
Forensics

Skill Definition

Forensics refers to the capture, analysis and reporting of evidence in accordance with legal guidelines, to minimise disruption to an organisation. The principles of the skill include securing the scene and capturing evidence in accordance with legal guidelines and in the most effective manner to minimise disruption to the business; maintaining evidential weight using specialist equipment as appropriate; analysing the evidence to identify breaches of policy, regulation or law, including the presence of malware, and presenting evidence as appropriate; and acting as an expert witness as appropriate.

Awareness

Describes basic forensic principles and is capable of using agreed tools and techniques in support of an investigation

Contributes to forensic activities with supervision

Follows documented forensic principles and guidelines such as those related to acquisition and handling of forensic artefacts and maintaining the chain of custody

Can identify suitable tools for use, and considers the impact on forensic integrity

Considers the difference in intelligence and evidential requirements

Working

Analyses digital evidence and investigates computer security incidents to derive information required to help resolve security incidents, and/or identify breaches of policy, regulation or law

Understands legislative requirements and implications of actions within the organisation context

Undertakes real-time analysis of ongoing incidents on live systems to identify relevant artefacts, understand the incident and facilitate resolution

Able to identify suspicious software, including potential malware sources

Secures the scene of an incident, with little requirement for supervision, acquiring and handling evidence in accordance with legal guidelines and in the most effective manner to minimise disruption to the business, ensuring that the chain of custody is maintained

Presents conclusions in a manner suited to the context (written or oral), and is able to effectively defend conclusions, and provide evidence and testimony as required

Practitioner

Supervises others and manages teams in undertaking complex forensic investigations, and defines working procedures

Analyses technically complex digital evidence and investigates complicated computer security incidents to derive information required to help resolve security incidents, and/or identify breaches of policy, regulation or law

Undertakes real-time analysis of sophisticated ongoing incidents on live systems to identify relevant artefacts, understand the incident and facilitate resolution

Secures the scene of an incident, without supervision, acquiring and handling evidence in accordance with legal guidelines and in the most effective manner to minimise disruption to the business, ensuring that the chain of custody is maintained

Adapts techniques, modifies tools and creates scripts to address atypical situations. Addresses forensic requirements arising from Cloud and distributed environments, and emerging technologies

Identifies indicators of compromise on an infrastructure, malicious software and any Tactics, Techniques and Procedures (TTPs) associated

Collates artefacts from a wide range of sources to develop conclusions

Presents conclusions in a manner suited to the context (written or oral), and effectively defends conclusions under scrutiny

Provides clear explanations to senior stakeholders, detailed explanations to technical specialists and, if required, provides testimony and evidence as an expert witness in legal cases

Expert

Sets direction within the organisation for all aspects of computer forensic activity. Defines policy and formulates the overarching digital forensics strategy, engaging with other relevant departments and stakeholders

Leads forensic teams

Contributes to the development of the field

Analyses technically complex digital evidence and investigates highly complicated and novel computer security incidents to derive information required to help resolve security incidents, and/or identify breaches of policy, regulation or law

Undertakes and oversees real-time analysis of very sophisticated ongoing incidents on live systems to identify relevant artefacts, understand the incident and facilitate resolution

Secures or oversees the securing of the scene of an incident, acquiring and handling evidence in accordance with legal guidelines and in the most effective manner to minimise disruption to the business, ensuring that the chain of custody is maintained, compliant with relevant standards, policies, procedures and legislation

Creates and adapts techniques and tools to address atypical and novel situations. Addresses forensic requirements arising from Cloud and distributed environments, and emerging technologies

Reverse engineers malware to further investigative and intelligence opportunities

Presents conclusions in a manner suited to the context (written or oral), and effectively defends conclusions under scrutiny

Provides clear explanations to senior stakeholders (including the highest levels of management), detailed explanations to technical specialists and, if required, provides testimony and evidence as an expert witness in legal cases (including cases that break new ground and set precedent in terms of forensic evidence)