GCFA Certification Bulletin
(Part 2 of Candidate Handbook)
GIAC Certified Forensics Analyst (GCFA) was created to provide assurance that a certified individual holds the appropriate level of knowledge and skill necessary for any technical staff responsible for forensic investigation/analysis, advanced incident handling, or formal incident investigation.
All GIAC certifications expire after 4 years. To maintain certified status after the initial 4-year certification period, candidates must complete the certification renewal process described at http://www.giac.org/certification-renewal. Although other entry-level certifications are available, GIAC is the only information security certification family that includes advanced technical subject areas.
The practice tests are taken online and are designed to simulate the format of the actual GIAC exams, with the same number of tests, the same number of multiple-choice questions, and the same time limits. The practice test questions are selected from our Online Training quiz bins and are written by the same authors who write the GIAC exams. During a practice test, each time you choose a wrong answer you will be shown the correct answer along with an explanation that reinforces the subject matter presented in the question. The practice tests also include a counter showing how many questions you have answered correctly, how many you have answered incorrectly, and how many remain in the test. You have only one attempt at each practice test; if you need more attempts, you must purchase another set. If you purchase a new practice test set, the online system will quiz you again on the questions you originally answered incorrectly while also asking new questions.
- Type: Certification
- Target: Individuals responsible for forensic investigation/analysis, advanced incident handling, or formal incident investigation.
  GIAC Certified Forensic Analysts (GCFAs) have the knowledge, skills, and abilities to handle advanced incident handling scenarios, conduct formal incident investigations, and carry out forensic investigation of networks and hosts.
- Requirements:
  - 1 proctored exam
  - 150 questions
  - 4-hour time limit
  - 69.3% (104 of 150 questions) minimum passing score
- Renewal: Every 4 years
The topic areas for each exam part follow:
| Exam Certification Objectives | Certification Objective Outcome Statement |
|---|---|
| Application Footprinting | The candidate will demonstrate an understanding of how application footprinting can be used in forensic investigations. |
| Automated GUI Based Forensic Toolkits | The candidate will be able to discuss automated GUI-based forensic toolkits (such as Autopsy, PTK, EnCase, or FTK) and their capabilities and drawbacks during a forensic investigation. |
| Computer Forensics Core | The candidate will demonstrate a fundamental understanding of the procedures and core concepts utilized in the investigative process, the scientific process, crime scene/incident examination, and the importance of documentation, reporting, and presentation. |
| E.U. Laws Investigators Should Know | The candidate will demonstrate an understanding of E.U. civil and criminal laws related to forensic investigations. |
| Evidence Acquisition/Analysis/Preservation Laws and Guidelines | The candidate will demonstrate an understanding of how to collect and preserve the state of the data by maintaining chain of custody and following evidence acquisition/analysis/preservation guidelines. |
| Evidence Integrity | The candidate will demonstrate an understanding of the methods and procedures utilized to create and maintain evidence integrity. |
| File Name Layer | The candidate will demonstrate an understanding of how to analyze the file name layer on Linux systems. |
| File Sorting and Hash Comparisons | The candidate will demonstrate an understanding of how to use MD5, SHA-1, or fuzzy hashes to identify known good and known bad files, and how to sort files based on content type. |
| File System and Data Layer Examination | The candidate will demonstrate an understanding of how to analyze and recover evidence from the file system and data layer on major file systems. |
| File System Essentials | The candidate will demonstrate an understanding of the essential forensic concepts for file systems, including common metadata. |
| File System Timeline Analysis | The candidate will demonstrate an understanding of how to create and analyze a file system timeline by examining the details of the file system's timestamps, and of how temporal data is useful in an investigation. |
| Forensic Evidence Acquisition Imaging | The candidate will demonstrate an understanding of the methods to use for collecting computer evidence from a powered-on or powered-off computer system or hard drive. |
| Forensic Investigation | The candidate will demonstrate an understanding of the computer forensics investigation methodology. |
| Forensic Reports | The candidate will demonstrate an understanding of the guidelines associated with the fundamentals of report writing, including a description of the scientific process utilized and the legal utility of forensic investigative reports. |
| Key Forensic Acquisition/Analysis Concepts | The candidate will demonstrate an understanding of the methods and techniques utilized to acquire and analyze evidence, maintain integrity, and conduct a forensics investigation. |
| Key Forensic Analysis Methods | The candidate will demonstrate an understanding of key evidence analysis methods/concepts and how they are used during a forensics investigation. |
| Key Windows File System Analysis Concepts | The candidate will demonstrate an understanding of how to collect evidence and analyze critical Windows concepts for a forensic investigation, including, but not limited to, volume metadata files, restore points, and volume shadow copies. |
| Linux File System Basics | The candidate will demonstrate an understanding of the basics of Linux file systems. |
| Metadata Layer Examination | The candidate will demonstrate an understanding of how to analyze and recover evidence via metadata on major file systems. |
| Presenting Data | The candidate will demonstrate an understanding of the guidelines associated with presenting acquired evidence and analysis in court. |
| U.S. Laws Investigators Should Know | The candidate will demonstrate an understanding of U.S. civil and criminal laws related to forensic investigations. |
| Volatile Evidence Gathering and Analysis | The candidate will demonstrate an understanding of the methods used to collect volatile evidence and system memory from a computer system. |
| Who Can Investigate and Investigative Process Laws | The candidate will demonstrate an understanding of the key parties involved in an investigation and the investigative process. |
| Windows FAT File System Basics | The candidate will demonstrate an understanding of the basics of Windows FAT (DOS) file systems. |
| Windows Internal File Metadata | The candidate will demonstrate an understanding of how to collect evidence from and analyze Windows files that contain key metadata or other evidence for a forensic investigation. |
| Windows NTFS File System Basics | The candidate will demonstrate an understanding of the basics of the Windows NTFS file system. |
| Windows Registry Analysis | The candidate will demonstrate an understanding of how to collect evidence from and analyze the Windows registry for a forensic investigation. |
| Windows Response and Volatile Evidence Collection | The candidate will demonstrate an understanding of some of the tools available for Windows systems that are used to respond to an incident. |
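The File Sorting and Hash Comparisons objective above names the technique but not how it is carried out. The following is an added example, written here for illustration and not part of the GIAC bulletin or any exam material: it hashes every file under an evidence directory with SHA-1, checks each digest against a known-good and a known-bad set, and buckets files by content type using magic bytes rather than the file extension (so a renamed executable still sorts as an executable). The evidence directory, its files, and both hash sets are constructed inside the script; real work would load reference sets such as NSRL or an internal blocklist, and the `SIGNATURES` table is a deliberately small assumption, not a complete file-type library. Fuzzy hashing, which the objective also mentions, is not shown.

```python
import hashlib
import os
import tempfile
from collections import defaultdict

# Small, assumed magic-byte table: content type is decided from the first bytes,
# never from the file extension, which an actor can trivially change.
SIGNATURES = [
    (b"MZ", "pe-executable"),
    (b"\x7fELF", "elf-executable"),
    (b"%PDF", "pdf"),
    (b"PK\x03\x04", "zip-container"),
    (b"\x89PNG\r\n\x1a\n", "png"),
]


def sha1_of(path):
    """Stream the file through SHA-1 so large evidence files never load fully into memory."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def content_type(path):
    """Return the content-type label whose signature matches the file header, else 'unknown'."""
    with open(path, "rb") as f:
        head = f.read(16)
    for magic, label in SIGNATURES:
        if head.startswith(magic):
            return label
    return "unknown"


def classify(path, known_good, known_bad):
    """Known-bad wins over known-good: a collision between the sets is itself a finding to review."""
    digest = sha1_of(path)
    if digest in known_bad:
        verdict = "known-bad"
    elif digest in known_good:
        verdict = "known-good"
    else:
        verdict = "unknown"
    return digest, verdict


def triage(root, known_good, known_bad):
    """Walk root and return {content_type: [(relative_path, sha1, verdict), ...]} in stable order."""
    buckets = defaultdict(list)
    for dirpath, _, names in os.walk(root):
        for name in sorted(names):
            path = os.path.join(dirpath, name)
            digest, verdict = classify(path, known_good, known_bad)
            buckets[content_type(path)].append((os.path.relpath(path, root), digest, verdict))
    return dict(buckets)


def build_sample_image():
    """Constructed evidence set (not real malware or reference data): writes a few files
    into a temporary directory and derives the known-good / known-bad sets from them."""
    root = tempfile.mkdtemp()
    files = {
        "notes.txt": b"meeting notes\n",
        "tool.exe": b"MZ" + b"\x00" * 60,
        "report.pdf": b"%PDF-1.4 constructed sample\n",
        "dropper.exe": b"MZ" + b"\x90" * 60,   # placed on the known-bad list below
        "photo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 8,
    }
    for name, data in files.items():
        with open(os.path.join(root, name), "wb") as f:
            f.write(data)
    known_good = {hashlib.sha1(files["report.pdf"]).hexdigest(),
                  hashlib.sha1(files["notes.txt"]).hexdigest()}
    known_bad = {hashlib.sha1(files["dropper.exe"]).hexdigest()}
    return root, known_good, known_bad


def run_demo():
    """Build the constructed image and triage it; returns the bucketed results."""
    root, known_good, known_bad = build_sample_image()
    return triage(root, known_good, known_bad)


if __name__ == "__main__":
    for ctype, entries in sorted(run_demo().items()):
        print(ctype)
        for rel, digest, verdict in entries:
            print(f"  {verdict:10s} {digest[:12]}  {rel}")
```

The output groups files by what they actually are, with each file's verdict beside its digest, so an examiner can set aside known-good files and focus on the unknown and known-bad remainder. SHA-1 is used because the objective names it; since chosen-prefix collisions against MD5 and SHA-1 are practical, a modern workflow records a second digest such as SHA-256 alongside it for evidence integrity.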
Where to Get Help
Training is available from a variety of resources, including online courses, course attendance at a live conference, and self-study.
Practical experience is another way to ensure that you have mastered the skills necessary for certification; many professionals already have experience that meets the certification objectives identified above.
Finally, college-level courses or study through another program may also provide the required mastery.
The procedure to contest exam results can be found at http://www.giac.org/grievance.php.