- Knowledge of computer networking concepts and protocols, and network security methodologies.
- Knowledge of risk management processes (e.g., methods for assessing and mitigating risk).
- Knowledge of laws, regulations, policies, and ethics as they relate to cybersecurity and privacy.
- Knowledge of cybersecurity and privacy principles.
- Knowledge of cyber threats and vulnerabilities.
- Knowledge of specific operational impacts of cybersecurity lapses.
- Knowledge of concepts and practices of processing digital forensic data.
- Knowledge of data backup and recovery.
- Knowledge of incident response and handling methodologies.
- Knowledge of operating systems.
- Knowledge of system and application security threats and vulnerabilities (e.g., buffer overflow, mobile code, cross-site scripting, SQL injection including Procedural Language/Structured Query Language [PL/SQL], race conditions, covert channels, replay, return-oriented programming, malicious code).
- Knowledge of server and client operating systems.
- Knowledge of server diagnostic tools and fault identification techniques.
- Knowledge of Insider Threat investigations, reporting, investigative tools and laws/regulations.
- Knowledge of physical computer components and architectures, including the functions of various components and peripherals (e.g., CPUs, Network Interface Cards, data storage).
- Knowledge of file system implementations (e.g., New Technology File System [NTFS], File Allocation Table [FAT], Extended File System [ext2/ext3/ext4]).
- Knowledge of processes for seizing and preserving digital evidence.
- Knowledge of hacking methodologies.
- Knowledge of investigative implications of hardware, Operating Systems, and network technologies.
- Knowledge of legal governance related to admissibility (e.g. Rules of Evidence).
- Knowledge of processes for collecting, packaging, transporting, and storing electronic evidence while maintaining chain of custody.
- Knowledge of types and collection of persistent data.
- Knowledge of web mail collection, searching/analyzing techniques, tools, and cookies.
- Knowledge of which system files (e.g., log files, registry files, configuration files) contain relevant information and where to find those system files.
- Knowledge of types of digital forensics data and how to recognize them.
- Knowledge of deployable forensics.
- Knowledge of security event correlation tools.
- Knowledge of electronic evidence law.
- Knowledge of legal rules of evidence and court procedure.
- Knowledge of system administration, network, and operating system hardening techniques.
- Knowledge of applicable laws, statutes (e.g., in Titles 10, 18, 32, 50 in U.S. Code), Presidential Directives, executive branch guidelines, and/or administrative/criminal legal guidelines and procedures.
- Knowledge of network security architecture concepts including topology, protocols, components, and principles (e.g., application of defense-in-depth).
- Knowledge of data carving tools and techniques (e.g., Foremost).
- Knowledge of reverse engineering concepts.
- Knowledge of anti-forensics tactics, techniques, and procedures.
- Knowledge of forensics lab design, configuration, and support applications (e.g., VMware, Wireshark).
- Knowledge of debugging procedures and tools.
- Knowledge of file type abuse by adversaries for anomalous behavior.
- Knowledge of malware analysis tools (e.g., OllyDbg, IDA Pro).
- Knowledge of malware with virtual machine and debugger detection (e.g., VM-aware malware, debugger-aware malware, and malware that, once unpacked, searches for VM-related strings such as virtual display adapter names).
- Knowledge of data concealment (e.g., encryption algorithms and steganography).
- Knowledge of Application Security Risks (e.g., Open Web Application Security Project [OWASP] Top 10 list).
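The data carving item above (e.g., Foremost) names the technique without showing it. The following is an added example, not part of the original work role description and not Foremost's own code: a minimal header/footer carver that recovers JPEG and PNG files from unallocated space in a raw image, then hashes each carved object so it can be logged. The raw image is constructed inline from two dummy files and zero filler; the signatures are the standard JPEG (FF D8 FF ... FF D9) and PNG (89 50 4E 47 ... IEND chunk) markers.

```python
import hashlib

# Header/footer pairs of the same kind a header-footer carver such as Foremost uses.
# Only two formats are included here for illustration; a real carver carries many more.
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
}


def carve(image: bytes, max_size: int = 10 * 1024 * 1024):
    """Scan a raw image for every known header and return [(offset, kind, blob)].

    A header whose footer is not found within max_size bytes is treated as a
    truncated file or a false positive and skipped, which is the usual carver
    behaviour and the reason carved output still needs manual validation.
    """
    found = []
    for kind, (header, footer) in SIGNATURES.items():
        start = 0
        while True:
            h = image.find(header, start)
            if h == -1:
                break
            f = image.find(footer, h + len(header), h + max_size)
            if f == -1:
                start = h + 1  # no footer in range: skip this header only
                continue
            end = f + len(footer)
            found.append((h, kind, image[h:end]))
            start = end
    found.sort()  # report in disk order regardless of signature order
    return found


def digest(blob: bytes) -> str:
    """SHA-256 of a carved object, for the carving log / evidence inventory."""
    return hashlib.sha256(blob).hexdigest()


# Constructed sample data (not real files): a structurally minimal PNG and JPEG.
PNG_BLOB = (
    b"\x89PNG\r\n\x1a\n"                 # PNG signature
    + b"\x00\x00\x00\x0dIHDR" + b"\x00" * 17   # IHDR length/type, 13 data bytes, dummy CRC
    + b"\x00\x00\x00\x00IEND\xaeB`\x82"  # IEND chunk with its fixed CRC
)
JPEG_BLOB = b"\xff\xd8\xff\xe0" + b"\x00\x10JFIF\x00" + b"\x00" * 8 + b"\xff\xd9"


def build_sample_image() -> bytes:
    """Two files embedded in zero-filled 'unallocated' space (constructed, not a real disk)."""
    filler = b"\x00" * 512
    return filler + PNG_BLOB + filler + JPEG_BLOB + filler


if __name__ == "__main__":
    for offset, kind, blob in carve(build_sample_image()):
        print(f"{offset:08x} {kind} {len(blob):6d} bytes sha256={digest(blob)}")
```

Carving works on content, not file system metadata, so it recovers deleted or partially overwritten files but also produces false positives and fragments; the SHA-256 logged for each carved object is what ties the recovered artifact back to the image in the examiner's notes.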
Law Enforcement/Counterintelligence Forensics Analyst
Conducts detailed investigations of computer-based crimes, establishing documentary or physical evidence, including digital media and logs associated with cyber intrusion incidents.
- Skill in developing, testing, and implementing network infrastructure contingency and recovery plans.
- Skill in performing packet-level analysis using appropriate tools (e.g., Wireshark, tcpdump).
- Skill in preserving evidence integrity according to standard operating procedures or national standards.
- Skill in analyzing memory dumps to extract information.
- Skill in identifying and extracting data of forensic interest in diverse media (i.e., media forensics).
- Skill in identifying, modifying, and manipulating applicable system components within Windows, Unix, or Linux (e.g., passwords, user accounts, files).
- Skill in collecting, processing, packaging, transporting, and storing electronic evidence to avoid alteration, loss, physical damage, or destruction of data.
- Skill in setting up a forensic workstation.
- Skill in using forensic tool suites (e.g., EnCase, Sleuthkit, FTK).
- Skill in using virtual machines (e.g., Microsoft Hyper-V, VMware vSphere, Citrix XenDesktop/XenServer, Amazon Elastic Compute Cloud).
- Skill in physically disassembling PCs.
- Skill in conducting forensic analyses in multiple operating system environments (e.g., mobile device systems).
- Skill in deep analysis of captured malicious code (e.g., malware forensics).
- Skill in using binary analysis tools (e.g., hexedit, xxd, hexdump).
- Skill in one-way hash functions (e.g., Secure Hash Algorithm [SHA-256], Message Digest 5 [MD5]).
- Skill in analyzing anomalous code as malicious or benign.
- Skill in analyzing volatile data.
- Skill in identifying obfuscation techniques.
- Skill in interpreting results of debugger to ascertain tactics, techniques, and procedures.
- Ability to decrypt digital data collections.
- Ability to examine digital media on multiple operating system platforms.
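The evidence-integrity, chain-of-custody, and one-way-hash items above describe a single routine task: hash acquired media at collection time and re-verify it before analysis and before court. This is an added example, not code from the original page or from any named tool: it streams each file once, feeding MD5 and SHA-256 from the same read (MD5 is retained only because older acquisition logs and tools still record it; SHA-256 is treated as authoritative because MD5 collisions are practical), writes a tab-separated manifest, and later reports every entry whose size or digest no longer matches. The `demo()` function builds its own temporary evidence files; the manifest format and column order are this example's own choice.

```python
import hashlib
import os
import tempfile
from pathlib import Path

ALGORITHMS = ("md5", "sha256")   # MD5 for legacy comparison only; SHA-256 is authoritative
CHUNK = 1024 * 1024              # stream so multi-GB images are never loaded whole


def hash_file(path):
    """Hash one file in a single pass, returning {algorithm: hexdigest}."""
    hashers = {name: hashlib.new(name) for name in ALGORITHMS}
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            for h in hashers.values():
                h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def write_manifest(paths, manifest_path):
    """Record name, size, MD5 and SHA-256 per file; returns the number of entries."""
    lines = []
    for p in paths:
        d = hash_file(p)
        lines.append(f"{os.path.basename(p)}\t{os.path.getsize(p)}\t{d['md5']}\t{d['sha256']}\n")
    Path(manifest_path).write_text("".join(lines))
    return len(lines)


def verify_manifest(manifest_path, directory):
    """Return [(filename, reason)] for every manifest entry that no longer matches.

    Size is checked first (cheap), then SHA-256; an MD5-only mismatch is reported
    separately because it points at a manifest transcription error rather than
    at altered evidence.
    """
    problems = []
    for line in Path(manifest_path).read_text().splitlines():
        name, size, md5, sha256 = line.split("\t")
        p = os.path.join(directory, name)
        if not os.path.exists(p):
            problems.append((name, "missing"))
            continue
        if os.path.getsize(p) != int(size):
            problems.append((name, "size changed"))
            continue
        d = hash_file(p)
        if d["sha256"] != sha256:
            problems.append((name, "sha256 mismatch"))
        elif d["md5"] != md5:
            problems.append((name, "md5 mismatch"))
    return problems


def demo():
    """Constructed scenario: seal two files, verify, alter one byte, verify again."""
    workdir = tempfile.mkdtemp()
    empty = os.path.join(workdir, "empty.bin")
    image = os.path.join(workdir, "disk.img")
    open(empty, "wb").close()
    with open(image, "wb") as fh:
        fh.write(b"A" * 3_000_000)       # larger than CHUNK, so streaming is exercised
    manifest = os.path.join(workdir, "manifest.tsv")
    entries = write_manifest([empty, image], manifest)
    before = verify_manifest(manifest, workdir)
    with open(image, "r+b") as fh:       # simulate a single-byte alteration (same size)
        fh.seek(100)
        fh.write(b"B")
    after = verify_manifest(manifest, workdir)
    return hash_file(empty), entries, before, after


if __name__ == "__main__":
    print(demo())
```

The same-size single-byte change in `demo()` is the case a size check alone would miss and is exactly what the hash comparison is for; in practice the manifest itself is signed or stored separately from the evidence so that an attacker who can alter the image cannot also rewrite the recorded digests.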
- Develop a plan to investigate alleged crime, violation, or suspicious activity utilizing computers and the Internet.
- Establish relationships, if applicable, between the incident response team and other groups, both internal (e.g., legal department) and external (e.g., law enforcement agencies, vendors, public relations professionals).
- Resolve conflicts in laws, regulations, policies, standards, or procedures.
- Analyze incident data for emerging trends.
- Perform file and registry monitoring on the running system after identifying intrusion via dynamic analysis.
- Acquire and maintain a working knowledge of constitutional issues which arise in relevant laws, regulations, policies, agreements, standards, procedures, or other issuances.
- Maintain deployable cyber defense toolkit (e.g., specialized cyber defense software/hardware) to support Incident Response Team mission.
- Read, interpret, write, modify, and execute simple scripts (e.g., Perl, VBScript) on Windows and UNIX systems (e.g., those that perform tasks such as: parsing large data files, automating manual tasks, and fetching/processing remote data).
- Identify and/or develop reverse engineering tools to enhance capabilities and detect vulnerabilities.
- Analyze organizational cyber policy.