Job Specification
Position Title:
Investigator/Forensic Analyst
Job Code:
C0069 - Technical Analyst
Purpose of Position:
To conduct investigations that deal with computer technology as an element. Assist with the preparation and execution of search warrants. Oversee and conduct electronic search and seizure procedures. To extract, examine and analyze electronic data for the purpose of developing, enhancing and clarifying evidence. To provide court testimony regarding digital evidence investigations.
Duties / Responsibilities:
1. Conduct investigations involving technology as an element, including all computer data and electronic devices as defined by the Criminal Code; engage in criminal investigations with OPP specialized investigative units, detachments and regions, as well as municipal services within the Province of Ontario.
2. Assist with the execution of Judicial Authorizations to locate the presence of digital evidence; assist with or conduct the seizure of electronic devices and peripherals during the execution of search warrants; document and photograph evidence on scene, as well as generate on-scene reports.
3. Conduct digital examinations using forensic software and techniques on seized evidence relevant to criminal investigations. Generate forensic images of all evidentiary digital media and devices. Apply data recovery techniques to recover and extract evidence from all types of digital devices and media.
4. Maintain evidence continuity by cataloguing, preserving and transporting evidence and/or exhibits.
5. Maintain forensic equipment and tools through frequent testing and validation.
6. Utilize programming techniques to forensically acquire data from previously undocumented devices and technologies; participate in the research of new electronic evidence gathering technologies (e.g. computer hardware and software, chat channels, internet/web sites, search engines) to develop forensically sound practices that affect the gathering of computer evidence.
7. Prepare detailed forensic reports for disclosure purposes to assist with investigations and/or testimony in judicial proceedings as an expert witness.
8. Provide recommendations to the Team Leader regarding the financial and technological resources necessary to undertake computer-based investigations.
9. Generate occurrences on Niche RMS for new requests for service, occurrences and notes on in-house software for new incidents. Create summary reports on section intake and establish individual priorities, deadlines, etc. for assigned cases.
10. Provide expert advice for investigations dealing with technology to a diverse group of internal and external investigators, police services, Crown Attorneys and government agencies.
11. Provide training to police, other law enforcement agencies, and community groups on technological crime. Provide mentorship to new members of the unit.
12. Perform other duties, as assigned.
Staffing and Licensing:
Valid Ontario Driver's Licence.
Special Constable appointment status, which includes the ability to pass an OPP background security investigation.
Ability to work on a regularly scheduled on-call basis.
Ability to successfully complete the Digital Forensic Investigator Understudy Program and associated certifications.
Knowledge:
· Relevant federal and provincial statutes including current case law and decisions pertaining to the gathering and extracting of electronic data to perform assigned duties; understanding scope and limitations of judicial authorizations; development of court documents such as search warrants; reporting and presentation tools and techniques to produce and present findings for disclosure and in court testimony.
· Operation, networking, troubleshooting, security protocols and principles for PC based, Macintosh, Linux and various microcomputer systems; understanding of various types of computer hardware and technical specifications, including components, peripherals, network topologies, RAID systems, servers, desktop and laptop computers.
· Mobile devices such as cellular phones, GPS, tablets, SIM cards and media storage cards and respective file systems and protocols. Network architectures (such as CDMA, HSPA, GSM and BlackBerry Enterprise Servers), structure, data and voice transmission and the underlying data types associated with each.
· Bypassing lock codes to recover data from damaged devices such as tablets, mobile phones, and GPS units, by direct memory chip access (chip-off) and JTAG.
· Flash memory, NAND, NOR and EEPROM, their structure and operating characteristics, methodologies for extracting and understanding the data within such devices as cellular phones, USB flash drives and solid state drives.
· Various electronic media storage devices including but not limited to computer hard drives, portable flash media, CD/DVD-ROMs, magnetic tape units and floppy disks; various consumer devices containing electronic media including, but not limited to computers, laptops, tablets, media players, cell phones, GPS devices, digital cameras, DVR/PVRs and other devices capable of housing data.
· Forensic acquisition processes and methodology to extract, validate and secure digital evidence; physical workings of storage media; the difference between physical and logical acquisitions; specialized hardware and software write blocking and extraction tools; security, continuity and handling of evidence in accordance with Rules of Evidence, OPP policies, protocols, procedures and practices.
· Forensic data recovery software, validation and techniques; various file systems, such as NTFS and HFS, regarding their structure, limitations and usage, such as data carving, data parsing, encoding and decoding data, reverse engineering, filtering and querying. Computer mathematics including binary/hexadecimal/decimal conversions, endianness and encoding schemes.
· Processing evidence artifacts including but not limited to various documents, spreadsheets, email, chat, Internet history, call logs, SMS, log files, databases, compound documents, encrypted files, operating system artifacts and date/time validation.
Judgement:
Position reports to Team Leader, Digital Forensics and requires working under minimal supervision and making decisions within established guidelines, protocols, methodologies and procedures. Judgement and discretion are applied when:
· determining the appropriate cases/situations to bring forward to consult with the Team Leader
· providing expert advice and assistance to internal and external stakeholders
· preparing and executing search warrants, disclosure packages and delivering presentations throughout the province of Ontario
INTERPERSONAL AND COMMUNICATION SKILLS:
· Document technology research, prepare technical documentation, methodologies and processes, create and amend training materials, prepare crown briefs, maintain logs, assist in preparing business cases.
· Oral communication skills and interpersonal skills to liaise with a diverse group of OPP staff, law enforcement agencies and crown attorneys, provide technical advice and support, communicate complex technical information and system capabilities and deliver presentations/lectures.
· Ability to work effectively in a team environment.
· Ability to provide ongoing guidance and support to new employees as required in a mentorship role in Digital Forensics.
PROBLEM SOLVING/COMPLEXITY:
Analytical, problem-solving and evaluative skills to conduct forensics investigations including the extraction, examination and analysis of electronic data.
Ability to develop and implement solutions regarding extraction and analysis of data from nonstandard storage devices (e.g. skimmers, gaming consoles, etc.).
Ability to isolate relevant evidentiary forensic artifacts from within large volumes of data, assemble them within the context of an investigation and articulate their cohesive meaning and relevance to the matter being investigated.
RESPONSIBILITY FOR THE WORK OF OTHER EMPLOYEES:
There is no formal responsibility for the work of other employees.
PHYSICAL AND SENSORY DEMANDS:
Physical Demands:
· Keyboarding for extended periods of time as most work is completed utilizing a computer. This involves sitting for extended periods of time with freedom to move around as required.
· Extended sitting while driving to and from various sites to perform work.
· Frequent lifting, carrying and/or moving of equipment, tool boxes, monitors, computers, servers, laser printers.
Sensory Demands:
Visual: working with computer display and printed material, preparing technical/design specifications, presentations, training material, judicial disclosure, programming, etc.
Concentration required when performing analysis and researching data.
Multi-tasking by managing substantial caseloads which often requires immediate response and attention. This may supersede scheduled work due to re-prioritizing of duties to meet requirements.
WORKING CONDITIONS:
Often attend search warrants where members could be involved in volatile situations and exposed to biohazards.
Work is generally performed in a standard office environment. Members will often travel within and out of province/country. Frequent driving required.
Risk of frequent exposure to explicit imagery of child pornography/sexual abuse and graphic violence due to the requirement of supporting these types of investigations.