Law Enforcement / Counterintelligence Forensics Analyst

Conducts detailed investigations on computer-based crimes establishing documentary or physical evidence, to include digital media and logs associated with cyber intrusion incidents.
  • Knowledge of computer networking concepts and protocols, and network security methodologies.
  • Knowledge of risk management processes (e.g., methods for assessing and mitigating risk).
  • Knowledge of laws, regulations, policies, and ethics as they relate to cybersecurity and privacy.
  • Knowledge of cybersecurity and privacy principles.
  • Knowledge of cyber threats and vulnerabilities.
  • Knowledge of specific operational impacts of cybersecurity lapses.
  • Knowledge of concepts and practices of processing digital forensic data.
  • Knowledge of data backup and recovery.
  • Knowledge of incident response and handling methodologies.
  • Knowledge of operating systems.
  • Knowledge of system and application security threats and vulnerabilities (e.g., buffer overflow, mobile code, cross-site scripting, SQL and Procedural Language/Structured Query Language [PL/SQL] injection, race conditions, covert channels, replay, return-oriented attacks, malicious code).
  • Knowledge of server and client operating systems.
  • Knowledge of server diagnostic tools and fault identification techniques.
  • Knowledge of Insider Threat investigations, reporting, investigative tools and laws/regulations.
  • Knowledge of physical computer components and architectures, including the functions of various components and peripherals (e.g., CPUs, Network Interface Cards, data storage).
  • Knowledge of file system implementations (e.g., New Technology File System [NTFS], File Allocation Table [FAT], Linux extended file system [ext2/ext3/ext4]).
  • Knowledge of processes for seizing and preserving digital evidence.
  • Knowledge of hacking methodologies.
  • Knowledge of investigative implications of hardware, Operating Systems, and network technologies.
  • Knowledge of legal governance related to admissibility (e.g. Rules of Evidence).
  • Knowledge of processes for collecting, packaging, transporting, and storing electronic evidence while maintaining chain of custody.
  • Knowledge of types and collection of persistent data.
  • Knowledge of web mail collection, searching/analyzing techniques, tools, and cookies.
  • Knowledge of which system files (e.g., log files, registry files, configuration files) contain relevant information and where to find those system files.
  • Knowledge of types of digital forensics data and how to recognize them.
  • Knowledge of deployable forensics.
  • Knowledge of security event correlation tools.
  • Knowledge of electronic evidence law.
  • Knowledge of legal rules of evidence and court procedure.
  • Knowledge of system administration, network, and operating system hardening techniques.
  • Knowledge of applicable laws, statutes (e.g., in Titles 10, 18, 32, 50 in U.S. Code), Presidential Directives, executive branch guidelines, and/or administrative/criminal legal guidelines and procedures.
  • Knowledge of network security architecture concepts including topology, protocols, components, and principles (e.g., application of defense-in-depth).
  • Knowledge of data carving tools and techniques (e.g., Foremost).
  • Knowledge of reverse engineering concepts.
  • Knowledge of anti-forensics tactics, techniques, and procedures.
  • Knowledge of forensics lab design, configuration, and support applications (e.g., VMware, Wireshark).
  • Knowledge of debugging procedures and tools.
  • Knowledge of file type abuse by adversaries for anomalous behavior.
  • Knowledge of malware analysis tools (e.g., OllyDbg, IDA Pro).
  • Knowledge of evasive malware (e.g., virtual-machine-aware malware, debugger-aware malware, and malware that checks hardware, driver, or display-adapter identifiers for VM-related strings before unpacking its payload).
  • Knowledge of data concealment (e.g. encryption algorithms and steganography).
  • Knowledge of application security risks (e.g., the Open Web Application Security Project [OWASP] Top 10 list).
  • Skill in developing, testing, and implementing network infrastructure contingency and recovery plans.
  • Skill in performing packet-level analysis using appropriate tools (e.g., Wireshark, tcpdump).
  • Skill in preserving evidence integrity according to standard operating procedures or national standards.
  • Skill in analyzing memory dumps to extract information.
  • Skill in identifying and extracting data of forensic interest in diverse media (i.e., media forensics).
  • Skill in identifying, modifying, and manipulating applicable system components within Windows, Unix, or Linux (e.g., passwords, user accounts, files).
  • Skill in collecting, processing, packaging, transporting, and storing electronic evidence to avoid alteration, loss, physical damage, or destruction of data.
  • Skill in setting up a forensic workstation.
  • Skill in using forensic tool suites (e.g., EnCase, The Sleuth Kit, FTK).
  • Skill in using virtual machines (e.g., Microsoft Hyper-V, VMware vSphere, Citrix XenDesktop/XenServer, Amazon Elastic Compute Cloud).
  • Skill in physically disassembling PCs.
  • Skill in conducting forensic analyses in multiple operating system environments (e.g., mobile device systems).
  • Skill in deep analysis of captured malicious code (e.g., malware forensics).
  • Skill in using binary analysis tools (e.g., hexedit, xxd, hexdump).
  • Skill in one-way hash functions (e.g., Secure Hash Algorithm [SHA-256], Message Digest Algorithm 5 [MD5]); note that MD5 is collision-broken and should be recorded only alongside a SHA-2 digest for compatibility with legacy tooling, not as the sole integrity check.
  • Skill in analyzing anomalous code as malicious or benign.
  • Skill in analyzing volatile data.
  • Skill in identifying obfuscation techniques.
  • Skill in interpreting results of debugger to ascertain tactics, techniques, and procedures.
  • Ability to decrypt digital data collections.
  • Ability to examine digital media on multiple operating system platforms.
  • Develop a plan to investigate alleged crime, violation, or suspicious activity utilizing computers and the Internet.
  • Establish relationships, if applicable, between the incident response team and other groups, both internal (e.g., legal department) and external (e.g., law enforcement agencies, vendors, public relations professionals).
  • Resolve conflicts in laws, regulations, policies, standards, or procedures.
  • Analyze incident data for emerging trends.
  • Perform file and registry monitoring on the running system after identifying intrusion via dynamic analysis.
  • Acquire and maintain a working knowledge of constitutional issues which arise in relevant laws, regulations, policies, agreements, standards, procedures, or other issuances.
  • Maintain deployable cyber defense toolkit (e.g., specialized cyber defense software/hardware) to support Incident Response Team mission.
  • Read, interpret, write, modify, and execute simple scripts (e.g., Perl, VBScript) on Windows and UNIX systems (e.g., those that perform tasks such as: parsing large data files, automating manual tasks, and fetching/processing remote data).
  • Identify and/or develop reverse engineering tools to enhance capabilities and detect vulnerabilities.
  • Analyze organizational cyber policy.
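Several of the items above (data carving tools such as Foremost, one-way hash functions, and preserving evidence integrity while collecting and storing electronic evidence) describe techniques rather than explain them. The following is an added example, not code from the NICE framework or from Foremost: a minimal header/footer carver run over a constructed raw image, with a SHA-256 manifest for the carved artifacts and a verification step that detects later alteration. The signature table, the sample image contents, and the manifest format are all assumptions made for this example.

```python
"""Header/footer file carving over a raw image, plus a SHA-256 integrity manifest.

Added example for the forensics analyst role; not code from the NICE framework
or from any carving tool. The signature list below is a hypothetical minimal
subset of the kind of table Foremost-style carvers ship with.
"""
import hashlib
from dataclasses import dataclass

# (kind, header magic, footer magic). Real carvers carry many more entries
# and per-type size limits; this subset is an assumption for the example.
SIGNATURES = [
    ("jpg", b"\xff\xd8\xff", b"\xff\xd9"),
    ("png", b"\x89PNG\r\n\x1a\n", b"IEND\xae\x42\x60\x82"),
]


@dataclass
class Carved:
    kind: str
    offset: int      # byte offset of the header inside the image
    data: bytes      # carved bytes, header through footer inclusive
    sha256: str      # digest recorded at carve time


def carve(image: bytes, max_size: int = 10 * 1024 * 1024) -> list[Carved]:
    """Scan for each header; carve to the first footer within max_size bytes.

    A header with no footer inside the window (truncated or overwritten file)
    is skipped rather than carved to end-of-image, which is the common
    failure mode of naive carvers.
    """
    found = []
    for kind, header, footer in SIGNATURES:
        pos = 0
        while True:
            start = image.find(header, pos)
            if start < 0:
                break
            end = image.find(footer, start + len(header), start + max_size)
            if end < 0:
                pos = start + 1          # no footer in window: skip this header
                continue
            end += len(footer)
            data = image[start:end]
            found.append(Carved(kind, start, data, hashlib.sha256(data).hexdigest()))
            pos = end                    # resume after the carved file
    found.sort(key=lambda c: c.offset)
    return found


def artifact_name(c: Carved) -> str:
    """Deterministic output name: kind_<hex offset>.kind (assumed convention)."""
    return f"{c.kind}_{c.offset:08x}.{c.kind}"


def manifest(carved: list[Carved]) -> str:
    """sha256sum-style manifest: '<digest>  <name>' per line."""
    return "".join(f"{c.sha256}  {artifact_name(c)}\n" for c in carved)


def verify(files: dict[str, bytes], manifest_text: str) -> dict[str, bool]:
    """Re-hash each named artifact and compare against the recorded digest.

    Returns a per-artifact pass/fail map; a missing file fails as well.
    """
    results = {}
    for line in manifest_text.splitlines():
        digest, name = line.split("  ", 1)
        data = files.get(name)
        results[name] = data is not None and hashlib.sha256(data).hexdigest() == digest
    return results


def build_sample_image() -> bytes:
    """Constructed raw image: filler, a tiny PNG, slack, a tiny JPEG, then a
    JPEG header with no footer (simulating a truncated file)."""
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 20 + b"IEND\xae\x42\x60\x82"      # 36 bytes
    jpg = b"\xff\xd8\xff\xe0" + b"JFIF" + b"\x11" * 30 + b"\xff\xd9"           # 40 bytes
    truncated = b"\xff\xd8\xff\xe1" + b"\x22" * 10
    return b"\x00" * 64 + png + b"\x00" * 32 + jpg + b"\x00" * 16 + truncated + b"\x00" * 8


if __name__ == "__main__":
    image = build_sample_image()
    carved = carve(image)
    text = manifest(carved)
    print(text, end="")
    files = {artifact_name(c): c.data for c in carved}
    print("verify (untouched):", verify(files, text))
    # Simulate post-collection alteration of one artifact.
    name = artifact_name(carved[1])
    files[name] = files[name][:-1] + b"\x00"
    print("verify (tampered): ", verify(files, text))
```

The manifest lines are in the same `<digest>  <name>` layout that `sha256sum -c` accepts, so the same file can be checked later with standard tooling; the truncated JPEG header in the sample is deliberately left uncarved to show the footer-window check doing its job.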