* Knowledge of computer networking concepts and protocols, and network security methodologies.

* Knowledge of risk management processes (e.g., methods for assessing and mitigating risk).

Skill in preserving evidence integrity according to standard operating procedures or national standards.

Knowledge of electronic devices (e.g., computer systems/components, access control devices, digital cameras, electronic organizers, hard drives, memory cards, modems, network components, printers, removable storage devices, scanners, telephones, copiers, credit card skimmers, facsimile machines, global positioning systems [GPSs]).

Knowledge of processes for seizing and preserving digital evidence (e.g., chain of custody).

Knowledge of types and collection of persistent data.

Skill in collecting, processing, packaging, transporting, and storing electronic evidence to avoid alteration, loss, physical damage, or destruction of data.

Knowledge of applicable laws (e.g., Electronic Communications Privacy Act, Foreign Intelligence Surveillance Act, Protect America Act, search and seizure laws, civil liberties and privacy laws), statutes (e.g., in Titles 10, 18, 32, 50 in U.S. Code), Presidential Directives, executive branch guidelines, and/or administrative/criminal legal guidelines and procedures relevant to work performed.

* Knowledge of national and international laws, regulations, policies, and ethics as they relate to cybersecurity.

* Knowledge of cybersecurity principles.

* Knowledge of cyber threats and vulnerabilities.

Knowledge of client organizations, including information needs, objectives, structure, capabilities, etc.

Knowledge of cyber operations support or enabling processes.

Knowledge of cyber laws and legal considerations and their effect on cyber planning.

Knowledge of deconfliction processes and procedures.

Knowledge of target and threat organization structures, critical capabilities, and critical vulnerabilities.

Knowledge of evolving/emerging communications technologies.

Knowledge of existing, emerging, and long-range issues related to cyber operations strategy, policy, and organization.

Knowledge of organization policies and planning concepts for partnering with internal and/or external organizations.

Knowledge of organization or partner exploitation of digital networks.

Knowledge of accepted organization planning systems.

Knowledge of organization objectives, leadership priorities, and decision-making risks.

Knowledge of the structure and intent of organization specific plans, guidance and authorizations.

Knowledge of cryptologic capabilities, limitations, and contributions to cyber operations.

Knowledge of organization issues, objectives, and operations in cyber as well as regulations and policy directives governing cyber operations.

Knowledge of organization cyber operations programs, strategies, and resources.

* Knowledge of specific operational impacts of cybersecurity lapses.

* Knowledge of cloud computing service models Software as a Service (SaaS), Infrastructure as a Service (IaaS), and Platform as a Service (PaaS).

* Knowledge of cloud computing deployment models in private, public, and hybrid environment and the difference between on-premises and off-premises environments.

Knowledge of system and application security threats and vulnerabilities (e.g., buffer overflow, mobile code, cross-site scripting, Procedural Language/Structured Query Language [PL/SQL] and injections, race conditions, covert channel, replay, return-oriented attacks, malicious code).

Knowledge of legal governance related to admissibility (e.g., Federal Rules of Evidence).

Skill in using scientific rules and methods to solve problems.

Conduct interviews of victims and witnesses and conduct interviews or interrogations of suspects.

Determine and develop leads and identify sources of information in order to identify and/or prosecute the responsible parties to an intrusion or other crimes.

Develop a plan to investigate alleged crime, violation, or suspicious activity utilizing computers and the internet.

Document original condition of digital and/or associated evidence (e.g., via digital photographs, written reports, hash function checking).

Establish relationships, if applicable, between the incident response team and other groups, both internal (e.g., legal department) and external (e.g., law enforcement agencies, vendors, and public relations professionals).

Employ information technology (IT) systems and digital storage media to solve, investigate, and/or prosecute cybercrimes and fraud committed against people and property.

Fuse computer network attack analyses with criminal and counterintelligence investigations and operations.

Identify and/or determine whether a security incident is indicative of a violation of law that requires specific legal action.

Identify digital evidence for examination and analysis in such a way as to avoid unintentional alteration.

Identify, collect, and seize documentary or physical evidence, to include digital media and logs associated with cyber intrusion incidents, investigations, and operations.

Prepare reports to document the investigation following legal standards and requirements.

Secure the electronic device or information source.

Knowledge of social dynamics of computer attackers in a global context.

Skill in evaluating the trustworthiness of the supplier and/or product.

Knowledge of security implications of software configurations.

Analyze the crisis situation to ensure public, personal, and resource protection.

Assess the behavior of the individual victim, witness, or suspect as it relates to the investigation.

Determine the extent of threats and recommend courses of action and countermeasures to mitigate risks.

Provide criminal investigative support to trial counsel during the judicial process.

Knowledge of crisis management protocols, processes, and techniques.

Knowledge of physical and physiological behaviors that may indicate suspicious or abnormal activity.

Knowledge of the judicial process, including the presentation of facts and evidence.

* Knowledge of computer networking concepts and protocols, and network security methodologies.

* Knowledge of risk management processes (e.g., methods for assessing and mitigating risk).

Acquire and maintain a working knowledge of constitutional issues relevant laws, regulations, policies, agreements, standards, procedures, or other issuances.

Provide legal analysis and decisions to inspector generals, privacy officers, oversight and compliance personnel with regard to compliance with cybersecurity policies and relevant legal and regulatory requirements.

Knowledge of cyber defense policies, procedures, and regulations.

* Knowledge of national and international laws, regulations, policies, and ethics as they relate to cybersecurity.

* Knowledge of cybersecurity principles.

* Knowledge of cyber threats and vulnerabilities.

* Knowledge of specific operational impacts of cybersecurity lapses.

* Knowledge of cloud computing service models Software as a Service (SaaS), Infrastructure as a Service (IaaS), and Platform as a Service (PaaS).

* Knowledge of cloud computing deployment models in private, public, and hybrid environment and the difference between on-premises and off-premises environments.

Knowledge of concepts and practices of processing digital forensic data.

Knowledge of current and emerging cyber technologies.

Knowledge of and experience in Insider Threat investigations, reporting, investigative tools and laws/regulations.

Knowledge of intelligence principles, policies, and procedures including legal authorities and restrictions.

Advocate organization’s official position in legal and legislative proceedings.

Conduct framing of pleadings to properly identify alleged violations of law, regulations, or policy/guidance.

Develop guidelines for implementation.

Evaluate contracts to ensure compliance with funding, legal, and program requirements.

Evaluate the effectiveness of laws, regulations, policies, standards, or procedures.

Evaluate the impact of changes to laws, regulations, policies, standards, or procedures.

Provide guidance on laws, regulations, policies, standards, or procedures to management, personnel, or clients.

Facilitate implementation of new or revised laws, regulations, executive orders, policies, standards, or procedures.

Interpret and apply laws, regulations, policies, standards, or procedures to specific issues.

Prepare legal and other relevant documents (e.g., depositions, briefs, affidavits, declarations, appeals, pleadings, discovery).

Resolve conflicts in laws, regulations, policies, standards, or procedures.

Knowledge of foreign disclosure policies and import/export control regulations as related to cybersecurity.

Ability to monitor and assess the potential impact of emerging technologies on laws, regulations, and/or policies.

Knowledge of cloud service models and possible limitations for an incident response.

* Knowledge of computer networking concepts and protocols, and network security methodologies.

Knowledge of concepts and practices of processing digital forensic data.

Knowledge of encryption algorithms, stenography, and other forms of data concealment.

Knowledge of incident response and handling methodologies.

Knowledge of operating systems.

* Knowledge of risk management processes (e.g., methods for assessing and mitigating risk).

Skill in preserving evidence integrity according to standard operating procedures or national standards.

Knowledge of basic physical computer components and architectures, including the functions of various components and peripherals (e.g., CPUs, Network Interface Cards, data storage).

Knowledge of file system implementations (e.g., New Technology File System [NTFS], File Allocation Table [FAT], File Extension [EXT]).

Knowledge of investigative implications of hardware, Operating Systems, and network technologies.

Knowledge of legal governance related to admissibility (e.g., Federal Rules of Evidence).

Knowledge of processes for collecting, packaging, transporting, and storing electronic evidence to avoid alteration, loss, physical damage, or destruction of data.

Skill in analyzing memory dumps to extract information.

Skill in using forensic tool suites (e.g., EnCase, Sleuthkit, FTK).

Skill in physically disassembling PCs.

Conduct analysis of log files, evidence, and other information in order to determine best methods for identifying the perpetrator(s) of a network intrusion.

Create a forensically sound duplicate of the evidence (i.e., forensic image) that ensures the original evidence is not unintentionally modified, to use for data recovery and analysis processes. This includes, but is not limited to, hard drives, floppy diskettes, CD, PDA, mobile phones, GPS, and all tape formats.

Detect and analyze encrypted data, stenography, alternate data streams and other forms of concealed data.

Provide technical summary of findings in accordance with established reporting procedures.

Document original condition of digital and/or associated evidence (e.g., via digital photographs, written reports, hash function checking).

Ensure chain of custody is followed for all digital media acquired in accordance with the Federal Rules of Evidence.

Examine recovered data for information of relevance to the issue at hand.

Identify digital evidence for examination and analysis in such a way as to avoid unintentional alteration.

Perform dynamic analysis to boot an “image” of a drive (without necessarily having the original drive) to see the intrusion as the user may have seen it, in a native environment.

Perform file signature analysis.

Perform hash comparison against established database.

Perform static media analysis.

Prepare digital media for imaging by ensuring data integrity (e.g., write blockers in accordance with standard operating procedures).

Provide technical assistance on digital evidence matters to appropriate personnel.

Review forensic images and other data sources (e.g., volatile data) for recovery of potentially relevant information.

Use specialized equipment and techniques to catalog, document, extract, collect, package, and preserve digital evidence.

Knowledge of types of digital forensics data and how to recognize them.

Skill in conducting forensic analyses in multiple operating system environments (e.g., mobile device systems).

Knowledge of electronic evidence law.

Perform virus scanning on digital media.

Perform file system forensic analysis.

Perform static analysis to mount an “image” of a drive (without necessarily having the original drive).

Utilize deployable forensics tool kit to support operations as necessary.

Knowledge of data carving tools and techniques (e.g., Foremost).

Knowledge of anti-forensics tactics, techniques, and procedures.

Knowledge of common forensics tool configuration and support applications (e.g., VMWare, WIRESHARK).

* Knowledge of national and international laws, regulations, policies, and ethics as they relate to cybersecurity.

* Knowledge of cybersecurity principles.

* Knowledge of cyber threats and vulnerabilities.

* Knowledge of specific operational impacts of cybersecurity lapses.

* Knowledge of cloud computing service models Software as a Service (SaaS), Infrastructure as a Service (IaaS), and Platform as a Service (PaaS).

* Knowledge of cloud computing deployment models in private, public, and hybrid environment and the difference between on-premises and off-premises environments.

Knowledge of data backup, types of backups (e.g., full, incremental), and recovery concepts and tools.

Knowledge of system and application security threats and vulnerabilities (e.g., buffer overflow, mobile code, cross-site scripting, Procedural Language/Structured Query Language [PL/SQL] and injections, race conditions, covert channel, replay, return-oriented attacks, malicious code).

Knowledge of server and client operating systems.

Knowledge of server diagnostic tools and fault identification techniques.

Knowledge of the common networking protocols (e.g., TCP/IP), services (e.g., web, mail, Domain Name Server), and how they interact to provide network communications.

Skill in developing, testing, and implementing network infrastructure contingency and recovery plans.

Skill in performing packet-level analysis using appropriate tools (e.g., Wireshark, tcpdump).

Knowledge of processes for seizing and preserving digital evidence (e.g., chain of custody).

Knowledge of hacking methodologies in Windows or Unix/Linux environment.

Knowledge of types and collection of persistent data.

Knowledge of web mail collection, searching/analyzing techniques, tools, and cookies.

Knowledge of which system files (e.g., log files, registry files, configuration files) contain relevant information and where to find those system files.

Skill in identifying and extracting data of forensic interest in diverse media (i.e., media forensics).

Skill in identifying, modifying, and manipulating applicable system components within Windows, Unix, or Linux (e.g., passwords, user accounts, files).

Skill in collecting, processing, packaging, transporting, and storing electronic evidence to avoid alteration, loss, physical damage, or destruction of data.

Skill in setting up a forensic workstation.

Skill in using virtual machines.

Collect and analyze intrusion artifacts (e.g., source code, malware, and system configuration) and use discovered data to enable mitigation of potential cyber defense incidents within the enterprise.

Confirm what is known about an intrusion and discover new information, if possible, after identifying intrusion via dynamic analysis.

Identify, collect, and seize documentary or physical evidence, to include digital media and logs associated with cyber intrusion incidents, investigations, and operations.

Perform real-time forensic analysis (e.g., using Helix in conjunction with LiveView).

Perform timeline analysis.

Perform tier 1, 2, and 3 malware analysis.

Process crime scenes.

Recognize and accurately report forensic artifacts indicative of a particular operating system.

Extract data using data carving techniques (e.g., Forensic Tool Kit [FTK], Foremost).

Capture and analyze network traffic associated with malicious activities using network monitoring tools.

Write and publish cyber defense techniques, guidance, and reports on incident findings to appropriate constituencies.

Knowledge of deployable forensics.

Ability to decrypt digital data collections.

Knowledge of security event correlation tools.

Conduct cursory binary analysis.

Knowledge of legal rules of evidence and court procedure.

Knowledge of basic system administration, network, and operating system hardening techniques.

Knowledge of applicable laws (e.g., Electronic Communications Privacy Act, Foreign Intelligence Surveillance Act, Protect America Act, search and seizure laws, civil liberties and privacy laws), statutes (e.g., in Titles 10, 18, 32, 50 in U.S. Code), Presidential Directives, executive branch guidelines, and/or administrative/criminal legal guidelines and procedures relevant to work performed.

Knowledge of network security architecture concepts including topology, protocols, components, and principles (e.g., application of defense-in-depth).

Perform static malware analysis.

Skill in deep analysis of captured malicious code (e.g., malware forensics).

Skill in using binary analysis tools (e.g., Hexedit, command code xxd, hexdump).

Knowledge of reverse engineering concepts.

Skill in one way hash functions (e.g., Secure Hash Algorithm [SHA], Message Digest Algorithm [MD5]).

Knowledge of debugging procedures and tools.

Knowledge of how different file types can be used for anomalous behavior.

Knowledge of malware analysis tools (e.g., Oily Debug, Ida Pro).

Knowledge of virtual machine aware malware, debugger aware malware, and packing.

Skill in analyzing anomalous code as malicious or benign.

Skill in analyzing volatile data.

Skill in identifying obfuscation techniques.

Skill in interpreting results of debugger to ascertain tactics, techniques, and procedures.

Knowledge of cloud service models and possible limitations for an incident response.

Ability to apply cybersecurity strategy to cloud computing service and deployment models, identifying proper architecture for different operating environments.