JOB CODE: 01509

SERIES NATURE OF WORK: The Digital Forensic Examiner job series describes work in the forensic analysis of digital evidence gathered by law enforcement authorities as part of a criminal investigation.

DEFINITION: This is advanced technical work in the acquisition, examination, and analysis of digital criminal evidence within the Pennsylvania State Police (PSP).

An employee in this job performs independent casework involving the most complex analysis of digital evidence for law enforcement’s use in investigating criminal activity. Work involves applying digital forensic techniques to the acquisition and examination of the full range of electronic evidence which includes a variety of complex digital devices with diverse operating and storage systems. Work includes maintaining a detailed record of analysis and chain of custody, providing technical guidance to law enforcement officers, extracting digital evidence and preparing analytical reports associated with evidence processed, and maintaining and validating hardware and software used in laboratory and field environments. Work may include investigating and analyzing criminal network intrusions and communications of significant impact, identifying and preserving applicable evidence through examination of network systems, and providing guidance to network administrators or other IT professionals. Work may also include administering a local area network used by a group of examiners, performing field investigative work, providing expert testimony at court proceedings, and reviewing casework processed by other examiners. Work is performed with considerable independence under the guidance of a State Police sworn officer and is reviewed for quality, completeness, effectiveness of results, and compliance with policies and guidelines.


• Work is differentiated from the lower-level job by the responsibility for independently performing advanced analysis of casework characterized by a wide variety of evidentiary material, numerous evidence items per case, and physical extraction and interpretation of data.

EXAMPLES OF WORK: (NOTE: The examples of work are representative of the work, but every position classified to this job may not perform all examples of work listed. Conversely, this is not an all-inclusive list of work examples.)

• Performs advanced and routine forensic analysis of casework that involves the full range of digital evidence and examination techniques.

• Examines criminal evidence which is, or is expected to be, of significant interest to the news media or judicial system.

• Interacts with criminal investigators, legal authorities, and peers regarding evidence to be examined and the results of analysis.

• Preserves original evidence while producing and validating a working copy.

• Disassembles, reassembles, connects to, and accesses computer-related equipment such as personal computers, laptops, tablets, servers, routers, video and audio recorders and players, cellular phones, and GPS devices.

• Examines computer files from diverse operating systems and file system environments, identifies and interprets data, and uses carving techniques to extract digital evidence that may be useful to criminal investigators and prosecutors.

• Recovers deleted, encrypted, password-protected, corrupted, damaged, and hidden data files using forensic analytical techniques and software tools.

• Preserves and handles evidence and documents evidence chain of custody.

• Presents evidence in a readable format and prepares reports of analysis and findings that are compliant with laboratory policies and the laws governing the admissibility of evidence in court.

• Reviews casework processed by other staff by examining analytical reports to either concur with actions taken and concluded results or return for correction or further analysis.

• Testifies in court proceedings by describing techniques used to obtain data and by providing conclusions regarding processed evidence.

• Conducts network intrusion analysis for businesses, governmental agencies, and educational institutions to determine how an organization’s IT system was breached or attacked, what occurred, and the identity of criminal perpetrators.

• Provides technical guidance to help preserve data and identify network intruders to IT professionals of businesses, governmental agencies, and educational institutions in network intrusion cases.

• Conducts integrated analysis of multiple audit logs.

• Examines network communication systems to identify and interpret information sent and received by evidentiary material.

• Serves as a Local Area Network administrator for an Area Computer Crime Task Force by installing, configuring, and maintaining network infrastructure.

• Installs, configures, and maintains hardware and software required for the forensic acquisition and examination of digital evidence.

• Researches industry standards and protocols and develops operating procedures relating to the State Police’s seizure, examination, and management of digital evidence.

• Provides technical guidance involving digital evidence collection and examination techniques to law enforcement officers and lower-level examiners.

• Researches and studies new technology in order to understand its functions and capabilities and determine techniques for acquiring and examining digital evidence stored within it.

• Conducts validation tests of new digital forensics hardware, software, and examination procedures prior to implementation with casework.

• Attends and participates in staff meetings, conferences, and other training and development activities.

• Travels to crime scenes to identify, collect, preview, and secure digital evidence.

• Operates motor vehicles.

• Performs related work as required.


• Knowledge of the principles and practices of network communications.

• Knowledge of the functions and capabilities of network hardware and software in a networked environment.

• Knowledge of the processes and procedures involved in installing, configuring, and testing hardware and software on workstations and peripherals in a networked environment.

• Knowledge of information technology security practices.

• Knowledge of the component parts of personal computers, peripherals, servers, mobile devices, and their associated functionality.

• Knowledge of the techniques used in acquisition, examination, and analysis of digital evidence.

• Knowledge of the procedures associated with maintaining evidence chain of custody.

• Knowledge of the procedures associated with testifying in a court of law.

• Knowledge of the use and functionality of Microsoft Office Suite software.

• Ability to operate motor vehicles.

• Ability to analyze and interpret the functionality of various operating systems.

• Ability to analyze and interpret computer file systems, partitioning schemes, network access, event logs, binary and hexadecimal numbering systems, and unallocated computer space.

• Ability to prepare reports of analysis and findings.

• Ability to analyze and interpret written information and numerical data.

• Ability to establish and maintain effective working relationships.

• Ability to communicate effectively orally.

• Ability to communicate effectively in writing.

MINIMUM EXPERIENCE AND TRAINING: (NOTE: Based on the Entry Level Knowledges, Skills, and Abilities):

• One year as a Digital Forensic Examiner 1 (commonwealth title);


• One year of professional work experience in the technical analysis of digital evidence and a bachelor’s degree in digital forensics, cyber forensics, forensic science, computer science, or any information technology field;


• An equivalent combination of experience and training that includes one year of professional work experience in the technical analysis of digital evidence.


• All positions require possession of an active motor vehicle license.