Cyber Security Certification: GBFA


"The GIAC Battlefield Forensics and Acquisition (GBFA) certification demonstrates that an individual is trained and qualified in the proper collection, acquisition, and rapid triage analysis of many forms of data storage. Certified GBFA professionals can traverse each point from arriving at a scene, through determining and establishing the "quick wins" necessary to rapidly move an investigation forward. They have shown skill and excellence in the use of a wide variety of tools and techniques across a vast spectrum of media storage repositories from portable devices, servers, and endpoints, through to IoT and Cloud data. This industry certification will convey that the holder is prepared to handle every facet of the collection and rapid triage process." - Kevin J Ripa, SANS FOR498 Course Co-Author

Delivery

NOTE: All GIAC Certification exams are web-based and must be proctored. There are two proctoring options: remote proctoring through ProctorU and onsite proctoring through PearsonVUE.

GIAC certification attempts will be activated in your GIAC account after your application has been approved and according to the terms of your purchase. Details on delivery will be provided along with your registration confirmation upon payment. You will receive an email notification when your certification attempt has been activated in your account. You will have 120 days from the date of activation to complete your certification attempt.


Exam Certification Objectives & Outcome Statements

The topic areas for each exam part follow:

Acquiring RAM and OS Artifacts
The candidate will be able to describe the different methods for performing acquisition of RAM, macOS and Shadow copies. This includes using disk copy utilities and target disk mode.
Acquisition Preparation
The candidate will be able to summarize the goals of scene management, how to assess evidence, recognize tampering, and verify acquisitions.
Computer Fundamentals
The candidate will be familiar with basic computer concepts, such as machine configuration, boot processes, BIOS, UEFI, IP addressing, and domain registrars, in preparation for acquisition.
Data on Drives
The candidate will be able to summarize different ways data on drives can be stored and accessed, including encryption and handling deleted files.
Data on the Network
The candidate will be able to describe different ways that data can exist in motion, such as IoT network traffic and PCAP files. They will also be able to discuss how different network tools can be used to discover networked devices.
Data Recovery
The candidate will be able to, at a high level, describe the processes and tools used in professional data recovery.
Dead Box Acquisition
The candidate will be able to describe the different methods for performing dead box acquisition, including write blocking and media removal.
Filesystem Fundamentals
The candidate will be able to describe basic concepts of common filesystems, like NTFS, EXT, and FAT. They will also be able to describe the functionality of major components that comprise these file systems, such as Master File Tables and File Allocation Tables.
Host Based Live Acquisition
The candidate will be able to describe the different methods for performing host-based live acquisition, including the use of software and hardware write blocking and accessing physical drives and volumes.
Manual Triage
The candidate will be familiar with manual techniques and tools used to select and triage data.
Manually Finding Data
The candidate will be able to outline the different ways in which data can be manually found. This includes: where data can be found, carving metadata, and file recovery.
Mobile Device Acquisition
The candidate will be able to describe, at a high level, the different methods used to perform mobile device acquisition. This includes isolating portable devices from radio signals, tools for mobile device acquisition, and identifying specific mobile devices.
Mobile Device Triage
The candidate will be able to outline the ways in which data can be triaged from mobile devices. This includes Android- and Apple-specific scenarios and how to triage data found in mobile apps, as well as calendars and emails.
Physical Storage Devices
The candidate will be able to compare and contrast the different forms of physical storage devices. This includes device interfaces, spinning disk layout, solid state drive fundamentals, and common HDD problems.
Remote Acquisition
The candidate will be able to describe the different methods for performing remote acquisitions, including acquisitions over the network as well as leveraging common cloud provider products.
Specialty Device Fundamentals
The candidate will be able to describe basic concepts of common specialty devices, like macOS, including System Profiler and Device Information Collection.
Storage Technologies
The candidate will be able to summarize, compare, and contrast common storage technologies, such as the different levels of RAID configurations.
Using Forensic Tools for Triage
The candidate will be able to compare and contrast the ways in which popular forensic tools can be effectively used in data triage.
Windows Filesystems
The candidate will be able to compare and contrast major Windows filesystems including FAT, exFAT, and NTFS.
Working With Evidence Files
The candidate will be able to compare and contrast common evidence file formats, how they can be accessed, and how they can be used in an investigation.

*No specific training is required for any GIAC certification. There are many sources of information available regarding the certification objectives' knowledge areas. Practical experience is an option; there are also numerous books on the market covering Computer Information Security. Another option is any relevant courses from training providers, including SANS.*
