Legal/Law Enforcement

Legal/Law Enforcement


Below are the associated Work Roles. Click the arrow to expand/collapse the Work Role information and view the associated Core and Additional KSATs (Knowledge, Skills, Abilties, and Tasks). Items denoted by a * are CORE KSATs for every Work Role, while other CORE KSATs vary by Work Role. Click on the other blue links to further explore the information.
Cyber Crime Investigator Work Role ID: 221 (NIST: IN-CI-001) Category/Specialty Area: Investigate / Cyber Investigations Workforce Element: Cyberspace Enablers / Legal/Law Enforcement

Identifies, collects, examines, and preserves evidence using controlled and documented analytical and investigative techniques.

Core KSATs

KSAT ID Description KSAT
22

* Knowledge of computer networking concepts and protocols, and network security methodologies.

Knowledge
108

* Knowledge of risk management processes (e.g., methods for assessing and mitigating risk).

Knowledge
217

Skill in preserving evidence integrity according to standard operating procedures or national standards.

Skill
281

Knowledge of electronic devices (e.g., computer systems/components, access control devices, digital cameras, electronic organizers, hard drives, memory cards, modems, network components, printers, removable storage devices, scanners, telephones, copiers, credit card skimmers, facsimile machines, global positioning systems [GPSs]).

Knowledge
290

Knowledge of processes for seizing and preserving digital evidence (e.g., chain of custody).

Knowledge
340

Knowledge of types and collection of persistent data.

Knowledge
369

Skill in collecting, processing, packaging, transporting, and storing electronic evidence to avoid alteration, loss, physical damage, or destruction of data.

Skill
1036

Knowledge of applicable laws (e.g., Electronic Communications Privacy Act, Foreign Intelligence Surveillance Act, Protect America Act, search and seizure laws, civil liberties and privacy laws), statutes (e.g., in Titles 10, 18, 32, 50 in U.S. Code), Presidential Directives, executive branch guidelines, and/or administrative/criminal legal guidelines and procedures relevant to work performed.

Knowledge
1157

* Knowledge of national and international laws, regulations, policies, and ethics as they relate to cybersecurity.

Knowledge
1158

* Knowledge of cybersecurity principles.

Knowledge
1159

* Knowledge of cyber threats and vulnerabilities.

Knowledge
3155

Knowledge of client organizations, including information needs, objectives, structure, capabilities, etc.

Knowledge
3159

Knowledge of cyber operations support or enabling processes.

Knowledge
3211

Knowledge of cyber laws and legal considerations and their effect on cyber planning.

Knowledge
3235

Knowledge of deconfliction processes and procedures.

Knowledge
3257

Knowledge of target and threat organization structures, critical capabilities, and critical vulnerabilities.

Knowledge
3262

Knowledge of evolving/emerging communications technologies.

Knowledge
3264

Knowledge of existing, emerging, and long-range issues related to cyber operations strategy, policy, and organization.

Knowledge
3356

Knowledge of organization policies and planning concepts for partnering with internal and/or external organizations.

Knowledge
3419

Knowledge of organization or partner exploitation of digital networks.

Knowledge
3585

Knowledge of accepted organization planning systems.

Knowledge
3591

Knowledge of organization objectives, leadership priorities, and decision-making risks.

Knowledge
3615

Knowledge of the structure and intent of organization specific plans, guidance and authorizations.

Knowledge
3627

Knowledge of cryptologic capabilities, limitations, and contributions to cyber operations.

Knowledge
3638

Knowledge of organization issues, objectives, and operations in cyber as well as regulations and policy directives governing cyber operations.

Knowledge
3639

Knowledge of organization cyber operations programs, strategies, and resources.

Knowledge
6900

* Knowledge of specific operational impacts of cybersecurity lapses.

Knowledge

Additional KSATs

KSAT ID Description KSAT
105

Knowledge of system and application security threats and vulnerabilities (e.g., buffer overflow, mobile code, cross-site scripting, Procedural Language/Structured Query Language [PL/SQL] and injections, race conditions, covert channel, replay, return-oriented attacks, malicious code).

Knowledge
310

Knowledge of legal governance related to admissibility (e.g., Federal Rules of Evidence).

Knowledge
383

Skill in using scientific rules and methods to solve problems.

Skill
454

Conduct interviews of victims and witnesses and conduct interviews or interrogations of suspects.

Task
507A

Determine and develop leads and identify sources of information in order to identify and/or prosecute the responsible parties to an intrusion or other crimes.

Task
512

Develop a plan to investigate alleged crime, violation, or suspicious activity utilizing computers and the internet.

Task
564A

Document original condition of digital and/or associated evidence (e.g., via digital photographs, written reports, hash function checking).

Task
597

Establish relationships, if applicable, between the incident response team and other groups, both internal (e.g., legal department) and external (e.g., law enforcement agencies, vendors, and public relations professionals).

Task
620A

Employ information technology (IT) systems and digital storage media to solve, investigate, and/or prosecute cybercrimes and fraud committed against people and property.

Task
623

Fuse computer network attack analyses with criminal and counterintelligence investigations and operations.

Task
633

Identify and/or determine whether a security incident is indicative of a violation of law that requires specific legal action.

Task
636

Identify digital evidence for examination and analysis in such a way as to avoid unintentional alteration.

Task
649

Identify, collect, and seize documentary or physical evidence, to include digital media and logs associated with cyber intrusion incidents, investigations, and operations.

Task
788A

Prepare reports to document the investigation following legal standards and requirements.

Task
843

Secure the electronic device or information source.

Task
917

Knowledge of social dynamics of computer attackers in a global context.

Knowledge
1039

Skill in evaluating the trustworthiness of the supplier and/or product.

Skill
5040

Analyze the crisis situation to ensure public, personal, and resource protection.

Task
5070

Assess the behavior of the individual victim, witness, or suspect as it relates to the investigation.

Task
5210

Determine the extent of threats and recommend courses of action and countermeasures to mitigate risks.

Task
5580

Provide criminal investigative support to trial counsel during the judicial process.

Task
6230

Knowledge of crisis management protocols, processes, and techniques.

Knowledge
6370

Knowledge of physical and physiological behaviors that may indicate suspicious or abnormal activity.

Knowledge
6440

Knowledge of the judicial process, including the presentation of facts and evidence.

Knowledge
Cyber Legal Advisor Work Role ID: 731 (NIST: OV-LG-001) Category/Specialty Area: Oversee & Govern / Legal Advice and Advocacy Workforce Element: Cyberspace Enablers / Legal/Law Enforcement

Provides legal advice and recommendations on relevant topics related to cyber law.

Core KSATs

KSAT ID Description KSAT
22

* Knowledge of computer networking concepts and protocols, and network security methodologies.

Knowledge
108

* Knowledge of risk management processes (e.g., methods for assessing and mitigating risk).

Knowledge
339A

Knowledge of business or military operation plans, concept operation plans, orders, policies, and standing rules of engagement.

Knowledge
390A

Acquire and maintain a working knowledge of constitutional issues relevant laws, regulations, policies, agreements, standards, procedures, or other issuances.

Task
574A

Provide legal analysis and decisions to inspector generals, privacy officers, oversight and compliance personnel with regard to compliance with cybersecurity policies and relevant legal and regulatory requirements.

Task
984

Knowledge of cyber defense policies, procedures, and regulations.

Knowledge
1157

* Knowledge of national and international laws, regulations, policies, and ethics as they relate to cybersecurity.

Knowledge
1158

* Knowledge of cybersecurity principles.

Knowledge
1159

* Knowledge of cyber threats and vulnerabilities.

Knowledge
6900

* Knowledge of specific operational impacts of cybersecurity lapses.

Knowledge

Additional KSATs

KSAT ID Description KSAT
24

Knowledge of concepts and practices of processing digital forensic data.

Knowledge
88

Knowledge of new and emerging information technology (IT) and cybersecurity technologies.

Knowledge
252

Knowledge of and experience in Insider Threat investigations, reporting, investigative tools and laws/regulations.

Knowledge
300A

Knowledge of intelligence principles, policies, and procedures including legal authorities and restrictions.

Knowledge
398

Advocate organization’s official position in legal and legislative proceedings.

Task
451A

Conduct framing of pleadings to properly identify alleged violations of law, regulations, or policy/guidance.

Task
539A

Develop guidelines for implementation.

Task
599

Evaluate contracts to ensure compliance with funding, legal, and program requirements.

Task
607

Evaluate the effectiveness of laws, regulations, policies, standards, or procedures.

Task
612A

Evaluate the impact of changes to laws, regulations, policies, standards, or procedures.

Task
618A

Provide guidance on laws, regulations, policies, standards, or procedures to management, personnel, or clients.

Task
655A

Facilitate implementation of new or revised laws, regulations, executive orders, policies, standards, or procedures.

Task
675

Interpret and apply laws, regulations, policies, standards, or procedures to specific issues.

Task
787A

Prepare legal and other relevant documents (e.g., depositions, briefs, affidavits, declarations, appeals, pleadings, discovery).

Task
834

Resolve conflicts in laws, regulations, policies, standards, or procedures.

Task
954A

Knowledge of foreign disclosure policies and import/export control regulations as related to cybersecurity.

Knowledge
1070A

Ability to monitor and assess the potential impact of emerging technologies on laws, regulations, and/or policies.

Ability
Forensics Analyst Work Role ID: 211 (NIST: IN-FO-001) Category/Specialty Area: Investigate / Digital Forensics Workforce Element: Cyberspace Enablers / Legal/Law Enforcement

Conducts deep-dive investigations on computer-based crimes establishing documentary or physical evidence, to include digital media and logs associated with cyber intrusion incidents.

Core KSATs

KSAT ID Description KSAT
22

* Knowledge of computer networking concepts and protocols, and network security methodologies.

Knowledge
24

Knowledge of concepts and practices of processing digital forensic data.

Knowledge
25A

Knowledge of encryption algorithms, stenography, and other forms of data concealment.

Knowledge
61

Knowledge of incident response and handling methodologies.

Knowledge
90

Knowledge of operating systems.

Knowledge
108

* Knowledge of risk management processes (e.g., methods for assessing and mitigating risk).

Knowledge
217

Skill in preserving evidence integrity according to standard operating procedures or national standards.

Skill
264

Knowledge of basic physical computer components and architectures, including the functions of various components and peripherals (e.g., CPUs, Network Interface Cards, data storage).

Knowledge
287

Knowledge of file system implementations (e.g., New Technology File System [NTFS], File Allocation Table [FAT], File Extension [EXT]).

Knowledge
302

Knowledge of investigative implications of hardware, Operating Systems, and network technologies.

Knowledge
310

Knowledge of legal governance related to admissibility (e.g., Federal Rules of Evidence).

Knowledge
316

Knowledge of processes for collecting, packaging, transporting, and storing electronic evidence to avoid alteration, loss, physical damage, or destruction of data.

Knowledge
350

Skill in analyzing memory dumps to extract information.

Skill
381

Skill in using forensic tool suites (e.g., EnCase, Sleuthkit, FTK).

Skill
389

Skill in physically disassembling PCs.

Skill
447

Conduct analysis of log files, evidence, and other information in order to determine best methods for identifying the perpetrator(s) of a network intrusion.

Task
480

Create a forensically sound duplicate of the evidence (i.e., forensic image) that ensures the original evidence is not unintentionally modified, to use for data recovery and analysis processes. This includes, but is not limited to, hard drives, floppy diskettes, CD, PDA, mobile phones, GPS, and all tape formats.

Task
482A

Detect and analyze encrypted data, stenography, alternate data streams and other forms of concealed data.

Task
541

Provide technical summary of findings in accordance with established reporting procedures.

Task
564A

Document original condition of digital and/or associated evidence (e.g., via digital photographs, written reports, hash function checking).

Task
573

Ensure chain of custody is followed for all digital media acquired in accordance with the Federal Rules of Evidence.

Task
613

Examine recovered data for information of relevance to the issue at hand.

Task
636

Identify digital evidence for examination and analysis in such a way as to avoid unintentional alteration.

Task
749

Perform dynamic analysis to boot an “image” of a drive (without necessarily having the original drive) to see the intrusion as the user may have seen it, in a native environment.

Task
752

Perform file signature analysis.

Task
753

Perform hash comparison against established database.

Task
768

Perform static media analysis.

Task
786

Prepare digital media for imaging by ensuring data integrity (e.g., write blockers in accordance with standard operating procedures).

Task
817

Provide technical assistance on digital evidence matters to appropriate personnel.

Task
839A

Review forensic images and other data sources (e.g., volatile data) for recovery of potentially relevant information.

Task
871

Use specialized equipment and techniques to catalog, document, extract, collect, package, and preserve digital evidence.

Task
888

Knowledge of types of digital forensics data and how to recognize them.

Knowledge
890

Skill in conducting forensic analyses in multiple operating system environments (e.g., mobile device systems).

Skill
982

Knowledge of electronic evidence law.

Knowledge
1081

Perform virus scanning on digital media.

Task
1082

Perform file system forensic analysis.

Task
1083

Perform static analysis to mount an “image” of a drive (without necessarily having the original drive).

Task
1085

Utilize deployable forensics tool kit to support operations as necessary.

Task
1086

Knowledge of data carving tools and techniques (e.g., Foremost).

Knowledge
1092

Knowledge of anti-forensics tactics, techniques, and procedures.

Knowledge
1093

Knowledge of common forensics tool configuration and support applications (e.g., VMWare, WIRESHARK).

Knowledge
1157

* Knowledge of national and international laws, regulations, policies, and ethics as they relate to cybersecurity.

Knowledge
1158

* Knowledge of cybersecurity principles.

Knowledge
1159

* Knowledge of cyber threats and vulnerabilities.

Knowledge
6900

* Knowledge of specific operational impacts of cybersecurity lapses.

Knowledge

Additional KSATs

KSAT ID Description KSAT
29

Knowledge of data backup, types of backups (e.g., full, incremental), and recovery concepts and tools.

Knowledge
105

Knowledge of system and application security threats and vulnerabilities (e.g., buffer overflow, mobile code, cross-site scripting, Procedural Language/Structured Query Language [PL/SQL] and injections, race conditions, covert channel, replay, return-oriented attacks, malicious code).

Knowledge
113

Knowledge of server and client operating systems.

Knowledge
114

Knowledge of server diagnostic tools and fault identification techniques.

Knowledge
139

Knowledge of the common networking protocols (e.g., TCP/IP), services (e.g., web, mail, Domain Name Server), and how they interact to provide network communications.

Knowledge
193

Skill in developing, testing, and implementing network infrastructure contingency and recovery plans.

Skill
214

Skill in performing packet-level analysis using appropriate tools (e.g., Wireshark, tcpdump).

Skill
290

Knowledge of processes for seizing and preserving digital evidence (e.g., chain of custody).

Knowledge
294

Knowledge of hacking methodologies in Windows or Unix/Linux environment.

Knowledge
340

Knowledge of types and collection of persistent data.

Knowledge
345

Knowledge of web mail collection, searching/analyzing techniques, tools, and cookies.

Knowledge
346

Knowledge of which system files (e.g., log files, registry files, configuration files) contain relevant information and where to find those system files.

Knowledge
360

Skill in identifying and extracting data of forensic interest in diverse media (i.e., media forensics).

Skill
364

Skill in identifying, modifying, and manipulating applicable system components within Windows, Unix, or Linux (e.g., passwords, user accounts, files).

Skill
369

Skill in collecting, processing, packaging, transporting, and storing electronic evidence to avoid alteration, loss, physical damage, or destruction of data.

Skill
374

Skill in setting up a forensic workstation.

Skill
386

Skill in using virtual machines.

Skill
438A

Collect and analyze intrusion artifacts (e.g., source code, malware, and system configuration) and use discovered data to enable mitigation of potential cyber defense incidents within the enterprise.

Task
463

Confirm what is known about an intrusion and discover new information, if possible, after identifying intrusion via dynamic analysis.

Task
649

Identify, collect, and seize documentary or physical evidence, to include digital media and logs associated with cyber intrusion incidents, investigations, and operations.

Task
758

Perform real-time forensic analysis (e.g., using Helix in conjunction with LiveView).

Task
759

Perform timeline analysis.

Task
771

Perform tier 1, 2, and 3 malware analysis.

Task
792

Process crime scenes.

Task
825

Recognize and accurately report forensic artifacts indicative of a particular operating system.

Task
868

Extract data using data carving techniques (e.g., Forensic Tool Kit [FTK], Foremost).

Task
870

Capture and analyze network traffic associated with malicious activities using network monitoring tools.

Task
882

Write and publish cyber defense techniques, guidance, and reports on incident findings to appropriate constituencies.

Task
889

Knowledge of deployable forensics.

Knowledge
908

Ability to decrypt digital data collections.

Ability
923

Knowledge of security event correlation tools.

Knowledge
944

Conduct cursory binary analysis.

Task
983

Knowledge of legal rules of evidence and court procedure.

Knowledge
1033

Knowledge of basic system administration, network, and operating system hardening techniques.

Knowledge
1036

Knowledge of applicable laws (e.g., Electronic Communications Privacy Act, Foreign Intelligence Surveillance Act, Protect America Act, search and seizure laws, civil liberties and privacy laws), statutes (e.g., in Titles 10, 18, 32, 50 in U.S. Code), Presidential Directives, executive branch guidelines, and/or administrative/criminal legal guidelines and procedures relevant to work performed.

Knowledge
1072

Knowledge of network security architecture concepts including topology, protocols, components, and principles (e.g., application of defense-in-depth).

Knowledge
1084

Perform static malware analysis.

Task
1087

Skill in deep analysis of captured malicious code (e.g., malware forensics).

Skill
1088

Skill in using binary analysis tools (e.g., Hexedit, command code xxd, hexdump).

Skill
1089

Knowledge of reverse engineering concepts.

Knowledge
1091

Skill in one way hash functions (e.g., Secure Hash Algorithm [SHA], Message Digest Algorithm [MD5]).

Skill
1094

Knowledge of debugging procedures and tools.

Knowledge
1095

Knowledge of how different file types can be used for anomalous behavior.

Knowledge
1096

Knowledge of malware analysis tools (e.g., Oily Debug, Ida Pro).

Knowledge
1097

Knowledge of virtual machine aware malware, debugger aware malware, and packing.

Knowledge
1098

Skill in analyzing anomalous code as malicious or benign.

Skill
1099

Skill in analyzing volatile data.

Skill
1100

Skill in identifying obfuscation techniques.

Skill
1101

Skill in interpreting results of debugger to ascertain tactics, techniques, and procedures.

Skill