Cyber Enablers (EN)
IN-WRL-001
DCWF 221
Cyber Crime Investigator
Identifies, collects, examines, and preserves evidence using controlled and documented analytical and investigative techniques.
Tasks
The concrete work activities defined for this role in the DCWF v5.1 spreadsheet. Core tasks are required for the role; additional tasks are associated but not mandatory.
- T402A (additional): Analyze computer-generated threats for counter intelligence or criminal activity.
- T429A (additional): Gather and preserve evidence used in the prosecution of computer crimes.
- T447A (additional): Conduct analysis of log files, evidence, and other information in order to determine best methods for identifying the perpetrator(s) of a network intrusion or other crimes.
- T454 (additional): Conduct interviews of victims and witnesses and conduct interviews or interrogations of suspects.
- T5040 (additional): Analyze the crisis situation to ensure public, personal, and resource protection.
- T5070 (additional): Assess the behavior of the individual victim, witness, or suspect as it relates to the investigation.
- T507A (additional): Determine and develop leads and identify sources of information in order to identify and/or prosecute the responsible parties to an intrusion or other crimes.
- T512 (additional): Develop a plan to investigate alleged crime, violation, or suspicious activity utilizing computers and the internet.
- T5210 (additional): Determine the extent of threats and recommend courses of action and countermeasures to mitigate risks.
- T5580 (additional): Provide criminal investigative support to trial counsel during the judicial process.
- T564A (additional): Document original condition of digital and/or associated evidence (e.g., via digital photographs, written reports, hash function checking).
- T597 (additional): Establish relationships, if applicable, between the incident response team and other groups, both internal (e.g., legal department) and external (e.g., law enforcement agencies, vendors, and public relations professionals).
- T613 (additional): Examine recovered data for information of relevance to the issue at hand.
- T620A (additional): Employ information technology (IT) systems and digital storage media to solve, investigate, and/or prosecute cybercrimes and fraud committed against people and property.
- T623 (additional): Fuse computer network attack analyses with criminal and counterintelligence investigations and operations.
- T633 (additional): Identify and/or determine whether a security incident is indicative of a violation of law that requires specific legal action.
- T635 (additional): Identify data or intelligence of evidentiary value to support counterintelligence and criminal investigations.
- T636 (additional): Identify digital evidence for examination and analysis in such a way as to avoid unintentional alteration.
- T637 (additional): Identify elements of proof of the crime.
- T649 (additional): Identify, collect, and seize documentary or physical evidence, to include digital media and logs associated with cyber intrusion incidents, investigations, and operations.
- T788A (additional): Prepare reports to document the investigation following legal standards and requirements.
- T843 (additional): Secure the electronic device or information source.
- T871 (additional): Use specialized equipment and techniques to catalog, document, extract, collect, package, and preserve digital evidence.
Knowledge, Skills, and Abilities
KSA statements define what a person filling this role knows or can do. "Knowledge" is what they must know, "Skill" is what they can perform, and "Ability" is a durable capacity they bring to the work.
- K0281 (knowledge, core): Knowledge of electronic devices (e.g., computer systems/components, access control devices, digital cameras, electronic organizers, hard drives, memory cards, modems, network components, printers, removable storage devices, scanners, telephones, copiers, credit card skimmers, facsimile machines, global positioning systems [GPSs]).
- K0290 (knowledge, core): Knowledge of processes for seizing and preserving digital evidence (e.g., chain of custody).
- K0340 (knowledge, core): Knowledge of types and collection of persistent data.
- K1036 (knowledge, core): Knowledge of applicable laws (e.g., Electronic Communications Privacy Act, Foreign Intelligence Surveillance Act, Protect America Act, search and seizure laws, civil liberties and privacy laws), statutes (e.g., in Titles 10, 18, 32, 50 in U.S. Code), Presidential Directives, executive branch guidelines, and/or administrative/criminal legal guidelines and procedures relevant to work performed.
- S217 (skill, core): Skill in preserving evidence integrity according to standard operating procedures or national standards.
- S369 (skill, core): Skill in collecting, processing, packaging, transporting, and storing electronic evidence to avoid alteration, loss, physical damage, or destruction of data.
- K0105 (knowledge, additional): Knowledge of system and application security threats and vulnerabilities (e.g., buffer overflow, mobile code, cross-site scripting, Procedural Language/Structured Query Language [PL/SQL] and injections, race conditions, covert channel, replay, return-oriented attacks, malicious code).
- K0310 (knowledge, additional): Knowledge of legal governance related to admissibility (e.g., Federal Rules of Evidence).
- K0917 (knowledge, additional): Knowledge of social dynamics of computer attackers in a global context.
- K3480 (knowledge, additional): Knowledge of security implications of software configurations.
- K6230 (knowledge, additional): Knowledge of crisis management protocols, processes, and techniques.
- K6370 (knowledge, additional): Knowledge of physical and physiological behaviors that may indicate suspicious or abnormal activity.
- K6440 (knowledge, additional): Knowledge of the judicial process, including the presentation of facts and evidence.
- S1039 (skill, additional): Skill in evaluating the trustworthiness of the supplier and/or product.
- S383 (skill, additional): Skill in using scientific rules and methods to solve problems.
Other roles in this element
- EN-211 Forensics Analyst
- EN-711 Cyber Instructional Curriculum Developer
- EN-712 Cyber Instructor
- EN-731 Cyber Legal Advisor
- EN-732 Privacy Compliance Manager
- EN-751 Cyber Workforce Developer and Manager
- EN-752 Cyber Policy and Strategy Planner
- EN-801 Program Manager
- EN-802 IT Project Manager
- EN-803 Product Support Manager
- EN-804 IT Investment/Portfolio Manager
- EN-805 IT Program Auditor
- EN-901 Executive Cyber Leader