forensic specialist - national skill development …...2019/01/14 · information/cyber security...

Forensic Specialist

Model Curriculum

Forensic Specialist

SECTOR: SUB-SECTOR: OCCUPATION:

REF ID:

NSQF LEVEL:

IT-ITeS IT SERVICES INFORMATION/CYBER SECURITY SSC/Q0922 V1.0 8

Forensic Specialist

Forensic Specialist

TABLE OF CONTENTS

1. Curriculum 01

2. Trainer Prerequisites 17

3. Assessment Criteria 18

Forensic Specialist 1

Forensic Specialist CURRICULUM / SYLLABUS

This program is aimed at training candidates for the job of a “Forensic Specialist”, in the “IT-Services” Sector/Industry and aims at building the following key competencies amongst the learner

Program Name Forensic Specialist

Qualification Pack Name & Reference ID. ID

SSC/Q0922, V1.0

Version No. 1.0 Version Update Date 13/01/2019

Pre-requisites to Training

Graduate in Security/ Computer Science/Electronics and Engineering /Information Technology

Training Outcomes After completing this programme, participants will be able to:

Identify, preserve, and seize digital/electronic devices or records for investigation of possible breach or crime.

Extract relevant data or information from digital/electronic forensic evidences.

Examine and analyse information or data extracted from digital/electronic forensic evidences.

Report and present the results of a forensic investigation.

Manage work to meet requirements.

Work effectively with colleagues.

Maintain a healthy, safe and secure working environment.

Provide data/information in standard formats.

Develop knowledge, skills and competence.


This course encompasses 9 out of 9 National Occupational Standards (NOS) of “Forensic Specialist”

Qualification Pack issued by “IT-ITeS SSC”.

Sr. No.

Module Key Learning Outcomes Equipment Required

1 IT-ITES/BPM Industry – An Introduction Theory Duration (hh:mm) 15:00 Practical Duration (hh:mm) 15:00 Corresponding NOS Code Bridge Module

Explain relevance of the IT-ITES

industry.

State the various sub-sectors in the IT-

ITES sector.

Explain the relevance of IT services

sector.

State the various occupations and

tracks in the IT-ITES sector.

Provide a general overview of the IT

services sub-sector.

State the profile of the IT services sub-

sector.

Describe the key trends in the IT

services sub-sector.

List roles in the IT services sub-sector.

Whiteboard and

Markers

LCD Projector and

Laptop for

presentations

Lab equipped with

the PCs/Laptops and

Internet with WiFi

(Min 2 Mbps

Dedicated)

Chart paper and

sketch pens

2 Information/Cyber Security – An Introduction Theory Duration (hh:mm) 15:00 Practical Duration (hh:mm) 15:00 Corresponding NOS Code Bridge Module

Explain the relevance of cyber security

in the society.

Provide an introduction to the job role/

qualification pack of forensic specialist.

Describe the role of a forensic

specialist and key responsibilities.

List the range of skills and behaviour,

expected from a forensic specialist.

Provide a general overview of

information/cyber security and its

roles.

Draw a career map for information/

cyber security.

Lab equipped with

the following:

o PCs/Laptops

o Internet with WiFi

(Min 2 Mbps

Dedicated)

Whiteboard and

Markers

Chart paper and

sketch pens

3 Fundamental Concepts Theory Duration (hh:mm) 20:00 Practical Duration (hh:mm) 20:00 Corresponding NOS Code SSC/N0929

Comprehend computer fundamentals

including, but not limited to hard

drives, networking, and encryption,

Internet ports, protocols, services and

their usefulness.

Explain basic cyber security concepts

such as the importance of

confidentiality, integrity and availability

for information systems; common

types of malicious code (virus, Trojan,

logic bomb, worm, spyware, malware,

DdoS attacks, Phishing); types of

threats facing the information security

of individuals and organisations;

sources of threats to information

security in terms of opportunity, ability

Whiteboard and

markers

LCD projector and

laptop for

presentation

Lab with:

o key devices,

software and

hardware in a large

network

o application of

multiple networking

topology; use of

various network

protocols; bandwidth

management


Sr. No.


and motive, etc.; principles of data

security; how vulnerabilities can be

identified and resolved.

Implement common cyber security

solutions.

List types of electronic evidence,

devices containing electronic evidence

and external connections to such

devices.

Recognize and analyse possible

electronic evidence sources relevant

networking concepts, devices and

terminologies.

Describe the forensic investigation

process.

tools; application of

host network access

controls; hubs;

switches; routers;

bridges; servers;

transmission media

IDS/IPS; application

of

SSL, VPN, 2FA,

encryption, etc.

Provision for software

development work in

the lab including

software and tools

Sources of data: With

internal drives (e.g.

desktop computers,

servers, network

storage devices,

laptops); external

storage forms (e.g.

thumb drives,

memory and flash

cards, optical discs,

and magnetic disks);

portable digital

devices (e.g., PDAs,

cell phones, digital

cameras, digital

recorders, audio

players); etc.

Other sources:

network activity logs;

application usage

data; logs generated

by security

monitoring controls

such as intrusion

etection software,

antivirus software,

and spyware

detection and

removal utilities;

keystroke monitoring;

etc.

4 First Response to a Cyber Crime Incident

Ensure that necessary

authorisations/resources are in place

Whiteboard and Markers


Sr. No.


Theory Duration (hh:mm) 20:00 Practical Duration (hh:mm) 15:00 Corresponding NOS Code SSC/N0929

to conduct a forensic evidence seizure

for an investigation.

Ensure that the scene is physically

secured to prevent unauthorized

access and alteration/damage of the

evidence as per containment policies

and situational considerations.

identify potential sources of data that

could be evidence by surveying a

physical area.

Create a plan that prioritizes the

sources, establishing the order in

which the computing devices or

records can be acquired.

Detail out the importance of crime

scene management and what does it

entail.

LCD Projector and Laptop for presentations

Provision for online research in the lab for all students

At least 4 sets of the following tools o General crime

scene processing tools

o Documentation tools

o Disassembly and removal tools

o Package and transport supplies

o Other tools o Notebook

computers

Standard Lab

5 Search and Seizure Theory Duration (hh:mm) 20:00 Practical Duration (hh:mm) 30:00 Corresponding NOS Code SSC/N0929

Identify whether data in the device or

record is volatile or non-volatile so that

both types of data can be adequately

preserved.

Collect volatile data using forensic

tools.

Replicate non-volatile data sources to

collect their data, securing the original

non-volatile data sources.

Preserve the integrity of the data

source device or record after verifying

the same in accordance with

investigation procedures.

Record current state, condition and

configuration of digital devices and

media and potentially relevant

information at the time of seizure.

Ensure that digital devices and media

are handled consistent with preserving

other potential evidence sources

including fingerprints or DNA.

Record any activity on the computer,

components, or devices by taking

photographs or recording any

information that may be relevant.

Terminate any destructive software

being running on any device that was

identified during checking.

Whiteboard and Markers

Multiple sets of a large sized flowchart showing the process for seizing and preserving digital evidence and maintaining chain of custody as per number of pair teams.

Various search and seizure tools.

Provision for online research in the lab.


Sr. No.


Maintain a detailed log of every step

that was taken to collect the data,

including information about each tool

used in the process and handlers.

List processes for seizing and

preserving digital evidence and

maintaining chain of custody.

Define methods of protecting and

concealing electronic information

including locking, encryption, sealing,

etc.

Describe how to conduct a preview of

the contents of electronic devices.

Examine which system files contain

relevant information and where to find

those system files.

Define how to preserve the information

on battery powered devices.

List the types of actions necessary to

preserve third party and volatile data

sources.

List do’s and don’ts for seizing and

recording electronic evidence sources.

Identify how to keep a record of the

seizure process, the condition and

state of the device and the reasons

why this is important.

Explain handling memory forensics

and volatile evidences

6 Cyber Security Policies, Procedures, Standards & Guidelines Theory Duration (hh:mm) 10:00 Practical Duration (hh:mm) 10:00 Corresponding NOS Code SSC/N0929

State relevant legislation, standards,

policies, and procedures followed in

the company.

Describe the organizational systems,

procedures and tasks/checklists within

the domain and how to use these.

Describe the operating procedures that

are applicable to the system(s) being

used, typical response times and

service times related to own work

area.

Whiteboard and

Markers

LCD Projector and

Laptop for

presentations

Provision for online

research in the lab

for all students

Access to free cyber

forensic tools and

methods and their

tutorials 2-3

computer

applications, 2-3

mobile applications

and 2-3 web

applications


Sr. No.


7 Technological Developments in Cyber Security Theory Duration (hh:mm) 10:00 Practical Duration (hh:mm) 05:00 Corresponding NOS Code SSC/N0929

Explain the importance of staying

abreast of technological upgradation in

cyber security

Explain next generation techniques for

controlling advanced threats to

applications.

Describe improved ways of preventing

remote applications by being

compromised.

Stay abreast of the latest

developments as per industry

standards and security tools to ensure

that corporate security methods and

tools.

Whiteboard and

Markers

LCD Projector and

Laptop for

presentations


research in the lab

for all students

8 The Examination and Extraction Process Theory Duration (hh:mm) 10:00 Practical Duration (hh:mm) 05:00 Corresponding NOS Code SSC/N0930

Explain basic steps of the examination

and analysis processes.

Identify necessary resources that

could be required for extracting

relevant data or information from the

evidences.

Whiteboard and

Markers

Multiple sets of a

large sized flowchart

showing the process

examination and

extraction of digital

evidence and

maintaining chain of

custody as per

number of pair

teams.

9 Creation of Forensics Duplicate of a Hard Drive Theory Duration (hh:mm) 10:00 Practical Duration (hh:mm) 25:00 Corresponding NOS Code SSC/N0930

Obtain items relevant to forensic

examinations in line with investigative

procedures from authorised channels.

Check forensic items against records

and identify and address any

inaccuracies.

Obtain necessary resources that could

be required for extracting relevant data

or information from evidences.

Create an image or copy of the original

storage device using clean storage

media to have a backup.

Describe how to take data backup or

make copies of data sources, types of

backups, data recovery concepts and

tools.

Explain what applications are used for

data back up.

Whiteboard and

Markers

Boot disk acquisition

and

remote/enterprise

grade tools to image

a hard disk

Blank media

Computers with Hard

disks that can be

removed

Computers with Hard

disk from which live

imaging can be done


Sr. No.


10 Locating the Files and Extracting Data Theory Duration (hh:mm) 20:00 Practical Duration (hh:mm) 30:00 Corresponding NOS Code SSC/N0930

Identify data required to be extracted

and most likely sources.

Select the best method and tools for

extraction as per the make and model

of device.

Locate the required files and electronic

data manually or using forensic tools.

Display the contents of slack space

with hex editors or special slack

recovery tools.

Search for files and information that

have been hidden, deleted or lost.

Identify the type of data stored in many

files by looking at their file headers or

simple histogram.

Identify presence of encrypted data or

the use of Steganography and the

feasibility of decryption or extracting

embedded data.

Identify the encryption method by

examining the file header, identifying

encryption programs installed on the

system, or finding encryption keys.

Extract the embedded data by finding

the Stegano key, or by using brute

force and cryptographic attacks to

determine a password.

Crack passwords placed on individual

files, as well as OS passwords using

various utilities and techniques.

Disable passwords placed on

individual files, as well as OS

passwords using various utilities and

techniques.

Bypass passwords placed on

individual files, as well as OS


techniques.

Identify data from disks that may have

been hidden, encrypted or damaged,

etc.

Recover data from disks that may

have been hidden, encrypted or

damaged, etc.

Copy data from disks that may have

been hidden, encrypted or damaged,

etc.

Whiteboard and

Markers

LCD, projector and

laptop for

presentation


or remote/enterprise

grade tools

Blank media

Computers with hard

disks and Windows,

Linux, and UNIX OS

File viewers

Software for

uncompressing files

Up-to-date antivirus

software

Searching tools that

can use Boolean,

fuzzy logic,

synonyms and

concepts, stemming,

and other search

methods

Special utilities that

can extract metadata

from files

De-encryption tools

Steganography

software

Utilities that can

crack passwords

placed on individual

files, as well as OS

passwords


Sr. No.


Recognize uncompressed files, and

how to read disk images.

Examine how to extract data and

metadata from files using forensic

toolkits.

Identify malicious activity against OSs

using security applications, such as file

integrity checkers and host IDSs, etc.

Perform string searches and pattern

matching using searching tools that

use Boolean, fuzzy logic, synonyms

and concepts, stemming, and other

search methods.

11 Data Acquisition Tools Theory Duration (hh:mm) 10:00 Practical Duration (hh:mm) 05:00 Corresponding NOS Code SSC/N0930

List various tools for examining and

extracting data and their limitations.

Describe usage of tools for gathering

and presenting network traffic data and

their limitations.

Recognise common forensic tool

configuration and support applications.

Select the best method and tools for extraction as per the make and model of data storage device.

Whiteboard and

Markers



grade tools

Blank media

Computers with hard

disks and Windows,

Linux, and UNIX OS

Write blockers

Forensic Duplicator

Forensic Dossier

Forensic Talon

12 Examining and Extracting Operating System Data Theory Duration (hh:mm) 05:00 Practical Duration (hh:mm) 15:00 Corresponding NOS Code SSC/N0930

Examine OS Data in binary files.

Determine how to handle large binary

files while extracting OS data.

Extract OS data from large binary files.

Whiteboard and

Markers



grade tools

Blank media

Computers with hard

disks and Windows,

Linux, and UNIX OS

Write blockers

Forensic Duplicator

Forensic Dossier

Forensic Talon

13 Extracting Network Traffic Data Theory Duration (hh:mm) 10:00

Describe the process for extracting

network traffic data.

Examine the data sources for network

traffic data.

Extract network traffic data with the

goal of determining what happened

Whiteboard and

Markers



grade tools

Blank media


Sr. No.


Practical Duration (hh:mm) 20:00 Corresponding NOS Code SSC/N0930

and how the organization’s systems

and networks have been affected.

Monitor network traffic data sources.

Package and transport the electronic

evidence.

Computers with hard

disks and Windows,

Linux, and UNIX OS

Write blockers

Forensic Duplicator

Forensic Dossier

Forensic Talon

14 Cyber Forensic Analysis Theory Duration (hh:mm) 20:00 Practical Duration (hh:mm) 30:00 Corresponding NOS Code SSC/N0931

Perform analysis of extracted data

from evidence collated using various

forensic tools.

Review file system time and date

stamps to the timeframes relevant to

the investigation.

Review system and application logs for

relevant information.

Correlate file headers to the

corresponding file extensions to

identify any mismatches.

Analyse programs and file metadata in

various ways to provide insight into the

capability of the system and the

knowledge of the user.

Analyse network traffic data with the

goal of determining what has

happened and how the organization’s

systems and networks have been

affected.

Fuse computer network attack

analyses with criminal and

counterintelligence investigations and

operations.

Identify additional systems/ networks

compromised by cyber-attacks.

Perform computer network defence

(CND) incident triage, to include

determining scope, urgency, and

potential impact; identifying the

specific vulnerability; and making

recommendations that enable

expeditious remediation.

Perform virus scanning on digital

media.

Identify external or insider attackers

attempting to gain and misuse non-

authorized privileges.

Follow investigation procedure in order

to determine the identity of attacker.

Whiteboard and

Markers

LCD Projector for

presentations

Image or duplicate of

hard drive with

sample data

SEM software

NFAT software

Binary analysis tools

Forensic tool

configuration and

support applications

Log file analysis tool,

Registry analysis tool

Web browser

analysis tool

Filesystem analysis

tool

Memory analysis

tools

Data Visualization

tool.

Debugging tools

Malware analysis

tools


Sr. No.


Safeguard the device and relevant

information for the application of

physical forensic examinations.

15 Analysis Tools Theory Duration (hh:mm) 15:00 Practical Duration (hh:mm) 10:00 Corresponding NOS Code SSC/N0931

Describe the various digital evidence

analysis tools such as log file analysis

tools, registry analysis tools, web

browser analysis tools, filesystem

analysis tools, memory analysis tools.

State the applications of the digital

evidence analysis tools.

Describe the data visualisation tool for

analysing data and presenting to

others.

Whiteboard and

Markers

LCD Projector for

presentations



Web browser

analysis tool

Filesystem analysis

tool

Memory analysis

tools

Data Visualization

tool.

16 CDR Analysis and Email Investigation Theory Duration (hh:mm) 15:00 Practical Duration (hh:mm) 20:00 Corresponding NOS Code SSC/N0931

Analyse email and mobile phone

records to trace devices to a particular

location (or to rule them out).

Uncover links between individuals or

groups by following electronic data

trails.

Connect strings of interactions that

provide a picture of activity using

evidence collected from other sources

than electronic devices.

Whiteboard and

Markers

LCD Projector for

presentations

Image or duplicate of

hard drive with

sample data

SEM software

NFAT software


Forensic tool

configuration and

support applications



Web browser

analysis tool

Filesystem analysis

tool

Memory analysis

tools

Data Visualization

tool.

Debugging tools

Malware analysis

tools

17 Drawing Conclusions

Identify risks to safety linked to

working with forensic items and take

the necessary actions to minimise the

risks.

Whiteboard and

Markers


Sr. No.


Theory Duration (hh:mm) 05:00 Practical Duration (hh:mm) 10:00 Corresponding NOS Code SSC/N0931

Develop conclusions based on the

data that is available and assumptions

regarding the missing data.

LCD Projector for

presentations

18 Documentation Theory Duration (hh:mm) 10:00 Practical Duration (hh:mm) 25:00 Corresponding NOS Code SSC/N0932

State relevant policies, and procedures

followed in the company with respect

to documentation.

List the tools, procedures and

tasks/checklists used in forensic

documentation.

Identify and obtain necessary

resources that could be required for

reporting and presenting forensic

investigation, its results and

evidences.

Ensure all relevant information is

collated and captured in the report

accurately and clearly.

List and organise for supporting

materials that are included with the

report, such as printouts of particular

items of evidence, digital copies of

evidence, chain of custody

documentation, photos, emails

(showing email headers, the path and

timing emails took to get from source

to destination), etc.

Ensure that the evidence remains

pristine and unaltered while

presenting.

safeguard the device and relevant

information for the application of

physical forensic examinations by

taking appropriate action.

Whiteboard and

Markers

Backup devices

Blank media

Forensic

workstations

Isolation chamber

Forensic examination

tools

Evidence handling

supplies, etc. (e.g.

clean blank media,

faraday bags,

evidence tags,

evidence tape, digital

cameras)

Firewalls

Publicly accessible

servers

Lab equipment as in

the search and

seizure unit

Lab equipment as in

the extraction of data

unit

Documentation of the

previous groups

(preferably of all the

best documentation

winners from the

previous sections)

Templates for

documenting the

extraction of data

process

Templates for

documenting the


Sr. No.


search and seizure

process

19 Reporting Theory Duration (hh:mm) 10:00 Practical Duration (hh:mm) 20:00 Corresponding NOS Code SSC/N0932

State policies, and procedures

followed in the company with respect

to reporting.

Create a brief summary of the results

of the examinations performed on the

items submitted for analysis.

Provide comprehensive details of

findings in the report.

Create a glossary with the report to

assist the reader using an accepted

source for the definition of the terms

and include appropriate references.

Present and explain track record of

information exchange, and the “hash!

Value”, also referred to as a

checksum, as a mark of authenticity.

Carefully document each stage of your

investigation.

Work within the level of authority and

expertise taking actions necessary

should these be exceeded.

Differentiate between fact and opinion

and express opinions within your area

of expertise while writing the report.

Identify any risks to safety linked to

working with forensic items in line with

health and safety procedures.

Take the necessary actions to

minimise any risks linked to working

with forensic items.

Whiteboard and

Markers

Sample forensic

examination reports

A caselets about

some forensic data

that can be analysed

using 3 different

techniques

Sample cyber

forensic reports

20 Manage your work to meet requirements Theory Duration (hh:mm) 20:00 Practical Duration (hh:mm) 25:00 Corresponding NOS Code SSC/N9001

Establish and agree your work

requirements with appropriate people.

Ensure the immediate work area is

clean and tidy.

Utilize your time effectively.

Use resources correctly and efficiently.

Process confidential information as

separately following standard

operating procedure.

Adhere to organization’s policies and

procedures.

Adhere to limits of responsibility and

access as per the job role.

Whiteboard and Markers.

LCD Projector and Laptop for presentations.

Training organization’s confidentiality policy.


Sr. No.


Obtain guidance from appropriate

people, where necessary.

Ensure your work meets the agreed

requirements.

21 Work effectively with colleagues Theory Duration (hh:mm) 20:00 Practical Duration (hh:mm) 25:00 Corresponding NOS Code SSC/N9002

Speak with colleagues clearly,

concisely and accurately.

Co-ordinate with colleagues to

integrate your work effectively with

them.

Provide essential information to

colleagues in line with organizational

requirements.

Show due respect for colleagues while

working.

Carry out commitments you have

made to colleagues.

Inform colleagues in good time if you

cannot carry out your commitments,

explaining the reasons.

Identify any problems you have

working with colleagues and take the

initiative to solve these problems.

Follow the organization’s policies and

procedures for working with

colleagues.

Whiteboard and

Markers.

LCD Projector and

Laptop for

presentations.

Provision to write

emails and send in

the lab.

Lab with provision for

internet, email, word

processor and

presentation

software.

Chart paper,

markers, picture

magazines and old

newspapers.

22 Maintain a healthy, safe and secure working environment Theory Duration (hh:mm) 20:00 Practical Duration (hh:mm) 25:00 Corresponding NOS Code SSC/N9003

Comply with your organization’s

current health, safety and security

policies and procedures.

Report any identified breaches in

health, safety, and security policies

and procedures to the designated

person.

Identify and correct any hazards that

you can deal with safely, competently

and within the limits of your authority.

Report any hazards that you are not

competent to deal with to the relevant

person in line with organizational

procedures and warn other people

who may be affected.

Follow your organization’s emergency

procedures promptly, calmly, and

efficiently.

Identify and recommend opportunities

for improving health, safety, and

security to the designated person.

Whiteboard and

Markers

LCD Projector and

Laptop for

presentations

The training

organization’s current

health, safety and

security policies and

procedures


research in the Lab

A sample health and

safety policy

document

Emergency

broadcast system

and mock emergency

signage in the

appropriate areas of

the training institute


Sr. No.


Complete any health and safety records legibly and accurately.

23 Provide data/information in standard formats Theory Duration (hh:mm) 20:00 Practical Duration (hh:mm) 25:00 Corresponding NOS Code SSC/N9004

Establish and agree with appropriate

people the data/information you need

to provide, the formats in which you

need to provide it, and when you need

to provide it.

Obtain the data/information from

reliable sources.

Check that the data/information is

accurate, complete and up-to-date.

Obtain advice or guidance from

appropriate people where there are

problems with the data/information.

Carry out rule-based analysis of the

data/information, if required

Insert the data/information into the

agreed formats.

Check the accuracy of your work,

involving colleagues where required.

Report any unresolved anomalies in

the data/information to appropriate

people.

Provide complete, accurate and up-to-

date data/information to the

appropriate people in the required

formats on time.

Whiteboard and

Markers.

LCD Projector and

Laptop for

presentations.


research in the lab.

24 Develop knowledge, skills and competence Theory Duration (hh:mm) 20:00 Practical Duration (hh:mm) 25:00 Corresponding NOS Code SSC/N9005

Obtain advice and guidance from

appropriate people to develop your

knowledge, skills and competence.

Identify accurately the knowledge and

skills you need for your job role.

Identify accurately your current level of

knowledge, skills and competence and

any learning and development needs.

Agree with appropriate people a plan

of learning and development activities

to address your learning needs.

Undertake learning and development

activities in line with your plan.

Apply your new knowledge and skills

in the workplace, under supervision.

Obtain feedback from appropriate

people on your knowledge and skills

and how effectively you apply them.

Whiteboard and

Markers.

LCD Projector and

Laptop for

presentations.

Soft copy of QP-

NOS.


access to all students

in the lab.

Questionnaire and

key for Honey and

Mumford learning

styles.


Sr. No.


Review your knowledge, skills and

competence regularly and take

appropriate action.

Total Duration Theory Duration 350:00 Practical Duration 450:00

Unique Equipment Required: Whiteboard and Markers, LCD Projector and Laptop for presentations, Chart paper Lab equipped with the following:

Pcs/Laptops and Internet with wifi (Min 2 Mbps Dedicated)

Provision for email

Word processor and presentation software

CRM application, such as Siebel, Zoho, Social networking tool / LMS tool to enable blog posts or discussion board, Instant messenger, chat

Email tools to enable mock exercises

Laptops for student presentations

Chart paper and sketch pens

Key devices, software and hardware in a large network

Application of multiple networking topology Use of various network protocols

Bandwidth management tools

Application of host network access controls

Hubs; switches; routers; bridges; servers

Transmission media IDS/IPS

Application of SSL, VPN, 2FA, encryption, etc.

Provision for software development work in the lab including software and tools

Sources of data that are internal drives (e.g. Desktop computers, servers, network storage devices, laptops)

Sources of data that are external storage forms (e.g. Thumb drives, memory and flash cards, optical discs, and magnetic disks)

Portable digital devices (e.g., pdas, cell phones, digital cameras, digital recorders, audio players)

Other sources of data like network activity logs, application usage data, logs generated by security monitoring controls such as intrusion detection software, antivirus software, spyware detection and removal utilities

Keystroke monitoring

General crime scene processing tools

Documentation tools

Disassembly and removal tools

Package and transport supplies

Notebook computers

Large sized flowchart showing the process for seizing and preserving digital evidence and maintaining chain of custody

Various search and seizure tools

Free cyber forensic tools and methods and their tutorials

Various computer applications

Various mobile applications

Various web applications

Multiple sets of a large sized flowchart showing the process examination and extraction of digital evidence and maintaining chain of custody


Boot disk acquisition and remote/enterprise grade tools to image a hard disk

Blank media

Computers with Hard disks that can be removed

Computers with Hard disk and Windows, Linux, and UNIX OS from which live imaging can be done

File viewers

Software for uncompressing files

Up-to-date antivirus software

Searching tools that can use Boolean, fuzzy logic, synonyms and concepts, stemming, and other search methods

Special utilities that can extract metadata from files

De-encryption tools

Steganography software

Utilities that can crack passwords placed on individual files, as well as OS passwords

Boot disk acquisition or remote/enterprise grade tools

Blank media

Write blockers

Forensic Duplicator

Forensic Dossier

Forensic Talon

Image or duplicate of hard drive with sample data

SEM software

NFAT software


Forensic tool configuration and support applications

Logfile analysis tool

Registery analysis tool

Web browser analysis tool

Filesystem analysis tool

Memory analysis tools

Data Visualization tool

Debugging tools

Malware analysis tools

Forensic workstations

Isolation chamber

Forensic examination tools

Evidence handling supplies, etc. (e.g. Clean blank media, faraday bags, evidence tags, evidence tape, digital cameras);

Firewalls

Publicly accessible servers

Templates for documenting the extraction of data process

Templates for documenting the search and seizure process

Sample forensic examination reports

A caselet about some forensic data that can be analysed using 3 different techniques

Sample cyber forensic reports; Training organization’s confidentiality policy

picture magazines and old newspapers

The training organization’s current health, safety and security policies and procedures

Provision for online research in the Lab

A sample health and safety policy document


Emergency broadcast system and mock emergency signage in the appropriate areas of the training institute

Grand Total Course Duration: 800 Hours, 0 Minutes

(This syllabus/ curriculum has been approved by SSC: IT-ITeS Sector Skills Council NASSCOM)


Trainer Prerequisites for Job role: “Forensic Specialist” mapped to Qualification Pack: “SSC/Q0922 v1.0”

Sr. No.

Area Details

1 Description To deliver accredited training service, mapping to the curriculum detailed Above, in accordance with the Qualification Pack “SSC/Q0922 Version 1.0”.

2 Personal Attributes

Aptitude for conducting training, and pre/ post work to ensure competent, Employable candidates at the end of the training. Strong communication skills, interpersonal skills, ability to work as part of a team; a passion for quality and for developing others; well-organized and focused, eager to learn and keep oneself updated with the latest in this field.

3 Minimum Educational Qualifications

Graduate in Security/ Computer Science/Electronics and Engineering /Information Technology

4a Domain Certification

Certified for Job Role “Forensic Specialist” mapped to Qualification Pack “SSC/Q0922” Version 1.0. Minimum accepted score is 80%.

4b Platform Certification

Recommended that the trainer is certified for the Job role “Trainer” mapped to the Qualification Pack “MEP/Q0102”. Minimum accepted score is 80% aggregate.

5 Experience Field experience: Minimum 2 years’ experience in the same domain Training experience: 1 year preferred


Assessment Criteria

Job Role Forensic Specialist

Qualification Pack SSC/Q0922, V1.0

Sector Skill Council IT-ITeS

Sr. No.

Guidelines for Assessment

1 Criteria for assessment for each Qualification Pack (QP) will be created by the Sector Skill Council (SSC). Each performance criteria (PC) will be assigned Theory and Skill/Practical marks proportional to its importance in NOS.

2 The assessment will be conducted online through assessment providers authorised by SSC.

3 Format of questions will include a variety of styles suitable to the PC being tested such as multiple-choice questions, fill in the blanks, situational judgment test, simulation and programming test.

4 To pass a QP, a trainee should pass each individual NOS. Standard passing criteria for each NOS is 70%.

5 For latest details on the assessment criteria, please visit www.sscnasscom.com.

6 In case of successfully passing only certain number of NOS's, the trainee is eligible to take subsequent assessment on the balance NOS's to pass the Qualification Pack

http://www.sscnasscom.com/


Assessable outcomes

Assessment criteria for the outcome Total Mark (900)

Out of

Theory Skills Practical

1. SSC/N0929

(Identify, preserve

and seize

digital/electronics

devices or records

for investigation of

possible breach or

crime )

PC1. Ensure that necessary authorisations

and resources are in place to conduct a

forensics evidence seizure for an

investigation.

100

3 1 2

PC2. Ensure that the scene is physically

secured to prevent unauthorized access and

alteration or damage of the evidence as per

containment policies and situational

considerations.

4 2 2

PC3. Survey a physical area and identify

potential sources of data that could be

evidence.

4 1 3

PC4. Identify other sources of data and the

owner of the same that can be accessed. 3 1 2

PC5. Identify and obtain materials related to

digital communications which are relevant to

the investigation.

3 1 2

PC6. Ensure identified device or component is

up and running however is being disconnected

from any network.

3 1 2

PC7. Check for and terminate any destructive

software running on any device while seeking

to save as much information as possible.

4 1 3

PC8. Estimate the relative likely value of each

potential data source for the investigation. 4 1 3

PC9. Identify whether data in the device or

record is volatile or non-volatile so that both

types of data can be adequately preserved.

4 1 3

PC10. Create a plan that prioritizes the

sources, establishing the order in which the

computing devices or records can be

acquired.

5 2 3

PC11. Use forensic tools to collect volatile

data. 5 2 3

PC12. Duplicate non-volatile data sources to

collect their data, securing the original non-

volatile data sources.

5 2 3

PC13. Verify and preserve the integrity of the

data source device or record in accordance

with investigation procedures.

5 1 4

PC14. Record current state, condition and

configuration of digital devices and media and

potentially relevant information at the time of

seizure.

6 2 4


PC15. Handle digital devices and media

consistent with preserving other potential

evidence sources including fingerprints or

DNA.

3 1 2

PC16. Document any activity on the computer,

components, or devices by taking

photographs or recording any information that

may be relevant.

4 1 3

PC17. Maintain a detailed log of every step

that was taken to collect the data, including

information about each tool used in the

process and handlers.

4 1 3

PC18. Photograph and label the components

of the device making specific reference to

ancillary leads and connections to the device.

4 1 3

PC19. Appropriately package, seal and label

the device in accordance with current

diligence procedures.

3 1 2

PC20. Check packaging of forensic items in

line with forensic procedures, and identify,

record and address any packaging problems.

4 1 3

PC21. Carefully document each stage of the

seizure and investigation. 3 1 2

PC22. Ensure chain of custody is followed for

all digital media acquired in accordance with

the rules of evidence.

3 1 2

PC23. Identify any risks to safety linked to

working with forensic items in line with health

and safety procedures.

3 1 2

PC24. Take the necessary actions to minimise

any risks linked to working with forensic items. 4 1 3

PC25. Transport and store forensic items to

relevant authorities in line with investigative

procedures, and in a way that avoids risk to

potential evidence, including loss, breakage,

contamination, cross-contamination,

degradation, etc.

4 1 3

PC26. Record details of the storage, handling,

transfer and packaging of forensic items in line

with organisational procedures.

3 1 2

Total 100 31 69

2.SSC/N0930

(Extract relevant

data or information

from digital forensic

evidences)

PC1. Obtain items relevant to forensic

examinations in line with investigative

procedures from authorised channels. 100 3 1 2


PC2. Check forensic items against records

and identify and address any inaccuracies. 4 1 3

PC3. Identify and obtain necessary resources

that could be required for extracting relevant

data or information from the evidences.

3 1 2

PC4. Create an image or copy of the original

storage device using clean storage media to

have a backup.

5 2 3

PC5. Install write blocking software to prevent

any change to the data on the device or

media.

5 2 3

PC6. Identify data that is required to be

extracted and most likely sources. 3 1 2

PC7. Select the best method and tools for

extraction as per the make and model of

device.

2 1 1

PC8. Locate the required files manually or

using forensic tools. 3 1 2

PC9. Display the contents of slack space with

hex editors or special slack recovery tools. 3 1 2

PC10. Hunt for files and information that have

been hidden, deleted or lost. 3 1 2

PC11. Identify the type of data stored in many

files by looking at their file headers or simple

histogram.

3 1 2

PC12. Identify presence of encrypted data or

the use of steganography and the feasibility of

decryption or extracting embedded data.

3 1 2

PC13. Identify the encryption method by

examining the file header, identifying

encryption programs installed on the system,

or finding encryption keys.

4 1 3

PC14. Extract the embedded data by finding

the stego key, or by using brute force and

cryptographic attacks to determine a

password.

5 1 4

PC15. Crack, disable or bypass passwords

placed on individual files, as well as OS


techniques.

4 1 3

PC16. Find, recover and copy data from disks

that may have been hidden, encrypted or

damaged, etc.

4 1 3

PC17. Uncompressed files and read disk

images. 3 1 2

PC18. Extract data and metadata from files

using forensic toolkits. 4 1 3


PC19. Identify malicious activity against OSs

using security applications, such as file

integrity checkers and host IDSs, etc.

4 2 2

PC20. Perform string searches and pattern

matching using searching tools that use

Boolean, fuzzy logic, synonyms and concepts,

stemming, and other search methods.

5 1 4

PC21. Assess and extract network traffic data

with the goal of determining what happened

and how the organization’s systems and

networks have been affected.

4 1 3

PC22. Obtain relevant information from ISP

and cloud service provider after taking due

authorisation from Law Enforcement

Authority/Agency.

3 1 2

PC23. Reveal (unlock) digital images that

have been altered to mask the identity of a

place or person.

4 1 3

PC24. Submit the device or original media for

physical evidence examination after removing

the data.

3 0 3

PC25. When equipment is damaged,

dismantle and rebuild the system in order to

recover lost data.

4 1 3

PC26. Carefully document the process

followed in extraction as well as the data

retrieved.

3 1 2

PC27. Identify and minimise any risks to

safety linked to working with forensic items in

line with health and safety procedures.

3 1 2

PC28. Take measures to ensure preservation

of physical evidence like finger prints, DNA

etc. while handling the evidence.

3 1 2

Total 100 30 70

3. SSC/N0931

(Analyze

information or data

extracted from

digital forensic

evidences)

PC1.Identify and obtain necessary resources

that could be required for examining and

analysing of forensic evidences.

100

3 1 2

PC2. Perform analysis of the extracted data

using various forensic tools. 5 2 3

PC3. Review the time and date stamps

contained in the file system metadata to link

files of interest to the timeframes relevant to

the investigation.

3 1 2

PC4. Review system and application logs for

relevant information. 3 1 2

PC5. Correlate file headers to the

corresponding file extensions to identify any

mismatches.

3 1 2


PC6. Perform data hiding analysis for

detecting and recovering data and may

indicate knowledge, ownership, or intent.

5 1 4

PC7. Analyse programs and files in various

ways to provide insight into the capability of

the system and the knowledge of the user.

5 1 4

PC8. Analyse file metadata typically through

the application that created it to provide insight

into detailed information like authorship, time

last edited, number of times edited, and print

or saved location, etc.

5 1 4

PC9. Determine ownership and

knowledgeable possession of the questioned

data using various methods.

4 1 3

PC10. Analyse network traffic data with the

goal of determining what has happened and

how the organization’s systems and networks

have been affected.

5 1 4

PC11. Analyse mobile phone records to trace

devices to a particular location (or to rule them

out).

4 2 2

PC12. Follow electronic data trails to uncover

links between individuals or groups. 4 1 3

PC13. Piece together strings of interactions

that provide a picture of activity using

evidence collected from other sources than

electronic devices.

5 2 3

PC14. Identify additional systems/networks

compromised by cyber-attacks. 3 1 2

PC15. Identify the most important

characteristics of the activity and the negative

impact it has caused or may cause the

organization.

4 2 2

PC16. Perform computer network defence

(CND) incident triage, to include determining

scope, urgency, and potential impact;

identifying the specific vulnerability; and

making recommendations that enable

expeditious remediation.

6 2 4

PC17. Perform various types of forensics

analysis as per the requirement of media type,

data or constraints.

6 2 4

PC18. Perform virus scanning on digital

media. 4 1 3

PC19. Fuse computer network attack

analyses with criminal and counterintelligence

investigations and operations.

4 1 3

PC20. Identify elements of proof of the crime. 3 1 2


PC21. Identify outside attackers accessing the

system from the internet or insider attackers,

that is, authorized users attempting to gain

and misuse non-authorized privileges.

3 1 2

PC22. Follow investigation procedure in order

to determine the identity of attacker. 3 1 2

PC23. Take appropriate action to safeguard

the device and relevant information for the

application of physical forensic examinations.

3 1 2

PC24. Carefully document each stage of the

investigation. 3 1 2

PC25. Identify risks to safety linked to working

with forensic items and take the necessary

actions to minimise the risks.

4 1 3

Total 100 31 69

4. SSC/N0932

(Report and present

the results of a

forensic

investigation)

PC1. Identify and obtain necessary resources

that could be required for reporting and

presenting forensic investigation, its results

and evidences.

100

7 2 5

PC2. Ensure all relevant information is

collated and captured in the report accurately

and clearly.

6 2 4

PC3. List and organise for supporting

materials that are included with the report,

such as printouts of particular items of

evidence, digital copies of evidence, chain of

custody documentation, photos, emails

(showing email headers, the path and timing

emails took to get from source to destination),

etc.

9 3 6

PC4. Create a brief summary of the results of

the examinations performed on the items

submitted for analysis.

9 3 6

PC5. Provide comprehensive details of

findings in the report. 9 3 6

PC6. Create a glossary with the report to

assist the reader using an accepted source for

the definition of the terms and include

appropriate references.

6 2 4

PC7. Ensure that the evidence remains

pristine and unaltered while presenting. 5 1 4

PC8. Present and explain track record of

information exchange, and the “hash! Value”,

also referred to as a checksum, as a mark of

authenticity.

6 2 4

PC9. Carefully document each stage of your

investigation. 7 2 5


PC10. Work within the level of authority and

expertise taking actions necessary should

these be exceeded.

6 2 4

PC11. Differentiate between fact and opinion

and express opinions within your area of

expertise while writing the report.

5 1 4

PC12. Identify any risks to safety linked to

working with forensic items in line with health

and safety procedures.

5 2 3

PC13. Take the necessary actions to minimise

any risks linked to working with forensic items. 6 2 4

PC14. Take appropriate action to safeguard

the device and relevant information for the

application of physical forensic examinations.

7 2 5

PC15. Take appropriate action to ensure

confidentiality and integrity of report and

related documents.

7 2 5

Total 100 31 69

4. SSC/N9001

(Manage your work

to meet

requirements)

PC1. Establish and agree your work

requirements with appropriate people.

100

7 0 7

PC2. Keep your immediate work area clean

and tidy. 12 6 6

PC3. Utilize your time effectively. 12 6 6

PC4. Use resources correctly and efficiently. 19 6 13

PC5. Treat confidential information correctly. 7 1 6

PC6. Work in line with your organization’s

policies and procedures. 12 0 12

PC7. Work within the limits of your job role. 6 0 6

PC8. Obtain guidance from appropriate

people, where necessary. 6 0 6

PC9. Ensure your work meets the agreed

requirements. 19 6 13

Total 100 25 75

5. SSC/N9002 (Work

effectively with

colleagues)

PC1. Communicate with colleagues clearly,

concisely and accurately.

100

20 0 20

PC2. Work with colleagues to integrate your

work effectively with theirs. 10 0 10

PC3. Pass on essential information to

colleagues in line with organizational

requirements.

10 10 0

PC4. Work in ways that show respect for

colleagues. 20 0 20

PC5. Carry out commitments you have made

to colleagues. 10 0 10


PC6. Let colleagues know in good time if you

cannot carry out your commitments,

explaining the reasons.

10 10 0

PC7. Identify any problems you have working

with colleagues and take the initiative to solve

these problems.

10 0 10

PC8. Follow the organization’s policies and

procedures for working with colleagues. 10 0 10

Total 100 20 80

6. SSC/N9003

(Maintain a healthy,

safe and secure

working

environment)

PC1. Comply with your organization’s current

health, safety and security policies and

procedures.

100

20 10 10

PC2. Report any identified breaches in health,

safety, and security policies and procedures to

the designated person.

10 0 10

PC3. Identify and correct any hazards that you

can deal with safely, competently and within

the limits of your authority.

20 10 10

PC4. Report any hazards that you are not

competent to deal with to the relevant person

in line with organizational procedures and

warn other people who may be affected.

10 0 10

PC5. Follow your organization’s emergency

procedures promptly, calmly, and efficiently. 20 10 10

PC6. Identify and recommend opportunities

for improving health, safety, and security to

the designated person.

10 0 10

PC7. Complete any health and safety records

legibly and accurately. 10 0 10

Total 100 30 70

7. SSC/N9004

(Provide

data/information in

standard formats)

PC1. Establish and agree with appropriate

people the data/information you need to

provide, the formats in which you need to

provide it, and when you need to provide it.

100

13 13 0

PC2. Obtain the data/information from reliable

sources. 13 0 13

PC3. Check that the data/information is

accurate, complete and up-to-date. 12 6 6

PC4. Obtain advice or guidance from

appropriate people where there are problems

with the data/information.

6 0 6

PC5. Carry out rule-based analysis of the

data/information, if required. 25 0 25

PC6. Insert the data/information into the

agreed formats. 13 0 13

PC7. Check the accuracy of your work,

involving colleagues where required. 6 0 6


PC8. Report any unresolved anomalies in the

data/information to appropriate people. 6 6 0

PC9. Provide complete, accurate and up-to-

date data/information to the appropriate

people in the required formats on time.

6 0 6

Total 100 25 75

8. SSC/N9005

(Develop your

knowledge, skills

and competence)

PC1. Obtain advice and guidance from

appropriate people to develop your

knowledge, skills and competence.

100

10 0 10

PC2. Identify accurately the knowledge and

skills you need for your job role. 10 0 10

PC3. Identify accurately your current level of

knowledge, skills and competence and any

learning and development needs.

20 10 10

PC4. Agree with appropriate people a plan of

learning and development activities to address

your learning needs.

10 0 10

PC5. Undertake learning and development

activities in line with your plan. 20 10 10

PC6. Apply your new knowledge and skills in

the workplace, under supervision. 10 0 10

PC7. Obtain feedback from appropriate

people on your knowledge and skills and how

effectively you apply them.

10 0 10

PC8. Review your knowledge, skills and

competence regularly and take appropriate

action.

10 0 10

Total 100 20 80

forensic specialist - national skill development …...2019/01/14 · information/cyber security...

Documents