Skip to Content
Digital Forensics Specialist
12/3/2019 11:03:32 AM
Resource Category
Primary Core Capability
Secondary Core Capability
Resource Kind
Overall Function
The Digital Forensic Specialist investigates and recovers material found in digital devices
Single resource
In conjunction with a NIMS typed team
NIMS Typed Team
Cyber Incident Response Team
In conjunction with a NIMS typed unit
NIMS Typed Unit
Description Notes
Not Specified
Supporting Core Capabilities
Type Description
Type 1Same as Type 2
Type 2The National Incident Management System (NIMS) Type 2 Digital Forensics Specialist: 1. Collects, processes, and preserves computer-related evidence in support of network vulnerability mitigation and criminal fraud counterintelligence or law enforcement investigations 2. Works under the technical direction of the NIMS Type 1 Digital Forensics Specialist
Component Notes  
EducationNot Specified
Component Types
Type Criteria
Type 1Not Specified
Type 2Not Specified
TrainingAny use of the term “forensics” is descriptive of a skill or capability and does not imply a law enforcement role.
Component Types
Type Criteria
Type 1Same as Type 2
Type 2Completion of the following: 1. IS-100: Introduction to Incident Command System, ICS-100 2. IS-200: Basic Incident Command System for Initial Response, ICS-200 3. IS-700: National Incident Management System, An Introduction 4. IS-800: National Response Framework, An Introduction
ExperienceThe knowledge, skills, and abilities align with the National Institute of Standards and Technology’s National Initiative for Cyber Education (NICE) National Cybersecurity Workforce Framework.
Component Types
Type Criteria
Type 1Same as Type 2, PLUS: Knowledge, Skills, and Abilities: 1. Security event correlation tools 2. Debugging procedures and tools 3. Reverse engineering concepts 4. Network security architecture concepts, including topology, protocols, components, and principles 5. Basic system administration, network, and operating hardening techniques 6. Malware analysis tools 7. Conducting forensic analyses in multiple operating system environments 8. Analysis of captured malicious code 9. Using binary analysis tools 10. Identifying abnormal or irregular code and determining whether it is a threat 11. Identifying obscure threats and techniques 12. Interpreting results of debugger to ascertain tactics, techniques, and procedures 13. Developing, testing, and implementing network infrastructure contingency and recovery plans 14. Packet-level analysis using appropriate tools 15. Decrypting digital data collections AHJ-validated experience demonstrated in the following: 1. Collecting and analyzing intrusion artifacts and using discovered data to enable mitigation of potential computer network defense (CND) incidents within the enterprise 2. Confirming intrusion and discovering new information, if possible, after identifying intrusion via dynamic analysis 3. Decrypting seized data using technical means 4. Providing technical summary of findings in accordance with established reporting procedures 5. Examining recovered data for information of relevance to the issue at hand 6. Performing CND incident triage, to include determining scope, urgency, and potential impact; identifying the specific vulnerability; and making recommendations that enable expeditious remediation 7. Performing dynamic analysis to boot an image of a drive (without necessarily having the original drive) to see the intrusion as the user may have seen it in a native environment 8. Analyzing life forensic 9. Analyzing timeline 10. Analyzing static media and 1, 2, and 3 malware 11. Recognizing and accurately reporting forensic artifacts indicative of a particular operating system 12. Reviewing forensic images and other data sources for recovery of potentially relevant information 13. Using network monitoring tools to capture and analyze network traffic associated with malicious activity 14. Writing and publishing CND guidance and reports on incident findings to appropriate constituencies 15. Conducting a cursory binary analysis 16. Virus scanning on digital media 17. Analyzing file system forensic analysis 18. Analyzing to mount an "image" of a drive (without necessarily having the original drive) 19. Using deployable forensics toolkit to support operations as necessary
Type 2Agency Having Jurisdiction (AHJ)-validated knowledge, skills, and abilities demonstrated in the following areas: 1. Electronic evidence law 2. Legal rules of evidence and court procedure 3. Recognizing different types of digital forensics data 4. Deployable forensics 5. Anti-forensic tactics, techniques, and procedures 6. Common forensic tool configuration and support applications from the leading industry tools 7. Data carving tools and technique 8. Computer Fraud and Abuse Act 9. Virtual machine aware malware, aware debugger malware, and packing 10. Basic concepts and practices of processing digital forensic data 11. Encryption algorithms 12. Incident response and handling methodologies 13. Desktop, server, mainframe operating systems including Windows, Unix, Linux, Mac OS 14. Server diagnostics tools and fault identification techniques 15. Basic physical computer component and architectures, including the functions of various components and peripherals 16. File system implementations 17. Processes for seizing and preserving digital evidence 18. Hacking methodologies for common operating systems 19. Legal governance related to admission into systems 20. Processes for collecting, packaging, transporting, and storing electronic evidence to avoid alteration, loss, physical damage, or destruction of data 21. Types and collection of data 22. Webmail collection, searching/analyzing techniques, tools, and cookies 23. System files (such as log files, registry files, configuration files) that contain relevant information 24. Forensic tool suites 25. Physically disassembling personal computers and servers 26. Identifying and extracting data of forensic interest in diverse media 27. Identifying, modifying, and manipulating applicable system components 28. Setting up a forensic workstation 29. One way hash functions 30. Analyzing volatile data 31. Identifying obfuscation techniques AHJ-documented and validated experience demonstrated in the following areas: 1. Conducting analysis of log files, evidence, and other information in order to determine best methods for identifying additional sources of evidence 2. Transportation and storage of data evidence 3. Tamper proofing packaging 4. Creating a forensically sound duplicate of the evidence that ensures the original evidence is not unintentionally modified, to use for data recovery and analysis processes 5. Documenting original condition of all evidence 6. Ensuring chain of custody is followed for all digital media acquired in accordance with applicable state and federal rules of evidence 7. Identifying digital evidence for examination and analysis in such a way as to avoid unintentional alteration 8. Analyzing file signature 9. Comparing against established database 10. Capturing live forensic data 11. Preparing digital media for imaging for ensuring data integrity 12. Providing technical assistance on digital evidence matters to appropriate personnel
Physical/Medical FitnessThe NIMS Guideline for the National Qualification System (NQS) defines Physical/Medical Fitness levels for NIMS positions.
Component Types
Type Criteria
Type 1Same as Type 2
Type 2Light
CurrencyProvider must carry out and use any background checks as applicable law specifies. This may include a background check completed within past 12 months; sex-offender registry check; and a local, state, and a local, state, and national criminal history.
Component Types
Type Criteria
Type 1Same as Type 2
Type 21. Functions in this position during an operational incident, planned event, exercise, drill, or simulation at least once every year 2. Background checks as applicable law permits and requires 3. Active security clearance
Professional and Technical Licenses and CertificationsNot Specified
Component Types
Type Criteria
Type 1Same as Type 2, PLUS: 1. Certified Digital Forensic Examiner (CDFE) 2. Certified Computer Crime Investigator (CCCI) 3. Information Assurance Certification (IAC) 4. Certified Forensic Examiner (CFE) 5. Certified Computer Hacking Forensic Investigator (CCHFI)
Type 21. Technical qualifications equivalent to Department of Defense Directive (DoDD) 8570 Level 2 2. Certified Digital Media Collector (CDMC)
Composition and Ordering Specifications
Discuss logistics for deploying this position, such as working conditions, length of deployment, security, lodging, transportation, and meals, prior to deployment
FEMA, NIMS 508: Cyber Incident Response Team
FEMA, National Incident Management System (NIMS), October 2017
FEMA, NIMS Guideline for the National Qualification System, November 2017
FEMA, National Response Framework, June 2016
National Initiative for Cybersecurity Education, National Cybersecurity Workforce Framework, v.2, May 2014
Department of Defense Directive (DoDD), 8570 and Global Assurance Information Certification (GAIC), January 2014