CISA Cyber Defense Forensics Analyst

This role analyzes digital evidence and investigates computer security incidents to derive useful information in support of system/network vulnerability mitigation.

Personnel performing this role may unofficially or alternatively be called:

  • Computer Forensic Analyst
  • Computer Network Defense (CND) Forensic Analyst
  • Digital Forensic Examiner
  • Cyber Forensic Analyst
  • Forensic Analyst (Cryptologic)
  • Forensic Technician
  • Network Forensic Examiner
  • Host Forensic Examiner

Category: Investigate
Specialty Area: Digital Forensics


Core Tasks

  • Conduct analysis of log files, evidence, and other information to determine best methods for identifying the perpetrator(s) of a network intrusion. (T0027)
  • Confirm what is known about an intrusion and discover new information, if possible, after identifying intrusion via dynamic analysis. (T0036)
  • Provide technical summary of findings in accordance with established reporting procedures. (T0075)
  • Examine recovered data for information of relevance to the issue at hand. (T0103)
  • Perform file signature analysis. (T0167)
  • Perform file system forensic analysis. (T0286)
  • Collect and analyze intrusion artifacts (e.g., source code, malware, and system configuration) and use discovered data to enable mitigation of potential cyber defense incidents within the enterprise. (T0432)

Core Competencies

  • Computer Forensics
  • Computer Network Defense
  • Software Testing and Evaluation
  • System Administration
  • Threat Analysis

Core Knowledge, Skills and Abilities (KSAs)

  • Knowledge of investigative implications of hardware, Operating Systems, and network technologies. (K0122)
  • Knowledge of data carving tools and techniques (e.g., Foremost). (K0182)
  • Knowledge of anti-forensics tactics, techniques, and procedures. (K0184)
  • Knowledge of concepts and practices of processing digital forensic data. (K0304)
  • Skill in preserving evidence integrity according to standard operating procedures or national standards. (S0047)
  • Skill in using forensic tool suites (e.g., EnCase, Sleuthkit, FTK). (S0071)
  • Skill in conducting forensic analyses in multiple operating system environments (e.g., mobile device systems). (S0075)
  • Skill in analyzing anomalous code as malicious or benign. (S0090)
  • Skill in analyzing volatile data. (S0091)
  • Skill in processing digital evidence, to include protecting and making legally sound copies of evidence. (S0133)
  • Ability to conduct forensic analyses in and for both Windows and Unix/Linux environments. (A0043)
  • Skill in identifying obfuscation techniques. (S0092)
  • Skill in interpreting results of debugger to ascertain tactics, techniques, and procedures. (S0093)
  • Skill in conducting bit-level analysis. (S0132)
  • Skill in analyzing memory dumps to extract information. (S0062)
  • Knowledge of reverse engineering concepts. (K0183)
  • Knowledge of malware analysis tools (e.g., Oily Debug, Ida Pro). (K0188)
  • Knowledge of binary analysis. (K0254)
  • Skill in deep analysis of captured malicious code (e.g., malware forensics). (S0087)
  • Skill in using binary analysis tools (e.g., Hexedit, command code xxd, hexdump). (S0088)
  • Skill in analyzing malware. (S0131)

How to Apply

To apply for this work role, submit an application to one or more of CISA's vacancy announcements. Please ensure your resume has been updated to reflect your demonstrated experience performing the above tasks and describe your exposure to the listed competencies.

  1. Assign the appropriate Task ID and/or Core KSA ID to each experience statement in your resume. Task and KSA IDs are listed in parenthesis at the end of each bullet above.
  2. You must also include demonstrated experience on the four required competencies:
  • Attention to Detail
  • Customer Service
  • Oral Communication
  • Problem Solving

Was this webpage helpful?  Yes  |  Somewhat  |  No