Cyber Security Certification: GBFA
GIAC Battlefield Forensics and Acquisition (GBFA)
"The GIAC Battlefield Forensics and Acquisition (GBFA) certification demonstrates that an individual is trained and qualified in the proper collection, acquisition, and rapid triage analysis of many forms of data storage. Certified GBFA professionals can traverse each point from arriving at a scene, through determining and establishing the "quick wins" necessary to rapidly move an investigation forward. They have shown skill and excellence in the use of a wide variety of tools and techniques across a vast spectrum of media storage repositories from portable devices, servers, and endpoints, through to IoT and Cloud data. This industry certification will convey that the holder is prepared to handle every facet of the collection and rapid triage process." - Kevin J Ripa, SANS FOR498 Course Co-Author
Areas Covered
- Efficient data acquisition from a wide range of devices
- Rapidly producing actionable intelligence
- Manually identifying and acquiring data
Who is GBFA for?
- Federal agents and law enforcement personnel
- Digital forensic analysts
- Information security professionals
- Incident response team members
- Media exploitation analysts
- DoD and intelligence community professionals
- Anyone who has a background in information security and is interested in an understanding of the proper preservation of systems
Requirements
- 1 proctored exam
- 75 questions
- Time limit of 2 hours
- Minimum Passing Score of 69%
Delivery
NOTE: All GIAC Certification exams are web-based and required to be proctored. There are two proctoring options: remote proctoring through ProctorU, and onsite proctoring through PearsonVUE. Click here for more information.
GIAC certification attempts will be activated in your GIAC account after your application has been approved and according to the terms of your purchase. Details on delivery will be provided along with your registration confirmation upon payment. You will receive an email notification when your certification attempt has been activated in your account. You will have 120 days from the date of activation to complete your certification attempt.
Exam Certification Objectives & Outcome Statements
The topic areas for each exam part follow:
- Acquiring RAM and OS Artifacts
- The candidate will be able to describe the different methods for performing acquisition of RAM, macOS and Shadow copies. This includes using disk copy utilities and target disk mode.
- Acquisition Preparation
- The candidate will be able to summarize the goals of scene management, how to assess evidence, recognize tampering, and verify acquisitions.
- Computer Fundamentals
- The candidate will be familiar with basic computer concepts, such as machine configuration, boot processes, BIOS, UEFI, IP addressing, and domain registrars, in preparation for acquisition.
- Data on Drives
- The candidate will be able to summarize different ways data on drives can be stored and accessed, including encryption and handling deleted files.
- Data on the Network
- The candidate will be able to describe different ways that data can exist in motion, such as IoT network traffic and PCAP files. They will also be able to discuss how different network tools can be used to discover networked devices.
- Data Recovery
- The candidate will be able to, at a high level, describe the processes and tools used in professional data recovery.
- Dead Box Acquisition
- The candidate will be able to describe the different methods for performing dead box acquisition, including write blocking and media removal.
- Filesystem Fundamentals
- The candidate will be able to describe basic concepts of common filesystems, like NTFS, EXT, and FAT. They will also be able to describe the functionality of major components that comprise these file systems, such as Master File Tables and File Allocation Tables.
- Host Based Live Acquisition
- The candidate will be able to describe the different methods for performing host based live acquisition, including the use of software and hardware write blocking and accessing physical drives and volumes.
- Manual Triage
- The candidate will be familiar with manual techniques and tools used to select and triage data.
- Manually Finding Data
- The candidate will be able to outline the different ways in which data can be manually found. This includes: where data can be found, carving metadata, and file recovery.
- Mobile Device Acquisition
- The candidate will be able to describe, at a high level, the different methods used to perform mobile device acquisition. This includes isolating portable devices from radio signals, tools for mobile device acquisition, and identifying specific mobile devices.
- Mobile Device Triage
- The candidate will be able to outline the ways in which data can be triaged from mobile devices. This includes Android and Apple specific scenarios and how to triage data found in mobile apps, as well as calendars and emails.
- Physical Storage Devices
- The candidate will be able to compare and contrast the different forms of physical storage devices. This includes device interfaces, spinning disk layout, solid state drive fundamentals, and common HDD problems.
- Remote Acquisition
- The candidate will be able to describe the different methods for performing remote acquisitions, including acquisitions over the network as well as leveraging common cloud provider products.
- Specialty Device Fundamentals
- The candidate will be able to describe basic concepts of common specialty devices, like MacOS, including System Profiler and Device Information Collection.
- Storage Technologies
- The candidate will be able to summarize, compare, and contrast common storage technologies, such as the different levels of RAID configurations.
- Using Forensic Tools for Triage
- The candidate will be able to compare and contrast the ways in which popular forensic tools can be effectively used in data triage.
- Windows Filesystems
- The candidate will be able to compare and contrast major Windows filesystems including FAT, exFAT, and NTFS.
- Working With Evidence Files
- The candidate will be able to compare and contrast common evidence file formats, how they can be accessed, and how they can be used in an investigation.
*No Specific training is required for any GIAC certification. There are many sources of information available regarding the certification objectives' knowledge areas. Practical experience is an option; there are also numerous books on the market covering Computer Information Security. Another option is any relevant courses from training providers, including SANS.*
Other Resources
- Training is available in a variety of modalities including live conference training, online, and self study.
- Practical work experience can help ensure that you have mastered the skills necessary for certification.
- College level courses or study through another program may meet the needs for mastery.
- The procedure to contest exam results can be found at https://www.giac.org/about/procedures/grievance.
