Cyber Crime Investigator

Identifies, collects, examines, and preserves evidence using controlled and documented analytical and investigative techniques.

Below are the Knowledge, Skills, Abilities and Tasks identified as being required to perform this work role.

Knowledge

Knowledge of computer networking concepts and protocols, and network security methodologies.
Knowledge of risk management processes (e.g., methods for assessing and mitigating risk).
K0003: Knowledge of laws, regulations, policies, and ethics as they relate to cybersecurity and privacy.
K0004: Knowledge of cybersecurity and privacy principles.
K0005: Knowledge of cyber threats and vulnerabilities.
K0006: Knowledge of specific operational impacts of cybersecurity lapses.
K0046: Knowledge of intrusion detection methodologies and techniques for detecting host- and network-based intrusions.
K0070: Knowledge of system and application security threats and vulnerabilities (e.g., buffer overflow, mobile code, cross-site scripting, Procedural Language/Structured Query Language [PL/SQL] and injections, race conditions, covert channel, replay, return-oriented attacks, malicious code).
K0107: Knowledge of Insider Threat investigations, reporting, investigative tools, and laws/regulations.
K0110: Knowledge of adversarial tactics, techniques, and procedures.
K0114: Knowledge of electronic devices (e.g., computer systems/components, access control devices, digital cameras, digital scanners, electronic organizers, hard drives, memory cards, modems, network components, networked appliances, networked home control devices, printers, removable storage devices, telephones, copiers, facsimile machines, etc.).
K0118: Knowledge of processes for seizing and preserving digital evidence.
K0123: Knowledge of legal governance related to admissibility (e.g., Rules of Evidence).
K0125: Knowledge of processes for collecting, packaging, transporting, and storing electronic evidence while maintaining chain of custody.
K0128: Knowledge of types and collection of persistent data.
K0144: Knowledge of social dynamics of computer attackers in a global context.
K0155: Knowledge of electronic evidence law.
K0156: Knowledge of legal rules of evidence and court procedure.
K0168: Knowledge of applicable laws, statutes (e.g., in Titles 10, 18, 32, 50 in U.S. Code), Presidential Directives, executive branch guidelines, and/or administrative/criminal legal guidelines and procedures.
K0209: Knowledge of covert communication techniques.
K0231: Knowledge of crisis management protocols, processes, and techniques.
K0244: Knowledge of physical and physiological behaviors that may indicate suspicious or abnormal activity.
K0251: Knowledge of the judicial process, including the presentation of facts and evidence.
K0351: Knowledge of applicable statutes, laws, regulations, and policies governing cyber targeting and exploitation.
K0624: Knowledge of Application Security Risks (e.g., Open Web Application Security Project Top 10 list).

Skills

S0047: Skill in preserving evidence integrity according to standard operating procedures or national standards.
S0068: Skill in collecting, processing, packaging, transporting, and storing electronic evidence to avoid alteration, loss, physical damage, or destruction of data.
S0072: Skill in using scientific rules and methods to solve problems.
S0086: Skill in evaluating the trustworthiness of the supplier and/or product.

Abilities

A0174: Ability to find and navigate the dark web using the TOR network to locate markets and forums.
A0175: Ability to examine digital media on multiple operating system platforms.

Tasks

T0031: Conduct interviews of victims and witnesses, and conduct interviews or interrogations of suspects.
T0059: Develop a plan to investigate alleged crime, violation, or suspicious activity utilizing computers and the Internet.
T0096: Establish relationships, if applicable, between the incident response team and other groups, both internal (e.g., legal department) and external (e.g., law enforcement agencies, vendors, public relations professionals).
T0103: Examine recovered data for information of relevance to the issue at hand.
T0104: Fuse computer network attack analyses with criminal and counterintelligence investigations and operations.
T0110: Identify and/or determine whether a security incident is indicative of a violation of law that requires specific legal action.
T0112: Identify data or intelligence of evidentiary value to support counterintelligence and criminal investigations.
T0113: Identify digital evidence for examination and analysis in such a way as to avoid unintentional alteration.
T0114: Identify elements of proof of the crime.
T0120: Identify, collect, and seize documentary or physical evidence, to include digital media and logs associated with cyber intrusion incidents, investigations, and operations.
T0193: Process crime scenes.
T0225: Secure the electronic device or information source.
T0241: Use specialized equipment and techniques to catalog, document, extract, collect, package, and preserve digital evidence.
T0343: Analyze the crisis to ensure public, personal, and resource protection.
T0346: Assess the behavior of the individual victim, witness, or suspect as it relates to the investigation.
T0360: Determine the extent of threats and recommend courses of action or countermeasures to mitigate risks.
T0386: Provide criminal investigative support to trial counsel during the judicial process.
T0423: Analyze computer-generated threats for counterintelligence or criminal activity.
T0430: Gather and preserve evidence used in the prosecution of computer crimes.
T0433: Conduct analysis of log files, evidence, and other information to determine the best methods for identifying the perpetrator(s) of a network intrusion or other crimes.
T0453: Determine and develop leads and identify sources of information to identify and/or prosecute the responsible parties to an intrusion or other crimes.
T0471: Document the original condition of digital and/or associated evidence (e.g., via digital photographs, written reports, hash function checking).
T0479: Employ information technology (IT) systems and digital storage media to solve, investigate, and/or prosecute cybercrimes and fraud committed against people and property.
T0523: Prepare reports to document the investigation following legal standards and requirements.