Cyber Defense Forensics Analyst

Analyzes digital evidence and investigates computer security incidents to derive useful information in support of system/network vulnerability mitigation.

Below are the Knowledge, Skills, Abilities and Tasks identified as being required to perform this work role.

K0001 Knowledge of computer networking concepts and protocols, and network security methodologies.
K0002 Knowledge of risk management processes (e.g., methods for assessing and mitigating risk).
K0003 Knowledge of laws, regulations, policies, and ethics as they relate to cybersecurity and privacy.
K0004 Knowledge of cybersecurity and privacy principles.
K0005 Knowledge of cyber threats and vulnerabilities.
K0006 Knowledge of specific operational impacts of cybersecurity lapses.
K0018 Knowledge of encryption algorithms.
K0021 Knowledge of data backup and recovery.
K0042 Knowledge of incident response and handling methodologies.
K0060 Knowledge of operating systems.
K0070 Knowledge of system and application security threats and vulnerabilities (e.g., buffer overflow, mobile code, cross-site scripting, Procedural Language/Structured Query Language [PL/SQL] and injections, race conditions, covert channel, replay, return-oriented attacks, malicious code).
K0077 Knowledge of server and client operating systems.
K0078 Knowledge of server diagnostic tools and fault identification techniques.
K0109 Knowledge of physical computer components and architectures, including the functions of various components and peripherals (e.g., CPUs, Network Interface Cards, data storage).
K0117 Knowledge of file system implementations (e.g., New Technology File System [NTFS], File Allocation Table [FAT], File Extension [EXT]).
K0118 Knowledge of processes for seizing and preserving digital evidence.
K0119 Knowledge of hacking methodologies.
K0122 Knowledge of investigative implications of hardware, operating systems, and network technologies.
K0123 Knowledge of legal governance related to admissibility (e.g., Rules of Evidence).
K0125 Knowledge of processes for collecting, packaging, transporting, and storing electronic evidence while maintaining chain of custody.
K0128 Knowledge of types and collection of persistent data.
K0131 Knowledge of web mail collection, searching/analyzing techniques, tools, and cookies.
K0132 Knowledge of which system files (e.g., log files, registry files, configuration files) contain relevant information and where to find those system files.
K0133 Knowledge of types of digital forensics data and how to recognize them.
K0134 Knowledge of deployable forensics.
K0145 Knowledge of security event correlation tools.
K0155 Knowledge of electronic evidence law.
K0156 Knowledge of legal rules of evidence and court procedure.
K0167 Knowledge of system administration, network, and operating system hardening techniques.
K0168 Knowledge of applicable laws, statutes (e.g., in Titles 10, 18, 32, 50 in U.S. Code), Presidential Directives, executive branch guidelines, and/or administrative/criminal legal guidelines and procedures.
K0179 Knowledge of network security architecture concepts including topology, protocols, components, and principles (e.g., application of defense-in-depth).
K0182 Knowledge of data carving tools and techniques (e.g., Foremost).
K0183 Knowledge of reverse engineering concepts.
K0184 Knowledge of anti-forensics tactics, techniques, and procedures.
K0185 Knowledge of forensics lab design configuration and support applications (e.g., VMware, Wireshark).
K0186 Knowledge of debugging procedures and tools.
K0187 Knowledge of file type abuse by adversaries for anomalous behavior.
K0188 Knowledge of malware analysis tools (e.g., OllyDbg, IDA Pro).
K0189 Knowledge of malware with virtual machine detection (e.g., virtual-aware malware, debugger-aware malware, and unpacked malware that looks for VM-related strings in your computer's display device).
K0224 Knowledge of system administration concepts for operating systems such as but not limited to Unix/Linux, IOS, Android, and Windows operating systems.
K0254 Knowledge of binary analysis.
K0255 Knowledge of network architecture concepts including topology, protocols, and components.
K0301 Knowledge of packet-level analysis using appropriate tools (e.g., Wireshark, tcpdump).
K0304 Knowledge of concepts and practices of processing digital forensic data.
K0347 Knowledge and understanding of operational design.
K0624 Knowledge of Application Security Risks (e.g., Open Web Application Security Project Top 10 list).
S0032 Skill in developing, testing, and implementing network infrastructure contingency and recovery plans.
S0047 Skill in preserving evidence integrity according to standard operating procedures or national standards.
S0062 Skill in analyzing memory dumps to extract information.
S0065 Skill in identifying and extracting data of forensic interest in diverse media (i.e., media forensics).
S0067 Skill in identifying, modifying, and manipulating applicable system components within Windows, Unix, or Linux (e.g., passwords, user accounts, files).
S0068 Skill in collecting, processing, packaging, transporting, and storing electronic evidence to avoid alteration, loss, physical damage, or destruction of data.
S0069 Skill in setting up a forensic workstation.
S0071 Skill in using forensic tool suites (e.g., EnCase, Sleuthkit, FTK).
S0073 Skill in using virtual machines (e.g., Microsoft Hyper-V, VMware vSphere, Citrix XenDesktop/Server, Amazon Elastic Compute Cloud, etc.).
S0074 Skill in physically disassembling PCs.
S0075 Skill in conducting forensic analyses in multiple operating system environments (e.g., mobile device systems).
S0087 Skill in deep analysis of captured malicious code (e.g., malware forensics).
S0088 Skill in using binary analysis tools (e.g., Hexedit, command code xxd, hexdump).
S0089 Skill in one-way hash functions (e.g., Secure Hash Algorithm [SHA], Message Digest Algorithm [MD5]).
S0090 Skill in analyzing anomalous code as malicious or benign.
S0091 Skill in analyzing volatile data.
S0092 Skill in identifying obfuscation techniques.
S0093 Skill in interpreting results of a debugger to ascertain tactics, techniques, and procedures.
S0131 Skill in analyzing malware.
S0132 Skill in conducting bit-level analysis.
S0133 Skill in processing digital evidence, to include protecting and making legally sound copies of evidence.
S0156 Skill in performing packet-level analysis.
A0005 Ability to decrypt digital data collections.
A0043 Ability to conduct forensic analyses in and for both Windows and Unix/Linux environments.
T0027 Conduct analysis of log files, evidence, and other information to determine best methods for identifying the perpetrator(s) of a network intrusion.
T0036 Confirm what is known about an intrusion and discover new information, if possible, after identifying intrusion via dynamic analysis.
T0048 Create a forensically sound duplicate of the evidence (i.e., forensic image) that ensures the original evidence is not unintentionally modified, to use for data recovery and analysis processes. This includes, but is not limited to, hard drives, floppy diskettes, CDs, PDAs, mobile phones, GPS, and all tape formats.
T0049 Decrypt seized data using technical means.
T0075 Provide technical summary of findings in accordance with established reporting procedures.
T0087 Ensure that chain of custody is followed for all digital media acquired in accordance with the Federal Rules of Evidence.
T0103 Examine recovered data for information of relevance to the issue at hand.
T0113 Identify digital evidence for examination and analysis in such a way as to avoid unintentional alteration.
T0165 Perform dynamic analysis to boot an “image” of a drive (without necessarily having the original drive) to see the intrusion as the user may have seen it, in a native environment.
T0167 Perform file signature analysis.
T0168 Perform hash comparison against established database.
T0172 Perform real-time forensic analysis (e.g., using Helix in conjunction with LiveView).
T0173 Perform timeline analysis.
T0175 Perform real-time cyber defense incident handling (e.g., forensic collections, intrusion correlation and tracking, threat analysis, and direct system remediation) tasks to support deployable Incident Response Teams (IRTs).
T0179 Perform static media analysis.
T0182 Perform tier 1, 2, and 3 malware analysis.
T0190 Prepare digital media for imaging by ensuring data integrity (e.g., write blockers in accordance with standard operating procedures).
T0212 Provide technical assistance on digital evidence matters to appropriate personnel.
T0216 Recognize and accurately report forensic artifacts indicative of a particular operating system.
T0238 Extract data using data carving techniques (e.g., Forensic Tool Kit [FTK], Foremost).
T0240 Capture and analyze network traffic associated with malicious activities using network monitoring tools.
T0241 Use specialized equipment and techniques to catalog, document, extract, collect, package, and preserve digital evidence.
T0253 Conduct cursory binary analysis.
T0279 Serve as technical expert and liaison to law enforcement personnel and explain incident details as required.
T0285 Perform virus scanning on digital media.
T0286 Perform file system forensic analysis.
T0287 Perform static analysis to mount an “image” of a drive (without necessarily having the original drive).
T0288 Perform static malware analysis.
T0289 Utilize deployable forensics toolkit to support operations as necessary.
T0312 Coordinate with intelligence analysts to correlate threat assessment data.
T0396 Process image with appropriate tools depending on analyst’s goals.
T0397 Perform Windows registry analysis.
T0398 Perform file and registry monitoring on the running system after identifying intrusion via dynamic analysis.
T0399 Enter media information into tracking database (e.g., Product Tracker Tool) for digital media that has been acquired.
T0400 Correlate incident data and perform cyber defense reporting.
T0401 Maintain deployable cyber defense toolkit (e.g., specialized cyber defense software/hardware) to support Incident Response Team mission.
T0432 Collect and analyze intrusion artifacts (e.g., source code, malware, and system configuration) and use discovered data to enable mitigation of potential cyber defense incidents within the enterprise.
T0532 Review forensic images and other data sources (e.g., volatile data) for recovery of potentially relevant information.
T0546 Write and publish cyber defense recommendations, reports, and white papers on incident findings to appropriate constituencies.