| Education | Not Specified |
| Type 1 | Not Specified |
| Type 2 | Not Specified |
|
| Training | Any use of the term “forensics” is descriptive of a skill or capability and does not imply a law enforcement role. |
| Type 1 | Same as Type 2 |
| Type 2 | Completion of the following:
1. IS-100: Introduction to Incident Command System, ICS-100
2. IS-200: Basic Incident Command System for Initial Response, ICS-200
3. IS-700: National Incident Management System, An Introduction
4. IS-800: National Response Framework, An Introduction |
|
| Experience | The knowledge, skills, and abilities align with the National Institute of Standards and Technology’s National Initiative for Cyber Education (NICE) National Cybersecurity Workforce Framework. |
| Type 1 | Same as Type 2, PLUS:
Knowledge, Skills, and Abilities:
1. Security event correlation tools
2. Debugging procedures and tools
3. Reverse engineering concepts
4. Network security architecture concepts, including topology, protocols, components, and principles
5. Basic system administration, network, and operating system hardening techniques
6. Malware analysis tools
7. Conducting forensic analyses in multiple operating system environments
8. Analysis of captured malicious code
9. Using binary analysis tools
10. Identifying abnormal or irregular code and determining whether it is a threat
11. Identifying obscure threats and techniques
12. Interpreting debugger results to ascertain tactics, techniques, and procedures
13. Developing, testing, and implementing network infrastructure contingency and recovery plans
14. Packet-level analysis using appropriate tools
15. Decrypting digital data collections
AHJ-validated experience demonstrated in the following:
1. Collecting and analyzing intrusion artifacts and using discovered data to enable mitigation of potential computer network defense (CND) incidents within the enterprise
2. Confirming intrusion and discovering new information, if possible, after identifying intrusion via dynamic analysis
3. Decrypting seized data using technical means
4. Providing technical summary of findings in accordance with established reporting procedures
5. Examining recovered data for information of relevance to the issue at hand
6. Performing CND incident triage, to include determining scope, urgency, and potential impact; identifying the specific vulnerability; and making recommendations that enable expeditious remediation
7. Performing dynamic analysis to boot an image of a drive (without necessarily having the original drive) to see the intrusion as the user may have seen it in a native environment
8. Analyzing live forensic data
9. Analyzing timelines
10. Analyzing static media and performing tier 1, 2, and 3 malware analysis
11. Recognizing and accurately reporting forensic artifacts indicative of a particular operating system
12. Reviewing forensic images and other data sources for recovery of potentially relevant information
13. Using network monitoring tools to capture and analyze network traffic associated with malicious activity
14. Writing and publishing CND guidance and reports on incident findings to appropriate constituencies
15. Conducting a cursory binary analysis
16. Virus scanning on digital media
17. Performing file system forensic analysis
18. Mounting an "image" of a drive (without necessarily having the original drive) for analysis
19. Using deployable forensics toolkit to support operations as necessary |
| Type 2 | Agency Having Jurisdiction (AHJ)-validated knowledge, skills, and abilities demonstrated in the following areas:
1. Electronic evidence law
2. Legal rules of evidence and court procedure
3. Recognizing different types of digital forensics data
4. Deployable forensics
5. Anti-forensic tactics, techniques, and procedures
6. Common forensic tool configuration and support applications from the leading industry tools
7. Data carving tools and techniques
8. Computer Fraud and Abuse Act
9. Virtual machine-aware malware, debugger-aware malware, and packing
10. Basic concepts and practices of processing digital forensic data
11. Encryption algorithms
12. Incident response and handling methodologies
13. Desktop, server, mainframe operating systems including Windows, Unix, Linux, Mac OS
14. Server diagnostics tools and fault identification techniques
15. Basic physical computer component and architectures, including the functions of various components and peripherals
16. File system implementations
17. Processes for seizing and preserving digital evidence
18. Hacking methodologies for common operating systems
19. Legal governance related to admission into systems
20. Processes for collecting, packaging, transporting, and storing electronic evidence to avoid alteration, loss, physical damage, or destruction of data
21. Types and collection of data
22. Webmail collection, searching/analyzing techniques, tools, and cookies
23. System files (such as log files, registry files, configuration files) that contain relevant information
24. Forensic tool suites
25. Physically disassembling personal computers and servers
26. Identifying and extracting data of forensic interest in diverse media
27. Identifying, modifying, and manipulating applicable system components
28. Setting up a forensic workstation
29. One way hash functions
30. Analyzing volatile data
31. Identifying obfuscation techniques
AHJ-documented and validated experience demonstrated in the following areas:
1. Conducting analysis of log files, evidence, and other information in order to determine best methods for identifying additional sources of evidence
2. Transportation and storage of data evidence
3. Tamper-proof packaging
4. Creating a forensically sound duplicate of the evidence that ensures the original evidence is not unintentionally modified, to use for data recovery and analysis processes
5. Documenting original condition of all evidence
6. Ensuring chain of custody is followed for all digital media acquired in accordance with applicable state and federal rules of evidence
7. Identifying digital evidence for examination and analysis in such a way as to avoid unintentional alteration
8. Analyzing file signatures
9. Comparing against an established database
10. Capturing live forensic data
11. Preparing digital media for imaging to ensure data integrity
12. Providing technical assistance on digital evidence matters to appropriate personnel |
|
| Physical/Medical Fitness | The NIMS Guideline for the National Qualification System (NQS) defines Physical/Medical Fitness levels for NIMS positions. |
| Type 1 | Same as Type 2 |
| Type 2 | Light |
|
| Currency | Provider must carry out and use any background checks as applicable law specifies. This may include a background check completed within the past 12 months; a sex-offender registry check; and a local, state, and national criminal history check. |
| Type 1 | Same as Type 2 |
| Type 2 | 1. Functions in this position during an operational incident, planned event, exercise, drill, or simulation at least once every year
2. Background checks as applicable law permits and requires
3. Active security clearance |
|
| Professional and Technical Licenses and Certifications | Not Specified |
| Type 1 | Same as Type 2, PLUS:
1. Certified Digital Forensic Examiner (CDFE)
2. Certified Computer Crime Investigator (CCCI)
3. Information Assurance Certification (IAC)
4. Certified Forensic Examiner (CFE)
5. Certified Computer Hacking Forensic Investigator (CCHFI) |
| Type 2 | 1. Technical qualifications equivalent to Department of Defense Directive (DoDD) 8570 Level 2
2. Certified Digital Media Collector (CDMC) |
|