Cybersecurity (CS)
PD-WRL-002
DCWF 212
Cyber Defense Forensics Analyst
Analyzes digital evidence and investigates computer security incidents to derive useful information in support of system/network vulnerability mitigation.
Tasks
The concrete work activities defined for this role in the DCWF v5.1 spreadsheet. Core tasks are required for the role; additional tasks are associated but not mandatory.
- T1031 additional Serve as technical expert and liaison to law enforcement personnel and explain incident details as required.
- T1081 additional Perform virus scanning on digital media.
- T1082 additional Perform file system forensic analysis.
- T1083 additional Perform static analysis to mount an "image" of a drive (without necessarily having the original drive).
- T1084 additional Perform static malware analysis.
- T1085 additional Utilize deployable forensics tool kit to support operations as necessary.
- T2179 additional Coordinate with intelligence analysts to correlate threat assessment data.
- T438A additional Collect and analyze intrusion artifacts (e.g., source code, malware, and system configuration) and use discovered data to enable mitigation of potential cyber defense incidents within the enterprise.
- T447 additional Conduct analysis of log files, evidence, and other information in order to determine best methods for identifying the perpetrator(s) of a network intrusion.
- T463 additional Confirm what is known about an intrusion and discover new information, if possible, after identifying intrusion via dynamic analysis.
- T480 additional Create a forensically sound duplicate of the evidence (i.e., forensic image) that ensures the original evidence is not unintentionally modified, to use for data recovery and analysis processes. This includes, but is not limited to, hard drives, floppy diskettes, CD, PDA, mobile phones, GPS, and all tape formats.
- T482 additional Decrypt seized data using technical means.
- T541 additional Provide technical summary of findings in accordance with established reporting procedures.
- T5690 additional Process image with appropriate tools depending on analyst’s goals.
- T5700 additional Perform Windows registry analysis.
- T5720 additional Perform file and registry monitoring on the running system after identifying intrusion via dynamic analysis.
- T573 additional Ensure chain of custody is followed for all digital media acquired in accordance with the Federal Rules of Evidence.
- T5730 additional Enter media information into tracking database (e.g. Product Tracker Tool) for digital media that has been acquired.
- T5740 additional Correlate incident data and perform cyber defense reporting.
- T5760 additional Maintain deployable cyber defense toolkit (e.g. specialized cyber defense software/hardware) to support IRT mission.
- T613 additional Examine recovered data for information of relevance to the issue at hand.
- T636 additional Identify digital evidence for examination and analysis in such a way as to avoid unintentional alteration.
- T749 additional Perform dynamic analysis to boot an “image” of a drive (without necessarily having the original drive) to see the intrusion as the user may have seen it, in a native environment.
- T752 additional Perform file signature analysis.
- T753 additional Perform hash comparison against established database.
- T758 additional Perform real-time forensic analysis (e.g., using Helix in conjunction with LiveView).
- T759 additional Perform timeline analysis.
- T762 additional Perform real-time cyber defense incident handling (e.g., forensic collections, intrusion correlation and tracking, threat analysis, and direct system remediation) tasks to support deployable Incident Response Teams (IRTs).
- T768 additional Perform static media analysis.
- T771 additional Perform tier 1, 2, and 3 malware analysis.
- T786 additional Prepare digital media for imaging by ensuring data integrity (e.g., write blockers in accordance with standard operating procedures).
- T817 additional Provide technical assistance on digital evidence matters to appropriate personnel.
- T825 additional Recognize and accurately report forensic artifacts indicative of a particular operating system.
- T839A additional Review forensic images and other data sources (e.g., volatile data) for recovery of potentially relevant information.
- T868A additional Use data carving techniques (e.g., FTK, Foremost) to extract data for further analysis.
- T870 additional Capture and analyze network traffic associated with malicious activities using network monitoring tools.
- T871 additional Use specialized equipment and techniques to catalog, document, extract, collect, package, and preserve digital evidence.
- T882A additional Write and publish cyber defense recommendations, reports, and white papers on incident findings to appropriate constituencies.
- T944 additional Conduct cursory binary analysis.
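Several of the tasks above are mechanical enough to show in code: file signature analysis (T752), hash comparison against an established database (T753) and data carving (T868A). The following is an added illustration written for this page, not DCWF material and not the output of any named tool. The signature table, the known-hash set and the byte blob standing in for a forensic image are all constructed here; in practice the input would be a write-blocked, hash-verified image (T480, T786) and the carver would be a full tool such as Foremost, but the mechanics are the same.

```python
"""Added example, not from the DCWF page: signature analysis (T752),
known-hash lookup (T753) and header/footer carving (T868A) over a
constructed byte blob that stands in for a forensic image."""
import hashlib
import struct
import zlib
from typing import Optional

# Constructed magic-byte table: type -> (header, footer or None).
SIGNATURES = {
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "pdf": (b"%PDF-", b"%%EOF"),
    "zip": (b"PK\x03\x04", None),   # header only: carve a fixed window
}
EXT_ALIASES = {"jpeg": "jpg"}


def make_png(width: int = 1, height: int = 1) -> bytes:
    """Build a minimal valid RGB PNG so the sample is a real file, not a stub."""
    def chunk(tag: bytes, payload: bytes) -> bytes:
        body = tag + payload
        return struct.pack(">I", len(payload)) + body + struct.pack(">I", zlib.crc32(body))
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    raw = b"".join(b"\x00" + b"\x00\x00\x00" * width for _ in range(height))
    return (SIGNATURES["png"][0] + chunk(b"IHDR", ihdr)
            + chunk(b"IDAT", zlib.compress(raw)) + chunk(b"IEND", b""))


SAMPLE_PNG = make_png()
SAMPLE_PDF = (b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n"
              b"trailer\n<< /Root 1 0 R >>\n%%EOF")

# Constructed "disk image": unallocated filler around two deleted files.
SAMPLE_IMAGE = (b"\x00" * 512 + SAMPLE_PNG + b"\x00" * 300
                + SAMPLE_PDF + b"\n" + b"\xff" * 100)

# Constructed known-hash set (a real case would use NSRL or a case list).
KNOWN_HASHES = {hashlib.sha256(SAMPLE_PNG).hexdigest(): "baseline-1x1.png"}


def identify(data: bytes) -> Optional[str]:
    """Return the type implied by the leading magic bytes, or None."""
    for name, (header, _) in SIGNATURES.items():
        if data.startswith(header):
            return name
    return None


def extension_mismatch(filename: str, data: bytes) -> bool:
    """T752: flag files whose magic bytes disagree with the claimed extension."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    ext = EXT_ALIASES.get(ext, ext)
    kind = identify(data)
    return kind is not None and kind != ext


def classify_hash(data: bytes) -> str:
    """T753: look the SHA-256 up in the known set; 'unknown' otherwise."""
    return KNOWN_HASHES.get(hashlib.sha256(data).hexdigest(), "unknown")


def carve(image: bytes, max_size: int = 1 << 20):
    """T868A: header/footer carving. Returns (offset, type, bytes) sorted by offset.
    Header-only types get a fixed window that still needs validation; a missing
    footer yields a truncated object rather than silently running to EOF."""
    found = []
    for name, (header, footer) in SIGNATURES.items():
        start = 0
        while (pos := image.find(header, start)) != -1:
            limit = min(len(image), pos + max_size)
            if footer is not None:
                end = image.find(footer, pos + len(header), limit)
                end = end + len(footer) if end != -1 else limit
            else:
                end = limit
            found.append((pos, name, image[pos:end]))
            start = pos + len(header)
    return sorted(found, key=lambda f: f[0])


if __name__ == "__main__":
    for offset, kind, blob in carve(SAMPLE_IMAGE):
        digest = hashlib.sha256(blob).hexdigest()
        print(f"offset={offset:<6} type={kind:<4} size={len(blob):<6} "
              f"sha256={digest[:16]}... {classify_hash(blob)}")
    print("renamed png?", extension_mismatch("invoice.pdf", SAMPLE_PNG))
```

The carved PNG hashes to the known-set entry while the PDF comes back unknown, and a PNG body saved as `invoice.pdf` is reported as a signature mismatch. Note that carving by header alone (the `zip` entry) over-reads by design; the analyst validates or trims such objects afterwards, which is why the task list pairs carving with the later examination tasks.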
Knowledge, Skills, and Abilities
KSA statements define what a person filling this role knows or can do. "Knowledge" is what they must know, "Skill" is what they can perform, and "Ability" is a durable capacity they bring to the work.
- A6890 ability core Ability to conduct forensic analyses in and for both Windows and Unix/Linux environments.
- K024A knowledge core Knowledge of basic concepts and practices of processing digital forensic data.
- K0302 knowledge core Knowledge of investigative implications of hardware, Operating Systems, and network technologies.
- K1086 knowledge core Knowledge of data carving tools and techniques (e.g., Foremost).
- K1089 knowledge core Knowledge of reverse engineering concepts.
- K1092 knowledge core Knowledge of anti-forensics tactics, techniques, and procedures.
- K1096 knowledge core Knowledge of malware analysis tools (e.g., OllyDbg, IDA Pro).
- K6810 knowledge core Knowledge of binary analysis.
- S1087 skill core Skill in deep analysis of captured malicious code (e.g., malware forensics).
- S1088 skill core Skill in using binary analysis tools (e.g., Hexedit, the xxd command, hexdump).
- S1098 skill core Skill in analyzing anomalous code as malicious or benign.
- S1099 skill core Skill in analyzing volatile data.
- S1100 skill core Skill in identifying obfuscation techniques.
- S1101 skill core Skill in interpreting results of debugger to ascertain tactics, techniques, and procedures.
- S217 skill core Skill in preserving evidence integrity according to standard operating procedures or national standards.
- S350 skill core Skill in analyzing memory dumps to extract information.
- S381 skill core Skill in using forensic tool suites (e.g., EnCase, Sleuthkit, FTK).
- S6850 skill core Skill in analyzing malware.
- S6860 skill core Skill in conducting bit-level analysis.
- S6870 skill core Skill in processing digital evidence, to include protecting and making legally sound copies of evidence.
- S890 skill core Skill in conducting forensic analyses in multiple operating system environments (e.g., mobile device systems).
- A908 ability additional Ability to decrypt digital data collections.
- K0025 knowledge additional Knowledge of encryption algorithms (e.g., Internet Protocol Security [IPSEC], Advanced Encryption Standard [AES], Generic Routing Encapsulation [GRE], Internet Key Exchange [IKE], Message Digest Algorithm [MD5], Secure Hash Algorithm [SHA], Triple Data Encryption Standard [3DES]).
- K0029 knowledge additional Knowledge of data backup, types of backups (e.g., full, incremental), and recovery concepts and tools.
- K0061 knowledge additional Knowledge of incident response and handling methodologies.
- K0090 knowledge additional Knowledge of operating systems.
- K0105 knowledge additional Knowledge of system and application security threats and vulnerabilities (e.g., buffer overflow, mobile code, cross-site scripting, Procedural Language/Structured Query Language [PL/SQL] and injections, race conditions, covert channel, replay, return-oriented attacks, malicious code).
- K0113 knowledge additional Knowledge of server and client operating systems.
- K0114 knowledge additional Knowledge of server diagnostic tools and fault identification techniques.
- K0139 knowledge additional Knowledge of the common networking protocols (e.g., TCP/IP), services (e.g., web, mail, Domain Name Server), and how they interact to provide network communications.
- K0264 knowledge additional Knowledge of basic physical computer components and architectures, including the functions of various components and peripherals (e.g., CPUs, Network Interface Cards, data storage).
- K0287 knowledge additional Knowledge of file system implementations (e.g., New Technology File System [NTFS], File Allocation Table [FAT], Extended File System [EXT]).
- K0290 knowledge additional Knowledge of processes for seizing and preserving digital evidence (e.g., chain of custody).
- K0294 knowledge additional Knowledge of hacking methodologies in Windows or Unix/Linux environment.
- K0310 knowledge additional Knowledge of legal governance related to admissibility (e.g., Federal Rules of Evidence).
- K0316 knowledge additional Knowledge of processes for collecting, packaging, transporting, and storing electronic evidence to avoid alteration, loss, physical damage, or destruction of data.
- K0340 knowledge additional Knowledge of types and collection of persistent data.
- K0345 knowledge additional Knowledge of web mail collection, searching/analyzing techniques, tools, and cookies.
- K0346 knowledge additional Knowledge of which system files (e.g., log files, registry files, configuration files) contain relevant information and where to find those system files.
- K0888 knowledge additional Knowledge of types of digital forensics data and how to recognize them.
- K0889 knowledge additional Knowledge of deployable forensics.
- K0923 knowledge additional Knowledge of security event correlation tools.
- K0982 knowledge additional Knowledge of electronic evidence law.
- K0983 knowledge additional Knowledge of legal rules of evidence and court procedure.
- K1033 knowledge additional Knowledge of basic system administration, network, and operating system hardening techniques.
- K1036 knowledge additional Knowledge of applicable laws (e.g., Electronic Communications Privacy Act, Foreign Intelligence Surveillance Act, Protect America Act, search and seizure laws, civil liberties and privacy laws), statutes (e.g., in Titles 10, 18, 32, 50 in U.S. Code), Presidential Directives, executive branch guidelines, and/or administrative/criminal legal guidelines and procedures relevant to work performed.
- K1072 knowledge additional Knowledge of network security architecture concepts including topology, protocols, components, and principles (e.g., application of defense-in-depth, Zero Trust).
- K1093 knowledge additional Knowledge of common forensics tool configuration and support applications (e.g., VMware, Wireshark).
- K1094 knowledge additional Knowledge of debugging procedures and tools.
- K1095 knowledge additional Knowledge of how different file types can be used for anomalous behavior.
- K1097 knowledge additional Knowledge of virtual machine aware malware, debugger aware malware, and packing.
- K3461 knowledge additional Knowledge of relevant laws, legal authorities, restrictions, and regulations pertaining to cyber defense activities.
- K3513 knowledge additional Knowledge of system administration concepts for Unix/Linux and/or Windows operating systems.
- K6210 knowledge additional Knowledge of cloud service models and possible limitations for an incident response.
- K6820 knowledge additional Knowledge of network architecture concepts including topology, protocols, and components.
- S1091 skill additional Skill in one way hash functions (e.g., Secure Hash Algorithm [SHA], Message Digest Algorithm [MD5]).
- S193 skill additional Skill in developing, testing, and implementing network infrastructure contingency and recovery plans.
- S214A skill additional Skill in performing packet-level analysis.
- S360 skill additional Skill in identifying and extracting data of forensic interest in diverse media (i.e., media forensics).
- S364 skill additional Skill in identifying, modifying, and manipulating applicable system components within Windows, Unix, or Linux (e.g., passwords, user accounts, files).
- S369 skill additional Skill in collecting, processing, packaging, transporting, and storing electronic evidence to avoid alteration, loss, physical damage, or destruction of data.
- S374 skill additional Skill in setting up a forensic workstation.
- S386 skill additional Skill in using virtual machines.
- S389 skill additional Skill in physically disassembling PCs.
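Timeline analysis (T759) and log correlation (T447, K0346) depend on one detail the list does not spell out: artifacts arrive with different clock conventions, and the first job is normalising them to UTC before sorting. The block below is an added illustration for this page, not DCWF material. The syslog lines, Windows event rows and file-system record are constructed, and the syslog year and host time zone are assumptions the analyst would normally establish from the evidence (BIOS clock, NTP logs, the registry TimeZoneInformation key).

```python
"""Added example, not from the DCWF page: one UTC-normalised timeline (T759)
from three artifact sources with different clock conventions, then the
events around a pivot. All records, the syslog year and HOST_TZ are assumed."""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List

SYSLOG_YEAR = 2024                        # assumption: classic syslog omits the year
HOST_TZ = timezone(timedelta(hours=-5))   # assumption: Linux host clock is UTC-5

# Constructed syslog lines (local time, no year, no zone).
SYSLOG_LINES = [
    "Mar  3 22:00:00 web01 cron[911]: (root) CMD (/usr/bin/updatedb)",
    "Mar  4 05:15:07 web01 sshd[4122]: Accepted password for svc_backup "
    "from 203.0.113.9 port 51234 ssh2",
]
# Constructed Windows event export rows: (ISO-8601 UTC, event id, message).
WIN_EVENTS = [
    ("2024-03-04T10:16:40Z", 4688, "New process: C:\\Users\\Public\\x.exe"),
    ("2024-03-04T12:00:00Z", 4634, "Logoff: svc_backup"),
]
# Constructed file-system records: (path, modification time, Unix epoch UTC).
FS_RECORDS = [
    ("C:\\Users\\Public\\x.exe", 1709547430),
]

SYSLOG_RE = re.compile(r"^(\w{3})\s+(\d{1,2}) (\d\d):(\d\d):(\d\d) (\S+) (.*)$")


@dataclass(order=True)
class Event:
    ts: datetime      # always timezone-aware UTC
    source: str
    detail: str


def parse_iso_utc(ts: str) -> datetime:
    """Parse 'YYYY-MM-DDTHH:MM:SSZ' as an aware UTC datetime."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_syslog(line: str, year: int = SYSLOG_YEAR, tz: timezone = HOST_TZ) -> Event:
    """Attach the assumed year and host zone, then convert to UTC."""
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError(f"unrecognised syslog line: {line!r}")
    mon, day, hh, mm, ss, host, msg = m.groups()
    month = datetime.strptime(mon, "%b").month
    local = datetime(year, month, int(day), int(hh), int(mm), int(ss), tzinfo=tz)
    return Event(local.astimezone(timezone.utc), f"syslog:{host}", msg)


def parse_win_event(row) -> Event:
    ts, event_id, msg = row
    return Event(parse_iso_utc(ts), f"winevt:{event_id}", msg)


def parse_fs_record(row) -> Event:
    path, epoch = row
    return Event(datetime.fromtimestamp(epoch, tz=timezone.utc), "fs:mtime", path)


def build_timeline(syslog=SYSLOG_LINES, win=WIN_EVENTS, fs=FS_RECORDS) -> List[Event]:
    """Merge every source into one list ordered by UTC timestamp."""
    events = [parse_syslog(line) for line in syslog]
    events += [parse_win_event(row) for row in win]
    events += [parse_fs_record(row) for row in fs]
    return sorted(events)


def around(timeline: List[Event], pivot_iso: str, minutes: int) -> List[Event]:
    """Events within +/- minutes of a UTC pivot given as ISO-8601 'Z' text."""
    pivot = parse_iso_utc(pivot_iso)
    window = timedelta(minutes=minutes)
    return [e for e in timeline if abs(e.ts - pivot) <= window]


def render(e: Event) -> str:
    return f"{e.ts.strftime('%Y-%m-%dT%H:%M:%SZ')}  {e.source:<14} {e.detail}"


if __name__ == "__main__":
    timeline = build_timeline()
    for e in around(timeline, "2024-03-04T10:16:40Z", 15):   # pivot on the 4688 event
        print(render(e))
```

Pivoting on the process-creation event places the SSH login 93 seconds before it and the binary's modification time 30 seconds after it, while the cron job and the later logoff fall outside the 15-minute window. Get the host zone wrong by five hours and the same login would sort hours away from the process it explains, which is the usual way a timeline silently misleads.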
EWU courses that develop this role
Other roles in this element
CS-462 Control Systems Security Specialist
CS-511 Cyber Defense Analyst
CS-521 Cyber Defense Infrastructure Support Specialist
CS-531 Cyber Defense Incident Responder
CS-541 Vulnerability Assessment Analyst
CS-611 Authorizing Official/Designated Representative
CS-612 Security Control Assessor
CS-622 Secure Software Assessor
CS-631 Information Systems Security Developer
CS-652 Security Architect
CS-722 Information Systems Security Manager
CS-723 COMSEC Manager