Digital Forensics
Role overview
The role of Digital Forensics is to scope, co-ordinate and undertake forensic activity to gather forensic evidence from devices, systems and the internet in compliance with law and organisational investigation requirements.
Role level
Typical role level expectations
• Conduct forensic activity using specialist equipment as appropriate, following the relevant organisational processes
• Work with specialist forensic personnel or a wider team to support the digital aspects of their investigation
• Support the application of forensic readiness policy and work with other teams to ensure its implementation
• Analyse evidence to identify breaches of policy, regulation or law
• Present evidence as appropriate, acting as an expert witness if necessary
Typical role level expectations
• Assess the need for (and co-ordinate) forensic activity within the overall response initiative, including managing a team, ensuring that forensic services are deployed appropriately
• Manage forensic readiness policy and work with other teams to ensure appropriate implementation
• Co-ordinate team scene investigation and capture evidence in accordance with legal guidelines to minimise disruption to the business and preserve evidentiary integrity, using specialist equipment as appropriate
• Review evidence to identify breaches of policy, regulation or law
• Present evidence as appropriate, acting as an expert witness if necessary
Typical role expectations
• Define and lead digital forensics strategy through the assessment and communication of forensic requirements within an organisation
• Define the organisational approach to evidence capture in line with legal guidelines, to minimise disruption to the business and preserve evidentiary integrity, using specialist equipment as appropriate
• Lead forensic readiness policy and guide teams to ensure its implementation
• Provide thought leadership and deliver specialist advice to others within and beyond the organisation
• Present evidence as appropriate, acting as an expert witness if necessary
Skills
Skill | Associate | Lead | Principal |
---|---|---|---|
Forensics | Working | Practitioner | Expert |
Intrusion detection and analysis | Working | Practitioner | Expert |
Information risk assessment and risk management | Working | Practitioner | Practitioner |
Threat intelligence and threat assessment | Working | Practitioner | Practitioner |
Threat Understanding | Working | Practitioner | Practitioner |
Legal and regulatory environment and compliance | Awareness | Awareness | Awareness |
Protective security | Awareness | Awareness | Awareness |
Core learning
Entry level
EC-Council Certified Incident Handler
Certificate in Digital Forensics Fundamentals
CompTIA IT Fundamentals
Associate level
Certified Forensic Computer Examiner (CFCE)
CompTIA Security+
SEC460: Enterprise Threat and Vulnerability Assessment
Lead level
CREST Registered Intrusion Analyst (CRIA)
CyberSec First Responder (CFR)
Certification Training CREST Certified Host Intrusion Analyst (CCHIA)
Principal level
Cybersecurity Forensic Analyst (CSFA) Certification
CompTIA Advanced Security Practitioner (CASP+)
Forensic Awareness