Investigation
IN-WRL-002

Digital Evidence Analysis

Responsible for identifying, collecting, examining, and preserving digital evidence using controlled and documented analytical and investigative techniques.

  • T0167: Perform file signature analysis
  • T0168: Perform data comparison against established database
  • T0172: Perform real-time forensic analysis (e.g., using Helix in conjunction with LiveView)
  • T0173: Perform timeline analysis
  • T0179: Perform static media analysis
  • T0182: Perform tier 1, 2, and 3 malware analysis
  • T1064: Determine data specifications
  • T1065: Determine data capacity requirements
  • T1090: Determine best methods for identifying the perpetrator(s) of a network intrusion
  • T1102: Identify intrusions
  • T1103: Analyze intrusions
  • T1104: Document what is known about intrusions
  • T1120: Create forensically sound duplicates of evidence
  • T1121: Decrypt seized data
  • T1159: Create technical summary of findings reports
  • T1175: Determine if digital media chain of custody processes meet Federal Rules of Evidence requirements
  • T1191: Determine relevance of recovered data
  • T1199: Identify digital evidence for analysis
  • T1207: Collect documentary or physical evidence of cyber intrusion incidents, investigations, and operations
  • T1253: Perform dynamic analysis on drives
  • T1256: Perform forensically sound image collection
  • T1282: Prepare digital media for imaging
  • T1301: Report forensic artifacts indicative of a particular operating system
  • T1322: Capture network traffic associated with malicious activities
  • T1323: Analyze network traffic associated with malicious activities
  • T1324: Process digital evidence
  • T1325: Document digital evidence
  • T1332: Produce incident findings reports
  • T1370: Collect intrusion artifacts
  • T1381: Scan digital media for viruses
  • T1382: Mount a drive image
  • T1383: Utilize deployable forensics toolkit
  • T1486: Process forensic images
  • T1516: Detect concealed data
  • T1542: Document original condition of digital evidence
  • T1607: Recover information from forensic data sources
  • T2012: Check network connections
  • T2013: Look for indicators of intrusions
  • T2014: Identify devices and networks on scene
  • T2015: Collect devices containing digital evidence
  • T2016: Identify areas of compromise
  • T2017: Acquire digital evidence
  • T2018: Create a digital footprint of raw or physical data
  • T2019: Process data into readable format
  • T2020: Prepare data for ingestion into application systems
  • T2021: Recover deleted or overwritten data files
  • T2022: Create derivative evidence from findings report
  • T2023: Serve as subject expert in training fact witnesses for testifying
  • T2024: Present factual causality to support attribution of criminal activity
  • T2025: Prepare technical materials for legal proceedings
  • T2026: Serve as liaison to prosecutors
  • T2027: Manage forensic laboratory accreditation processes