Learn the Skills of a Cyber Defense Forensics Analyst
CISA’s Federal Cyber Defense Skilling Academy provides its students an opportunity to focus on professional growth through an intense, full-time, three-month accelerated training program. Those looking to join the cybersecurity community or learn cybersecurity skills are encouraged to apply to the Skilling Academy.
The Cyber Defense Forensics Analyst Session is Now Open!
The Cyber Defense Forensics Analyst session is open and accepting applications! Learn all the details and how to apply.
*Application period closes March 15, 2024.
The Federal Cyber Defense Skilling Academy - Cyber Defense Forensics Analyst (CDFA) Pathway
- What is the Cyber Defense Forensics Analyst Pathway?
The Skilling Academy’s Cyber Defense Forensics Analyst (CDFA) Pathway helps Department of Homeland Security (DHS) federal civilian employees develop their cyber defense skills through training in the baseline knowledge, skills, and abilities of a Cyber Defense Forensics Analyst.
This work role analyzes digital evidence and investigates computer security incidents to derive useful information in support of system and network vulnerability mitigation.
The CDFA Pathway will prepare students with the skills of a cybercrime investigator during the aftermath of a hack, data breach, or theft of a variety of digital storage devices. The role of a forensics analyst is multifaceted and encompasses a variety of responsibilities. Some of the topics students will be exposed to include the following:
- Recovering breached, modified, or destroyed data
- Recording and cataloging evidence related to computer hacks
- Securing digital storage devices
- Determining how a hacker gained access to a network
Through the Cyber Defense Forensics Analyst Pathway, students will begin to develop the skills required to investigate and analyze digital evidence to identify, track, and mitigate cyber threats. It is important to note that these skills serve as a starting point, and additional practice and experience may be necessary for students to fully excel in these work roles.
- Who Can Apply?
The Cyber Defense Forensics Analyst (CDFA) Pathway is designed to be an intermediate, fast-paced, three-month course. Applicants from all skill levels are encouraged to apply; however, the Skilling Academy highly encourages applicants to have prior exposure to cybersecurity concepts and practices to provide a solid groundwork for students to excel in the coursework.
Prospective students in the CDFA Pathway may strongly benefit from a foundational understanding of the following:
- Basic cybersecurity analysis and operations
- Systems administration
- Information security
- Basic operating system (OS) application
- Network fundamentals and operations
All full-time Federal Civilian Executive Branch (FCEB) employees in any job series and any grade or grade equivalent for non-GS employees are eligible to apply to the Cyber Defense Forensics Analyst Pathway.
Each session has a limited capacity. Therefore, those who apply are committing to attend, participate, and complete the entire rigorous three-month session.
To explore your interest in this work role, consider visiting the National Initiative for Cybersecurity Careers and Studies (NICCS) website for comprehensive information on Digital Forensics.
- Participation Expectations
- The Skilling Academy is the student's sole focus for the 40-hour, full-time work week during the entire three-month duration of the course.
- Students will refrain from conducting activities associated with their regular duty assignment, including, but not limited to, meetings, calls, and work deliverables.
- Depending on agency requirements, students may be required to complete an SF-182 to receive approval from their organization to attend the Skilling Academy. Applicants should discuss the requirements of the Skilling Academy with their supervisor to ensure session requirements can be fulfilled. Students are responsible for working with their supervisor to confirm compliance with their home agency’s policies, to include any necessary timekeeping to ensure salary payments from their home agency are not interrupted.
- During the Skilling Academy’s instruction periods, students will be required to be on camera and in business casual attire for every class.
- Due to the rigorous and fast-paced cadence of the course, the Skilling Academy strongly advises students against taking scheduled leave during the course. If a student accrues eight unexcused absences or does not finish 20% of the labs in the Skilling Academy, they will be marked as incomplete and will not graduate from the program. Students may, however, apply to future sessions.
- Sick leave and emergency personal leave are permitted; however, it is the student’s responsibility to make up any missed class content as soon as possible.
- To ensure students do not fall behind, missed instruction days and lab work must be made up by accessing class recordings and self-study materials. Class recordings are available for two weeks after each session.
- If a student fails to complete the required work assigned in the allotted class time, the student agrees to complete the required work as soon as possible.
- If a student decides to withdraw from the session after the start date, a formal withdrawal form signed by the student’s supervisor will be required.
- To fully participate in the Skilling Academy, students must have access to the following hardware and software requirements:
Minimum Configuration Requirements
Personal or GFE laptop* or desktop computer with Windows 10 or newer
Speakers or headset
Internet bandwidth: 10 Mbps
CPU: 1.1 GHz, Dual Core
RAM: 4.0 GB
Browser: IE, Edge, Chrome, Firefox, Safari
Apps: MS Teams
Email: Access to federal government email account
*If a student does not have a GFE laptop or desktop, they may be able to access their federal government email account and MS Teams account through another means. Contact your agency’s IT Service Desk for more information on accessing your federal email through non-GFE.
Recommended Configuration Requirements
- Internet bandwidth: 50+ Mbps
- CPU: 2.0 GHz, Quad Core or better
- RAM: 8.0+ GB
- Secondary monitor
**Instructions on how to create the alternate Skilling Academy-specific email will be sent to accepted students.
- Sample Class Schedule
Below is a sample schedule of a typical day during the Skilling Academy. All students will be required to join virtually Monday through Friday from 8:00 a.m. to 5:00 p.m. ET, excluding federal holidays. Students will not be able to maintain their Alternative Work Schedule during the Skilling Academy. Students will return to their regular duty assignment during breaks unless the home agency has approved leave.
8:00 AM - 8:10 AM ET
Review daily agenda, answer any questions
8:10 AM - 10:00 AM ET
10:00 AM - 12:00 PM ET
12:00 PM - 1:00 PM ET
1:00 PM - 2:30 PM ET
2:30 PM - 4:50 PM ET
Lab time or self-study
4:50 PM - 5:00 PM ET
Wrap up for the day
*10-minute breaks will be given approximately every hour.
What Students Learn:
The coursework of the Cyber Defense Forensics Analyst Pathway (CDFA) is mapped to the National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework and provides valuable hands-on experience to practice CDFA skills in a lab environment. As an added incentive, students will receive specialized training and a voucher to take the EC Council’s Computer Hacking Forensic Investigator (CHFI) certification exam. The Cyber Defense Forensics Analyst Pathway will include the following instructor-led modules:
- FOR101 – Introduction to Forensic Analysis
This module will introduce students to digital forensics and all that it encompasses. It will address theoretical concepts as well as common terminology used in the field. Students will discover various types of media that could have evidentiary value and how they can aid in the overall investigative goals.
- FOR300 - Basic Digital Media Forensics
This module is an optimal starting point for individuals looking to expand their forensic knowledge and outlines several ways to achieve forensic goals while ensuring all processes are completed in a forensically sound manner. The chain of custody and evidence handling are addressed, as well as what to do and what not to do when dealing with “live” evidence.
- FOR400 - Fundamentals of Network Forensics
This module expands on acquired networking knowledge and extends into the computer forensic mindset. Students will learn about common devices used in computer networks and where useful data may reside. Students will also learn how to collect that data for analysis using hacker methodology. Additionally, this module covers information related to common exploits involved in Windows server systems and common virus exploits. Students will learn how to recognize exploit traffic, and the difference between attacks and poor network configuration.
- FOR410 - Mobile Device Forensics
This module introduces mobile devices and the value that they offer in forensic investigations. This module addresses the methods used to store data, as well as the areas of the mobile device where data is stored and how to access it. This module will also discuss mobile device removable media and the role it plays with the mobile device. Students will cover network technology as well as three tools specifically designed for mobile device acquisition.
- FOR500 - Forensic Investigations and Evidence Handling
This module will cover the investigative aspect of properly handling a variety of digital media. Students will gain an understanding of how to implement chain of custody, how to properly process media so that it could be used in a court of law, and how to acquire data that will aid in forensic investigation. This module will also focus on data integrity and how to ensure that no data is altered during an investigation.
- MAL400 - Fundamentals of Malware Analysis
This module will introduce students to theoretical knowledge and hands-on techniques for analyzing malware. Students will learn how to identify and analyze software that causes harm to users, computers, and networks as part of an overall cyber defense and incident response plan. Understanding how malware works and what it was designed to do is crucial to thwarting future attacks.
- MAL500 - Reverse Engineering Malware
This module is an intermediate course that exposes students to the theoretical knowledge and hands-on techniques to analyze malware of greater complexity. Students will learn to analyze malicious Windows programs, debug user-mode and kernel-mode malware with WinDbg, identify common malware functionality, in addition to reversing covert and encoded malware.
- MAL600 - Advanced Malware Analysis
This module is an advanced course that exposes students to the theoretical knowledge and hands-on techniques to reverse engineer malware designed to thwart common reverse engineering techniques. Students will learn how to identify and analyze the presence of advanced packers, polymorphic malware, encrypted malware, and malicious code that has been armored with cryptors, anti-debugging and anti-reverse engineering. Students will discuss and identify emerging malware threats and how to best combat them.
- CYBRScore Final Assessment - Cyber Defense Forensics Analyst
The CYBRScore Cyber Defense Forensics Analyst assessments are designed to assess an individual’s knowledge, skills, and abilities related to analyzing digital evidence and investigating computer security incidents to derive useful information in support of system/network vulnerability mitigation.
- EC Council-CHFI (Computer Hacking Forensic Investigator) Course and Certification
This module provides students with a firm grasp of digital forensics, presenting a detailed and methodological approach to digital forensics and evidence analysis that also pivots around the Dark Web, IoT, and Cloud Forensics. The tools and techniques covered in this program will prepare the learner for conducting digital investigations using groundbreaking digital forensics technologies.
- Working Forensic Case Capture the Flag (CTF)
This Capture the Flag (CTF) module will allow students to apply what they have learned about real-world scenarios and theoretical concepts to work a simulated forensic investigation from beginning to end. Students will use the investigative skills learned throughout the program to understand how to properly handle evidence, ensure data integrity, collect the evidence in a forensically sound manner, and process the data to reach a reasonable conclusion to complete the investigation. Students will be required to provide a comprehensive report on their findings.
How To Apply
Apply for the Skilling Academy in two simple steps:
- Complete the application package - the application package is made up of a federal resume, a Statement of Interest, and a Supervisor and Applicant Agreement Form.
- Submit the completed application package - submit your application package through your federal government email address.
Please review the FAQs before applying.
Frequently Asked Questions
Have questions? Learn everything you need to know and more about the Federal Cyber Defense Skilling Academy by reading the FAQs below.
Federal Cyber Defense Skilling Academy Privacy Act Statement
Authority: 5 U.S.C. § 301, 44 U.S.C. § 3101, and 6 U.S.C. § 652(c)(11) authorize the collection of this information.
Purpose: The information gathered will be used to establish the federal applicant's eligibility for the Federal Cyber Defense Skilling Academy, and if selected to participate in the program, create a Cyberworld Institute (CWI) and COMTECH Corp. account, contact students about opportunities for cyber security training, and provide information about the classes offered by the Skilling Academy.
Routine Uses: Information collected may be disclosed as generally permitted under 5 U.S.C. § 552a(b) of the Privacy Act of 1974, as amended. This includes using the information as necessary and authorized by the routine uses published in DHS/ALL-003 Department of Homeland Security General Training Records, November 25, 2008, 73 FR 71656 and DHS/ALL-004 General Information Technology Access Account Records System (GITAARS), November 27, 2012, 77 FR 70792. If accepted into the program, names and email addresses will be disclosed to Cyberworld Institute (CWI) and COMTECH Corp. to allow access to the learning content.
Disclosure: Providing this information is voluntary. However, failure to provide this information may prevent CISA from deciding applicant eligibility, creating a Cyberworld Institute (CWI) and COMTECH Corp. account if selected to participate in the program and contacting you in the event there are queries about your request or registration.