Deliver digital forensic services
Overview
This standard is about delivering digital forensic services.
The growth of digital device use for organisational and social purposes has led to behaviours that may need investigation for professional conduct or legality.
This involves ethically identifying and reconstructing the relevant sequence of events that has led to the investigation of a target IT system or digital devices, and recognising the importance of digital evidence. This includes carefully identifying, collecting and analysing digital information in support of investigations to determine the circumstances of events of concern to an organisation whilst maintaining evidential integrity.
This standard covers the competencies needed to deliver digital forensic services. It is for those who need to deliver digital forensic services as part of their duties.
Performance criteria
You must be able to:
- Attend incident scenes to conduct searches for digital data, ensuring proper continuity of evidence
- Conduct physical examinations of digital devices, including disassembly and reassembly
- Perform preliminary forensic analysis to identify storage device specifications, and system and file types
- Triage information systems and digital devices when required to prioritise and plan data recovery and analysis
- Carry out forensic acquisition of data in accordance with organisational guidelines
- Locate and interpret relevant system logs, to identify anomalies or evidence of compromise, including from firewalls, proxies, web servers, system files, and packet captures
- Perform detailed forensic analysis of data to tell the story of the digital activity for the user scenario under investigation
- Prepare evidential data for use in further investigations and potential legal proceedings
- Record all digital forensic activities and results in line with organisational standards
- Produce reports of digital forensic activities and findings
- Present digital forensics findings to management, legal and other stakeholders
Knowledge and Understanding
You need to know and understand:
- That the need for digital forensic analysis can result from incidents, suspected data breaches, intellectual property theft, insider threat investigations, fraud and abuse, asset misuse, and violations of organisational policy
- The starting point for a digital forensic analysis of data is a snapshot of the state of the system of interest, including the current content of data storage drives, cloud storage, system data or other storage medium
- How to extract and produce a mirror image of data, whilst retaining its integrity
- That an operating system maintains a variety of monitoring logs that can provide useful information about individual account user activity
- Computer architecture, operation, connectivity and fixed and virtual networking
- The legislation in relation to Computer Misuse and Cybercrime
- The Data Protection Act, the Freedom of Information Act, and the Criminal Procedure and Investigations Act
- How to effectively manage digital forensic projects to ensure stakeholder requirements and expectations are fulfilled
- How to access and examine digital devices, including hard disk drives, solid state drives, mobile phone SIM cards and other storage media
- The industry standard digital forensic imaging and analysis tools and techniques and how to apply them
- How to search and filter data sources to identify data of interest
- How to read and extract data to identify individual facts and relationships that can support or disprove a hypothesis under investigation
- The steps involved in performing forensic examination of digital devices or systems in accordance with organisational policies and procedures
- That as storage devices evolve, it is increasingly difficult to obtain a true physical copy of the media and a logical or partial acquisition may be the only possibility
- How to apply forensic analysis that can explain the digital data evidence obtained
- How to report on forensic examinations to tell the story of the data from user digital activities under investigation
- The need to maintain digital forensic knowledge to maintain awareness of new digital devices and data storage technologies
- That the results of a forensic investigation may need to be presented in a form that is admissible in a court of law
- When to act and when not to act
- The need to operate ethically when dealing with personal data