Occ. Code 9213100

STATE POLICE COMPUTER FORENSIC ANALYST 1, GRADE 14	9213100
STATE POLICE COMPUTER FORENSIC ANALYST 2, GRADE 18	9213200
STATE POLICE COMPUTER FORENSIC ANALYST 3, GRADE 20	9213300
STATE POLICE COMPUTER FORENSIC ANALYST 4, GRADE 23	9213400

New York State Department of Civil Service

Classification Standard

BRIEF DESCRIPTION OF CLASS SERIES

State Police Computer Forensic Analysts are non-competitive, technical positions, performing a full range of complex analyses of various types of electronic and digital evidence received at the New York State Police Computer Forensic Laboratory and handled by the Computer Crime Unit. These positions are located only in the Division of State Police and are located at the Forensic Investigation Center in Albany, New York.

DISTINGUISHING CHARACTERISTICS

STATE POLICE COMPUTER FORENSIC ANALYST 1: These entry level positions are for the analyst with limited forensic experience and training. Incumbents conduct data acquisition and archival; hardware, software, and tool testing and validation; and physical examinations of computers and other electronic devices. Incumbents must successfully complete technical training such as Basic Data Recovery and Acquisition, A+ Hardware, and Network+.

STATE POLICE COMPUTER FORENSIC ANALYST 2: Performs analysis on the less complex casework utilizing standard established procedures. Frequently testifies in court proceedings regarding casework which involves routine laboratory processes such as acquisition, archival and analysis. Incumbents plan and execute analyses, including proper quality control procedures, using instrumentation and techniques as necessary. The results of said analyses will be interpreted and findings reported for court purposes. Incumbents may testify in court on analysis limited to a few specific pieces of evidence. A State Police Computer Forensic Analyst 2 must be proficient in all the duties of a State Police Computer Forensic Analyst 1 and must successfully complete technical training such as Intermediate Data Recovery and Analysis, EnCase Computer Forensics I, and Access Data Boot Camp.

STATE POLICE COMPUTER FORENSIC ANALYST 3: Performs analysis of technically complex cases exercising considerable independent judgment; conducts technical peer review of computer forensic examinations and analysis; and interprets data and results for court purposes. Frequently testifies in court proceedings regarding casework which involves advanced laboratory processes in complex cases which may include network data acquisitions and advanced data recovery and analysis. Incumbents may testify in court as needed. Incumbents are proficient in all of the duties of a State Police Computer Forensic Analyst 2 and must successfully complete technical training such as Advanced Data Recovery and Analysis, EnCase Computer Forensics II, and Access Data Windows Forensics, while obtaining and maintaining necessary industry-related certifications.

STATE POLICE COMPUTER FORENSIC ANALYST 4: Analyzes the most complex cases which may involve multiple operating systems and mobile computing devices. Frequently testifies in court proceedings regarding casework which involves complex networks, operating systems and mobile computing devices. Participates in training and administers testing of State Police Computer Forensic Analysts 1, 2 and 3 under the direction of lab supervisor. Incumbents are proficient in all the duties of a State Police Computer Forensic Analyst 3 and must successfully complete training in multiple Operating Systems such as Linux, Unix and MacIntosh, and advanced technical training involving network and wireless devices, while obtaining and maintaining necessary industry-related certifications.

RELATED CLASSES

State Police Forensic Scientists are non-competitive, highly technical positions, performing a full range of complex analyses of various types of evidence and questioned documents received at the State Police Laboratories and handled in either the Drug Chemistry, Biological Sciences, Toxicology, Trace Evidence or Questioned Document Sections. These positions are located in the Forensic Investigation Center in Albany and in the Regional Crime Laboratories located in Newburgh, Port Crane and Olean, New York.

ILLUSTRATIVE DUTIES

Incumbents at all levels work as part of teams dedicated to the investigation of computer crimes. They are expected to perform the duties of the lower-level titles in the series, as well as those specific to their title.

STATE POLICE COMPUTER FORENSIC ANALYST 1:

· Abide by and follow all procedures relating to the proper handling and chain of custody of evidence in computer forensic laboratories.

· Use computer forensic software and robotic tools to forensically copy data found on electronic devices so that the integrity of original evidence is preserved and the copy can be used for forensic analysis.

· Verify the integrity of the forensic copies to be used for analysis according to State Police and National Institute of Standards for Technology standards. Use computer forensics and information technology utilities to verify the integrity of data to ensure that no data is lost or modified during the acquisition or copying process.

· Use automated technology to prepare copied data for archiving into digital media, such as compact disks. Archival process will preserve and prevent data loss by providing a stable long-term storage medium.

· Conduct physical examinations of computer and other electronic computing devices by inspecting the hardware peripherals in devices submitted to the laboratory as evidence. Inspection will encompass device functionality, including date and time verification of circuit board of computer or devices. Document the physical condition of evidence computers and devices by means of digital photography and completion of appropriate examiner reports.

· Disassemble and reassemble various types of electronic data or communication devices including but not limited to personal computers, laptops, cellular phones, pagers, and personal digital assistants during the examination process.

· Test and validate computer hardware, software, and forensic analytical tools using established laboratory procedures and National Institute of Standards for Technology guidelines. Testing and validation are conducted to verify the integrity of computer forensic software, data acquisition and archival hardware and to ensure tools do not report high rate of errors.

· Prepare and submit to superiors required documentation that catalogues and describes acquired data for admittance into evidence in court proceedings. Reports shall be prepared and submitted by all analysts after performing laboratory processes such as acquisition, archival and analysis.

· Perform computer hardware, software, network, and internet related research to troubleshoot and maintain computer forensic laboratory equipment and network.

· Review current scientific literature and attend seminars, courses, or professional meetings to stay abreast of developments within the field of Computer Forensics and Multimedia Digital Evidence.

In addition, STATE POLICE COMPUTER FORENSIC ANALYSTS 2:

Examine computers and other electronic storage devices submitted as evidence using non-intrusive forensic tools and methods to extract data for analysis.

Analyze data found in electronic devices by using computer forensic utilities and State Police laboratory analytical techniques to parse, locate and extract case relevant data with evidentiary value pursuant to investigative details and search warrant parameters.

Testify in court proceedings regarding casework involving routine laboratory processes such as acquisition, archival and analysis.

Using State Police report writing standards, prepare comprehensive analysis reports to be used in the course of investigations, and to be entered into evidence during court proceedings.

Research industry standards and assist State Police Investigators in developing Standard Operating Procedures for the various stages of computer forensic processes, such as acquisition, archival, and analysis of data.

Perform other laboratory forensic processes using State Police procedures and industry standards and techniques, such as Secure Erase and Hard Drive Restoration pursuant to judicial requests, such as court orders.

In addition, STATE POLICE COMPUTER FORENSIC ANALYSTS 3:

Provide technical assistance to State Police Investigators during the extraction of multimedia digital evidence from crime scenes, computer networks and other technical forensic processes in the field.

Testify in court proceedings regarding casework involving advanced laboratory processes in complex cases such as network data acquisitions and advanced data recovery and analysis.

· Under the guidance of State Police Investigators in the laboratory and prosecutors office prepare computer and multimedia digital evidence for court presentations. Preparation of court presentations involves the review of case relevant data and conversion into human readable format that may be displayed during court proceedings, whether in digital form or in printable form.

· Assist State Police Investigators in the review and preparation of evidentiary material pursuant to Rosario and Discovery court motions. May include the copying of multimedia digital data into media to be released to court recognized experts for the purpose of validation, court presentations and possible legal challenges.

· Testify in court regarding analytical processes and resulting findings for a wider range of evidence.

· Review the examinations and analyses completed by other State Police Computer Forensic Analysts according to technical peer review guidelines, to ensure that quality assurance standards are being met.

· Recommend changes in operating procedures, equipment, and personnel based on results of technical peer review.

· Assist the lab supervisor in the implementation of hardware and software, as well as modifications to the laboratory equipment and network.

In addition, STATE POLICE COMPUTER FORENSIC ANALYSTS 4:

Analyze complex cases based on State Police investigative and forensic procedures and search warrant parameters.

Document analysis laboratory findings in comprehensive reports.

Frequently testifies in court regarding: the validity of analysis performed by lower-level State Police Computer Forensic Analysts; the processes used when analyzing digital evidence; and the relation of said evidence to the overall investigation.

Advise State Police Investigators of possible alternative methods of analysis that would increase accuracy, efficiency, and timeliness.

Perform peer review of technically complex cases and report any unexpected quality control developments that may occur to the lab supervisor.

Analyze the most complex cases which may involve multiple operating systems and mobile computing devices.

Testify in court proceedings regarding casework in complex cases which may involve computer networks, multiple operating systems and mobile computing devices.

Administer competency and proficiency tests to all levels of State Police Computer Forensic Analysts to ensure that analysts possess the necessary training and experience to adequately analyze multimedia digital evidence.

RELATIONSHIPS WITH OTHERS

Incumbents of this title series are supervised by a State Police Senior Investigator assigned to the Computer Crimes Unit who acts as the Lab Supervisor. State Police Investigators lead teams consisting of two (2) or more professional civilian State Police Computer Forensic Analyst positions at various levels. When on assignment in the field assisting State Police Investigators, incumbents may also have contact with other law enforcement professionals assigned to particular cases. This is a non-supervisory class.

INDEPENDENCE OF OPERATION

Incumbents are supervised by a State Police Senior Investigator who, acting as the Lab Supervisor, assigns cases and sets up work teams based on schedules, knowledge, and workload. State Police Investigators act as team leaders and provide overall coordination of the work that is performed in assigned cases. Generally, incumbents perform their tasks with relative independence, but there are procedural guidelines related to forensic analysis and chain of custody that must be followed for the information to be used as evidence in a court of law. Incumbents are expected to advise their supervisor about problems and difficulties encountered and discuss solutions and alternate approaches to problems with them.

MINIMUM QUALIFICATIONS

STATE POLICE COMPUTER FORENSIC ANALYST 1

Bachelor of Science Degree in Computer Forensics, Computer Science, or related field.

Substitution: (4) years of work-related experience in the field of Computer Forensics. Preference will be given to those candidates who have completed or received verifiable training with computer forensic tools such as EnCase, Access Data FTK and ASR SMART.

STATE POLICE COMPUTER FORENSIC ANALYST 2

Substitution: (4) years of work-related experience in the field of Computer Forensics may be substituted for the required Bachelor's Degree.

STATE POLICE COMPUTER FORENSIC ANALYST 3

Bachelor of Science Degree in Computer Forensics, Computer Science, or related field AND a minimum of (24) months of satisfactory experience performing the duties of a State Police Computer Forensic Analyst 2 or its equivalent in another computer forensic environment; AND possession of a Computer Forensics certification such as EnCE, CFCE, ACE or similar certification. Certification may be substituted with a minimum of (128) hours of Computer Forensics training; AND completion of verifiable training with computer forensic tools such as EnCase, Access Data FTK and ASR SMART. Preference will be given to those candidates who have gained experience in testimony as an expert witness and have established his or her credentials as an expert in various courts of record.

Substitution: (4) years of work-related experience in the field of Computer Forensics may be substituted for the required Bachelor's Degree.

STATE POLICE COMPUTER FORENSIC ANALYST 4

Bachelor of Science Degree in Computer Forensics, Computer Science, or related field AND a minimum of (24) months of satisfactory experience performing the duties of a State Police Computer Forensic Analyst 3 or its equivalent in another computer forensic environment; AND possession of a Computer Forensics certification such as EnCE, CFCE, ACE or similar certification; AND a minimum of (160) hours of verifiable Computer Forensics training; AND verifiable training with computer forensics tools such as EnCase, Access Data FTK and ASR SMART; AND significant Computer Forensics casework experience, and experience testifying before a court of law or administrative hearing as a Computer Forensics expert. Preference will be given to those candidates who have (2) years of work-related experience in training and administering proficiency or competency examinations in a Computer Forensics lab or similar work environment.

Substitution: (4) years of work-related experience in the field of Computer Forensics may be substituted for the required Bachelor's Degree.

Date: 1/08

NOTE: Classification Standards illustrate the nature, extent and scope of duties and responsibilities of the classes they describe. Standards cannot and do not include all of the work that might be appropriately performed by a class. The minimum qualifications above are those which were required for appointment at the time the Classification Standard was written. Please contact the Division of Staffing Services for current information on minimum qualification requirements for appointment or examination.