Cyber Crime Investigator

Work Role ID: 221 (NIST: IN-CI-001)
Category/Specialty Area: Investigate / Cyber Investigations
Workforce Element: Cyberspace Enablers / Legal/Law Enforcement

Identifies, collects, examines, and preserves evidence using controlled and documented analytical and investigative techniques.


Items denoted by a * are CORE KSATs for every Work Role, while other CORE KSATs vary by Work Role.

Core KSATs

| KSAT ID | Description | KSAT Type |
|---|---|---|
| 22 | * Knowledge of computer networking concepts and protocols, and network security methodologies. | Knowledge |
| 108 | * Knowledge of risk management processes (e.g., methods for assessing and mitigating risk). | Knowledge |
| 217 | Skill in preserving evidence integrity according to standard operating procedures or national standards. | Skill |
| 281 | Knowledge of electronic devices (e.g., computer systems/components, access control devices, digital cameras, electronic organizers, hard drives, memory cards, modems, network components, printers, removable storage devices, scanners, telephones, copiers, credit card skimmers, facsimile machines, global positioning systems [GPSs]). | Knowledge |
| 290 | Knowledge of processes for seizing and preserving digital evidence (e.g., chain of custody). | Knowledge |
| 340 | Knowledge of types and collection of persistent data. | Knowledge |
| 369 | Skill in collecting, processing, packaging, transporting, and storing electronic evidence to avoid alteration, loss, physical damage, or destruction of data. | Skill |
| 1036 | Knowledge of applicable laws (e.g., Electronic Communications Privacy Act, Foreign Intelligence Surveillance Act, Protect America Act, search and seizure laws, civil liberties and privacy laws), statutes (e.g., in Titles 10, 18, 32, 50 in U.S. Code), Presidential Directives, executive branch guidelines, and/or administrative/criminal legal guidelines and procedures relevant to work performed. | Knowledge |
| 1157 | * Knowledge of national and international laws, regulations, policies, and ethics as they relate to cybersecurity. | Knowledge |
| 1158 | * Knowledge of cybersecurity principles. | Knowledge |
| 1159 | * Knowledge of cyber threats and vulnerabilities. | Knowledge |
| 3155 | Knowledge of client organizations, including information needs, objectives, structure, capabilities, etc. | Knowledge |
| 3159 | Knowledge of cyber operations support or enabling processes. | Knowledge |
| 3211 | Knowledge of cyber laws and legal considerations and their effect on cyber planning. | Knowledge |
| 3235 | Knowledge of deconfliction processes and procedures. | Knowledge |
| 3257 | Knowledge of target and threat organization structures, critical capabilities, and critical vulnerabilities. | Knowledge |
| 3262 | Knowledge of evolving/emerging communications technologies. | Knowledge |
| 3264 | Knowledge of existing, emerging, and long-range issues related to cyber operations strategy, policy, and organization. | Knowledge |
| 3356 | Knowledge of organization policies and planning concepts for partnering with internal and/or external organizations. | Knowledge |
| 3419 | Knowledge of organization or partner exploitation of digital networks. | Knowledge |
| 3585 | Knowledge of accepted organization planning systems. | Knowledge |
| 3591 | Knowledge of organization objectives, leadership priorities, and decision-making risks. | Knowledge |
| 3615 | Knowledge of the structure and intent of organization specific plans, guidance and authorizations. | Knowledge |
| 3627 | Knowledge of cryptologic capabilities, limitations, and contributions to cyber operations. | Knowledge |
| 3638 | Knowledge of organization issues, objectives, and operations in cyber as well as regulations and policy directives governing cyber operations. | Knowledge |
| 3639 | Knowledge of organization cyber operations programs, strategies, and resources. | Knowledge |
| 6900 | * Knowledge of specific operational impacts of cybersecurity lapses. | Knowledge |

Additional KSATs

| KSAT ID | Description | KSAT Type |
|---|---|---|
| 105 | Knowledge of system and application security threats and vulnerabilities (e.g., buffer overflow, mobile code, cross-site scripting, Procedural Language/Structured Query Language [PL/SQL] and injections, race conditions, covert channel, replay, return-oriented attacks, malicious code). | Knowledge |
| 310 | Knowledge of legal governance related to admissibility (e.g., Federal Rules of Evidence). | Knowledge |
| 383 | Skill in using scientific rules and methods to solve problems. | Skill |
| 454 | Conduct interviews of victims and witnesses and conduct interviews or interrogations of suspects. | Task |
| 507A | Determine and develop leads and identify sources of information in order to identify and/or prosecute the responsible parties to an intrusion or other crimes. | Task |
| 512 | Develop a plan to investigate alleged crime, violation, or suspicious activity utilizing computers and the internet. | Task |
| 564A | Document original condition of digital and/or associated evidence (e.g., via digital photographs, written reports, hash function checking). | Task |
| 597 | Establish relationships, if applicable, between the incident response team and other groups, both internal (e.g., legal department) and external (e.g., law enforcement agencies, vendors, and public relations professionals). | Task |
| 620A | Employ information technology (IT) systems and digital storage media to solve, investigate, and/or prosecute cybercrimes and fraud committed against people and property. | Task |
| 623 | Fuse computer network attack analyses with criminal and counterintelligence investigations and operations. | Task |
| 633 | Identify and/or determine whether a security incident is indicative of a violation of law that requires specific legal action. | Task |
| 636 | Identify digital evidence for examination and analysis in such a way as to avoid unintentional alteration. | Task |
| 649 | Identify, collect, and seize documentary or physical evidence, to include digital media and logs associated with cyber intrusion incidents, investigations, and operations. | Task |
| 788A | Prepare reports to document the investigation following legal standards and requirements. | Task |
| 843 | Secure the electronic device or information source. | Task |
| 917 | Knowledge of social dynamics of computer attackers in a global context. | Knowledge |
| 1039 | Skill in evaluating the trustworthiness of the supplier and/or product. | Skill |
| 5040 | Analyze the crisis situation to ensure public, personal, and resource protection. | Task |
| 5070 | Assess the behavior of the individual victim, witness, or suspect as it relates to the investigation. | Task |
| 5210 | Determine the extent of threats and recommend courses of action and countermeasures to mitigate risks. | Task |
| 5580 | Provide criminal investigative support to trial counsel during the judicial process. | Task |
| 6230 | Knowledge of crisis management protocols, processes, and techniques. | Knowledge |
| 6370 | Knowledge of physical and physiological behaviors that may indicate suspicious or abnormal activity. | Knowledge |
| 6440 | Knowledge of the judicial process, including the presentation of facts and evidence. | Knowledge |