GIAC Battlefield Forensics and Acquisition (GBFA)

• Efficient data acquisition from a wide range of devices
• Rapidly producing actionable intelligence
• Manually identifying and acquiring data

• Federal agents and law enforcement personnel
• Digital forensic analysts
• Information security professionals
• Incident response team members
• Media exploitation analysts
• DoD and intelligence community professionals
• Anyone who has a background in information security and is interested in an understanding of the proper preservation of systems

• 1 proctored exam
• 75 questions
• 2 hours
• Minimum passing score of 69%

NOTE: All GIAC Certification exams are web-based and required to be proctored. There are two proctoring options: remote proctoring through ProctorU, and onsite proctoring through PearsonVUE. Click here for more information.

GIAC certification attempts will be activated in your GIAC account after your application has been approved and according to the terms of your purchase. Details on delivery will be provided along with your registration confirmation upon payment. You will receive an email notification when your certification attempt has been activated in your account. You will have 120 days from the date of activation to complete your certification attempt.

• Acquiring RAM and OS Artifacts
  The candidate will be able to describe the different methods for performing acquisition of RAM, macOS and Shadow copies. This includes using disk copy utilities and target disk mode.
• Acquisition Preparation
  The candidate will be able to summarize the goals of scene management, how to assess evidence, recognize tampering, and verify acquisitions.
• Computer Fundamentals
  The candidate will be familiar with basic computer concepts, such as machine configuration, boot processes, BIOS, UEFI, IP addressing, and domain registrars, in preparation for acquisition.
• Data on Drives
  The candidate will be able to summarize different ways data on drives can be stored and accessed, including encryption and handling deleted files.
• Data on the Network
  The candidate will be able to describe different ways that data can exist in motion, such as IoT network traffic and PCAP files. They will also be able to discuss how different network tools can be used to discover networked devices.
• Dead Box Acquisition
  The candidate will be able to describe the different methods for performing dead box acquisition, including write blocking and media removal.
• Filesystem Fundamentals
  The candidate will be able to describe basic concepts of common filesystems, like NTFS, EXT, and FAT. They will also be able to describe the functionality of major components that comprise these file systems, such as Master File Tables and File Allocation Tables.
• Host Based Live Acquisition
  The candidate will be able to describe the different methods for performing host based live acquisition, including the use of software and hardware write blocking and accessing physical drives and volumes.
• Manual Triage
  The candidate will be familiar with manual techniques and tools used to select and triage data.
• Manually Finding Data
  The candidate will be able to outline the different ways in which data can be manually found. This includes: where data can be found, carving metadata, and file recovery.
• Mobile Device Acquisition
  The candidate will be able to describe, at a high level, the different methods used to perform mobile device acquisition. This includes isolating portable devices from radio signals, tools for mobile device acquisition, and identifying specific mobile devices.
• Mobile Device Triage
  The candidate will be able to outline the ways in which data can be triaged from mobile devices. This includes Android and Apple specific scenarios and how to triage data found in mobile apps, as well as calendars and emails.
• Physical Storage Devices
  The candidate will be able to compare and contrast the different forms of physical storage devices. This includes device interfaces, spinning disk layout, solid state drive fundamentals, and common HDD problems.
• Remote Acquisition
  The candidate will be able to describe the different methods for performing remote acquisitions, including acquisitions over the network as well as leveraging common cloud provider products.
• Specialty Device Fundamentals
  The candidate will be able to describe basic concepts of common specialty devices, like MacOS, including System Profiler and Device Information Collection.
• Storage Technologies
  The candidate will be able to summarize, compare, and contrast common storage technologies, such as the different levels of RAID configurations.
• Using Forensic Tools for Triage
  The candidate will be able to compare and contrast the ways in which popular forensic tools can be effectively used in data triage.
• Windows Filesystems
  The candidate will be able to compare and contrast major Windows filesystems including FAT, exFAT, and NTFS.
• Working With Evidence Files
  The candidate will be able to compare and contrast common evidence file formats, how they can be accessed, and how they can be used in an investigation.

• Training is available in a variety of modalities including live training and OnDemand
• Practical work experience can help ensure that you have mastered the skills necessary for certification.
• College level courses or self paced study through another program or materials may meet the needs for mastery.
• Get information about the procedure to contest exam results.

Practice Tests

• These tests are a simulation of the real exam allowing you to become familiar with the test engine and style of questions.
• Practice exams are a gauge to determine if your preparation methods are sufficient.
• The practice bank questions are limited so you may encounter the same question on practice tests when multiple practice tests are purchased.
• Practice exams never include actual exam questions.
• Purchase a GBFA practice test here.
• GIAC recommends leveraging additional study methods for test preparation.