forensic specialist - national skill development …...2019/01/14 · information/cyber security...
TRANSCRIPT
Forensic Specialist
Model Curriculum
Forensic Specialist
SECTOR: SUB-SECTOR: OCCUPATION:
REF ID:
NSQF LEVEL:
IT-ITeS IT SERVICES INFORMATION/CYBER SECURITY SSC/Q0922 V1.0 8
Forensic Specialist
Forensic Specialist
TABLE OF CONTENTS
1. Curriculum 01
2. Trainer Prerequisites 17
3. Assessment Criteria 18
Forensic Specialist 1
Forensic Specialist CURRICULUM / SYLLABUS
This program is aimed at training candidates for the job of a “Forensic Specialist”, in the “IT-Services” Sector/Industry and aims at building the following key competencies amongst the learner
Program Name Forensic Specialist
Qualification Pack Name & Reference ID. ID
SSC/Q0922, V1.0
Version No. 1.0 Version Update Date 13/01/2019
Pre-requisites to Training
Graduate in Security/ Computer Science/Electronics and Engineering /Information Technology
Training Outcomes After completing this programme, participants will be able to:
Identify, preserve, and seize digital/electronic devices or records for investigation of possible breach or crime.
Extract relevant data or information from digital/electronic forensic evidences.
Examine and analyse information or data extracted from digital/electronic forensic evidences.
Report and present the results of a forensic investigation.
Manage work to meet requirements.
Work effectively with colleagues.
Maintain a healthy, safe and secure working environment.
Provide data/information in standard formats.
Develop knowledge, skills and competence.
Forensic Specialist 2
This course encompasses 9 out of 9 National Occupational Standards (NOS) of “Forensic Specialist”
Qualification Pack issued by “IT-ITeS SSC”.
Sr. No.
Module Key Learning Outcomes Equipment Required
1 IT-ITES/BPM Industry – An Introduction Theory Duration (hh:mm) 15:00 Practical Duration (hh:mm) 15:00 Corresponding NOS Code Bridge Module
Explain relevance of the IT-ITES
industry.
State the various sub-sectors in the IT-
ITES sector.
Explain the relevance of IT services
sector.
State the various occupations and
tracks in the IT-ITES sector.
Provide a general overview of the IT
services sub-sector.
State the profile of the IT services sub-
sector.
Describe the key trends in the IT
services sub-sector.
List roles in the IT services sub-sector.
Whiteboard and
Markers
LCD Projector and
Laptop for
presentations
Lab equipped with
the PCs/Laptops and
Internet with WiFi
(Min 2 Mbps
Dedicated)
Chart paper and
sketch pens
2 Information/Cyber Security – An Introduction Theory Duration (hh:mm) 15:00 Practical Duration (hh:mm) 15:00 Corresponding NOS Code Bridge Module
Explain the relevance of cyber security
in the society.
Provide an introduction to the job role/
qualification pack of forensic specialist.
Describe the role of a forensic
specialist and key responsibilities.
List the range of skills and behaviour,
expected from a forensic specialist.
Provide a general overview of
information/cyber security and its
roles.
Draw a career map for information/
cyber security.
Lab equipped with
the following:
o PCs/Laptops
o Internet with WiFi
(Min 2 Mbps
Dedicated)
Whiteboard and
Markers
Chart paper and
sketch pens
3 Fundamental Concepts Theory Duration (hh:mm) 20:00 Practical Duration (hh:mm) 20:00 Corresponding NOS Code SSC/N0929
Comprehend computer fundamentals
including, but not limited to hard
drives, networking, and encryption,
Internet ports, protocols, services and
their usefulness.
Explain basic cyber security concepts
such as the importance of
confidentiality, integrity and availability
for information systems; common
types of malicious code (virus, Trojan,
logic bomb, worm, spyware, malware,
DdoS attacks, Phishing); types of
threats facing the information security
of individuals and organisations;
sources of threats to information
security in terms of opportunity, ability
Whiteboard and
markers
LCD projector and
laptop for
presentation
Lab with:
o key devices,
software and
hardware in a large
network
o application of
multiple networking
topology; use of
various network
protocols; bandwidth
management
Forensic Specialist 3
Sr. No.
Module Key Learning Outcomes Equipment Required
and motive, etc.; principles of data
security; how vulnerabilities can be
identified and resolved.
Implement common cyber security
solutions.
List types of electronic evidence,
devices containing electronic evidence
and external connections to such
devices.
Recognize and analyse possible
electronic evidence sources relevant
networking concepts, devices and
terminologies.
Describe the forensic investigation
process.
tools; application of
host network access
controls; hubs;
switches; routers;
bridges; servers;
transmission media
IDS/IPS; application
of
SSL, VPN, 2FA,
encryption, etc.
Provision for software
development work in
the lab including
software and tools
Sources of data: With
internal drives (e.g.
desktop computers,
servers, network
storage devices,
laptops); external
storage forms (e.g.
thumb drives,
memory and flash
cards, optical discs,
and magnetic disks);
portable digital
devices (e.g., PDAs,
cell phones, digital
cameras, digital
recorders, audio
players); etc.
Other sources:
network activity logs;
application usage
data; logs generated
by security
monitoring controls
such as intrusion
etection software,
antivirus software,
and spyware
detection and
removal utilities;
keystroke monitoring;
etc.
4 First Response to a Cyber Crime Incident
Ensure that necessary
authorisations/resources are in place
Whiteboard and Markers
Forensic Specialist 4
Sr. No.
Module Key Learning Outcomes Equipment Required
Theory Duration (hh:mm) 20:00 Practical Duration (hh:mm) 15:00 Corresponding NOS Code SSC/N0929
to conduct a forensic evidence seizure
for an investigation.
Ensure that the scene is physically
secured to prevent unauthorized
access and alteration/damage of the
evidence as per containment policies
and situational considerations.
identify potential sources of data that
could be evidence by surveying a
physical area.
Create a plan that prioritizes the
sources, establishing the order in
which the computing devices or
records can be acquired.
Detail out the importance of crime
scene management and what does it
entail.
LCD Projector and Laptop for presentations
Provision for online research in the lab for all students
At least 4 sets of the following tools o General crime
scene processing tools
o Documentation tools
o Disassembly and removal tools
o Package and transport supplies
o Other tools o Notebook
computers
Standard Lab
5 Search and Seizure Theory Duration (hh:mm) 20:00 Practical Duration (hh:mm) 30:00 Corresponding NOS Code SSC/N0929
Identify whether data in the device or
record is volatile or non-volatile so that
both types of data can be adequately
preserved.
Collect volatile data using forensic
tools.
Replicate non-volatile data sources to
collect their data, securing the original
non-volatile data sources.
Preserve the integrity of the data
source device or record after verifying
the same in accordance with
investigation procedures.
Record current state, condition and
configuration of digital devices and
media and potentially relevant
information at the time of seizure.
Ensure that digital devices and media
are handled consistent with preserving
other potential evidence sources
including fingerprints or DNA.
Record any activity on the computer,
components, or devices by taking
photographs or recording any
information that may be relevant.
Terminate any destructive software
being running on any device that was
identified during checking.
Whiteboard and Markers
Multiple sets of a large sized flowchart showing the process for seizing and preserving digital evidence and maintaining chain of custody as per number of pair teams.
Various search and seizure tools.
Provision for online research in the lab.
Forensic Specialist 5
Sr. No.
Module Key Learning Outcomes Equipment Required
Maintain a detailed log of every step
that was taken to collect the data,
including information about each tool
used in the process and handlers.
List processes for seizing and
preserving digital evidence and
maintaining chain of custody.
Define methods of protecting and
concealing electronic information
including locking, encryption, sealing,
etc.
Describe how to conduct a preview of
the contents of electronic devices.
Examine which system files contain
relevant information and where to find
those system files.
Define how to preserve the information
on battery powered devices.
List the types of actions necessary to
preserve third party and volatile data
sources.
List do’s and don’ts for seizing and
recording electronic evidence sources.
Identify how to keep a record of the
seizure process, the condition and
state of the device and the reasons
why this is important.
Explain handling memory forensics
and volatile evidences
6 Cyber Security Policies, Procedures, Standards & Guidelines Theory Duration (hh:mm) 10:00 Practical Duration (hh:mm) 10:00 Corresponding NOS Code SSC/N0929
State relevant legislation, standards,
policies, and procedures followed in
the company.
Describe the organizational systems,
procedures and tasks/checklists within
the domain and how to use these.
Describe the operating procedures that
are applicable to the system(s) being
used, typical response times and
service times related to own work
area.
Whiteboard and
Markers
LCD Projector and
Laptop for
presentations
Provision for online
research in the lab
for all students
Access to free cyber
forensic tools and
methods and their
tutorials 2-3
computer
applications, 2-3
mobile applications
and 2-3 web
applications
Forensic Specialist 6
Sr. No.
Module Key Learning Outcomes Equipment Required
7 Technological Developments in Cyber Security Theory Duration (hh:mm) 10:00 Practical Duration (hh:mm) 05:00 Corresponding NOS Code SSC/N0929
Explain the importance of staying
abreast of technological upgradation in
cyber security
Explain next generation techniques for
controlling advanced threats to
applications.
Describe improved ways of preventing
remote applications by being
compromised.
Stay abreast of the latest
developments as per industry
standards and security tools to ensure
that corporate security methods and
tools.
Whiteboard and
Markers
LCD Projector and
Laptop for
presentations
Provision for online
research in the lab
for all students
8 The Examination and Extraction Process Theory Duration (hh:mm) 10:00 Practical Duration (hh:mm) 05:00 Corresponding NOS Code SSC/N0930
Explain basic steps of the examination
and analysis processes.
Identify necessary resources that
could be required for extracting
relevant data or information from the
evidences.
Whiteboard and
Markers
Multiple sets of a
large sized flowchart
showing the process
examination and
extraction of digital
evidence and
maintaining chain of
custody as per
number of pair
teams.
9 Creation of Forensics Duplicate of a Hard Drive Theory Duration (hh:mm) 10:00 Practical Duration (hh:mm) 25:00 Corresponding NOS Code SSC/N0930
Obtain items relevant to forensic
examinations in line with investigative
procedures from authorised channels.
Check forensic items against records
and identify and address any
inaccuracies.
Obtain necessary resources that could
be required for extracting relevant data
or information from evidences.
Create an image or copy of the original
storage device using clean storage
media to have a backup.
Describe how to take data backup or
make copies of data sources, types of
backups, data recovery concepts and
tools.
Explain what applications are used for
data back up.
Whiteboard and
Markers
Boot disk acquisition
and
remote/enterprise
grade tools to image
a hard disk
Blank media
Computers with Hard
disks that can be
removed
Computers with Hard
disk from which live
imaging can be done
Forensic Specialist 7
Sr. No.
Module Key Learning Outcomes Equipment Required
10 Locating the Files and Extracting Data Theory Duration (hh:mm) 20:00 Practical Duration (hh:mm) 30:00 Corresponding NOS Code SSC/N0930
Identify data required to be extracted
and most likely sources.
Select the best method and tools for
extraction as per the make and model
of device.
Locate the required files and electronic
data manually or using forensic tools.
Display the contents of slack space
with hex editors or special slack
recovery tools.
Search for files and information that
have been hidden, deleted or lost.
Identify the type of data stored in many
files by looking at their file headers or
simple histogram.
Identify presence of encrypted data or
the use of Steganography and the
feasibility of decryption or extracting
embedded data.
Identify the encryption method by
examining the file header, identifying
encryption programs installed on the
system, or finding encryption keys.
Extract the embedded data by finding
the Stegano key, or by using brute
force and cryptographic attacks to
determine a password.
Crack passwords placed on individual
files, as well as OS passwords using
various utilities and techniques.
Disable passwords placed on
individual files, as well as OS
passwords using various utilities and
techniques.
Bypass passwords placed on
individual files, as well as OS
passwords using various utilities and
techniques.
Identify data from disks that may have
been hidden, encrypted or damaged,
etc.
Recover data from disks that may
have been hidden, encrypted or
damaged, etc.
Copy data from disks that may have
been hidden, encrypted or damaged,
etc.
Whiteboard and
Markers
LCD, projector and
laptop for
presentation
Boot disk acquisition
or remote/enterprise
grade tools
Blank media
Computers with hard
disks and Windows,
Linux, and UNIX OS
File viewers
Software for
uncompressing files
Up-to-date antivirus
software
Searching tools that
can use Boolean,
fuzzy logic,
synonyms and
concepts, stemming,
and other search
methods
Special utilities that
can extract metadata
from files
De-encryption tools
Steganography
software
Utilities that can
crack passwords
placed on individual
files, as well as OS
passwords
Forensic Specialist 8
Sr. No.
Module Key Learning Outcomes Equipment Required
Recognize uncompressed files, and
how to read disk images.
Examine how to extract data and
metadata from files using forensic
toolkits.
Identify malicious activity against OSs
using security applications, such as file
integrity checkers and host IDSs, etc.
Perform string searches and pattern
matching using searching tools that
use Boolean, fuzzy logic, synonyms
and concepts, stemming, and other
search methods.
11 Data Acquisition Tools Theory Duration (hh:mm) 10:00 Practical Duration (hh:mm) 05:00 Corresponding NOS Code SSC/N0930
List various tools for examining and
extracting data and their limitations.
Describe usage of tools for gathering
and presenting network traffic data and
their limitations.
Recognise common forensic tool
configuration and support applications.
Select the best method and tools for extraction as per the make and model of data storage device.
Whiteboard and
Markers
Boot disk acquisition
or remote/enterprise
grade tools
Blank media
Computers with hard
disks and Windows,
Linux, and UNIX OS
Write blockers
Forensic Duplicator
Forensic Dossier
Forensic Talon
12 Examining and Extracting Operating System Data Theory Duration (hh:mm) 05:00 Practical Duration (hh:mm) 15:00 Corresponding NOS Code SSC/N0930
Examine OS Data in binary files.
Determine how to handle large binary
files while extracting OS data.
Extract OS data from large binary files.
Whiteboard and
Markers
Boot disk acquisition
or remote/enterprise
grade tools
Blank media
Computers with hard
disks and Windows,
Linux, and UNIX OS
Write blockers
Forensic Duplicator
Forensic Dossier
Forensic Talon
13 Extracting Network Traffic Data Theory Duration (hh:mm) 10:00
Describe the process for extracting
network traffic data.
Examine the data sources for network
traffic data.
Extract network traffic data with the
goal of determining what happened
Whiteboard and
Markers
Boot disk acquisition
or remote/enterprise
grade tools
Blank media
Forensic Specialist 9
Sr. No.
Module Key Learning Outcomes Equipment Required
Practical Duration (hh:mm) 20:00 Corresponding NOS Code SSC/N0930
and how the organization’s systems
and networks have been affected.
Monitor network traffic data sources.
Package and transport the electronic
evidence.
Computers with hard
disks and Windows,
Linux, and UNIX OS
Write blockers
Forensic Duplicator
Forensic Dossier
Forensic Talon
14 Cyber Forensic Analysis Theory Duration (hh:mm) 20:00 Practical Duration (hh:mm) 30:00 Corresponding NOS Code SSC/N0931
Perform analysis of extracted data
from evidence collated using various
forensic tools.
Review file system time and date
stamps to the timeframes relevant to
the investigation.
Review system and application logs for
relevant information.
Correlate file headers to the
corresponding file extensions to
identify any mismatches.
Analyse programs and file metadata in
various ways to provide insight into the
capability of the system and the
knowledge of the user.
Analyse network traffic data with the
goal of determining what has
happened and how the organization’s
systems and networks have been
affected.
Fuse computer network attack
analyses with criminal and
counterintelligence investigations and
operations.
Identify additional systems/ networks
compromised by cyber-attacks.
Perform computer network defence
(CND) incident triage, to include
determining scope, urgency, and
potential impact; identifying the
specific vulnerability; and making
recommendations that enable
expeditious remediation.
Perform virus scanning on digital
media.
Identify external or insider attackers
attempting to gain and misuse non-
authorized privileges.
Follow investigation procedure in order
to determine the identity of attacker.
Whiteboard and
Markers
LCD Projector for
presentations
Image or duplicate of
hard drive with
sample data
SEM software
NFAT software
Binary analysis tools
Forensic tool
configuration and
support applications
Log file analysis tool,
Registry analysis tool
Web browser
analysis tool
Filesystem analysis
tool
Memory analysis
tools
Data Visualization
tool.
Debugging tools
Malware analysis
tools
Forensic Specialist 10
Sr. No.
Module Key Learning Outcomes Equipment Required
Safeguard the device and relevant
information for the application of
physical forensic examinations.
15 Analysis Tools Theory Duration (hh:mm) 15:00 Practical Duration (hh:mm) 10:00 Corresponding NOS Code SSC/N0931
Describe the various digital evidence
analysis tools such as log file analysis
tools, registry analysis tools, web
browser analysis tools, filesystem
analysis tools, memory analysis tools.
State the applications of the digital
evidence analysis tools.
Describe the data visualisation tool for
analysing data and presenting to
others.
Whiteboard and
Markers
LCD Projector for
presentations
Log file analysis tool,
Registry analysis tool
Web browser
analysis tool
Filesystem analysis
tool
Memory analysis
tools
Data Visualization
tool.
16 CDR Analysis and Email Investigation Theory Duration (hh:mm) 15:00 Practical Duration (hh:mm) 20:00 Corresponding NOS Code SSC/N0931
Analyse email and mobile phone
records to trace devices to a particular
location (or to rule them out).
Uncover links between individuals or
groups by following electronic data
trails.
Connect strings of interactions that
provide a picture of activity using
evidence collected from other sources
than electronic devices.
Whiteboard and
Markers
LCD Projector for
presentations
Image or duplicate of
hard drive with
sample data
SEM software
NFAT software
Binary analysis tools
Forensic tool
configuration and
support applications
Log file analysis tool,
Registry analysis tool
Web browser
analysis tool
Filesystem analysis
tool
Memory analysis
tools
Data Visualization
tool.
Debugging tools
Malware analysis
tools
17 Drawing Conclusions
Identify risks to safety linked to
working with forensic items and take
the necessary actions to minimise the
risks.
Whiteboard and
Markers
Forensic Specialist 11
Sr. No.
Module Key Learning Outcomes Equipment Required
Theory Duration (hh:mm) 05:00 Practical Duration (hh:mm) 10:00 Corresponding NOS Code SSC/N0931
Develop conclusions based on the
data that is available and assumptions
regarding the missing data.
LCD Projector for
presentations
18 Documentation Theory Duration (hh:mm) 10:00 Practical Duration (hh:mm) 25:00 Corresponding NOS Code SSC/N0932
State relevant policies, and procedures
followed in the company with respect
to documentation.
List the tools, procedures and
tasks/checklists used in forensic
documentation.
Identify and obtain necessary
resources that could be required for
reporting and presenting forensic
investigation, its results and
evidences.
Ensure all relevant information is
collated and captured in the report
accurately and clearly.
List and organise for supporting
materials that are included with the
report, such as printouts of particular
items of evidence, digital copies of
evidence, chain of custody
documentation, photos, emails
(showing email headers, the path and
timing emails took to get from source
to destination), etc.
Ensure that the evidence remains
pristine and unaltered while
presenting.
safeguard the device and relevant
information for the application of
physical forensic examinations by
taking appropriate action.
Whiteboard and
Markers
Backup devices
Blank media
Forensic
workstations
Isolation chamber
Forensic examination
tools
Evidence handling
supplies, etc. (e.g.
clean blank media,
faraday bags,
evidence tags,
evidence tape, digital
cameras)
Firewalls
Publicly accessible
servers
Lab equipment as in
the search and
seizure unit
Lab equipment as in
the extraction of data
unit
Documentation of the
previous groups
(preferably of all the
best documentation
winners from the
previous sections)
Templates for
documenting the
extraction of data
process
Templates for
documenting the
Forensic Specialist 12
Sr. No.
Module Key Learning Outcomes Equipment Required
search and seizure
process
19 Reporting Theory Duration (hh:mm) 10:00 Practical Duration (hh:mm) 20:00 Corresponding NOS Code SSC/N0932
State policies, and procedures
followed in the company with respect
to reporting.
Create a brief summary of the results
of the examinations performed on the
items submitted for analysis.
Provide comprehensive details of
findings in the report.
Create a glossary with the report to
assist the reader using an accepted
source for the definition of the terms
and include appropriate references.
Present and explain track record of
information exchange, and the “hash!
Value”, also referred to as a
checksum, as a mark of authenticity.
Carefully document each stage of your
investigation.
Work within the level of authority and
expertise taking actions necessary
should these be exceeded.
Differentiate between fact and opinion
and express opinions within your area
of expertise while writing the report.
Identify any risks to safety linked to
working with forensic items in line with
health and safety procedures.
Take the necessary actions to
minimise any risks linked to working
with forensic items.
Whiteboard and
Markers
Sample forensic
examination reports
A caselets about
some forensic data
that can be analysed
using 3 different
techniques
Sample cyber
forensic reports
20 Manage your work to meet requirements Theory Duration (hh:mm) 20:00 Practical Duration (hh:mm) 25:00 Corresponding NOS Code SSC/N9001
Establish and agree your work
requirements with appropriate people.
Ensure the immediate work area is
clean and tidy.
Utilize your time effectively.
Use resources correctly and efficiently.
Process confidential information as
separately following standard
operating procedure.
Adhere to organization’s policies and
procedures.
Adhere to limits of responsibility and
access as per the job role.
Whiteboard and Markers.
LCD Projector and Laptop for presentations.
Training organization’s confidentiality policy.
Forensic Specialist 13
Sr. No.
Module Key Learning Outcomes Equipment Required
Obtain guidance from appropriate
people, where necessary.
Ensure your work meets the agreed
requirements.
21 Work effectively with colleagues Theory Duration (hh:mm) 20:00 Practical Duration (hh:mm) 25:00 Corresponding NOS Code SSC/N9002
Speak with colleagues clearly,
concisely and accurately.
Co-ordinate with colleagues to
integrate your work effectively with
them.
Provide essential information to
colleagues in line with organizational
requirements.
Show due respect for colleagues while
working.
Carry out commitments you have
made to colleagues.
Inform colleagues in good time if you
cannot carry out your commitments,
explaining the reasons.
Identify any problems you have
working with colleagues and take the
initiative to solve these problems.
Follow the organization’s policies and
procedures for working with
colleagues.
Whiteboard and
Markers.
LCD Projector and
Laptop for
presentations.
Provision to write
emails and send in
the lab.
Lab with provision for
internet, email, word
processor and
presentation
software.
Chart paper,
markers, picture
magazines and old
newspapers.
22 Maintain a healthy, safe and secure working environment Theory Duration (hh:mm) 20:00 Practical Duration (hh:mm) 25:00 Corresponding NOS Code SSC/N9003
Comply with your organization’s
current health, safety and security
policies and procedures.
Report any identified breaches in
health, safety, and security policies
and procedures to the designated
person.
Identify and correct any hazards that
you can deal with safely, competently
and within the limits of your authority.
Report any hazards that you are not
competent to deal with to the relevant
person in line with organizational
procedures and warn other people
who may be affected.
Follow your organization’s emergency
procedures promptly, calmly, and
efficiently.
Identify and recommend opportunities
for improving health, safety, and
security to the designated person.
Whiteboard and
Markers
LCD Projector and
Laptop for
presentations
The training
organization’s current
health, safety and
security policies and
procedures
Provision for online
research in the Lab
A sample health and
safety policy
document
Emergency
broadcast system
and mock emergency
signage in the
appropriate areas of
the training institute
Forensic Specialist 14
Sr. No.
Module Key Learning Outcomes Equipment Required
Complete any health and safety records legibly and accurately.
23 Provide data/information in standard formats Theory Duration (hh:mm) 20:00 Practical Duration (hh:mm) 25:00 Corresponding NOS Code SSC/N9004
Establish and agree with appropriate
people the data/information you need
to provide, the formats in which you
need to provide it, and when you need
to provide it.
Obtain the data/information from
reliable sources.
Check that the data/information is
accurate, complete and up-to-date.
Obtain advice or guidance from
appropriate people where there are
problems with the data/information.
Carry out rule-based analysis of the
data/information, if required
Insert the data/information into the
agreed formats.
Check the accuracy of your work,
involving colleagues where required.
Report any unresolved anomalies in
the data/information to appropriate
people.
Provide complete, accurate and up-to-
date data/information to the
appropriate people in the required
formats on time.
Whiteboard and
Markers.
LCD Projector and
Laptop for
presentations.
Provision for online
research in the lab.
24 Develop knowledge, skills and competence Theory Duration (hh:mm) 20:00 Practical Duration (hh:mm) 25:00 Corresponding NOS Code SSC/N9005
Obtain advice and guidance from
appropriate people to develop your
knowledge, skills and competence.
Identify accurately the knowledge and
skills you need for your job role.
Identify accurately your current level of
knowledge, skills and competence and
any learning and development needs.
Agree with appropriate people a plan
of learning and development activities
to address your learning needs.
Undertake learning and development
activities in line with your plan.
Apply your new knowledge and skills
in the workplace, under supervision.
Obtain feedback from appropriate
people on your knowledge and skills
and how effectively you apply them.
Whiteboard and
Markers.
LCD Projector and
Laptop for
presentations.
Soft copy of QP-
NOS.
Provision for online
access to all students
in the lab.
Questionnaire and
key for Honey and
Mumford learning
styles.
Forensic Specialist 15
Sr. No.
Module Key Learning Outcomes Equipment Required
Review your knowledge, skills and
competence regularly and take
appropriate action.
Total Duration Theory Duration 350:00 Practical Duration 450:00
Unique Equipment Required: Whiteboard and Markers, LCD Projector and Laptop for presentations, Chart paper Lab equipped with the following:
Pcs/Laptops and Internet with wifi (Min 2 Mbps Dedicated)
Provision for email
Word processor and presentation software
CRM application, such as Siebel, Zoho, Social networking tool / LMS tool to enable blog posts or discussion board, Instant messenger, chat
Email tools to enable mock exercises
Laptops for student presentations
Chart paper and sketch pens
Key devices, software and hardware in a large network
Application of multiple networking topology Use of various network protocols
Bandwidth management tools
Application of host network access controls
Hubs; switches; routers; bridges; servers
Transmission media IDS/IPS
Application of SSL, VPN, 2FA, encryption, etc.
Provision for software development work in the lab including software and tools
Sources of data that are internal drives (e.g. Desktop computers, servers, network storage devices, laptops)
Sources of data that are external storage forms (e.g. Thumb drives, memory and flash cards, optical discs, and magnetic disks)
Portable digital devices (e.g., pdas, cell phones, digital cameras, digital recorders, audio players)
Other sources of data like network activity logs, application usage data, logs generated by security monitoring controls such as intrusion detection software, antivirus software, spyware detection and removal utilities
Keystroke monitoring
General crime scene processing tools
Documentation tools
Disassembly and removal tools
Package and transport supplies
Notebook computers
Large sized flowchart showing the process for seizing and preserving digital evidence and maintaining chain of custody
Various search and seizure tools
Free cyber forensic tools and methods and their tutorials
Various computer applications
Various mobile applications
Various web applications
Multiple sets of a large sized flowchart showing the process examination and extraction of digital evidence and maintaining chain of custody
Forensic Specialist 16
Boot disk acquisition and remote/enterprise grade tools to image a hard disk
Blank media
Computers with Hard disks that can be removed
Computers with Hard disk and Windows, Linux, and UNIX OS from which live imaging can be done
File viewers
Software for uncompressing files
Up-to-date antivirus software
Searching tools that can use Boolean, fuzzy logic, synonyms and concepts, stemming, and other search methods
Special utilities that can extract metadata from files
De-encryption tools
Steganography software
Utilities that can crack passwords placed on individual files, as well as OS passwords
Boot disk acquisition or remote/enterprise grade tools
Blank media
Write blockers
Forensic Duplicator
Forensic Dossier
Forensic Talon
Image or duplicate of hard drive with sample data
SEM software
NFAT software
Binary analysis tools
Forensic tool configuration and support applications
Logfile analysis tool
Registery analysis tool
Web browser analysis tool
Filesystem analysis tool
Memory analysis tools
Data Visualization tool
Debugging tools
Malware analysis tools
Forensic workstations
Isolation chamber
Forensic examination tools
Evidence handling supplies, etc. (e.g. Clean blank media, faraday bags, evidence tags, evidence tape, digital cameras);
Firewalls
Publicly accessible servers
Templates for documenting the extraction of data process
Templates for documenting the search and seizure process
Sample forensic examination reports
A caselet about some forensic data that can be analysed using 3 different techniques
Sample cyber forensic reports; Training organization’s confidentiality policy
picture magazines and old newspapers
The training organization’s current health, safety and security policies and procedures
Provision for online research in the Lab
A sample health and safety policy document
Forensic Specialist 17
Emergency broadcast system and mock emergency signage in the appropriate areas of the training institute
Grand Total Course Duration: 800 Hours, 0 Minutes
(This syllabus/ curriculum has been approved by SSC: IT-ITeS Sector Skills Council NASSCOM)
Forensic Specialist 18
Trainer Prerequisites for Job role: “Forensic Specialist” mapped to Qualification Pack: “SSC/Q0922 v1.0”
Sr. No.
Area Details
1 Description To deliver accredited training service, mapping to the curriculum detailed Above, in accordance with the Qualification Pack “SSC/Q0922 Version 1.0”.
2 Personal Attributes
Aptitude for conducting training, and pre/ post work to ensure competent, Employable candidates at the end of the training. Strong communication skills, interpersonal skills, ability to work as part of a team; a passion for quality and for developing others; well-organized and focused, eager to learn and keep oneself updated with the latest in this field.
3 Minimum Educational Qualifications
Graduate in Security/ Computer Science/Electronics and Engineering /Information Technology
4a Domain Certification
Certified for Job Role “Forensic Specialist” mapped to Qualification Pack “SSC/Q0922” Version 1.0. Minimum accepted score is 80%.
4b Platform Certification
Recommended that the trainer is certified for the Job role “Trainer” mapped to the Qualification Pack “MEP/Q0102”. Minimum accepted score is 80% aggregate.
5 Experience Field experience: Minimum 2 years’ experience in the same domain Training experience: 1 year preferred
Forensic Specialist 19
Assessment Criteria
Job Role Forensic Specialist
Qualification Pack SSC/Q0922, V1.0
Sector Skill Council IT-ITeS
Sr. No.
Guidelines for Assessment
1 Criteria for assessment for each Qualification Pack (QP) will be created by the Sector Skill Council (SSC). Each performance criteria (PC) will be assigned Theory and Skill/Practical marks proportional to its importance in NOS.
2 The assessment will be conducted online through assessment providers authorised by SSC.
3 Format of questions will include a variety of styles suitable to the PC being tested such as multiple-choice questions, fill in the blanks, situational judgment test, simulation and programming test.
4 To pass a QP, a trainee should pass each individual NOS. Standard passing criteria for each NOS is 70%.
5 For latest details on the assessment criteria, please visit www.sscnasscom.com.
6 In case of successfully passing only certain number of NOS's, the trainee is eligible to take subsequent assessment on the balance NOS's to pass the Qualification Pack
Forensic Specialist 20
Assessable outcomes
Assessment criteria for the outcome Total Mark (900)
Out of
Theory Skills Practical
1. SSC/N0929
(Identify, preserve
and seize
digital/electronics
devices or records
for investigation of
possible breach or
crime )
PC1. Ensure that necessary authorisations
and resources are in place to conduct a
forensics evidence seizure for an
investigation.
100
3 1 2
PC2. Ensure that the scene is physically
secured to prevent unauthorized access and
alteration or damage of the evidence as per
containment policies and situational
considerations.
4 2 2
PC3. Survey a physical area and identify
potential sources of data that could be
evidence.
4 1 3
PC4. Identify other sources of data and the
owner of the same that can be accessed. 3 1 2
PC5. Identify and obtain materials related to
digital communications which are relevant to
the investigation.
3 1 2
PC6. Ensure identified device or component is
up and running however is being disconnected
from any network.
3 1 2
PC7. Check for and terminate any destructive
software running on any device while seeking
to save as much information as possible.
4 1 3
PC8. Estimate the relative likely value of each
potential data source for the investigation. 4 1 3
PC9. Identify whether data in the device or
record is volatile or non-volatile so that both
types of data can be adequately preserved.
4 1 3
PC10. Create a plan that prioritizes the
sources, establishing the order in which the
computing devices or records can be
acquired.
5 2 3
PC11. Use forensic tools to collect volatile
data. 5 2 3
PC12. Duplicate non-volatile data sources to
collect their data, securing the original non-
volatile data sources.
5 2 3
PC13. Verify and preserve the integrity of the
data source device or record in accordance
with investigation procedures.
5 1 4
PC14. Record current state, condition and
configuration of digital devices and media and
potentially relevant information at the time of
seizure.
6 2 4
Forensic Specialist 21
PC15. Handle digital devices and media
consistent with preserving other potential
evidence sources including fingerprints or
DNA.
3 1 2
PC16. Document any activity on the computer,
components, or devices by taking
photographs or recording any information that
may be relevant.
4 1 3
PC17. Maintain a detailed log of every step
that was taken to collect the data, including
information about each tool used in the
process and handlers.
4 1 3
PC18. Photograph and label the components
of the device making specific reference to
ancillary leads and connections to the device.
4 1 3
PC19. Appropriately package, seal and label
the device in accordance with current
diligence procedures.
3 1 2
PC20. Check packaging of forensic items in
line with forensic procedures, and identify,
record and address any packaging problems.
4 1 3
PC21. Carefully document each stage of the
seizure and investigation. 3 1 2
PC22. Ensure chain of custody is followed for
all digital media acquired in accordance with
the rules of evidence.
3 1 2
PC23. Identify any risks to safety linked to
working with forensic items in line with health
and safety procedures.
3 1 2
PC24. Take the necessary actions to minimise
any risks linked to working with forensic items. 4 1 3
PC25. Transport and store forensic items to
relevant authorities in line with investigative
procedures, and in a way that avoids risk to
potential evidence, including loss, breakage,
contamination, cross-contamination,
degradation, etc.
4 1 3
PC26. Record details of the storage, handling,
transfer and packaging of forensic items in line
with organisational procedures.
3 1 2
Total 100 31 69
2.SSC/N0930
(Extract relevant
data or information
from digital forensic
evidences)
PC1. Obtain items relevant to forensic
examinations in line with investigative
procedures from authorised channels. 100 3 1 2
Forensic Specialist 22
PC2. Check forensic items against records
and identify and address any inaccuracies. 4 1 3
PC3. Identify and obtain necessary resources
that could be required for extracting relevant
data or information from the evidences.
3 1 2
PC4. Create an image or copy of the original
storage device using clean storage media to
have a backup.
5 2 3
PC5. Install write blocking software to prevent
any change to the data on the device or
media.
5 2 3
PC6. Identify data that is required to be
extracted and most likely sources. 3 1 2
PC7. Select the best method and tools for
extraction as per the make and model of
device.
2 1 1
PC8. Locate the required files manually or
using forensic tools. 3 1 2
PC9. Display the contents of slack space with
hex editors or special slack recovery tools. 3 1 2
PC10. Hunt for files and information that have
been hidden, deleted or lost. 3 1 2
PC11. Identify the type of data stored in many
files by looking at their file headers or simple
histogram.
3 1 2
PC12. Identify presence of encrypted data or
the use of steganography and the feasibility of
decryption or extracting embedded data.
3 1 2
PC13. Identify the encryption method by
examining the file header, identifying
encryption programs installed on the system,
or finding encryption keys.
4 1 3
PC14. Extract the embedded data by finding
the stego key, or by using brute force and
cryptographic attacks to determine a
password.
5 1 4
PC15. Crack, disable or bypass passwords
placed on individual files, as well as OS
passwords using various utilities and
techniques.
4 1 3
PC16. Find, recover and copy data from disks
that may have been hidden, encrypted or
damaged, etc.
4 1 3
PC17. Uncompressed files and read disk
images. 3 1 2
PC18. Extract data and metadata from files
using forensic toolkits. 4 1 3
Forensic Specialist 23
PC19. Identify malicious activity against OSs
using security applications, such as file
integrity checkers and host IDSs, etc.
4 2 2
PC20. Perform string searches and pattern
matching using searching tools that use
Boolean, fuzzy logic, synonyms and concepts,
stemming, and other search methods.
5 1 4
PC21. Assess and extract network traffic data
with the goal of determining what happened
and how the organization’s systems and
networks have been affected.
4 1 3
PC22. Obtain relevant information from ISP
and cloud service provider after taking due
authorisation from Law Enforcement
Authority/Agency.
3 1 2
PC23. Reveal (unlock) digital images that
have been altered to mask the identity of a
place or person.
4 1 3
PC24. Submit the device or original media for
physical evidence examination after removing
the data.
3 0 3
PC25. When equipment is damaged,
dismantle and rebuild the system in order to
recover lost data.
4 1 3
PC26. Carefully document the process
followed in extraction as well as the data
retrieved.
3 1 2
PC27. Identify and minimise any risks to
safety linked to working with forensic items in
line with health and safety procedures.
3 1 2
PC28. Take measures to ensure preservation
of physical evidence like finger prints, DNA
etc. while handling the evidence.
3 1 2
Total 100 30 70
3. SSC/N0931
(Analyze
information or data
extracted from
digital forensic
evidences)
PC1.Identify and obtain necessary resources
that could be required for examining and
analysing of forensic evidences.
100
3 1 2
PC2. Perform analysis of the extracted data
using various forensic tools. 5 2 3
PC3. Review the time and date stamps
contained in the file system metadata to link
files of interest to the timeframes relevant to
the investigation.
3 1 2
PC4. Review system and application logs for
relevant information. 3 1 2
PC5. Correlate file headers to the
corresponding file extensions to identify any
mismatches.
3 1 2
Forensic Specialist 24
PC6. Perform data hiding analysis for
detecting and recovering data and may
indicate knowledge, ownership, or intent.
5 1 4
PC7. Analyse programs and files in various
ways to provide insight into the capability of
the system and the knowledge of the user.
5 1 4
PC8. Analyse file metadata typically through
the application that created it to provide insight
into detailed information like authorship, time
last edited, number of times edited, and print
or saved location, etc.
5 1 4
PC9. Determine ownership and
knowledgeable possession of the questioned
data using various methods.
4 1 3
PC10. Analyse network traffic data with the
goal of determining what has happened and
how the organization’s systems and networks
have been affected.
5 1 4
PC11. Analyse mobile phone records to trace
devices to a particular location (or to rule them
out).
4 2 2
PC12. Follow electronic data trails to uncover
links between individuals or groups. 4 1 3
PC13. Piece together strings of interactions
that provide a picture of activity using
evidence collected from other sources than
electronic devices.
5 2 3
PC14. Identify additional systems/networks
compromised by cyber-attacks. 3 1 2
PC15. Identify the most important
characteristics of the activity and the negative
impact it has caused or may cause the
organization.
4 2 2
PC16. Perform computer network defence
(CND) incident triage, to include determining
scope, urgency, and potential impact;
identifying the specific vulnerability; and
making recommendations that enable
expeditious remediation.
6 2 4
PC17. Perform various types of forensics
analysis as per the requirement of media type,
data or constraints.
6 2 4
PC18. Perform virus scanning on digital
media. 4 1 3
PC19. Fuse computer network attack
analyses with criminal and counterintelligence
investigations and operations.
4 1 3
PC20. Identify elements of proof of the crime. 3 1 2
Forensic Specialist 25
PC21. Identify outside attackers accessing the
system from the internet or insider attackers,
that is, authorized users attempting to gain
and misuse non-authorized privileges.
3 1 2
PC22. Follow investigation procedure in order
to determine the identity of attacker. 3 1 2
PC23. Take appropriate action to safeguard
the device and relevant information for the
application of physical forensic examinations.
3 1 2
PC24. Carefully document each stage of the
investigation. 3 1 2
PC25. Identify risks to safety linked to working
with forensic items and take the necessary
actions to minimise the risks.
4 1 3
Total 100 31 69
4. SSC/N0932
(Report and present
the results of a
forensic
investigation)
PC1. Identify and obtain necessary resources
that could be required for reporting and
presenting forensic investigation, its results
and evidences.
100
7 2 5
PC2. Ensure all relevant information is
collated and captured in the report accurately
and clearly.
6 2 4
PC3. List and organise for supporting
materials that are included with the report,
such as printouts of particular items of
evidence, digital copies of evidence, chain of
custody documentation, photos, emails
(showing email headers, the path and timing
emails took to get from source to destination),
etc.
9 3 6
PC4. Create a brief summary of the results of
the examinations performed on the items
submitted for analysis.
9 3 6
PC5. Provide comprehensive details of
findings in the report. 9 3 6
PC6. Create a glossary with the report to
assist the reader using an accepted source for
the definition of the terms and include
appropriate references.
6 2 4
PC7. Ensure that the evidence remains
pristine and unaltered while presenting. 5 1 4
PC8. Present and explain track record of
information exchange, and the “hash! Value”,
also referred to as a checksum, as a mark of
authenticity.
6 2 4
PC9. Carefully document each stage of your
investigation. 7 2 5
Forensic Specialist 26
PC10. Work within the level of authority and
expertise taking actions necessary should
these be exceeded.
6 2 4
PC11. Differentiate between fact and opinion
and express opinions within your area of
expertise while writing the report.
5 1 4
PC12. Identify any risks to safety linked to
working with forensic items in line with health
and safety procedures.
5 2 3
PC13. Take the necessary actions to minimise
any risks linked to working with forensic items. 6 2 4
PC14. Take appropriate action to safeguard
the device and relevant information for the
application of physical forensic examinations.
7 2 5
PC15. Take appropriate action to ensure
confidentiality and integrity of report and
related documents.
7 2 5
Total 100 31 69
4. SSC/N9001
(Manage your work
to meet
requirements)
PC1. Establish and agree your work
requirements with appropriate people.
100
7 0 7
PC2. Keep your immediate work area clean
and tidy. 12 6 6
PC3. Utilize your time effectively. 12 6 6
PC4. Use resources correctly and efficiently. 19 6 13
PC5. Treat confidential information correctly. 7 1 6
PC6. Work in line with your organization’s
policies and procedures. 12 0 12
PC7. Work within the limits of your job role. 6 0 6
PC8. Obtain guidance from appropriate
people, where necessary. 6 0 6
PC9. Ensure your work meets the agreed
requirements. 19 6 13
Total 100 25 75
5. SSC/N9002 (Work
effectively with
colleagues)
PC1. Communicate with colleagues clearly,
concisely and accurately.
100
20 0 20
PC2. Work with colleagues to integrate your
work effectively with theirs. 10 0 10
PC3. Pass on essential information to
colleagues in line with organizational
requirements.
10 10 0
PC4. Work in ways that show respect for
colleagues. 20 0 20
PC5. Carry out commitments you have made
to colleagues. 10 0 10
Forensic Specialist 27
PC6. Let colleagues know in good time if you
cannot carry out your commitments,
explaining the reasons.
10 10 0
PC7. Identify any problems you have working
with colleagues and take the initiative to solve
these problems.
10 0 10
PC8. Follow the organization’s policies and
procedures for working with colleagues. 10 0 10
Total 100 20 80
6. SSC/N9003
(Maintain a healthy,
safe and secure
working
environment)
PC1. Comply with your organization’s current
health, safety and security policies and
procedures.
100
20 10 10
PC2. Report any identified breaches in health,
safety, and security policies and procedures to
the designated person.
10 0 10
PC3. Identify and correct any hazards that you
can deal with safely, competently and within
the limits of your authority.
20 10 10
PC4. Report any hazards that you are not
competent to deal with to the relevant person
in line with organizational procedures and
warn other people who may be affected.
10 0 10
PC5. Follow your organization’s emergency
procedures promptly, calmly, and efficiently. 20 10 10
PC6. Identify and recommend opportunities
for improving health, safety, and security to
the designated person.
10 0 10
PC7. Complete any health and safety records
legibly and accurately. 10 0 10
Total 100 30 70
7. SSC/N9004
(Provide
data/information in
standard formats)
PC1. Establish and agree with appropriate
people the data/information you need to
provide, the formats in which you need to
provide it, and when you need to provide it.
100
13 13 0
PC2. Obtain the data/information from reliable
sources. 13 0 13
PC3. Check that the data/information is
accurate, complete and up-to-date. 12 6 6
PC4. Obtain advice or guidance from
appropriate people where there are problems
with the data/information.
6 0 6
PC5. Carry out rule-based analysis of the
data/information, if required. 25 0 25
PC6. Insert the data/information into the
agreed formats. 13 0 13
PC7. Check the accuracy of your work,
involving colleagues where required. 6 0 6
Forensic Specialist 28
PC8. Report any unresolved anomalies in the
data/information to appropriate people. 6 6 0
PC9. Provide complete, accurate and up-to-
date data/information to the appropriate
people in the required formats on time.
6 0 6
Total 100 25 75
8. SSC/N9005
(Develop your
knowledge, skills
and competence)
PC1. Obtain advice and guidance from
appropriate people to develop your
knowledge, skills and competence.
100
10 0 10
PC2. Identify accurately the knowledge and
skills you need for your job role. 10 0 10
PC3. Identify accurately your current level of
knowledge, skills and competence and any
learning and development needs.
20 10 10
PC4. Agree with appropriate people a plan of
learning and development activities to address
your learning needs.
10 0 10
PC5. Undertake learning and development
activities in line with your plan. 20 10 10
PC6. Apply your new knowledge and skills in
the workplace, under supervision. 10 0 10
PC7. Obtain feedback from appropriate
people on your knowledge and skills and how
effectively you apply them.
10 0 10
PC8. Review your knowledge, skills and
competence regularly and take appropriate
action.
10 0 10
Total 100 20 80