Digital Forensics
Responsible for analyzing digital evidence from computer security incidents to derive useful information in support of system and network vulnerability mitigation.
- T0167: Perform file signature analysis
- T0168: Perform data comparison against established database
- T0172: Perform real-time forensic analysis (e.g., using Helix in conjunction with LiveView)
- T0173: Perform timeline analysis
- T0179: Perform static media analysis
- T0182: Perform tier 1, 2, and 3 malware analysis
- T0397: Perform Windows registry analysis
- T1020: Determine the operational and safety impacts of cybersecurity lapses
- T1051: Set up a forensic workstation
- T1084: Identify anomalous network activity
- T1090: Determine best methods for identifying the perpetrator(s) of a network intrusion
- T1102: Identify intrusions
- T1103: Analyze intrusions
- T1104: Document what is known about intrusions
- T1118: Identify vulnerabilities
- T1119: Recommend vulnerability remediation strategies
- T1120: Create forensically sound duplicates of evidence
- T1121: Decrypt seized data
- T1159: Create technical summary of findings reports
- T1175: Determine if digital media chain of custody processes meet Federal Rules of Evidence requirements
- T1191: Determine relevance of recovered data
- T1199: Identify digital evidence for analysis
- T1253: Perform dynamic analysis on drives
- T1260: Perform real-time cyber defense incident handling
- T1282: Prepare digital media for imaging
- T1301: Report forensic artifacts indicative of a particular operating system
- T1322: Capture network traffic associated with malicious activities
- T1323: Analyze network traffic associated with malicious activities
- T1324: Process digital evidence
- T1325: Document digital evidence
- T1370: Collect intrusion artifacts
- T1371: Mitigate potential cyber defense incidents
- T1372: Advise law enforcement personnel as technical expert
- T1381: Scan digital media for viruses
- T1382: Mount a drive image
- T1383: Utilize deployable forensics toolkit
- T1387: Validate intrusion detection system alerts
- T1407: Correlate threat assessment data
- T1486: Process forensic images
- T1487: Perform file and registry monitoring on running systems
- T1488: Enter digital media information into tracking databases
- T1489: Correlate incident data
- T1490: Prepare cyber defense toolkits
- T1510: Preserve digital evidence
- T1607: Recover information from forensic data sources
- T1617: Prepare cyber defense reports
- K0018: Knowledge of encryption algorithms
- K0635: Knowledge of decryption
- K0636: Knowledge of decryption tools and techniques
- K0637: Knowledge of data repositories
- K0674: Knowledge of computer networking protocols
- K0675: Knowledge of risk management processes
- K0676: Knowledge of cybersecurity laws and regulations
- K0677: Knowledge of cybersecurity policies and procedures
- K0678: Knowledge of privacy laws and regulations
- K0679: Knowledge of privacy policies and procedures
- K0680: Knowledge of cybersecurity principles and practices
- K0681: Knowledge of privacy principles and practices
- K0682: Knowledge of cybersecurity threats
- K0683: Knowledge of cybersecurity vulnerabilities
- K0684: Knowledge of cybersecurity threat characteristics
- K0696: Knowledge of digital forensic data principles and practices
- K0697: Knowledge of encryption algorithm capabilities and applications
- K0701: Knowledge of data backup and recovery policies and procedures
- K0710: Knowledge of enterprise cybersecurity architecture principles and practices
- K0724: Knowledge of incident response principles and practices
- K0725: Knowledge of incident response tools and techniques
- K0726: Knowledge of incident handling tools and techniques
- K0744: Knowledge of operating system (OS) systems and software
- K0751: Knowledge of system threats
- K0752: Knowledge of system vulnerabilities
- K0759: Knowledge of client and server architecture
- K0760: Knowledge of server diagnostic tools and techniques
- K0761: Knowledge of Fault Detection and Diagnostics (FDD) tools and techniques
- K0770: Knowledge of system administration principles and practices
- K0778: Knowledge of enterprise information technology (IT) architecture principles and practices
- K0786: Knowledge of physical computer components
- K0787: Knowledge of computer peripherals
- K0791: Knowledge of defense-in-depth principles and practices
- K0793: Knowledge of file extensions
- K0794: Knowledge of file system implementation principles and practices
- K0795: Knowledge of digital evidence seizure policies and procedures
- K0796: Knowledge of digital evidence preservation policies and procedures
- K0797: Knowledge of ethical hacking tools and techniques
- K0800: Knowledge of evidence admissibility laws and regulations
- K0802: Knowledge of chain of custody policies and procedures
- K0804: Knowledge of persistent data principles and practices
- K0806: Knowledge of machine virtualization tools and techniques
- K0807: Knowledge of web mail tools and techniques
- K0808: Knowledge of system file characteristics
- K0809: Knowledge of digital forensics data characteristics
- K0810: Knowledge of deployable forensics principles and practices
- K0812: Knowledge of digital communication systems and software
- K0817: Knowledge of event correlation tools and techniques
- K0837: Knowledge of hardening tools and techniques
- K0840: Knowledge of hardware reverse engineering tools and techniques
- K0842: Knowledge of software reverse engineering tools and techniques
- K0850: Knowledge of data carving tools and techniques
- K0851: Knowledge of reverse engineering principles and practices
- K0852: Knowledge of anti-forensics tools and techniques
- K0853: Knowledge of forensics lab design principles and practices
- K0854: Knowledge of forensics lab design systems and software
- K0855: Knowledge of debugging tools and techniques
- K0856: Knowledge of filename extension abuse
- K0857: Knowledge of malware analysis tools and techniques
- K0858: Knowledge of virtual machine detection tools and techniques
- K0859: Knowledge of encryption tools and techniques
- K0870: Knowledge of enterprise architecture (EA) reference models and frameworks
- K0871: Knowledge of enterprise architecture (EA) principles and practices
- K0892: Knowledge of cyber defense laws and regulations
- K0914: Knowledge of binary analysis tools and techniques
- K0915: Knowledge of network architecture principles and practices
- K0916: Knowledge of malware analysis principles and practices
- K0923: Knowledge of operating system structures and internals
- K0939: Knowledge of packet-level analysis tools and techniques
- K0959: Knowledge of operational design principles and practices
- K0962: Knowledge of targeting laws and regulations
- K0963: Knowledge of exploitation laws and regulations
- K0977: Knowledge of intelligence collection management tools and techniques
- K0979: Knowledge of information searching tools and techniques
- K0980: Knowledge of intelligence collection sources
- K0983: Knowledge of computer networking principles and practices
- K1004: Knowledge of reporting policies and procedures
- K1014: Knowledge of network security principles and practices
- K1016: Knowledge of code obfuscation tools and techniques
- K1055: Knowledge of digital forensics principles and practices
- K1069: Knowledge of virtual machine tools and technologies
- K1079: Knowledge of web application security risks
- K1091: Knowledge of media forensics
- K1092: Knowledge of digital forensics tools and techniques
- K1115: Knowledge of Chain of Custody (CoC) processes and procedures
- K1147: Knowledge of data integrity principles and practices
- K1151: Knowledge of digital evidence cataloging tools and techniques
- K1152: Knowledge of digital evidence extraction tools and techniques
- K1153: Knowledge of digital evidence handling principles and practices
- K1154: Knowledge of digital evidence packaging tools and techniques
- K1155: Knowledge of digital evidence preservation tools and techniques
- K1163: Knowledge of forensic image processing tools and techniques
- K1175: Knowledge of network monitoring tools and techniques
- K1193: Knowledge of packet analysis tools and techniques
- S0156: Skill in performing packet-level analysis
- S0378: Skill in decrypting information
- S0472: Skill in developing virtual machines
- S0473: Skill in maintaining virtual machines
- S0474: Skill in finding system files
- S0475: Skill in recognizing digital forensics data
- S0476: Skill in identifying filename extension abuse
- S0491: Skill in processing digital forensic data
- S0499: Skill in performing intelligence collection analysis
- S0575: Skill in developing network infrastructure contingency and recovery plans
- S0576: Skill in testing network infrastructure contingency and recovery plans
- S0589: Skill in preserving digital evidence integrity
- S0599: Skill in performing memory dump analysis
- S0603: Skill in identifying forensics data in diverse media
- S0604: Skill in extracting forensics data in diverse media
- S0605: Skill in storing digital evidence
- S0606: Skill in manipulating operating system components
- S0607: Skill in collecting digital evidence
- S0608: Skill in processing digital evidence
- S0609: Skill in transporting digital evidence
- S0611: Skill in disassembling Personal Computers (PCs)
- S0612: Skill in performing digital forensics analysis
- S0621: Skill in performing binary analysis
- S0622: Skill in implementing one-way hash functions
- S0623: Skill in performing source code analysis
- S0624: Skill in performing volatile data analysis
- S0625: Skill in interpreting debugger results
- S0651: Skill in performing malware analysis
- S0652: Skill in performing bit-level analysis
- S0653: Skill in creating digital evidence copies
- S0671: Skill in implementing network infrastructure contingency and recovery plans
- S0678: Skill in administering operating systems
- S0821: Skill in collaborating with internal and external stakeholders
- S0834: Skill in developing technical reports
- S0854: Skill in performing data analysis
- S0856: Skill in performing digital evidence analysis
- S0857: Skill in performing dynamic analysis
- S0860: Skill in performing file system forensic analysis
- S0866: Skill in performing log file analysis
- S0875: Skill in performing network traffic packet analysis
- S0882: Skill in performing static analysis
- S0884: Skill in performing static malware analysis
Source: Workforce Framework for Cybersecurity (NICE Framework) (NIST SP 800-181 Rev 1) (Version: 1.0.0)