deployable forensics toolkit
T1486: Process forensic images
T1510: Preserve digital evidence
T1516: Detect concealed data
T1542: Document original condition of digital evidence
T1607: Recover information from forensic data sources

Knowledge statements

K0635: Knowledge of decryption
K0636: Knowledge of decryption tools and techniques
K0637: Knowledge of data repositories
K0674: Knowledge of computer networking protocols
K0675: Knowledge of risk management processes
K0676: Knowledge of cybersecurity laws and regulations
K0677: Knowledge of cybersecurity policies and procedures
K0678: Knowledge of privacy laws and regulations
K0679: Knowledge of privacy policies and procedures
K0680: Knowledge of cybersecurity principles and practices
K0681: Knowledge of privacy principles and practices
K0682: Knowledge of cybersecurity threats
K0683: Knowledge of cybersecurity vulnerabilities
K0684: Knowledge of cybersecurity threat characteristics
K0696: Knowledge of digital forensic data principles and practices
K0697: Knowledge of encryption algorithm capabilities and applications
K0701: Knowledge of data backup and recovery policies and procedures
K0710: Knowledge of enterprise cybersecurity architecture principles and practices
K0724: Knowledge of incident response principles and practices
K0725: Knowledge of incident response tools and techniques
K0726: Knowledge of incident handling tools and techniques
K0744: Knowledge of operating system (OS) systems and software
K0751: Knowledge of system threats
K0752: Knowledge of system vulnerabilities
K0759: Knowledge of client and server architecture
K0760: Knowledge of server diagnostic tools and techniques
K0761: Knowledge of Fault Detection and Diagnostics (FDD) tools and techniques
K0770: Knowledge of system administration principles and practices
K0778: Knowledge of enterprise information technology (IT) architecture principles and practices
K0784: Knowledge of insider threat laws and regulations
K0785: Knowledge of insider threat tools and techniques
K0786: Knowledge of physical computer components
K0787: Knowledge of computer peripherals
K0791: Knowledge of defense-in-depth principles and practices
K0793: Knowledge of file extensions
K0794: Knowledge of file system implementation principles and practices
K0795: Knowledge of digital evidence seizure policies and procedures
K0796: Knowledge of digital evidence preservation policies and procedures
K0797: Knowledge of ethical hacking tools and techniques
K0800: Knowledge of evidence admissibility laws and regulations
K0802: Knowledge of chain of custody policies and procedures
K0804: Knowledge of persistent data principles and practices
K0806: Knowledge of machine virtualization tools and techniques
K0807: Knowledge of web mail tools and techniques
K0808: Knowledge of system file characteristics
K0809: Knowledge of digital forensics data characteristics
K0810: Knowledge of deployable forensics principles and practices
K0812: Knowledge of digital communication systems and software
K0817: Knowledge of event correlation tools and techniques
K0837: Knowledge of hardening tools and techniques
K0840: Knowledge of hardware reverse engineering tools and techniques
K0842: Knowledge of software reverse engineering tools and techniques
K0850: Knowledge of data carving tools and techniques
K0851: Knowledge of reverse engineering principles and practices
K0852: Knowledge of anti-forensics tools and techniques
K0853: Knowledge of forensics lab design principles and practices
K0854: Knowledge of forensics lab design systems and software
K0855: Knowledge of debugging tools and techniques
K0856: Knowledge of filename extension abuse
K0857: Knowledge of malware analysis tools and techniques
K0858: Knowledge of virtual machine detection tools and techniques
K0859: Knowledge of encryption tools and techniques
K0870: Knowledge of enterprise architecture (EA) reference models and frameworks
K0871: Knowledge of enterprise architecture (EA) principles and practices
K0892: Knowledge of cyber defense laws and regulations
K0914: Knowledge of binary analysis tools and techniques
K0915: Knowledge of network architecture principles and practices
K0916: Knowledge of malware analysis principles and practices
K0923: Knowledge of operating system structures and internals
K0941: Knowledge of data concealment tools and techniques
K0962: Knowledge of targeting laws and regulations
K0963: Knowledge of exploitation laws and regulations
K0977: Knowledge of intelligence collection management tools and techniques
K0979: Knowledge of information searching tools and techniques
K0980: Knowledge of intelligence collection sources
K0983: Knowledge of computer networking principles and practices
K1004: Knowledge of reporting policies and procedures
K1014: Knowledge of network security principles and practices
K1016: Knowledge of code obfuscation tools and techniques
K1055: Knowledge of digital forensics principles and practices
K1069: Knowledge of virtual machine tools and technologies
K1079: Knowledge of web application security risks
K1091: Knowledge of media forensics
K1092: Knowledge of digital forensics tools and techniques
K1115: Knowledge of Chain of Custody (CoC) processes and procedures
K1145: Knowledge of data encryption practices and principles
K1147: Knowledge of data integrity principles and practices
K1151: Knowledge of digital evidence cataloging tools and techniques
K1152: Knowledge of digital evidence extraction tools and techniques
K1153: Knowledge of digital evidence handling principles and practices
K1154: Knowledge of digital evidence packaging tools and techniques
K1155: Knowledge of digital evidence preservation tools and techniques
K1163: Knowledge of forensic image processing tools and techniques
K1175: Knowledge of network monitoring tools and techniques
K1220: Knowledge of steganography practices and principles

Skill statements

S0156: Skill in performing packet-level analysis
S0378: Skill in decrypting information
S0471: Skill in examining digital media
S0472: Skill in developing virtual machines
S0473: Skill in maintaining virtual machines
S0474: Skill in finding system files
S0475: Skill in recognizing digital forensics data
S0476: Skill in identifying filename extension abuse
S0499: Skill in performing intelligence collection analysis
S0575: Skill in developing network infrastructure contingency and recovery plans
S0576: Skill in testing network infrastructure contingency and recovery plans
S0589: Skill in preserving digital evidence integrity
S0599: Skill in performing memory dump analysis
S0603: Skill in identifying forensics data in diverse media
S0604: Skill in extracting forensics data in diverse media
S0605: Skill in storing digital evidence
S0606: Skill in manipulating operating system components
S0607: Skill in collecting digital evidence
S0608: Skill in processing digital evidence
S0609: Skill in transporting digital evidence
S0611: Skill in disassembling Personal Computers (PCs)
S0612: Skill in performing digital forensics analysis
S0621: Skill in performing binary analysis
S0622: Skill in implementing one-way hash functions
S0623: Skill in performing source code analysis
S0624: Skill in performing volatile data analysis
S0625: Skill in interpreting debugger results
S0651: Skill in performing malware analysis
S0671: Skill in implementing network infrastructure contingency and recovery plans
S0678: Skill in administering operating systems
S0834: Skill in developing technical reports
S0854: Skill in performing data analysis
S0856: Skill in performing digital evidence analysis
S0857: Skill in performing dynamic analysis
S0860: Skill in performing file system forensic analysis
S0866: Skill in performing log file analysis
S0882: Skill in performing static analysis
S0884: Skill in performing static malware analysis

Source: Workforce Framework for Cybersecurity (NICE Framework) (NIST SP 800-181 Rev 1) (Version: 1.0.0)