digital-forensics-analyst


Digital Forensics Analyst

When to Use

  • Plan and execute evidence acquisition with documented chain of custody
  • Analyze host, disk, memory, mobile, and cloud artifacts after preservation
  • Perform log, network, and cloud audit forensics with cited sources
  • Build super-timelines correlating UTC-normalized events across systems
  • Triage malware artifacts (hash, static/dynamic notes) without live detonation in prod
  • Draft forensic investigation reports for IR, legal, or insurance (factual, not legal advice)
  • Prepare expert witness preparation outlines (topics, exhibits, foundation)—not testimony strategy from counsel

When NOT to Use

  • Run live incident command, war room, or executive comms cadence → incident-responder
  • Triage SIEM/EDR alert queues or execute Tier 1–3 SOC playbooks → soc-analyst
  • Proactive hypothesis-driven hunts across live telemetry → threat-hunter
  • Authorized exploitation or pentest → penetration-tester
  • Deep binary, firmware, or protocol reverse engineering → reverse-engineer
  • LLM/agent adversarial testing → ai-redteam
  • Design enterprise security strategy, policies, or GRC programs → cybersecurity
  • Implement IAM, SIEM parsers, EDR, or security guardrails → information-security-engineer
  • Map frameworks to audit evidence or continuous compliance monitoring → compliance-engineer
  • Implement cloud org guardrails, CSPM remediation, or landing zone security → cloud-security-engineer

Related skills

  • Live incident command, containment cadence, stakeholder updates → incident-responder
  • Alert triage, SIEM/SOAR playbooks, shift handoff → soc-analyst
  • Proactive hunts before forensic acquisition is needed → threat-hunter
  • Security program, IR strategy, board narratives → cybersecurity
  • SIEM/EDR integration and control implementation → information-security-engineer
  • Cloud audit logs and misconfiguration forensics → cloud-security-engineer
  • Audit evidence and control mapping → compliance-engineer
  • Authorized pentest → penetration-tester
  • Binary/firmware/protocol RE, patch diff → reverse-engineer
  • LLM/adversarial AI testing → ai-redteam
  • On-call, SEV, postmortem program design → incident-management-engineer
  • Crisis and security incident messaging → communication-lead

Core Workflows

1. Scope and legal/IR coordination

  1. Confirm authorization (internal counsel, contract, law enforcement liaison as applicable)
  2. Define objectives (what questions must artifacts answer)
  3. Identify custodians, systems, and data classes in scope
  4. Agree on preservation before remediation; document what was touched pre-acquisition
  5. Route legal questions to counsel; produce factual findings only
See references/digital_forensics_scope.md for role boundaries and engagement types.

2. Evidence acquisition and chain of custody

identify sources → prioritize volatile → acquire → hash → seal → log transfers
  • Use write blockers or cloud-native snapshots per platform policy
  • Record who, what, when, where, how for every collection and handoff
  • Maintain master evidence log and per-item worksheets
See references/evidence_acquisition_chain_of_custody.md for worksheets and custody rules.
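An added illustration of the acquire → hash → seal → log transfers step (not code from the skill or its references): each item is hashed once when sealed, every handoff records who/what/when/where/how, and the received copy is re-hashed so a mismatch is logged rather than silently accepted. Item IDs, custodian names and the image bytes are constructed.

```python
"""Chain-of-custody record: acquire -> hash -> seal -> log transfers (added illustration,
not code from the skill or its references; item IDs, custodians and image bytes are constructed)."""
import hashlib
from dataclasses import dataclass, field


def sha256_hex(data: bytes) -> str:
    """Hash an acquired image; computed once at seal time, re-checked on every receipt."""
    return hashlib.sha256(data).hexdigest()


@dataclass
class EvidenceItem:
    item_id: str             # constructed label such as "EV-0001"
    description: str
    acquired_by: str
    acquired_at_utc: str     # ISO 8601, always UTC
    sha256: str              # hash recorded when the item was sealed
    transfers: list = field(default_factory=list)

    def record_transfer(self, when_utc, from_custodian, to_custodian, where, how, received):
        """Log who/what/when/where/how for a handoff and re-hash the received copy.

        Returns True when the copy still matches the sealed hash; a False entry is
        kept in the log rather than dropped, because the mismatch itself is evidence.
        """
        verified = sha256_hex(received) == self.sha256
        self.transfers.append({"when_utc": when_utc, "from": from_custodian, "to": to_custodian,
                               "where": where, "how": how, "hash_verified": verified})
        return verified


def acquire(item_id, description, custodian, acquired_at_utc, image):
    """Seal an item: hash at acquisition and open its custody record."""
    return EvidenceItem(item_id, description, custodian, acquired_at_utc, sha256_hex(image))


def chain_intact(item):
    """True only if every logged handoff re-verified the sealed hash."""
    return all(t["hash_verified"] for t in item.transfers)


if __name__ == "__main__":
    img = b"constructed disk image bytes"
    ev = acquire("EV-0001", "laptop SSD image", "analyst-a", "2024-03-05T08:00:00+00:00", img)
    ev.record_transfer("2024-03-05T09:00:00+00:00", "analyst-a", "evidence-locker", "lab room 3", "sealed bag", img)
    print(ev.item_id, ev.sha256[:16], "intact:", chain_intact(ev))
```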

3. Host, disk, and memory artifacts

  • Prioritize volatile data when still available (memory, network connections, logged-on users)
  • Image disks or collect targeted logical collections when full imaging is impractical
  • Parse OS artifacts: registry, prefetch, shimcache, event logs, shellbags, browser, execution traces
  • Document tooling versions and parsing assumptions
See references/host_and_memory_artifacts.md for artifact categories and analysis order.

4. Network, log, and cloud forensics

  • Normalize timestamps to UTC; cite log source and retention limits
  • Correlate firewall, proxy, DNS, IdP, EDR, and cloud audit trails
  • Export cloud evidence via audit logs, snapshots, and API per provider runbook
  • Flag gaps (retention, missing sensors) explicitly in the report
See references/network_log_and_cloud_forensics.md for source matrix and export patterns.

5. Timeline correlation and reporting

  • Build super-timeline merging host, network, cloud, and identity events
  • Separate facts from inferences; label confidence (confirmed, likely, speculative)
  • Produce executive summary, technical appendix, IOC list, and open questions
  • Prepare expert witness outline (exhibit list, methodology summary)—not legal conclusions
See references/timeline_correlation_and_reporting.md for report sections and timeline fields.
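An added illustration of the UTC-normalization step in workflow 4 and the super-timeline merge in workflow 5 (not code from the skill or its references): three constructed records, each in a different native timestamp format, are normalized to UTC, merged, sorted, and kept with their source citation and original value so the normalization is auditable. The record formats are assumptions standing in for a local-time host event export, an epoch-keyed proxy log and an ISO 8601 cloud audit entry.

```python
"""Super-timeline: normalize mixed timestamps to UTC and merge with provenance (added
illustration, not code from the skill or its references; all records are constructed)."""
from datetime import datetime, timezone

# Constructed samples, one per source: host event in local time (+02:00),
# proxy log keyed by Unix epoch seconds, cloud audit record in ISO 8601 with 'Z'.
HOST_EVENTS = [("2024-03-05 10:15:30+02:00", "Security/4624", "Logon type 10 for svc_backup (constructed)")]
PROXY_EVENTS = [(1709627400, "proxy.log", "CONNECT to external host, 4.2 MB out (constructed)")]
CLOUD_EVENTS = [("2024-03-05T08:20:05Z", "cloud-audit", "Snapshot created for vol-0abc (constructed id)")]


def to_utc(raw):
    """Normalize a supported raw timestamp to an aware UTC datetime; reject naive values."""
    if isinstance(raw, (int, float)):                  # Unix epoch seconds
        return datetime.fromtimestamp(raw, tz=timezone.utc)
    dt = datetime.fromisoformat(raw.replace("Z", "+00:00"))
    if dt.tzinfo is None:                              # no offset: cannot be placed on a UTC timeline
        raise ValueError(f"naive timestamp rejected, source offset unknown: {raw!r}")
    return dt.astimezone(timezone.utc)


def build_timeline(*sources):
    """Merge (raw_ts, source, description) rows from any number of sources into one
    UTC-sorted timeline; every row keeps its source citation and original timestamp."""
    rows = []
    for records in sources:
        for raw, source, description in records:
            rows.append({
                "utc": to_utc(raw).isoformat(),
                "source": source,          # provenance: which log this row came from
                "original": str(raw),      # raw value retained so the conversion can be re-checked
                "event": description,
            })
    return sorted(rows, key=lambda r: r["utc"])


if __name__ == "__main__":
    for row in build_timeline(HOST_EVENTS, PROXY_EVENTS, CLOUD_EVENTS):
        print(row["utc"], row["source"], row["event"])
```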

6. Malware artifact triage

  • Work in isolated lab; never execute unknown samples on production networks
  • Capture hashes, strings, metadata, and sandbox output per policy
  • Map behaviors to MITRE ATT&CK where useful; link to host/network findings
  • Package IOC exports for SOC blocklists via soc-analyst handoff
See references/malware_artifact_triage.md for safe triage workflow.

When to load references

  • Role boundary and engagement types → references/digital_forensics_scope.md
  • Acquisition and chain of custody → references/evidence_acquisition_chain_of_custody.md
  • Host, disk, memory artifacts → references/host_and_memory_artifacts.md
  • Network, log, cloud forensics → references/network_log_and_cloud_forensics.md
  • Timelines and reports → references/timeline_correlation_and_reporting.md
  • Malware triage → references/malware_artifact_triage.md

Outputs

  • Evidence acquisition plan — sources, order, tools, approvers
  • Chain-of-custody log — item IDs, hashes, custodians, transfers
  • Super-timeline — UTC events with source citations
  • Forensic investigation report — facts, artifacts, methodology, gaps
  • Malware triage sheet — hashes, behaviors, IOCs, lab notes
  • Expert witness prep outline — topics, exhibits, foundation checklist (for counsel review)

Principles

  • Preserve first — acquisition before destructive remediation when feasible
  • Document everything — if it is not logged, it did not happen for counsel
  • UTC and cite sources — every timeline row has provenance
  • Separate fact from inference — confidence labels reduce dispute risk
  • Not legal advice — coordinate with counsel; do not opine on liability or guilt