DEFFOR010
Produce an electronic media image for forensic purposes


Application

This unit describes the skills required to employ a range of electronic media forensic methodologies to produce an image of a storage device. Storage devices may include hard disk drives, solid state drives, read-only memory (ROM), random-access memory (RAM), flash drives, tape drives, basic input/output system (BIOS) and USBs. Common objectives may include keyword searches, file recovery (including deleted files), and extraction of registry information and metadata. Mobile devices such as mobile phones may afford additional information, including location, but require the use of specific methodologies.

This unit applies to those working in the gathering and analysis of electronic information.

The skills and knowledge described in this unit must be applied within the legislative, regulatory and policy environment in which they are carried out. Organisational policies and procedures must be consulted and adhered to, particularly those relating to WHS and the search and seizure of electronic evidence.

Those undertaking this unit would work independently, with a minimum of supervision, while performing complex tasks, including making complex judgements. They would use discretion and judgement and take responsibility for the quality of their outputs.

No licensing, legislative or certification requirements apply to this unit at the time of publication.


Elements and Performance Criteria

ELEMENTS

PERFORMANCE CRITERIA

Elements describe the essential outcomes

Performance criteria describe the performance needed to demonstrate achievement of the element. Where bold italicised text is used, further information is detailed in the range of conditions section.

1. Determine job requirements

1.1 Detect electronic evidence using observation techniques and appropriate technological methods.

1.2 Isolate electronic evidence prior to examination.

1.3 Identify recording methods to document the electronic evidence.

1.4 Determine most appropriate methodology to image the electronic evidence based on the information being sought and the actual process of analysis of the investigation.

2. Image storage device

2.1 Prepare storage device for imaging.

2.2 Acquire image and check for accuracy by removing internal components from devices if appropriate.

2.3 Ensure image is sufficient in detail to allow all potential examinations and analyses to be carried out.

3. Collect and package electronic evidence

3.1 Collect electronic evidence so as to prevent contamination or loss.

3.2 Package and store evidence to maintain continuity and prevent degradation or contamination.

3.3 Enter details of electronic evidence collected in case notes and, where appropriate, in the exhibit register to maintain the chain of custody.

Evidence of Performance

Evidence required to demonstrate competence must satisfy all of the requirements of the elements and performance criteria. If not otherwise specified the candidate must demonstrate evidence of performance of the following on at least one occasion.

using analytical, decision-making and problem-solving skills in response to a range of electronic evidence contexts, including the systematic examination of items of electronic evidence

applying resource management and time management

applying exhibit handling skills

preserving continuity of evidence

using specialised evidence-recording equipment as required

collecting, packaging and preserving specific evidence types

adhering to operational safety

maximising the potential evidentiary value of the electronic evidence


Evidence of Knowledge

Evidence required to demonstrate competence must satisfy all of the requirements of the elements and performance criteria. If not otherwise specified the depth of knowledge demonstrated must be appropriate to the job context of the candidate.

legislative, policy and quality system context

the range of techniques available for the recording, collection, packaging and preservation of electronic evidence

required forensic documentation for the recording and collection of electronic evidence

application and potential limitations of forensic investigative techniques

roles and functions of other forensic discipline specialists

WHS


Assessment Conditions

Competency should be assessed in an actual workplace or in a simulated environment, with access to equipment and infrastructure appropriate to the outcome. Competency should be demonstrated over time to ensure the candidate is assessed across a variety of situations, with access to electronic devices with content suitable for forensic extraction including mobile devices, computers or communications equipment.

Assessors must satisfy the NVR/AQTF mandatory competency requirements for assessors.


Foundation Skills

The foundation skills demands of this unit have been mapped for alignment with the Australian Core Skills Framework (ACSF). The following tables outline the performance levels indicated for successful attainment of the unit.

ACSF levels indicative of performance:

Further information on ACSF and the foundation skills underpinning this unit can be found in the Foundation Skills Guide on the GSA website.


Competency Field

Electronic Forensics