Forensics Analyst

Conducts deep-dive investigations on computer-based crimes establishing documentary or physical evidence, to include digital media and logs associated with cyber intrusion incidents.

Tasks

The concrete work activities defined for this role in the DCWF v5.1 spreadsheet. Core tasks are required for the role; additional tasks are associated but not mandatory.

• T1081 additional Perform virus scanning on digital media.
• T1082 additional Perform file system forensic analysis.
• T1083 additional Perform static analysis to mount an "image" of a drive (without necessarily having the original drive).
• T1084 additional Perform static malware analysis.
• T1085 additional Utilize deployable forensics tool kit to support operations as necessary.
• T438A additional Collect and analyze intrusion artifacts (e.g., source code, malware, and system configuration) and use discovered data to enable mitigation of potential cyber defense incidents within the enterprise.
• T447 additional Conduct analysis of log files, evidence, and other information in order to determine best methods for identifying the perpetrator(s) of a network intrusion.
• T463 additional Confirm what is known about an intrusion and discover new information, if possible, after identifying intrusion via dynamic analysis.
• T480 additional Create a forensically sound duplicate of the evidence (i.e., forensic image) that ensures the original evidence is not unintentionally modified, to use for data recovery and analysis processes. This includes, but is not limited to, hard drives, floppy diskettes, CD, PDA, mobile phones, GPS, and all tape formats.
• T482A additional Detect and analyze encrypted data, stenography, alternate data streams and other forms of concealed data.
• T541 additional Provide technical summary of findings in accordance with established reporting procedures.
• T564A additional Document original condition of digital and/or associated evidence (e.g., via digital photographs, written reports, hash function checking).
• T573 additional Ensure chain of custody is followed for all digital media acquired in accordance with the Federal Rules of Evidence.
• T613 additional Examine recovered data for information of relevance to the issue at hand.
• T636 additional Identify digital evidence for examination and analysis in such a way as to avoid unintentional alteration.
• T649 additional Identify, collect, and seize documentary or physical evidence, to include digital media and logs associated with cyber intrusion incidents, investigations, and operations.
• T749 additional Perform dynamic analysis to boot an “image” of a drive (without necessarily having the original drive) to see the intrusion as the user may have seen it, in a native environment.
• T752 additional Perform file signature analysis.
• T753 additional Perform hash comparison against established database.
• T758 additional Perform real-time forensic analysis (e.g., using Helix in conjunction with LiveView).
• T759 additional Perform timeline analysis.
• T768 additional Perform static media analysis.
• T771 additional Perform tier 1, 2, and 3 malware analysis.
• T786 additional Prepare digital media for imaging by ensuring data integrity (e.g., write blockers in accordance with standard operating procedures).
• T792 additional Process crime scenes.
• T817 additional Provide technical assistance on digital evidence matters to appropriate personnel.
• T825 additional Recognize and accurately report forensic artifacts indicative of a particular operating system.
• T839A additional Review forensic images and other data sources (e.g., volatile data) for recovery of potentially relevant information.
• T868 additional Extract data using data carving techniques (e.g., Forensic Tool Kit [FTK], Foremost).
• T870 additional Capture and analyze network traffic associated with malicious activities using network monitoring tools.
• T871 additional Use specialized equipment and techniques to catalog, document, extract, collect, package, and preserve digital evidence.
• T882 additional Write and publish cyber defense techniques, guidance, and reports on incident findings to appropriate constituencies.
• T944 additional Conduct cursory binary analysis.

Knowledge, Skills, and Abilities

KSA statements define what a person filling this role knows or can do. "Knowledge" is what they must know, "Skill" is what they can perform, and "Ability" is a durable capacity they bring to the work.

• K0024 knowledge core Knowledge of concepts and practices of processing digital forensic data.
• K0061 knowledge core Knowledge of incident response and handling methodologies.
• K0090 knowledge core Knowledge of operating systems.
• K025A knowledge core Knowledge of encryption algorithms, stenography, and other forms of data concealment.
• K0264 knowledge core Knowledge of basic physical computer components and architectures, including the functions of various components and peripherals (e.g., CPUs, Network Interface Cards, data storage).
• K0287 knowledge core Knowledge of file system implementations (e.g., New Technology File System [NTFS], File Allocation Table [FAT], File Extension [EXT]).
• K0302 knowledge core Knowledge of investigative implications of hardware, Operating Systems, and network technologies.
• K0310 knowledge core Knowledge of legal governance related to admissibility (e.g., Federal Rules of Evidence).
• K0316 knowledge core Knowledge of processes for collecting, packaging, transporting, and storing electronic evidence to avoid alteration, loss, physical damage, or destruction of data.
• K0888 knowledge core Knowledge of types of digital forensics data and how to recognize them.
• K0982 knowledge core Knowledge of electronic evidence law.
• K1086 knowledge core Knowledge of data carving tools and techniques (e.g., Foremost).
• K1092 knowledge core Knowledge of anti-forensics tactics, techniques, and procedures.
• K1093 knowledge core Knowledge of common forensics tool configuration and support applications (e.g., VMWare, WIRESHARK).
• S217 skill core Skill in preserving evidence integrity according to standard operating procedures or national standards.
• S350 skill core Skill in analyzing memory dumps to extract information.
• S381 skill core Skill in using forensic tool suites (e.g., EnCase, Sleuthkit, FTK).
• S389 skill core Skill in physically disassembling PCs.
• S890 skill core Skill in conducting forensic analyses in multiple operating system environments (e.g., mobile device systems).
• A6918 ability additional Ability to apply cybersecurity strategy to cloud computing service and deployment models, identifying proper architecture for different operating environments.
• A908 ability additional Ability to decrypt digital data collections.
• K0029 knowledge additional Knowledge of data backup, types of backups (e.g., full, incremental), and recovery concepts and tools.
• K0105 knowledge additional Knowledge of system and application security threats and vulnerabilities (e.g., buffer overflow, mobile code, cross-site scripting, Procedural Language/Structured Query Language [PL/SQL] and injections, race conditions, covert channel, replay, return-oriented attacks, malicious code).
• K0113 knowledge additional Knowledge of server and client operating systems.
• K0114 knowledge additional Knowledge of server diagnostic tools and fault identification techniques.
• K0139 knowledge additional Knowledge of the common networking protocols (e.g., TCP/IP), services (e.g., web, mail, Domain Name Server), and how they interact to provide network communications.
• K0290 knowledge additional Knowledge of processes for seizing and preserving digital evidence (e.g., chain of custody).
• K0294 knowledge additional Knowledge of hacking methodologies in Windows or Unix/Linux environment.
• K0340 knowledge additional Knowledge of types and collection of persistent data.
• K0345 knowledge additional Knowledge of web mail collection, searching/analyzing techniques, tools, and cookies.
• K0346 knowledge additional Knowledge of which system files (e.g., log files, registry files, configuration files) contain relevant information and where to find those system files.
• K0889 knowledge additional Knowledge of deployable forensics.
• K0923 knowledge additional Knowledge of security event correlation tools.
• K0983 knowledge additional Knowledge of legal rules of evidence and court procedure.
• K1033 knowledge additional Knowledge of basic system administration, network, and operating system hardening techniques.
• K1036 knowledge additional Knowledge of applicable laws (e.g., Electronic Communications Privacy Act, Foreign Intelligence Surveillance Act, Protect America Act, search and seizure laws, civil liberties and privacy laws), statutes (e.g., in Titles 10, 18, 32, 50 in U.S. Code), Presidential Directives, executive branch guidelines, and/or administrative/criminal legal guidelines and procedures relevant to work performed.
• K1072 knowledge additional Knowledge of network security architecture concepts including topology, protocols, components, and principles (e.g., application of defense-in-depth, Zero Trust).
• K1089 knowledge additional Knowledge of reverse engineering concepts.
• K1094 knowledge additional Knowledge of debugging procedures and tools.
• K1095 knowledge additional Knowledge of how different file types can be used for anomalous behavior.
• K1096 knowledge additional Knowledge of malware analysis tools (e.g., Oily Debug, Ida Pro).
• K1097 knowledge additional Knowledge of virtual machine aware malware, debugger aware malware, and packing.
• K6210 knowledge additional Knowledge of cloud service models and possible limitations for an incident response.
• S1087 skill additional Skill in deep analysis of captured malicious code (e.g., malware forensics).
• S1088 skill additional Skill in using binary analysis tools (e.g., Hexedit, command code xxd, hexdump).
• S1091 skill additional Skill in one way hash functions (e.g., Secure Hash Algorithm [SHA], Message Digest Algorithm [MD5]).
• S1098 skill additional Skill in analyzing anomalous code as malicious or benign.
• S1099 skill additional Skill in analyzing volatile data.
• S1100 skill additional Skill in identifying obfuscation techniques.
• S1101 skill additional Skill in interpreting results of debugger to ascertain tactics, techniques, and procedures.
• S193 skill additional Skill in developing, testing, and implementing network infrastructure contingency and recovery plans.
• S214 skill additional Skill in performing packet-level analysis using appropriate tools (e.g., Wireshark, tcpdump).
• S360 skill additional Skill in identifying and extracting data of forensic interest in diverse media (i.e., media forensics).
• S364 skill additional Skill in identifying, modifying, and manipulating applicable system components within Windows, Unix, or Linux (e.g., passwords, user accounts, files).
• S369 skill additional Skill in collecting, processing, packaging, transporting, and storing electronic evidence to avoid alteration, loss, physical damage, or destruction of data.
• S374 skill additional Skill in setting up a forensic workstation.
• S386 skill additional Skill in using virtual machines.

EWU courses that develop this role

Skill drills that practice this role

Exam questions from CSCD 240. Click any to work it.

• CSCD240-E1-A-Q34 primary grep Print lines of access.log containing 403 with their line numbers.
• CSCD240-E1-A-Q48 primary metadata Show detailed metadata for /etc/passwd: inode, all three timestamps, octal perms.
• CSCD240-E1-A-Q50 primary log-pipeline auth.log line format "2026-04-14 08:31 FAIL user=alex src=10.x". Print top-3 FAIL source IPs, count first, most-frequent first.
• CSCD240-E1-B-Q18 primary log-search Print every line of auth.log containing "Failed password" (case-insensitive), with line numbers.
• CSCD240-E1-B-Q19 primary log-pipeline Top 5 source IPs in FAIL lines of auth.log, where IP is field 5.
• CSCD240-E1-B-Q20 primary log-pipeline Count distinct usernames on FAIL lines of auth.log where username is "user=<name>".
• CSCD240-E1-B-Q33 primary forensics-stat Print all metadata for /etc/passwd: inode, perms in octal, all three timestamps.
• CSCD240-E1-B-Q34 primary forensics-file Identify the data type of sample.bin (ELF, ASCII, gzip, etc).
• CSCD240-E1-B-Q35 primary forensics-time Print last-modification time of /var/log/syslog in machine-readable (seconds-epoch or ISO) format.
• CSCD240-E1-B-Q36 primary forensics-timeline List the 5 most recently modified files in /tmp (newest first).
• CSCD240-E1-B-Q50 primary archive-evidence Create gzip-compressed tarball evidence.tar.gz of every .log in /var/log/.
• CSCD240-E1-C-Q01 primary forensics Which command returns inode, permission bits, size, and all three timestamps of a file?
• CSCD240-E1-C-Q21 primary forensics-time Which find predicate matches files modified within the last 24 hours?
• CSCD240-E1-C-Q25 primary grep Print every line of auth.log containing "Failed password" (case-insensitive) with line numbers.
• CSCD240-E1-C-Q26 primary log-pipeline Top 5 source IPs appearing on FAIL lines of auth.log (IP = field 5).
• CSCD240-E1-C-Q27 primary log-pipeline List unique usernames appearing on FAIL lines of auth.log (user=<name>).
• CSCD240-E1-C-Q30 primary forensics-timeline List 10 most-recently modified files in /var/log/ (newest first).
• CSCD240-E1-C-Q31 primary archive Create gzipped tarball ir-evidence.tar.gz of every .log in /var/log/.
• CSCD240-E1-C-Q35 primary archive-extract Extract the archive case-123.tar.gz into the current directory.
• CSCD240-E1-C-Q36 primary forensics-time Print ISO-8601 modification time of /etc/passwd.
• CSCD240-E1-C-Q45 primary integrity Verify /opt/ids/analyze has not been silently replaced — which find predicate and which file-metadata command (no crypto)?
• CSCD240-E1-C-Q50 primary ir-process IR runbook: capture terminal session output of every IR command. Name the command and why it matters for chain of custody.
• CSCD240-E1-B-Q23 secondary grep-recursive Recursively search /etc for any file containing "password=" and print only filenames.

NCAE CyberGames scoreboard errors for this role

• NCAE-5e1da0ed9d SSH Login / failure: Failed to connect to host: IP
• NCAE-4b0a05cc84 SSH Login / partial: The following users failed to authenticate with their public key: nills, vetomo
• NCAE-9924ef98f9 SSH Login / partial: The following users failed to authenticate with their public key: vetomo, nills
• NCAE-f750673474 SSH Login / partial: The following users failed to authenticate with their public key: simone_weil, todd_k
• NCAE-cbaa327d45 SSH Login / partial: The following users failed to authenticate with their public key: vetomo, todd_k
• NCAE-31a06c29be SSH Login / partial: The following users failed to authenticate with their public key: claude_chevalley
• NCAE-57bc10ac12 SSH Login / partial: The following users failed to authenticate with their public key: claude_chevalley, simone_weil
• NCAE-8b86722a38 SSH Login / partial: The following users failed to authenticate with their public key: nills, simone_weil
• NCAE-7b7d319908 SSH Login / partial: The following users failed to authenticate with their public key: nills, todd_k
• NCAE-a4e6291912 SSH Login / partial: The following users failed to authenticate with their public key: simone_weil, vetomo, claude_chevalley
• NCAE-c5b357ae25 SSH Login / partial: The following users failed to authenticate with their public key: nills
• NCAE-5985c6e330 SSH Login / partial: The following users failed to authenticate with their public key: simone_weil, nills
• NCAE-ca679de119 SSH Login / partial: The following users failed to authenticate with their public key: vetomo, claude_chevalley
• NCAE-fd86ddff99 SSH Login / partial: The following users failed to authenticate with their public key: vetomo
• NCAE-d5ad63d4f1 SSH Login / partial: The following users failed to authenticate with their public key: simone_weil, vetomo, nills
• NCAE-b2369be32e SSH Login / partial: The following users failed to authenticate with their public key: todd_k
• NCAE-0f62f7018e SSH Login / partial: The following users failed to authenticate with their public key: claude_chevalley, todd_k, simone_weil
• NCAE-c9f04c8da7 SSH Login / partial: The following users failed to authenticate with their public key: nills, todd_k, claude_chevalley
• NCAE-3336e86af3 SSH Login / partial: The following users failed to authenticate with their public key: simone_weil, nills, claude_chevalley, todd_k
• NCAE-0c3df3519e SSH Login / partial: The following users failed to authenticate with their public key: simone_weil, todd_k, vetomo
• NCAE-3baf4b3c23 SSH Login / partial: The following users failed to authenticate with their public key: claude_chevalley, vetomo, nills
• NCAE-9272351c5c SSH Login / partial: The following users failed to authenticate with their public key: todd_k, nills, simone_weil
• NCAE-b2915c14cc SSH Login / partial: The following users failed to authenticate with their public key: simone_weil, claude_chevalley, vetomo
• NCAE-96eec2d7fc SSH Login / partial: The following users failed to authenticate with their public key: nills, simone_weil, vetomo
• NCAE-f398f8bd49 SSH Login / partial: The following users failed to authenticate with their public key: simone_weil, vetomo
• NCAE-c88723b1d2 SSH Login / partial: The following users failed to authenticate with their public key: nills, simone_weil, todd_k
• NCAE-67df7ad67b SSH Login / partial: The following users failed to authenticate with their public key: claude_chevalley, simone_weil, vetomo
• NCAE-7f3d1219e8 SSH Login / partial: The following users failed to authenticate with their public key: simone_weil, clancy, listo, vetomo, blurry_face, claude_chevalley, ned, lisdn, vialists, nico
• NCAE-780002b22c SSH Login / partial: The following users failed to authenticate with their public key: lisdn, vialists
• NCAE-86ba930e77 SSH Login / partial: The following users failed to authenticate with their public key: nills, claude_chevalley

Other roles in this element