This apprenticeship standard has been approved for delivery by the Institute for Apprenticeships and Technical Education. However, starts on the apprenticeship will only be possible once a suitable end-point assessment organisation (EPAO) has joined the Apprenticeship Provider and Assessment Register (APAR). Once the EPAO has joined the APAR, funding for apprentice starts will be permitted and this message will be removed.

Key information

  1. Status: Approved for delivery
  2. Reference: ST1409
  3. Version: 1.0
  4. Level: 7
  5. Typical duration to gateway: 36 months
  6. Typical EPA period: 6 months
  7. Maximum funding: £27000
  8. Route: Digital
  9. Integration: Degree-apprenticeship
  10. Date updated: 15/07/2024
  11. Approved for delivery: 15 July 2024
  12. Lars code: 764
  13. Review: this apprenticeship will be reviewed in accordance with our change request policy.
Print apprenticeship summary

Apprenticeship summary

Overview of the role

Undertake and innovate the capture, processing, and analysis of specialist digital forensic evidence.

Occupation summary

This occupation is found in organisations that undertake and innovate regarding the capture, processing, and analysis of specialist digital forensic evidence. These roles can be found in different public and private sector bodies and organisations that include digital forensics and criminal investigations within their service delivery. There is a significant demand on policing to examine digital devices making this a primary service offered by forensic service providers to policing. The role is relevant to Security and Defence teams including the National Crime Agency, Ministry of Defence, Border Force, Academia, and other aspects of the Criminal Justice System. Private forensic service providers service all public sector requirements for device examinations as well as other investigation types not just criminal, including internal corporate and Intellectual Property theft investigations. These companies vary in size and breadth of digital capability.

The broad purpose of the occupation is to act as a senior advisor within the digital forensic environment and support and manage the delivery of digital services for major crimes, incidents, operations, or any investigations that require specialist digital forensic investigative assistance. They provide an enhanced specialist service and knowledge regarding the detecting, preserving, seizing, gathering and analysing of digital intelligence and evidence for investigations where digital technology and data acquisition opportunities exist. They have an advanced understanding of digital forensic investigation techniques and demonstrate an ability to work independently, managing processes and complex technical problem solving. They can produce, develop, design and implement appropriate tactical digital forensic strategies for challenging and atypical crime investigation scenarios and/or emerging digital forensic practice. A key aspect of this role is the research and development of emerging digital technologies and ensuring practices are developed to support investigations. As such it is critical to attract talented experienced digital staff into this role. The titles of the roles may vary across different organisations including police forces, but the core skills required of the role remain the same.

In their daily work, an employee in this occupation interacts with their local forensics team and across the forensic capability and academia nationally where emerging technology is encountered. They will provide technical advice and guidance to digital forensic practitioners and advise investigating officers on digital strategy. They will support the criminal justice system understand the impact of the evidence which will include legal counsel. As part of their role to embed emerging practice and improve effectiveness they will have daily interaction with unit lead and quality managers.

An employee in this occupation will be responsible for the exercise of broad autonomy and judgement across a specialism developing digital forensic strategy. Explaining complex technical concepts in a clear and understandable manner to support criminal or civil prosecutions. 

They will critically capture, process and analyse complex digital material and information, concepts and theories to produce investigative best practice. Taking responsibility for planning and developing innovative practice that initiate or underpin substantial changes or developments. Advise and influence on the financial implication of technological and process improvements considerate of return on investment. 

Engage with external stakeholders, such as digital forensic service providers, academia, and industry experts, to foster collaborations, share knowledge, and remain informed and embed advancements in the digital forensic field. Continuously monitor and research emerging technologies, tools, and techniques in the field of digital forensics, staying up to date with the latest developments and best practices to enhance investigative capabilities. Adherence to strict professional ethics, ensuring the confidentiality, privacy, and security of all digital evidence and maintaining the highest standards of integrity throughout the forensic process. 

The role requires security vetting, adhering to the legal framework, and an expectation to work to professional policing standards and Forensic Science Regulator Codes of Practice and the Conduct of Forensic Science Providers codes of practice. 

 

Typical job titles include:

Digital forensic specialist Senior digital forensic investigator Senior digital forensic practitioner

Duties

  • Duty 1 Establish a comprehensive understanding of the legislation for the examination of digital devices and material for use in the criminal justice system and investigations.
  • Duty 2 Lead the advanced application of specialist principles for digital forensic science, utilising cutting edge technical evidence for the investigative process.
  • Duty 3 Establish actionable forensic evidence for investigations by processing, analysing and interpreting digital information from data and electronic devices.
  • Duty 4 Forensically interrogate the components and artefacts of complex digital material to find evidence relevant to investigations.
  • Duty 5 Adhere to strict professional ethics when implementing systems that ensure confidentiality, security, and integrity of all digital evidence throughout the forensic process.
  • Duty 6 Ensure privacy when handling and managing evidential material and its sources.
  • Duty 7 Solve complex problems and technically challenge the constraints of digital forensic methodologies legally and ethically, reacting to any changing circumstances to maximize evidence gathering for digital investigations.
  • Duty 8 Transition technical proof of concepts from unpredictable digital environments to embedding as approved techniques within an established quality-controlled laboratory.
  • Duty 9 Act as a proactive critical point of contact for complex technical investigative challenges, providing specialist technical knowledge and advice to senior investigators on forensic strategies for digital forensic opportunities in serious and complex investigations.
  • Duty 10 Workplace technical transformation to improve productivity, capability, and forensic impact.
  • Duty 11 Use competency frameworks to implement technical transformation for continuous business improvement.
  • Duty 12 Meet current and future business requirements by conducting technology foresight activities to review changes to the IT and digital landscape.
  • Duty 13 Communicate with technical and non-technical stakeholders, negotiating and influencing effectively to ensure understanding of highly technical concepts and issues.
  • Duty 14 Provide unbiased digital forensics evidence for the legal process that distinguishes between factual and interpretive expert reporting, producing comprehensive reports, technical explanations and statements for court in accordance with rules of evidence.
  • Duty 15 Develop, promote and manage a working culture that is safe and lawful when dealing with digital devices and data that contain personal, sensitive or potentially distressing information.
  • Duty 16 Engage and collaborate with cross-sector partners to build relationships that advance national digital forensics.
  • Duty 17 Supervise staff to perform their duties. Manage their welfare and development through coaching and mentoring.
  • Duty 18 Co-ordinate the allocation, delivery, and priority of team workload to advance and support investigations.

Apprenticeship summary

ST1409, advanced digital forensic professional level 7

This is a summary of the key things that you – the apprentice and your employer need to know about your end-point assessment (EPA). You and your employer should read the EPA plan for the full details. It has information on assessment method requirements, roles and responsibilities, and re-sits and re-takes.

What is an end-point assessment and why it happens

An EPA is an assessment at the end of your apprenticeship. It will assess you against the knowledge, skills, and behaviours (KSBs) in the occupational standard. Your training will cover the KSBs. The EPA is your opportunity to show an independent assessor how well you can carry out the occupation you have been trained for.

Your employer will choose an end-point assessment organisation (EPAO) to deliver the EPA. Your employer and training provider should tell you what to expect and how to prepare for your EPA.

The length of the training for this apprenticeship is typically 36 months. The EPA period is typically 6 months.

The overall grades available for this apprenticeship are:

  • fail
  • pass
  • merit
  • distinction

When you pass the EPA, you will be awarded your apprenticeship certificate.


EPA gateway

The EPA gateway is when the EPAO checks and confirms that you have met any requirements required before you start the EPA. You will only enter the gateway when your employer says you are ready.

The gateway requirements for your EPA are:

  • achieved English and mathematics qualifications in line with the apprenticeship funding rules
  • for the dissertation including presentation with questions, the project's title and scope must be agreed with the EPAO and a project summary submitted

  • for the professional discussion underpinned by a portfolio, you must submit a portfolio of evidence

Assessment methods

A project with a dissertation

You will be asked to complete a Dissertation. The title and scope will be agreed with the EPAO at the gateway. As part of the project, you need to write a Dissertation and submit this to the EPAO. The Dissertation should be a maximum of 8000 (with a 10% tolerance).

You will have 26 weeks to complete the project and submit the Dissertation to the EPAO.

You need to prepare and give a presentation to an independent assessor. Your presentation slides and any supporting materials should be submitted at the same time as the project output. The presentation with questions will last at least 90 minutes. The independent assessor will ask at least 10 questions about the project and presentation.


Professional discussion underpinned by a portfolio of evidence

You will have a professional discussion with an independent assessor. It will last 90 minutes. They will ask you at least 10 questions. The questions will be about certain aspects of your occupation. You need to compile a portfolio of evidence before the EPA gateway. You can use it to help answer the questions.


Who to contact for help or more information

You should speak to your employer if you have a query that relates to your job.

You should speak to your training provider if you have any questions about your training or EPA before it starts.

You should receive detailed information and support from the EPAO before the EPA starts. You should speak to them if you have any questions about your EPA once it has started.Reasonable adjustments

If you have a disability, a physical or mental health condition or other special considerations, you may be able to have a reasonable adjustment that takes this into account. You should speak to your employer, training provider and EPAO and ask them what support you can get. The EPAO will decide if an adjustment is appropriate.


Professional recognition

This apprenticeship aligns with The Chartered Institute of Information Security for Chartered

Please contact the professional body for more details.

This apprenticeship aligns with Institute of Cyber Digital Investigation Professionals for Chartered

Please contact the professional body for more details.

Print occupational standard

Details of the occupational standard

Occupation summary

This occupation is found in organisations that undertake and innovate regarding the capture, processing, and analysis of specialist digital forensic evidence. These roles can be found in different public and private sector bodies and organisations that include digital forensics and criminal investigations within their service delivery. There is a significant demand on policing to examine digital devices making this a primary service offered by forensic service providers to policing. The role is relevant to Security and Defence teams including the National Crime Agency, Ministry of Defence, Border Force, Academia, and other aspects of the Criminal Justice System. Private forensic service providers service all public sector requirements for device examinations as well as other investigation types not just criminal, including internal corporate and Intellectual Property theft investigations. These companies vary in size and breadth of digital capability.

The broad purpose of the occupation is to act as a senior advisor within the digital forensic environment and support and manage the delivery of digital services for major crimes, incidents, operations, or any investigations that require specialist digital forensic investigative assistance. They provide an enhanced specialist service and knowledge regarding the detecting, preserving, seizing, gathering and analysing of digital intelligence and evidence for investigations where digital technology and data acquisition opportunities exist. They have an advanced understanding of digital forensic investigation techniques and demonstrate an ability to work independently, managing processes and complex technical problem solving. They can produce, develop, design and implement appropriate tactical digital forensic strategies for challenging and atypical crime investigation scenarios and/or emerging digital forensic practice. A key aspect of this role is the research and development of emerging digital technologies and ensuring practices are developed to support investigations. As such it is critical to attract talented experienced digital staff into this role. The titles of the roles may vary across different organisations including police forces, but the core skills required of the role remain the same.

In their daily work, an employee in this occupation interacts with their local forensics team and across the forensic capability and academia nationally where emerging technology is encountered. They will provide technical advice and guidance to digital forensic practitioners and advise investigating officers on digital strategy. They will support the criminal justice system understand the impact of the evidence which will include legal counsel. As part of their role to embed emerging practice and improve effectiveness they will have daily interaction with unit lead and quality managers.

An employee in this occupation will be responsible for the exercise of broad autonomy and judgement across a specialism developing digital forensic strategy. Explaining complex technical concepts in a clear and understandable manner to support criminal or civil prosecutions. 

They will critically capture, process and analyse complex digital material and information, concepts and theories to produce investigative best practice. Taking responsibility for planning and developing innovative practice that initiate or underpin substantial changes or developments. Advise and influence on the financial implication of technological and process improvements considerate of return on investment. 

Engage with external stakeholders, such as digital forensic service providers, academia, and industry experts, to foster collaborations, share knowledge, and remain informed and embed advancements in the digital forensic field. Continuously monitor and research emerging technologies, tools, and techniques in the field of digital forensics, staying up to date with the latest developments and best practices to enhance investigative capabilities. Adherence to strict professional ethics, ensuring the confidentiality, privacy, and security of all digital evidence and maintaining the highest standards of integrity throughout the forensic process. 

The role requires security vetting, adhering to the legal framework, and an expectation to work to professional policing standards and Forensic Science Regulator Codes of Practice and the Conduct of Forensic Science Providers codes of practice. 

 

Typical job titles include:

Digital forensic specialist Senior digital forensic investigator Senior digital forensic practitioner

Occupation duties

Duty KSBs

Duty 1 Establish a comprehensive understanding of the legislation for the examination of digital devices and material for use in the criminal justice system and investigations.

K1 K2 K3 K5 K13 K14 K15 K16 K17 K18 K19 K20 K21 K22 K23 K24 K27 K29 K33 K34 K35 K36

S1 S2 S4 S8 S9 S10 S11 S13 S15

B1 B2

Duty 2 Lead the advanced application of specialist principles for digital forensic science, utilising cutting edge technical evidence for the investigative process.

K1 K2 K5 K7 K13 K14 K15 K16 K17 K18 K19 K20 K21 K22 K23 K24 K25 K28 K29 K31 K33 K34 K35 K36 K39 K40

S1 S4 S8 S9 S10 S13 S18

B1 B2 B3

Duty 3 Establish actionable forensic evidence for investigations by processing, analysing and interpreting digital information from data and electronic devices.

K2 K7 K8 K12 K13 K14 K15 K16 K17 K18 K19 K20 K21 K22 K24 K25 K28 K29 K31 K33 K34 K35 K36

S1 S4 S8 S9 S10 S13 S19

B1 B2 B3

Duty 4 Forensically interrogate the components and artefacts of complex digital material to find evidence relevant to investigations.

K1 K2 K7 K8 K12 K13 K14 K15 K16 K17 K18 K19 K20 K21 K22 K23 K24 K25 K29 K31 K33 K34 K35 K36 K39

S1 S4 S8 S9 S10 S13 S18

B1 B2 B3

Duty 5 Adhere to strict professional ethics when implementing systems that ensure confidentiality, security, and integrity of all digital evidence throughout the forensic process.

K1 K2 K3 K5 K6 K7 K8 K12 K13 K14 K15 K16 K17 K18 K19 K20 K21 K22 K23 K24 K25 K26 K27 K29 K33 K34 K35 K36 K39 K40

S1 S4 S8 S9 S10 S13 S15 S18 S19

B1 B2 B3

Duty 6 Ensure privacy when handling and managing evidential material and its sources.

K7 K8 K12 K14 K15 K16 K17 K18 K19 K20 K21 K22 K23 K24 K25 K28 K29 K31 K34 K35

S1 S4 S8 S9 S10 S13 S15

B1 B2 B3

Duty 7 Solve complex problems and technically challenge the constraints of digital forensic methodologies legally and ethically, reacting to any changing circumstances to maximize evidence gathering for digital investigations.

K1 K2 K7 K8 K12 K13 K14 K15 K16 K17 K18 K19 K20 K21 K22 K23 K24 K25 K26 K28 K29 K31 K33 K34 K35 K36 K39 K40

S1 S4 S8 S9 S10 S11 S13 S15 S18 S19

B1 B2 B3

Duty 8 Transition technical proof of concepts from unpredictable digital environments to embedding as approved techniques within an established quality-controlled laboratory.

K5 K6 K11 K14 K15 K23 K32 K40

S1 S3 S7 S11 S14 S19

B1 B2 B6 B7

Duty 9 Act as a proactive critical point of contact for complex technical investigative challenges, providing specialist technical knowledge and advice to senior investigators on forensic strategies for digital forensic opportunities in serious and complex investigations.

K2 K5 K6 K7 K11 K13 K14 K15 K16 K17 K18 K19 K20 K21 K22 K23 K27 K35 K36 K40

S1 S7 S9 S19

B1 B2 B6 B7

Duty 10 Workplace technical transformation to improve productivity, capability, and forensic impact.

K6

S1 S3 S5 S7 S11 S14

B1 B2 B4 B6 B7

Duty 11 Use competency frameworks to implement technical transformation for continuous business improvement.

K11 K30

S3 S5 S7 S11 S14

B1 B2 B4 B6 B7

Duty 12 Meet current and future business requirements by conducting technology foresight activities to review changes to the IT and digital landscape.

K5 K6 K7 K11 K15 K40

S3 S7 S11 S14 S19

B1 B2 B4 B6 B7

Duty 13 Communicate with technical and non-technical stakeholders, negotiating and influencing effectively to ensure understanding of highly technical concepts and issues.

K9 K15 K26 K27 K40

S2 S4 S5 S9 S10 S12 S13 S15 S17 S19

B1 B2 B3 B4 B5 B7

Duty 14 Provide unbiased digital forensics evidence for the legal process that distinguishes between factual and interpretive expert reporting, producing comprehensive reports, technical explanations and statements for court in accordance with rules of evidence.

K3 K14 K15 K16 K17 K20 K21 K22 K23 K24 K25 K26 K30 K31 K39

S2 S9 S10 S13 S17

B1 B2 B3 B5

Duty 15 Develop, promote and manage a working culture that is safe and lawful when dealing with digital devices and data that contain personal, sensitive or potentially distressing information.

K3 K4 K9 K38

S2 S6 S17

B1 B2 B8

Duty 16 Engage and collaborate with cross-sector partners to build relationships that advance national digital forensics.

K5 K6 K11 K26 K32 K37 K38

S3 S4 S7 S14 S16 S17

B1 B2 B4 B5 B6 B7 B8

Duty 17 Supervise staff to perform their duties. Manage their welfare and development through coaching and mentoring.

K4 K9 K10 K37 K38

S2 S5 S6 S12 S17

B1 B2 B3 B5 B8

Duty 18 Co-ordinate the allocation, delivery, and priority of team workload to advance and support investigations.

K4 K9 K10 K27 K38

S5 S6 S12 S17

B1 B2 B3

KSBs

Knowledge

K1: Interpretation, implication and application of legislation and guidance for the examination of digital devices and material for use in investigations. Back to Duty

K2: How to conduct investigations and leverage intelligence in order to identify and safeguard victims and vulnerable persons. Back to Duty

K3: Ethical handling and management of evidential material and its sources to ensure privacy. Back to Duty

K4: Techniques for identifying and managing well-being within a digital forensic team and the strategies to address trauma and how to access support due to the impact that processing sensitive or potentially distressing content can have on an individual. Back to Duty

K5: Processes for accrediting and embedding novel techniques in the laboratory, from proof of concept to approved techniques, associated risks and the impact of Quality Standard Requirements and Forensic Science Regulator (FSR) Codes of Practice (including information security, assurance, and business continuity). Back to Duty

K6: Scientific requirements needed to establish a technical standard for a new forensic science activity, including validation of methods and tools, practitioner competency, and training. Back to Duty

K7: Scope of techniques within digital forensics regarding the acquisition, preservation, handling, processing and analysis of digital intelligence. Back to Duty

K8: What a digital forensic strategy entails, and how this supports the investigation whilst mitigating the risks presented. Back to Duty

K9: Mentoring and how to support the professional development of others. Back to Duty

K10: Techniques to co-ordinate the allocation, delivery, and priority of team workload to advance and support investigation in line with organisational priorities. Back to Duty

K11: Horizon scanning, technological advances, and their value to inform strategies for triage and frontline and investigative capability. Back to Duty

K12: Core network design and storage technologies across multiple devices and common architectures. Back to Duty

K13: Specialist video multimedia, recovery, processing and analysis to enhance digital forensics compliance. Back to Duty

K14: Common data features across specialist forensics capabilities, including forensic linguistics, and image authenticity relevant to evidence handling and interpretation of digital forensic material. Back to Duty

K15: Opportunities for complementary evidence, for example open source, cell site, communications intelligence, text encoding initiative and vehicles. Back to Duty

K16: The function of, and forensic opportunities presented by, common block device file systems, for example New Technology File System (NTFS), File Allocation Table (FAT), Extended File System (ext), Hierarchical File System Plus (HFS+), Apple File System (APFS) and partitioning technologies. Back to Duty

K17: Common data structures for storage of text and media, for example text, XML, JSON, image, and video formats. Back to Duty

K18: Data and database-type structures for storage of system and application data, for example system logs, Windows Registry, system configuration, (b)plists, SQLite, RealmDB, ProtoBuffers. Back to Duty

K19: The complexities of technical and dynamic risks identified through the investigative process, for example data vulnerabilities. Back to Duty

K20: Encryption technologies and security methods employed by device manufacturers and their impact on forensic activity and circumventions. Back to Duty

K21: Artefact types across digital forensic disciplines, and how they can be exploited in investigations. Back to Duty

K22: Handling treatment opportunities and challenges of various storage media, including magnetic, optical, and flash memory. Back to Duty

K23: Applications and uses of artificial intelligence to identify and generate evidential material. Back to Duty

K24: Fault-finding and diagnostic techniques and equipment, including use of voltmeters, thermal imagers and continuity checkers for non-functional electronic devices. Back to Duty

K25: How to capture evidence compromised by environmental conditions. Back to Duty

K26: The importance of independent, impartial decision-making that respects the opinions and views of others in complex, unpredictable and changing circumstances. Back to Duty

K27: Tactical solutions and interpretation of local network architecture to inform plans for examining digital evidence. Back to Duty

K28: Script programs to extract and report data not processed by extraction tool capability, including writing structured query language (SQL) and scripts for interpretation of data, for example Python. Back to Duty

K29: Decomplication, reverse-engineering, static and dynamic analysis approaches, including application virtualisation. Back to Duty

K30: Requirements for providing unbiased interpretive evidence, understanding of the limitations of results, including unconscious bias and performance of tools. Back to Duty

K31: E-Discovery strategy for large and complex cases. Back to Duty

K32: Conducting literature reviews. Back to Duty

K33: Research methods and statistical analysis, including data science and Artificial Intelligence. Back to Duty

K34: Statistical methods and data interpretation. Back to Duty

K35: How to draw meaningful conclusions and the communication of research findings. Back to Duty

K36: How to effectively collaborate with partners and across disciplines to advance national digital forensics and evaluate emerging technology. Back to Duty

K37: How their role contributes to sustainability goals. Back to Duty

K38: Principles and policies of equity, diversity and inclusion in the workplace and their impact on the organisation. Back to Duty

K39: Techniques to identify evidential anomalies associated with manipulated or faked material. Back to Duty

K40: Emerging trends and technological threats that could disrupt and influence the credibility of forensic evidence. Back to Duty

Skills

S1: Apply legislation and guidance for the capture and examination of digital data to casework and decision-making. Back to Duty

S2: Conduct investigations and manage evidence ethically to ensure safeguarding of victims and vulnerable persons, including providing support in the technical working environment when dealing with digital devices and data that may contain personal, sensitive or potentially distressing information. Back to Duty

S3: Undertake work to support the accreditation of novel techniques, from proof of concept through to embedding approved techniques within the laboratory. Back to Duty

S4: Develop legal and ethical digital forensic strategies and communicate with a range of stakeholders to implement these to proactively support serious and complex investigations. Back to Duty

S5: Mentoring skills to support the performance of the digital forensics team. Providing advice and guidance with particular emphasis on embedding specialist techniques. Back to Duty

S6: Co-ordinate the allocation, delivery, and priority of team workload to advance and support investigation. Back to Duty

S7: Lead the advanced application of specialist principles for digital forensic science, ensuring the use of cutting-edge technical evidence for the investigative process. Back to Duty

S8: Process, analyse and interpret complex digital data for the purposes of establishing forensic evidence for investigations. Back to Duty

S9: Interrogate the components and artefacts of complex digital material in a forensic manner to find evidence relevant to investigations. Back to Duty

S10: Physically examine damaged or broken devices and remove data, utilising specialist tools and techniques, for example Chip-off and Joint Test Action Group (JTAG). Back to Duty

S11: Solve complex problems and technically challenge the constraints of digital forensic methodologies. Back to Duty

S12: Communicate, negotiate, and influence on various skill and sensitivity levels to support all parts of the investigative process, including addressing highly technical concepts in an accessible format. Back to Duty

S13: Provide trusted digital forensic evidence for the investigative process, producing comprehensive reports, technical explanations, and statements in accordance with rules of evidence. Distinguishing between factual and interpretive expert reporting. Back to Duty

S14: Conduct literature reviews and select appropriate research methodologies to address research gaps in digital forensics. Back to Duty

S15: Research data collection, analyse information to draw meaningful conclusions, and communicate the research findings. Back to Duty

S16: Collaborate with partners across disciplines to advance national digital forensics and evaluate emerging technology. Back to Duty

S17: Follow and apply sustainability, equity, diversity and inclusion policies and procedures. Back to Duty

S18: Use specialist multi-capability techniques to forensically identify and examine the authenticity of evidential material. Back to Duty

S19: Apply knowledge of new technological risks and threats to influence change to the digital forensic examination process. Back to Duty

Behaviours

B1: A strong work ethic and commitment in order to meet the standards required. Back to Duty

B2: Acts with integrity with respect to ethical, legal and regulation ensuring the protection of personal data, safety and security. Back to Duty

B3: Shows initiative and personal responsibility to overcome digital forensic challenges. Back to Duty

B4: Commitment to continuous professional development; maintaining knowledge and skills in digital forensic developments that influence their work. Back to Duty

B5: Comfortable and confident interacting with people from technical and non-technical backgrounds. Back to Duty

B6: Participates and shares best practice in their organisation and the wider community of Digital Forensics. Back to Duty

B7: Maintains awareness of trends and innovations utilising a range of academic literature, online sources, community interaction, conference attendance and other methods that can deliver business value. Back to Duty

B8: Leads by example, acting as a role model for equity, diversity and inclusion. Back to Duty

Qualifications

English and Maths

Apprentices without level 2 English and maths will need to achieve this level prior to taking the End-Point Assessment. For those with an education, health and care plan or a legacy statement, the apprenticeship’s English and maths minimum requirement is Entry Level 3. A British Sign Language (BSL) qualification is an alternative to the English qualification for those whose primary language is BSL.

Professional recognition

This standard aligns with the following professional recognition:

  • The Chartered Institute of Information Security for Chartered
  • Institute of Cyber Digital Investigation Professionals for Chartered
Print EPA plan

End-point assessment plan

v1.0

Introduction and overview

This document explains the requirements for end-point assessment (EPA) for the advanced digital forensic professional apprenticeship. End-point assessment organisations (EPAOs) must follow this when designing and delivering the EPA.

Advanced digital forensic professional apprentices, their employers and training providers should read this document.

A full-time advanced digital forensic professional apprentice typically spends 36 months on-programme. The apprentice must spend at least 12 months on-programme and complete the required amount of off-the-job training in line with the apprenticeship funding rules.

The EPA should be completed within an EPA period lasting typically 6 months.

The apprentice must complete their training and meet the gateway requirements before starting their EPA. The EPA will assess occupational competence.

An approved EPAO must conduct the EPA for this apprenticeship. Employers must work with the training provider to select an approved EPAO from the apprenticeship providers and assessment register (APAR).

This EPA has 2 assessment methods.

The grades available for each assessment method are below.

Assessment method 1 - dissertation including presentation with questions:

  • fail
  • pass
  • distinction

Assessment method 2 - professional discussion underpinned by a portfolio:

  • fail
  • pass
  • distinction

The result from each assessment method is combined to decide the overall apprenticeship grade. The following grades are available for the apprenticeship:

  • fail
  • pass
  • merit
  • distinction

EPA summary table

On-programme - typically 36 months

The apprentice must:

  • complete training to develop the knowledge, skills and behaviours (KSBs) outlined in this apprenticeship’s standard
  • complete training towards English and mathematics qualifications in line with the apprenticeship funding rules

  • compile a portfolio of evidence

End-point assessment gateway

The apprentice’s employer must be content that the apprentice is occupationally competent.

The apprentice must:

  • confirm they are ready to take the EPA
  • have achieved English and mathematics qualifications in line with the apprenticeship funding rules

For the dissertation including presentation with questions, the apprentice must submit a project brief. To ensure the project allows the apprentice to meet the KSBs mapped to this assessment method to the highest available grade, the EPAO should sign-off the project’s title and scope at the gateway to confirm it is suitable. A brief project summary must be submitted to the EPAO. It should be no more than 500 words. This needs to show that the project will provide the opportunity for the apprentice to cover the KSBs mapped to this assessment method. It is not assessed.

For the professional discussion underpinned by a portfolio, the apprentice must submit a portfolio of evidence.

Gateway evidence must be submitted to the EPAO, along with any organisation specific policies and procedures requested by the EPAO.

End-point assessment - typically 6 months

The grades available for each assessment method are below

Dissertation including presentation with questions:

  • fail

  • pass

  • distinction

Professional discussion underpinned by a portfolio:

  • fail

  • pass

  • distinction

Overall EPA and apprenticeship can be graded:

    • fail
    • pass
    • merit
    • distinction

Professional recognition

This apprenticeship aligns with:

  • The Chartered Institute of Information Security for Chartered

This apprenticeship aligns with:

  • Institute of Cyber Digital Investigation Professionals for Chartered

Duration of end-point assessment period

The EPA is taken in the EPA period. The EPA period starts when the EPAO confirms the gateway requirements have been met and is typically 6 months.

The EPAO should confirm the gateway requirements have been met and start the EPA as quickly as possible.

EPA gateway

The apprentice’s employer must be content that the apprentice is occupationally competent. That is, they are deemed to be working at or above the level set out in the apprenticeship standard and ready to undertake the EPA. The employer may take advice from the apprentice's training provider, but the employer must make the decision. The apprentice will then enter the gateway.

The apprentice must meet the gateway requirements before starting their EPA.

They must:

  • confirm they are ready to take the EPA
  • have achieved English and mathematics qualifications in line with the apprenticeship funding rules

  • submit a project brief for the dissertation including presentation with questions

  • submit a portfolio of evidence for the professional discussion underpinned by a portfolio

Portfolio of evidence requirements:

The apprentice must compile a portfolio of evidence during the on-programme period of the apprenticeship. It should only contain evidence related to the KSBs that will be assessed by the professional discussion. It will typically contain 10 discrete pieces of evidence. Evidence must be mapped against the KSBs. Evidence may be used to demonstrate more than one KSB; a qualitative as opposed to quantitative approach is suggested.

Evidence sources may include:

  • workplace documentation and records, for example:
  • workplace policies and procedures
  • witness statements
  • annotated photographs
  • Evidence of practical work undertaken
  • video clips with a maximum total duration 10 minutes; the apprentice must be in view and identifiable

This is not a definitive list; other evidence sources can be included.

The portfolio of evidence should not include reflective accounts or any methods of self-assessment. Any employer contributions should focus on direct observation of performance, for example, witness statements, rather than opinions. The evidence provided should be valid and attributable to the apprentice; the portfolio of evidence should contain a statement from the employer and apprentice confirming this.

The EPAO should not assess the portfolio of evidence directly as it underpins the discussion. The independent assessor should review the portfolio of evidence to prepare questions for the discussion. They are not required to provide feedback after this review.

Gateway evidence must be submitted to the EPAO, along with any organisation specific policies and procedures requested by the EPAO.

Order of assessment methods

The assessment methods can be delivered in any order.

The result of one assessment method does not need to be known before starting the next.

Dissertation including presentation with questions

Overview

A project involves the apprentice completing a significant and defined piece of work that has a real business application and benefit. The project must meet the needs of the employer’s business and be relevant to the apprentice’s occupation and apprenticeship.

This assessment method has 2 components:

  • project with a project output

  • presentation with questions and answers

Together, these components give the apprentice the opportunity to demonstrate the KSBs mapped to this assessment method. They are assessed by an independent assessor.

Rationale

This assessment method is being used because:

  • it allows for the assessment of KSBs that take place over a long period of time
  • it allows for a broad set of KSBs to be evidence during the post-gateway period
  • it assesses knowledge, skills and behaviour holistically it can produce something that is of genuine business benefit to the apprentice’s employer therefore is cost effective
  • it allows the apprentice to directly demonstrate KSBs relating to communication and presentation
  • it allows for the presentation of evidence and testing of responses where there are a range of potential answer
  • it provides full integration of the degree
  • it tests the ability to research and provide solutions to potential problems
  • it is appropriate for a level 7 qualification
  • it reduces over assessment
  • it provides the opportunity to assess KSBs unable to be observed in the workplace as the work cycle is too long
  • it provides the opportunity to demonstrate and evidence practical skills
  • it tests the requirement for professionals to be at the forefront of research and development assessing the ability to utilise these techniques into the workplace
  • the dissertation must be completed after gateway
  • the dissertation is an assessment method therefore no further learning can be provided after gateway

Delivery

The apprentice must complete a project based on any of the following:

The continuous improvement review of a current digital forensic process, service or product to ensure it is fit for purpose and meets the current needs of the business.

The recommendation and implementation of an innovative digital forensic technique or process that would benefit across their team, department, or organisation.

Addressing an issue or concern raised through quality inspections to align practice to the regulators codes.

That includes the demonstration of practical skills.

A cross sector collaboration to address future challenges and technologies.

To ensure the project allows the apprentice to meet the KSBs mapped to this assessment method to the highest available grade, the EPAO must sign-off the project’s title and scope at the gateway to confirm it is suitable. The EPAO must refer to the grading descriptors to ensure that projects are pitched appropriately.

The project output must be in the form of dissertation.

The apprentice must start the project after the gateway. The employer should ensure the apprentice has the time and resources, within the project period, to plan and complete their project.

The apprentice may work as part of a team to complete the project, which could include internal colleagues or technical experts. The apprentice must however, complete their dissertation and presentation unaided and they must be reflective of their own role and contribution. The apprentice and their employer must confirm this when the dissertation and any presentation materials are submitted.

Component 1: A project with dissertation

The dissertation must include at least:

  • introduction
  • background
  • aims and objectives
  • research and methodology
  • approach taken
  • Including practical techniques utilised
  • data selection, collection & pre-processing
  • stakeholder engagement
  • risks to consider
  • outcomes
  • discussion
  • survey of potential alternatives
  • implementation including performance metrics
  • impact of the project
  • business implications
  • measure of success
  • conclusions
  • recommendations
  • caveats & limitations
  • statistical rigour - to include uncertainty, bias, error, caveats, limitations of data collected, research methods used, sample chosen and estimates

The dissertation must cover the use of different analytical development techniques in the workplace. The apprentice needs to explain how these techniques have identified gaps and opportunities for further analysis. How they engaged with clients, their own organisation and other interested parties and should explain their critical thinking in both their analysis and generation of their overall findings and recommendations.

The dissertation must have a word count of 8000 words. A tolerance of 10% above or below the word count is allowed at the apprentice's discretion. Appendices, references and diagrams are not included in this total. The apprentice must produce and include an appendix, showing how the output evidences the KSBs mapped to this assessment method.

The apprentice must complete and submit the dissertation and any presentation materials to the EPAO by the end of week of the EPA period.

Component 2: Presentation with questions

The presentation with questions must be structured to give the apprentice the opportunity to demonstrate the KSBs mapped to this assessment method to the highest available grade.

The apprentice must prepare and deliver a presentation to an independent assessor. After the presentation, the independent assessor must ask the apprentice questions about their project, dissertation and presentation.

The presentation should cover:

  • an overview of the project
  • the project scope (including key performance indicators)
  • summary of actions undertaken by the apprentice
  • project outcomes and how these were achieved

The presentation with questions must last 90 minutes. This will typically include a presentation of 30 minutes and questioning lasting 60 minutes. The independent assessor must use the full time available for questioning. The independent assessor can increase the time of the presentation and questioning by up to 10%. This time is to allow the apprentice to complete their last point or respond to a question if necessary.

The independent assessor must ask at least 10 questions. They must use the questions from the EPAO’s question bank or create their own questions in line with the EPAO’s training. Follow up questions are allowed where clarification is required.

The purpose of the independent assessor's questions is:

  • to verify that the activity was completed by the apprentice
  • to seek clarification where required
  • to assess those KSBs that the apprentice did not have the opportunity to demonstrate with the dissertation, although these should be kept to a minimum
  • to assess level of competence against the grading descriptors

The apprentice must submit their presentation materials to the EPAO at the same time as the dissertation - by the end of week 26 of the EPA period. The apprentice must notify the EPAO, at that point, of any technical requirements for the presentation.

During the presentation, the apprentice must have access to:

  • audio-visual presentation equipment
  • flip chart and writing and drawing materials
  • computer
  • work products
  • notes
  • interactive boards
  • videos
  • interactive demonstrations

The independent assessor must have at least 4 weeks to review the dissertation and any presentation materials, to allow them to prepare questions.

The apprentice must be given at least 2 weeks’ notice of the presentation with questions.

Assessment decision

The independent assessor must make the grading decision. They must assess the project components holistically when deciding the grade.

The independent assessor must keep accurate records of the assessment. They must record:

  • the KSBs demonstrated in the dissertation and presentation with questions
  • the apprentice’s answers to questions
  • the grade achieved

Assessment location

The presentation with questions must take place in a suitable venue selected by the EPAO for example, the EPAO’s or employer’s premises. It should take place in a quiet room, free from distractions and influence.

The presentation with questions can be conducted by video conferencing. The EPAO must have processes in place to verify the identity of the apprentice and ensure the apprentice is not being aided.

Question and resource development

The EPAO must develop a purpose-built assessment specification and question bank. It is recommended this is done in consultation with employers of this occupation. The EPAO must maintain the security and confidentiality of EPA materials when consulting with employers. The assessment specification and question bank must be reviewed at least once a year to ensure they remain fit-for-purpose.

The assessment specification must be relevant to the occupation and demonstrate how to assess the KSBs mapped to this assessment method. The EPAO must ensure that questions are refined and developed to a high standard. The questions must be unpredictable. A question bank of sufficient size will support this.

The EPAO must ensure that the apprentice has a different set of questions in the case of re-sits or re-takes.

EPAO must produce the following materials to support the project:

  • independent assessor EPA materials which include:
    • training materials
    • administration materials
    • moderation and standardisation materials
    • guidance materials
    • grading guidance
    • question bank
  • EPA guidance for the apprentice and the employer

The EPAO must ensure that the EPA materials are subject to quality assurance procedures including standardisation and moderation.

Professional discussion underpinned by a portfolio

Overview

In the professional discussion, an independent assessor and apprentice have a formal two-way conversation. It gives the apprentice the opportunity to demonstrate the KSBs mapped to this assessment method.

The apprentice can refer to and illustrate their answers with evidence from their portfolio of evidence.

Rationale

This assessment method is being used because:

  • it assesses KSBs holistically and objectively
  • it allows for the assessment of KSBs that do not occur on a predictable or regular basis
  • it allows for assessment of responses where there are a range of potential answers
  • it can be conducted remotely, potentially reducing cost
  • it is part of the occupation to engage in detailed technical discussions and present findings and recommendations, so this assessment method mirrors day-to-day work

Delivery

The professional discussion must be structured to give the apprentice the opportunity to demonstrate the KSBs mapped to this assessment method to the highest available grade.

An independent assessor must conduct and assess the professional discussion. Questions based on the following themes:

  • digital forensic science: investigation, legislation, ethics and quality assurance
  • complex data capture and processing
  • complex data analysis and reporting

The EPAO must give an apprentice 2 weeks' notice of the professional discussion.

The independent assessor must have at least 4 weeks to review the supporting documentation.

The apprentice must have access to their portfolio of evidence during the professional discussion.

The apprentice can refer to and illustrate their answers with evidence from their portfolio of evidence however, the portfolio of evidence is not directly assessed.

The professional discussion must last for 90 minutes. The independent assessor can increase the time of the professional discussion by up to 10%. This time is to allow the apprentice to respond to a question if necessary.

The independent assessor must ask at least 10 questions. The independent assessor must use the questions from the EPAO’s question bank or create their own questions in line with the EPAO’s training. Follow-up questions are allowed where clarification is required.

The independent assessor must make the grading decision.

The independent assessor must keep accurate records of the assessment. They must record:

  • the apprentice’s answers to questions
  • the KSBs demonstrated in answers to questions
  • the grade achieved 

Assessment location

The professional discussion must take place in a suitable venue selected by the EPAO for example, the EPAO’s or employer’s premises.

The professional discussion can be conducted by video conferencing. The EPAO must have processes in place to verify the identity of the apprentice and ensure the apprentice is not being aided.

The professional discussion should take place in a quiet room, free from distractions and influence.

Question and resource development

The EPAO must develop a purpose-built assessment specification and question bank. It is recommended this is done in consultation with employers of this occupation. The EPAO must maintain the security and confidentiality of EPA materials when consulting with employers. The assessment specification and question bank must be reviewed at least once a year to ensure they remain fit-for-purpose.

The assessment specification must be relevant to the occupation and demonstrate how to assess the KSBs mapped to this assessment method. The EPAO must ensure that questions are refined and developed to a high standard. The questions must be unpredictable. A question bank of sufficient size will support this.

The EPAO must ensure that the apprentice has a different set of questions in the case of re-sits or re-takes.

The EPAO must produce the following materials to support the professional discussion underpinned by a portfolio:

  • independent assessor assessment materials which include:
    • training materials
    • administration materials
    • moderation and standardisation materials
    • guidance materials
    • grading guidance
    • question bank
  • EPA guidance for the apprentice and the employer

The EPAO must ensure that the EPA materials are subject to quality assurance procedures including standardisation and moderation.

Grading

Dissertation including presentation with questions

Theme
KSBs
Pass
Apprentices must demonstrate all of the pass descriptors
Distinction
Apprentices must demonstrate all of the pass descriptors and all of the distinction descriptors
Digital Forensic Science: Investigation, legislation, Ethics and Quality Assurance
K1 K2 K3 K5 K6 K38 K39 S1 S2 S3 S17 S18 B6 B8

Outlines how they have interpreted and applied legislation and guidance for the examination of digital devices and the capture of digital data and material in investigations casework and decision making. K1, S1

Explains how to develop, promote and use a governance culture in the technical working environment that is a safe, lawful, ethical and unbiased when dealing with digital devices and data  and conducting investigations to ensure privacy and safeguard victims and vulnerable persons.  K2, K3, S2

Explains the impact and risks presented to embedding novel techniques from proof of concept through to embedding as an approved technique within the laboratory and the quality standard requirements involved, sharing best practice in their organisation and the wider community. K5, S3, B6

Identifies the scientific requirements needed to establish a technical standard for a new forensic science activity, including validation of methods and tools, practitioner competency and training. K6

Explains how they have acted as a role model when following and applying equity, diversity, and inclusion rules and procedures in the workplace and the impact this had on the organisation. K38, S17, B8

Uses specialist multi-capability techniques to forensically identify and examine the authenticity of evidential material and anomalies associated with manipulated or faked material. K39, S18

 

 

Critically evaluates how using a safe, lawful, ethical and unbiased governance culture impacts the victims and vulnerable persons. K2, K3, S2

 

 

Complex Data Analysis and Reporting
K26 K27 S11

Applies tactical solutions and interpretations of local network architecture to inform crime scene examination plans whilst using independent, impartial decision making when solving complex problems and technically challenge the constraints of digital forensic methodologies. K26, K27, S11

 

 

Justifies their decision making in relation to tactical solutions and how this resulted in the solving of complex problems. K26, K27, S11

Research Methods and Emerging Technologies
K32 K33 K34 K35 K36 K37 S14 S15 S16 B5 B7

Uses literature reviews and appropriate research methodologies to address the research gaps in digital forensics, utilising a range of academic literature, online sources, community interaction and conferences to maintain an awareness of trends and innovations. K32, S14, B7

Uses research methods and statistical analysis including data science and AI to critically analyse information and communicate meaningful conclusions of their findings. K33, K34, K35, S15

Explains how they have interacted and collaborated with a range of people and partners from technical and non-technical backgrounds to advance national digital forensics and evaluate emerging technologies whilst contributing to sustainability goals. K36, K37, S16, B5

 

Evaluates how they have used a broad partnership approach across a range of police force, government organisations, private sector, and academia to share knowledge nationally. K36, K37, S16

 

Professional discussion underpinned by a portfolio

Theme
KSBs
Pass
Apprentices must demonstrate all of the pass descriptors
Distinction
Apprentices must demonstrate all of the pass descriptors and all of the distinction descriptors
Digital Forensic Science: Investigation, legislation, Ethics and Quality Assurance
K4 K7 K8 K9 K10 K30 K31 K40 S4 S5 S6 S13 S19 B1 B2 B4

Identifies what a digital forensic strategy entails, particularly regarding the acquisition, preservation, handling, processing, and analysis of digital intelligence, and how this supports the investigation whilst mitigating the risks presented K7, K8

Explains how they mentor and support the professional development of others whilst maintaining their own knowledge and skills in relation to the digital forensic developments that influence their work. K9, B4

Explains the techniques used for identifying and managing the wellbeing of others involved in the processing of sensitive content, including strategies that can address trauma and support team performance with particular emphasis on embedding specialist techniques. K4, S5

Explains how they worked in line with organisational priorities and standards to co-ordinate the allocation, delivery and priority of team workload to advance and support investigations, demonstrating commitment and a strong work ethic. K10, S6, B1

Outlines how they distinguish between factual and interpretive expert reporting to provide unbiased, fair and transparent evidence for the investigative process, taking into account e-discovery strategy for complex cases and producing reports, technical explanation and statements whilst understanding the limitations of results. K30, K31, S13

Explains how they act with integrity to develop, communicate, and implement legal and ethical forensic strategies that ensure the protection of personal data, safety, and security and proactively support serious and complex investigations. S4, B2

Explains how they apply knowledge of new technological risks and threats to influence change to the digital forensic examination process. K40, S19

 

Justifies their decision and articulates levels of uncertainty with the methodology and declaration of when forensic activity falls outside of the FSR codes. S13

Complex Data Capture and Processing
K11 K12 K13 K14 K15 K20 K21 K22 K23 K24 K25 S7 S9 S10 B3

Describes how they have lead the advanced application of specialist principles for digital forensic science using their knowledge of horizon scanning to inform triage decisions, core network design across multiple devices, recovery processing, and analysis, data features including forensic linguistics and image authenticity and complementary evidence, whilst ensuring the use of cross cutting-edge technical evidence for the investigative process. K11, K12, K13, K14, K15, S7

Explains how they interrogate the components and artefacts of complex digital material across digital forensic disciplines, in a forensic manner, taking in to account the correct handling, and challenges of storage media, to find evidence relevant to investigations, and explain how these artefacts can be exploited in investigations and how artificial intelligence could be used to help identify and generate relevant evidential material, always considering the encryption technologies that device manufacturers employ and the impact this has on forensic activity and circumventions. K20, K21, K22, K23, S9

Describes the use of common fault finding techniques to examine non-functional electronic devices and the use of specialist tools and techniques  to capture and remove evidence and data which has been compromised by environmental conditions, demonstrating  initiative and personal responsibility to overcome digital forensic challenges. K24, K25, S10, B3

 

 

Critically evaluates their research to back up their decision making. Making reference to relevant emerging technologies and challenges whist demonstrating their understanding of encryption technology and its application. K20, K21, K22, S9

Critically evaluates how their leading of advanced applications of specialist principles has impacted the investigative process. K11, K12, K13, K14, K15, S7

Complex Data Analysis and Reporting
K16 K17 K18 K19 K28 K29 S8 S12

Outlines how they process, analyse and interpret complex digital data to establish forensic evidence for investigations, using their understanding of the function of forensic opportunities presented by common block device file systems, common data and database structures for the storage of text, media and system application data and taking into account the complexities of technical and dynamic risks identified through the investigative process. K16, K17, K18 K19, S8

Explains how to write scripts and programs for extracting and reporting data, including decomplication, reverse engineering, static and dynamic analysis approaches in order to communicate, negotiate, influence, and support all parts of the investigative process. K28, K29, S12

 

 

Critically evaluates their approaches to writing scripts and programs for extracting and reporting data, and the methods used to communicate, negotiate, influence and support all parts of the investigative process. K28, K29, S12

Overall EPA grading

Performance in the EPA determines the overall grade of:

  • fail

  • pass

  • merit

  • distinction

An independent assessor must individually grade the dissertation including presentation with questions and professional discussion underpinned by a portfolio in line with this EPA plan.

The EPAO must combine the individual assessment method grades to determine the overall EPA grade.

If the apprentice fails one assessment method or more, they will be awarded an overall fail.

To achieve an overall pass, the apprentice must achieve at least a pass in all the assessment methods. All EPA methods must be passed for the EPA to be passed overall. Apprentices must gain at least a pass in all assessment methods to achieve a pass overall. Apprentices must gain at least a pass in one assessment method and a distinction in the other assessment methods to gain a merit overall. Apprentices must gain a distinction in all assessment methods to gain a distinction overall. There is equal weighting of assessment methods. Grades from individual assessment methods should be combined in the following way to determine the grade of the EPA as a whole:

Grades from individual assessment methods must be combined in the following way to determine the grade of the EPA overall.

Dissertation including presentation with questions Professional discussion underpinned by a portfolio Overall Grading
Fail Fail Fail
Fail Any grade Fail
Any grade Fail Fail
Pass Pass Pass
Distinction Pass Merit
Pass Distinction Merit
Distinction Distinction Distinction

Re-sits and re-takes

If the apprentice fails one assessment method or more, they can take a re-sit or a re-take at their employer’s discretion. The apprentice’s employer needs to agree that a re-sit or re-take is appropriate. A re-sit does not need further learning, whereas a re-take does. The apprentice should have a supportive action plan to prepare for a re-sit or a re-take.

The employer and the EPAO should agree the timescale for a re-sit or re-take. A re-sit is typically taken within 1 months of the EPA outcome notification. The timescale for a re-take is dependent on how much re-training is required and is typically taken within 6 months of the EPA outcome notification.


If the apprentice fails the project assessment method, they must amend the project output in line with the independent assessor’s feedback. The apprentice will be given 2 weeks to rework and submit the amended Dissertation.

Failed assessment methods must be re-sat or re-taken within a 6-month period from the EPA outcome notification, otherwise the entire EPA will need to be re-sat or re-taken in full.

Re-sits and re-takes are not offered to an apprentice wishing to move from pass to a higher grade.

The apprentice will get a maximum EPA grade of if pass they need to re-sit or re-take one or more assessment methods, unless the EPAO determines there are exceptional circumstances.

Roles and responsibilities

Roles Responsibilities

Apprentice

As a minimum, the apprentice should:

  • complete on-programme training to meet the KSBs as outlined in the apprenticeship standard for a minimum of 12 months
  • complete the required amount of off-the-job training specified by the apprenticeship funding rules and as arranged by the employer and training provider
  • understand the purpose and importance of EPA
  • prepare for and undertake the EPA including meeting all gateway requirements

Employer

As a minimum, the apprentice's employer must:

  • select the training provider
  • work with the training provider to select the EPAO
  • work with the training provider, where applicable, to support the apprentice in the workplace and to provide the opportunities for the apprentice to develop the KSBs
  • arrange and support off-the-job training to be undertaken by the apprentice 
  • decide when the apprentice is working at or above the apprenticeship standard and is ready for EPA
  • ensure the apprentice is prepared for the EPA
  • ensure that all supporting evidence required at the gateway is submitted in line with this EPA plan
  • confirm arrangements with the EPAO for the EPA in a timely manner, including who, when, where
  • provide the EPAO with access to any employer-specific documentation as required for example, company policies
  • ensure that the EPA is scheduled with the EPAO for a date and time which allows appropriate opportunity for the apprentice to meet the KSBs
  • ensure the apprentice is given sufficient time away from regular duties to prepare for, and complete the EPA
  • ensure that any required supervision during the EPA period, as stated within this EPA plan, is in place
  • ensure the apprentice has access to the resources used to fulfil their role and carry out the EPA for workplace based assessments
  • remain independent from the delivery of the EPA
  • pass the certificate to the apprentice upon receipt

EPAO

As a minimum, the EPAO must:

  • conform to the requirements of this EPA plan and deliver its requirements in a timely manner
  • conform to the requirements of the apprenticeship provider and assessment register
  • conform to the requirements of the external quality assurance provider (EQAP)
  • understand the apprenticeship including the occupational standard and EPA plan
  • make all necessary contractual arrangements including agreeing the price of the EPA
  • develop and produce assessment materials including specifications and marking materials, for example mark schemes, practice materials, training material
  • maintain and apply a policy for the declaration and management of conflict of interests and independence. This must ensure, as a minimum, there is no personal benefit or detriment for those delivering the EPA or from the result of an assessment. It must cover:
    • apprentices
    • employers
    • independent assessors
    • any other roles involved in delivery or grading of the EPA
  • have quality assurance systems and procedures that ensure fair, reliable and consistent assessment and maintain records of internal quality assurance (IQA) activity for external quality assurance (EQA) purposes
  • appoint independent, competent, and suitably qualified assessors in line with the requirements of this EPA plan
  • appoint administrators, invigilators and any other roles where required to facilitate the EPA
  • deliver induction, initial and on-going training for all their independent assessors and any other roles involved in the delivery or grading of the EPA as specified within this EPA plan. This should include how to record the rationale and evidence for grading decisions where required
  • conduct standardisation with all their independent assessors before allowing them to deliver an EPA, when the EPA is updated, and at least once a year
  • conduct moderation across all of their independent assessors decisions once EPAs have started according to a sampling plan, with associated risk rating of independent assessors
  • monitor the performance of all their independent assessors and provide additional training where necessary
  • develop and provide assessment recording documentation to ensure a clear and auditable process is in place for providing assessment decisions and feedback to all relevant stakeholders
  • use language in the development and delivery of the EPA that is appropriate to the level of the apprenticeship
  • arrange for the EPA to take place in a timely manner, in consultation with the employer
  • provide information, advice, and guidance documentation to enable apprentices, employers and training providers to prepare for the EPA
  • confirm the gateway requirements have been met before they start the EPA for an apprentice
  • arrange a suitable venue for the EPA
  • maintain the security of the EPA including, but not limited to, verifying the identity of the apprentice, invigilation and security of materials
  • where the EPA plan permits assessment away from the workplace, ensure that the apprentice has access to the required resources and liaise with the employer to agree this if necessary
  • confirm the overall grade awarded
  • maintain and apply a policy for conducting appeals

Independent assessor

As a minimum, an independent assessor must:

  • be independent, with no conflict of interest with the apprentice, their employer or training provider, specifically, they must not receive a personal benefit or detriment from the result of the assessment
  • have, maintain and be able to evidence up-to-date knowledge and expertise of the occupation
  • have the competence to assess the EPA and meet the requirements of the IQA section of this EPA plan
  • understand the apprenticeship’s occupational standard and EPA plan
  • attend induction and standardisation events before they conduct an EPA for the first time, when the EPA is updated, and at least once a year
  • use language in the delivery of the EPA that is appropriate to the level of the apprenticeship
  • work with other personnel, where used, in the preparation and delivery of assessment methods
  • conduct the EPA to assess the apprentice against the KSBs and in line with the EPA plan
  • make final grading decisions in line with this EPA plan
  • record and report assessment outcome decisions
  • comply with the IQA requirements of the EPAO
  • comply with external quality assurance (EQA) requirements

Training provider

As a minimum, the training provider must:

  • conform to the requirements of the apprenticeship provider and assessment register
  • ensure procedures are in place to mitigate against any conflict of interest
  • work with the employer and support the apprentice during the off-the-job training to provide the opportunities to develop the KSBs as outlined in the occupational standard
  • deliver training to the apprentice as outlined in their apprenticeship agreement
  • monitor the apprentice’s progress during any training provider led on-programme learning
  • ensure the apprentice is prepared for the EPA
  • work with the employer to select the EPAO
  • advise the employer, upon request, on the apprentice’s readiness for EPA
  • ensure that all supporting evidence required at the gateway is submitted in line with this EPA plan
  • remain independent from the delivery of the EPA

Technical expert

As a minimum, the technical expert should:

  • have no direct connection or conflict of interest with the apprentice or training provider
  • provide technical support, advice and guidance such as confirming company policies, procedures or processes, and providing context on technical information or on emerging technologies
  • provide information only at the request of the independent assessor (who has the final say over the assessment and grade awarded)
  • not provide information on behalf of the apprentice, ask the apprentice questions or influence the apprentice or the assessment judgement in any way
  • not amplify or clarify points made by the apprentice

Reasonable adjustments

The EPAO must have reasonable adjustments arrangements for the EPA.

This should include:

  • how an apprentice qualifies for a reasonable adjustment
  • what reasonable adjustments may be made

Adjustments must maintain the validity, reliability and integrity of the EPA as outlined in this EPA plan.

Special considerations

The EPAO must have special consideration arrangements for the EPA.

This should include:

  • how an apprentice qualifies for a special consideration
  • what special considerations will be given

Special considerations must maintain the validity, reliability and integrity of the EPA as outlined in this EPA plan.

Internal quality assurance

Internal quality assurance refers to the strategies, policies and procedures that an EPAO must have in place to ensure valid, consistent and reliable EPA decisions.

EPAOs for this EPA must adhere to the requirements within the roles and responsibilities table.

They must also appoint independent assessors who:

  • have recent relevant experience of the occupation or sector to at least occupational level 7 gained in the last 2 years or significant experience of the occupation or sector

Value for money

Affordability of the EPA will be aided by using at least some of the following:

  • utilising digital remote platforms to conduct applicable assessment methods
  • using the employer’s premises

Professional recognition

This apprenticeship aligns with:

  • The Chartered Institute of Information Security for Chartered

This apprenticeship aligns with:

  • Institute of Cyber Digital Investigation Professionals for Chartered

KSB mapping table

Knowledge Assessment methods
K1

Interpretation, implication and application of legislation and guidance for the examination of digital devices and material for use in investigations.

Back to Grading
Dissertation including presentation with questions
K2

How to conduct investigations and leverage intelligence in order to identify and safeguard victims and vulnerable persons.

Back to Grading
Dissertation including presentation with questions
K3

Ethical handling and management of evidential material and its sources to ensure privacy.

Back to Grading
Dissertation including presentation with questions
K4

Techniques for identifying and managing well-being within a digital forensic team and the strategies to address trauma and how to access support due to the impact that processing sensitive or potentially distressing content can have on an individual.

Back to Grading
Professional discussion underpinned by a portfolio
K5

Processes for accrediting and embedding novel techniques in the laboratory, from proof of concept to approved techniques, associated risks and the impact of Quality Standard Requirements and Forensic Science Regulator (FSR) Codes of Practice (including information security, assurance, and business continuity).

Back to Grading
Dissertation including presentation with questions
K6

Scientific requirements needed to establish a technical standard for a new forensic science activity, including validation of methods and tools, practitioner competency, and training.

Back to Grading
Dissertation including presentation with questions
K7

Scope of techniques within digital forensics regarding the acquisition, preservation, handling, processing and analysis of digital intelligence.

Back to Grading
Professional discussion underpinned by a portfolio
K8

What a digital forensic strategy entails, and how this supports the investigation whilst mitigating the risks presented.

Back to Grading
Professional discussion underpinned by a portfolio
K9

Mentoring and how to support the professional development of others.

Back to Grading
Professional discussion underpinned by a portfolio
K10

Techniques to co-ordinate the allocation, delivery, and priority of team workload to advance and support investigation in line with organisational priorities.

Back to Grading
Professional discussion underpinned by a portfolio
K11

Horizon scanning, technological advances, and their value to inform strategies for triage and frontline and investigative capability.

Back to Grading
Professional discussion underpinned by a portfolio
K12

Core network design and storage technologies across multiple devices and common architectures.

Back to Grading
Professional discussion underpinned by a portfolio
K13

Specialist video multimedia, recovery, processing and analysis to enhance digital forensics compliance.

Back to Grading
Professional discussion underpinned by a portfolio
K14

Common data features across specialist forensics capabilities, including forensic linguistics, and image authenticity relevant to evidence handling and interpretation of digital forensic material.

Back to Grading
Professional discussion underpinned by a portfolio
K15

Opportunities for complementary evidence, for example open source, cell site, communications intelligence, text encoding initiative and vehicles.

Back to Grading
Professional discussion underpinned by a portfolio
K16

The function of, and forensic opportunities presented by, common block device file systems, for example New Technology File System (NTFS), File Allocation Table (FAT), Extended File System (ext), Hierarchical File System Plus (HFS+), Apple File System (APFS) and partitioning technologies.

Back to Grading
Professional discussion underpinned by a portfolio
K17

Common data structures for storage of text and media, for example text, XML, JSON, image, and video formats.

Back to Grading
Professional discussion underpinned by a portfolio
K18

Data and database-type structures for storage of system and application data, for example system logs, Windows Registry, system configuration, (b)plists, SQLite, RealmDB, ProtoBuffers.

Back to Grading
Professional discussion underpinned by a portfolio
K19

The complexities of technical and dynamic risks identified through the investigative process, for example data vulnerabilities.

Back to Grading
Professional discussion underpinned by a portfolio
K20

Encryption technologies and security methods employed by device manufacturers and their impact on forensic activity and circumventions.

Back to Grading
Professional discussion underpinned by a portfolio
K21

Artefact types across digital forensic disciplines, and how they can be exploited in investigations.

Back to Grading
Professional discussion underpinned by a portfolio
K22

Handling treatment opportunities and challenges of various storage media, including magnetic, optical, and flash memory.

Back to Grading
Professional discussion underpinned by a portfolio
K23

Applications and uses of artificial intelligence to identify and generate evidential material.

Back to Grading
Professional discussion underpinned by a portfolio
K24

Fault-finding and diagnostic techniques and equipment, including use of voltmeters, thermal imagers and continuity checkers for non-functional electronic devices.

Back to Grading
Professional discussion underpinned by a portfolio
K25

How to capture evidence compromised by environmental conditions.

Back to Grading
Professional discussion underpinned by a portfolio
K26

The importance of independent, impartial decision-making that respects the opinions and views of others in complex, unpredictable and changing circumstances.

Back to Grading
Dissertation including presentation with questions
K27

Tactical solutions and interpretation of local network architecture to inform plans for examining digital evidence.

Back to Grading
Dissertation including presentation with questions
K28

Script programs to extract and report data not processed by extraction tool capability, including writing structured query language (SQL) and scripts for interpretation of data, for example Python.

Back to Grading
Professional discussion underpinned by a portfolio
K29

Decomplication, reverse-engineering, static and dynamic analysis approaches, including application virtualisation.

Back to Grading
Professional discussion underpinned by a portfolio
K30

Requirements for providing unbiased interpretive evidence, understanding of the limitations of results, including unconscious bias and performance of tools.

Back to Grading
Professional discussion underpinned by a portfolio
K31

E-Discovery strategy for large and complex cases.

Back to Grading
Professional discussion underpinned by a portfolio
K32

Conducting literature reviews.

Back to Grading
Dissertation including presentation with questions
K33

Research methods and statistical analysis, including data science and Artificial Intelligence.

Back to Grading
Dissertation including presentation with questions
K34

Statistical methods and data interpretation.

Back to Grading
Dissertation including presentation with questions
K35

How to draw meaningful conclusions and the communication of research findings.

Back to Grading
Dissertation including presentation with questions
K36

How to effectively collaborate with partners and across disciplines to advance national digital forensics and evaluate emerging technology.

Back to Grading
Dissertation including presentation with questions
K37

How their role contributes to sustainability goals.

Back to Grading
Dissertation including presentation with questions
K38

Principles and policies of equity, diversity and inclusion in the workplace and their impact on the organisation.

Back to Grading
Dissertation including presentation with questions
K39

Techniques to identify evidential anomalies associated with manipulated or faked material.

Back to Grading
Dissertation including presentation with questions
K40

Emerging trends and technological threats that could disrupt and influence the credibility of forensic evidence.

Back to Grading
Professional discussion underpinned by a portfolio
Skill Assessment methods
S1

Apply legislation and guidance for the capture and examination of digital data to casework and decision-making.

Back to Grading
Dissertation including presentation with questions
S2

Conduct investigations and manage evidence ethically to ensure safeguarding of victims and vulnerable persons, including providing support in the technical working environment when dealing with digital devices and data that may contain personal, sensitive or potentially distressing information.

Back to Grading
Dissertation including presentation with questions
S3

Undertake work to support the accreditation of novel techniques, from proof of concept through to embedding approved techniques within the laboratory.

Back to Grading
Dissertation including presentation with questions
S4

Develop legal and ethical digital forensic strategies and communicate with a range of stakeholders to implement these to proactively support serious and complex investigations.

Back to Grading
Professional discussion underpinned by a portfolio
S5

Mentoring skills to support the performance of the digital forensics team. Providing advice and guidance with particular emphasis on embedding specialist techniques.

Back to Grading
Professional discussion underpinned by a portfolio
S6

Co-ordinate the allocation, delivery, and priority of team workload to advance and support investigation.

Back to Grading
Professional discussion underpinned by a portfolio
S7

Lead the advanced application of specialist principles for digital forensic science, ensuring the use of cutting-edge technical evidence for the investigative process.

Back to Grading
Professional discussion underpinned by a portfolio
S8

Process, analyse and interpret complex digital data for the purposes of establishing forensic evidence for investigations.

Back to Grading
Professional discussion underpinned by a portfolio
S9

Interrogate the components and artefacts of complex digital material in a forensic manner to find evidence relevant to investigations.

Back to Grading
Professional discussion underpinned by a portfolio
S10

Physically examine damaged or broken devices and remove data, utilising specialist tools and techniques, for example Chip-off and Joint Test Action Group (JTAG).

Back to Grading
Professional discussion underpinned by a portfolio
S11

Solve complex problems and technically challenge the constraints of digital forensic methodologies.

Back to Grading
Dissertation including presentation with questions
S12

Communicate, negotiate, and influence on various skill and sensitivity levels to support all parts of the investigative process, including addressing highly technical concepts in an accessible format.

Back to Grading
Professional discussion underpinned by a portfolio
S13

Provide trusted digital forensic evidence for the investigative process, producing comprehensive reports, technical explanations, and statements in accordance with rules of evidence. Distinguishing between factual and interpretive expert reporting.

Back to Grading
Professional discussion underpinned by a portfolio
S14

Conduct literature reviews and select appropriate research methodologies to address research gaps in digital forensics.

Back to Grading
Dissertation including presentation with questions
S15

Research data collection, analyse information to draw meaningful conclusions, and communicate the research findings.

Back to Grading
Dissertation including presentation with questions
S16

Collaborate with partners across disciplines to advance national digital forensics and evaluate emerging technology.

Back to Grading
Dissertation including presentation with questions
S17

Follow and apply sustainability, equity, diversity and inclusion policies and procedures.

Back to Grading
Dissertation including presentation with questions
S18

Use specialist multi-capability techniques to forensically identify and examine the authenticity of evidential material.

Back to Grading
Dissertation including presentation with questions
S19

Apply knowledge of new technological risks and threats to influence change to the digital forensic examination process.

Back to Grading
Professional discussion underpinned by a portfolio
Behaviour Assessment methods
B1

A strong work ethic and commitment in order to meet the standards required.

Back to Grading
Professional discussion underpinned by a portfolio
B2

Acts with integrity with respect to ethical, legal and regulation ensuring the protection of personal data, safety and security.

Back to Grading
Professional discussion underpinned by a portfolio
B3

Shows initiative and personal responsibility to overcome digital forensic challenges.

Back to Grading
Professional discussion underpinned by a portfolio
B4

Commitment to continuous professional development; maintaining knowledge and skills in digital forensic developments that influence their work.

Back to Grading
Professional discussion underpinned by a portfolio
B5

Comfortable and confident interacting with people from technical and non-technical backgrounds.

Back to Grading
Dissertation including presentation with questions
B6

Participates and shares best practice in their organisation and the wider community of Digital Forensics.

Back to Grading
Dissertation including presentation with questions
B7

Maintains awareness of trends and innovations utilising a range of academic literature, online sources, community interaction, conference attendance and other methods that can deliver business value.

Back to Grading
Dissertation including presentation with questions
B8

Leads by example, acting as a role model for equity, diversity and inclusion.

Back to Grading
Dissertation including presentation with questions

Mapping of KSBs to grade themes

Dissertation including presentation with questions

KSBS GROUPED BY THEME Knowledge Skills Behaviour
Digital Forensic Science: Investigation, legislation, Ethics and Quality Assurance
K1 K2 K3 K5 K6 K38 K39
S1 S2 S3 S17 S18
B6 B8

Interpretation, implication and application of legislation and guidance for the examination of digital devices and material for use in investigations. (K1)

How to conduct investigations and leverage intelligence in order to identify and safeguard victims and vulnerable persons. (K2)

Ethical handling and management of evidential material and its sources to ensure privacy. (K3)

Processes for accrediting and embedding novel techniques in the laboratory, from proof of concept to approved techniques, associated risks and the impact of Quality Standard Requirements and Forensic Science Regulator (FSR) Codes of Practice (including information security, assurance, and business continuity). (K5)

Scientific requirements needed to establish a technical standard for a new forensic science activity, including validation of methods and tools, practitioner competency, and training. (K6)

Principles and policies of equity, diversity and inclusion in the workplace and their impact on the organisation. (K38)

Techniques to identify evidential anomalies associated with manipulated or faked material. (K39)

Apply legislation and guidance for the capture and examination of digital data to casework and decision-making. (S1)

Conduct investigations and manage evidence ethically to ensure safeguarding of victims and vulnerable persons, including providing support in the technical working environment when dealing with digital devices and data that may contain personal, sensitive or potentially distressing information. (S2)

Undertake work to support the accreditation of novel techniques, from proof of concept through to embedding approved techniques within the laboratory. (S3)

Follow and apply sustainability, equity, diversity and inclusion policies and procedures. (S17)

Use specialist multi-capability techniques to forensically identify and examine the authenticity of evidential material. (S18)

Participates and shares best practice in their organisation and the wider community of Digital Forensics. (B6)

Leads by example, acting as a role model for equity, diversity and inclusion. (B8)

Complex Data Analysis and Reporting
K26 K27
S11

The importance of independent, impartial decision-making that respects the opinions and views of others in complex, unpredictable and changing circumstances. (K26)

Tactical solutions and interpretation of local network architecture to inform plans for examining digital evidence. (K27)

Solve complex problems and technically challenge the constraints of digital forensic methodologies. (S11)

None

Research Methods and Emerging Technologies
K32 K33 K34 K35 K36 K37
S14 S15 S16
B5 B7

Conducting literature reviews. (K32)

Research methods and statistical analysis, including data science and Artificial Intelligence. (K33)

Statistical methods and data interpretation. (K34)

How to draw meaningful conclusions and the communication of research findings. (K35)

How to effectively collaborate with partners and across disciplines to advance national digital forensics and evaluate emerging technology. (K36)

How their role contributes to sustainability goals. (K37)

Conduct literature reviews and select appropriate research methodologies to address research gaps in digital forensics. (S14)

Research data collection, analyse information to draw meaningful conclusions, and communicate the research findings. (S15)

Collaborate with partners across disciplines to advance national digital forensics and evaluate emerging technology. (S16)

Comfortable and confident interacting with people from technical and non-technical backgrounds. (B5)

Maintains awareness of trends and innovations utilising a range of academic literature, online sources, community interaction, conference attendance and other methods that can deliver business value. (B7)

Professional discussion underpinned by a portfolio

KSBS GROUPED BY THEME Knowledge Skills Behaviour
Digital Forensic Science: Investigation, legislation, Ethics and Quality Assurance
K4 K7 K8 K9 K10 K30 K31 K40
S4 S5 S6 S13 S19
B1 B2 B4

Techniques for identifying and managing well-being within a digital forensic team and the strategies to address trauma and how to access support due to the impact that processing sensitive or potentially distressing content can have on an individual. (K4)

Scope of techniques within digital forensics regarding the acquisition, preservation, handling, processing and analysis of digital intelligence. (K7)

What a digital forensic strategy entails, and how this supports the investigation whilst mitigating the risks presented. (K8)

Mentoring and how to support the professional development of others. (K9)

Techniques to co-ordinate the allocation, delivery, and priority of team workload to advance and support investigation in line with organisational priorities. (K10)

Requirements for providing unbiased interpretive evidence, understanding of the limitations of results, including unconscious bias and performance of tools. (K30)

E-Discovery strategy for large and complex cases. (K31)

Emerging trends and technological threats that could disrupt and influence the credibility of forensic evidence. (K40)

Develop legal and ethical digital forensic strategies and communicate with a range of stakeholders to implement these to proactively support serious and complex investigations. (S4)

Mentoring skills to support the performance of the digital forensics team. Providing advice and guidance with particular emphasis on embedding specialist techniques. (S5)

Co-ordinate the allocation, delivery, and priority of team workload to advance and support investigation. (S6)

Provide trusted digital forensic evidence for the investigative process, producing comprehensive reports, technical explanations, and statements in accordance with rules of evidence. Distinguishing between factual and interpretive expert reporting. (S13)

Apply knowledge of new technological risks and threats to influence change to the digital forensic examination process. (S19)

A strong work ethic and commitment in order to meet the standards required. (B1)

Acts with integrity with respect to ethical, legal and regulation ensuring the protection of personal data, safety and security. (B2)

Commitment to continuous professional development; maintaining knowledge and skills in digital forensic developments that influence their work. (B4)

Complex Data Capture and Processing
K11 K12 K13 K14 K15 K20 K21 K22 K23 K24 K25
S7 S9 S10
B3

Horizon scanning, technological advances, and their value to inform strategies for triage and frontline and investigative capability. (K11)

Core network design and storage technologies across multiple devices and common architectures. (K12)

Specialist video multimedia, recovery, processing and analysis to enhance digital forensics compliance. (K13)

Common data features across specialist forensics capabilities, including forensic linguistics, and image authenticity relevant to evidence handling and interpretation of digital forensic material. (K14)

Opportunities for complementary evidence, for example open source, cell site, communications intelligence, text encoding initiative and vehicles. (K15)

Encryption technologies and security methods employed by device manufacturers and their impact on forensic activity and circumventions. (K20)

Artefact types across digital forensic disciplines, and how they can be exploited in investigations. (K21)

Handling treatment opportunities and challenges of various storage media, including magnetic, optical, and flash memory. (K22)

Applications and uses of artificial intelligence to identify and generate evidential material. (K23)

Fault-finding and diagnostic techniques and equipment, including use of voltmeters, thermal imagers and continuity checkers for non-functional electronic devices. (K24)

How to capture evidence compromised by environmental conditions. (K25)

Lead the advanced application of specialist principles for digital forensic science, ensuring the use of cutting-edge technical evidence for the investigative process. (S7)

Interrogate the components and artefacts of complex digital material in a forensic manner to find evidence relevant to investigations. (S9)

Physically examine damaged or broken devices and remove data, utilising specialist tools and techniques, for example Chip-off and Joint Test Action Group (JTAG). (S10)

Shows initiative and personal responsibility to overcome digital forensic challenges. (B3)

Complex Data Analysis and Reporting
K16 K17 K18 K19 K28 K29
S8 S12

The function of, and forensic opportunities presented by, common block device file systems, for example New Technology File System (NTFS), File Allocation Table (FAT), Extended File System (ext), Hierarchical File System Plus (HFS+), Apple File System (APFS) and partitioning technologies. (K16)

Common data structures for storage of text and media, for example text, XML, JSON, image, and video formats. (K17)

Data and database-type structures for storage of system and application data, for example system logs, Windows Registry, system configuration, (b)plists, SQLite, RealmDB, ProtoBuffers. (K18)

The complexities of technical and dynamic risks identified through the investigative process, for example data vulnerabilities. (K19)

Script programs to extract and report data not processed by extraction tool capability, including writing structured query language (SQL) and scripts for interpretation of data, for example Python. (K28)

Decomplication, reverse-engineering, static and dynamic analysis approaches, including application virtualisation. (K29)

Process, analyse and interpret complex digital data for the purposes of establishing forensic evidence for investigations. (S8)

Communicate, negotiate, and influence on various skill and sensitivity levels to support all parts of the investigative process, including addressing highly technical concepts in an accessible format. (S12)

None

Employers involved in creating the standard: Cambridge Regional College, Associated British Foods, BCS - The Chartered Institute for IT, Bedfordshire Police , Birmingham Metropolitan College, British Transport Police , Cambridge Police Force , CCL Solutions , College of Policing, College of Policing , Cranfield University, Deloitte, Forensic Capability Network, Forensics Access , Forgerock, Hertfordshire Constabulary , IntaForensics, Kent Police , Lancashire Police, London Metropolitan Police , MSAB, National Crime Agency, NCI - College, North Wales Police, Northamptonshire Police , Serious Fraud Office, South Wales Police , South West Police Collaboration , Staffordshire , Staffordshire University, Sytech-Consultants , Teesside University, West Midlands Police, West Yorkshire Police

Version log

Version Change detail Earliest start date Latest start date Latest end date
1.0 Approved for delivery 15/07/2024 Not set Not set

Crown copyright © 2024. You may re-use this information (not including logos) free of charge in any format or medium, under the terms of the Open Government Licence. Visit www.nationalarchives.gov.uk/doc/open-government-licence

Is this webpage useful?

Thank you for your feedback

Tell us about your experience