
Forensics

Skill Definition

Forensics refers to the capture, analysis and reporting of evidence in accordance with legal guidelines, while minimising disruption to an organisation. The principles of the skill include securing the scene and capturing evidence in accordance with legal guidelines and in the most effective manner to minimise disruption to the business; maintaining evidential weight, using specialist equipment as appropriate; analysing the evidence to identify breaches of policy, regulation or law, including the presence of malware, and presenting evidence as appropriate; and acting as an expert witness as appropriate.

Awareness

  • Describes basic forensic principles and is capable of using agreed tools and techniques in support of an investigation
  • Contributes to forensic activities with supervision
  • Follows documented forensic principles and guidelines such as those related to acquisition and handling of forensic artefacts and maintaining the chain of custody
  • Can identify suitable tools for use, and considers the impact on forensic integrity
  • Considers the difference between intelligence and evidential requirements

Working

  • Analyses digital evidence and investigates computer security incidents to derive information required to help resolve security incidents, and/or identify breaches of policy, regulation or law
  • Understands legislative requirements and implications of actions within the organisation context
  • Undertakes real-time analysis of ongoing incidents on live systems to identify relevant artefacts, understand the incident and facilitate resolution
  • Able to identify suspicious software, including potential malware sources
  • Secures the scene of an incident, with little requirement for supervision, acquiring and handling evidence in accordance with legal guidelines and in the most effective manner to minimise disruption to the business, ensuring that the chain of custody is maintained
  • Presents conclusions in a manner suited to the context (written or oral), and is able to effectively defend conclusions, and provide evidence and testimony as required

Practitioner

  • Supervises others and manages teams in undertaking complex forensic investigations, and defines working procedures
  • Analyses technically complex digital evidence and investigates complicated computer security incidents to derive information required to help resolve security incidents, and/or identify breaches of policy, regulation or law
  • Undertakes real-time analysis of sophisticated ongoing incidents on live systems to identify relevant artefacts, understand the incident and facilitate resolution
  • Secures the scene of an incident, without supervision, acquiring and handling evidence in accordance with legal guidelines and in the most effective manner to minimise disruption to the business, ensuring that the chain of custody is maintained
  • Adapts techniques, modifies tools and creates scripts to address atypical situations. Addresses forensic requirements arising from Cloud and distributed environments, and emerging technologies
  • Identifies indicators of compromise on an infrastructure, malicious software and any associated Tactics, Techniques and Procedures (TTPs)
  • Collates artefacts from a wide range of sources to develop conclusions
  • Presents conclusions in a manner suited to the context (written or oral), and effectively defends conclusions under scrutiny
  • Provides clear explanations to senior stakeholders, detailed explanations to technical specialists and, if required, provides testimony and evidence as an expert witness in legal cases

Expert

  • Sets direction within the organisation for all aspects of computer forensic activity. Defines policy and formulates the overarching digital forensics strategy, engaging with other relevant departments and stakeholders
  • Leads forensic teams
  • Contributes to the development of the field
  • Analyses technically complex digital evidence and investigates highly complicated and novel computer security incidents to derive information required to help resolve security incidents, and/or identify breaches of policy, regulation or law
  • Undertakes and oversees real-time analysis of very sophisticated ongoing incidents on live systems to identify relevant artefacts, understand the incident and facilitate resolution
  • Secures or oversees the securing of the scene of an incident, acquiring and handling evidence in accordance with legal guidelines and in the most effective manner to minimise disruption to the business, ensuring that the chain of custody is maintained, compliant with relevant standards, policies, procedures and legislation
  • Creates and adapts techniques and tools to address atypical and novel situations. Addresses forensic requirements arising from Cloud and distributed environments, and emerging technologies
  • Reverse engineers malware to further investigative and intelligence opportunities
  • Presents conclusions in a manner suited to the context (written or oral), and effectively defends conclusions under scrutiny
  • Provides clear explanations to senior stakeholders (including the highest levels of management), detailed explanations to technical specialists and, if required, provides testimony and evidence as an expert witness in legal cases (including cases that break new ground and set precedent in terms of forensic evidence)
