GIAC Certified Forensic Analyst (GCFA)
The GCFA certification is for professionals working in the information security, computer forensics, and incident response fields. The certification focuses on core skills required to collect and analyze data from Windows and Linux computer systems.
The GCFA certifies that candidates have the knowledge, skills, and ability to conduct formal incident investigations and handle advanced incident handling scenarios, including internal and external data breach intrusions, advanced persistent threats, anti-forensic techniques used by attackers, and complex digital forensic cases.
Preparing for the GCFA Exam: Candidates may choose to prepare for the GCFA exam by taking the SANS Training Course: FOR508: Advanced Computer Forensic Analysis and Incident Response
*No Specific training is required for any GIAC certification. If candidates need help in mastering the objectives for this certification, there are many sources of information available. Practical experience is one option; there are also numerous books on the market covering Computer Information Security. Another option is SANS training, or any relevant courses from other training providers.*
- 1 proctored exam
- 115 questions
- Time limit of 3 hours
- Minimum Passing Score of 69%
GIAC reserves the right to change the specifications for each certification without notice. Based on a scientific passing point study, the passing point for the GCFA exam has been determined to be 69% for all candidates receiving access to their certification attempts on or after August 2nd, 2012. To verify the format of your current certification attempt, please read the Certification Information found in your portal account at https://exams.giac.org/pages/attempts.
Certifications must be renewed every 4 years. Click here for details.
NOTE: GIAC exams are NOT given the day after the conference ends.
Exams are delivered online through a standard web browser. For exams purchased with SANS training, access to the exam will be available 7-10 days following the end of the conference. Certification attempt exams are issued within 24 hours upon receipt of payment. You will receive an email from GIAC when your exam has been issued to your portal account. You have 120 days to complete the exam from the time we send notice that it is available. The exams are proctored and should be scheduled using our proctored exam procedure.
- Certified Professionals (GCFA)
- Exam Feedback Procedure
- Grievance Procedure
- Proctored exam procedure
- SANS Information Security Reading Room
Bulletin (Part 2 of Candidate Handbook)
Exam Certification Objectives & Outcome Statements
The topic areas for each exam part follow:
- Acquiring and Analyzing Volatile Data
- The candidate will demonstrate an understanding of how to acquire and analyze local and remote volatile evidence during an intrusion.
- Analyzing Timelines
- The candidate will demonstrate an understanding of creating and analyzing a timeline using file system, artifacts, and other available means and be able to use that timeline to analyze temporal events on the computer system around a specific time or artifact.
- Data Layer Examination
- The candidate will demonstrate an understanding of how to analyze and recover evidence from the file system and data layer on major file systems.
- Digital Forensic Investigation Methodology
- The candidate will demonstrate a fundamental understanding of the forensic process, methodology, common legal guidelines, documentation, and the common duties of a Digital Forensic Analyst and Incident Responder.
- Digital Forensics and Incident Response
- The candidate will demonstrate an understanding of how to properly acquire, validate and analyze evidence on systems across the enterprise during the incident response identification and containment phases.
- Forensic Intrusion Analysis
- The candidate will demonstrate the ability to apply methodology to perform forensic analysis during an intrusion investigation.
- Metadata and Filename Layers
- The candidate will demonstrate an understanding of how to analyze and recover evidence from the metadata and file name layers on major file systems.
- Operating Systems and Filesystems
- The candidate will demonstrate an understanding of the essential forensic concepts for identifying and examining file systems, including attributes, file system metadata, and data organization, with an emphasis on Windows file systems.
Where to Get Help
Training is available from a variety of resources including on line, course attendance at a live conference, and self study.
Practical experience is another way to ensure that you have mastered the skills necessary for certification. Many professionals have the experience to meet the certification objectives identified.
Finally, college level courses or study through another program may meet the needs for mastery.
The procedure to contest exam results can be found at http://www.giac.org/about/procedures/grievance.