The GIAC Certified Forensic Analyst (GCFA) certification is designed for professionals with expertise in collecting and analyzing data from computer systems. Key details include:
- Overview:
  - The GCFA certification focuses on core skills for incident investigations, covering advanced scenarios like internal and external data breach intrusions, advanced persistent threats, and complex digital forensic cases.
- Exam Format:
  - 1 proctored exam with 82 questions.
  - Duration of 3 hours.
  - Minimum passing score of 71%.
  - The exam is web-based and must be proctored, with options for remote proctoring through ProctorU or onsite proctoring through PearsonVUE.
- Areas Covered:
  - Advanced Incident Response and Digital Forensics.
  - Memory Forensics, Timeline Analysis, and Anti-Forensics Detection.
  - Threat Hunting and APT Intrusion Incident Response.
- Who is GCFA for:
  - Incident Response Team Members.
  - Threat Hunters.
  - SOC Analysts.
  - Experienced Digital Forensic Analysts.
  - Information Security Professionals.
  - Federal Agents and Law Enforcement Professionals.
  - Red Team Members, Penetration Testers, and Exploit Developers.
- GCFA with CyberLive:
  - Practical testing through CyberLive, providing a real-world lab environment for hands-on skills validation.
  - Candidates use actual programs, code, and virtual machines to perform tasks mimicking specialized job roles.
- Delivery:
  - Certification attempts are activated in the candidate’s GIAC account after approval, with a 120-day window for completion.
  - Exam details and proctoring options (remote or onsite) are provided upon registration confirmation.
The certification aims to validate the practical skills and knowledge required for professionals engaged in incident response, threat hunting, and digital forensics, emphasizing real-world scenarios and hands-on expertise.
The exam certification objectives and outcome statements for this certification cover a range of topics related to digital forensics and incident response in Windows environments:
- Analyzing Volatile Malicious Event Artifacts:
  - Identify abnormal activity in Windows memory.
  - Recognize artifacts of malicious processes, suspicious drivers, and malware techniques like code injection and rootkits.
- Analyzing Volatile Windows Event Artifacts:
  - Understand normal activity in Windows memory.
  - Identify artifacts like network connections, memory-resident command line artifacts, processes, handles, and threads.
- Enterprise Environment Incident Response:
  - Understand the incident response process, attack progression, and adversary fundamentals.
  - Rapidly assess and analyze systems in an enterprise environment, scaling tools for large investigations.
- File System Timeline Artifact Analysis:
  - Understand the Windows filesystem time structure.
  - Analyze artifacts modified by system and user activity.
- Identification of Malicious System and User Activity:
  - Identify and document indicators of compromise.
  - Detect malware and attacker tools, attribute activity to events and accounts, and handle anti-forensic actions using memory and disk artifacts.
- Identification of Normal System and User Activity:
  - Differentiate between normal and abnormal system and user activity.
  - Use memory and disk artifacts for identification and documentation.
- Introduction to File System Timeline Forensics:
  - Learn the methodology for collecting and processing timeline data from a Windows system.
- Introduction to Memory Forensics:
  - Understand when and how to collect volatile data from a system.
  - Document and preserve the integrity of volatile evidence.
- NTFS Artifact Analysis:
  - Understand core structures of the Windows filesystems.
  - Identify, recover, and analyze evidence from different file system layers.
- Windows Artifact Analysis:
  - Understand Windows system artifacts.
  - Collect and analyze data such as system backups, restore data, and evidence of application execution.
The certification aims to validate skills in analyzing various artifacts and responding to incidents in Windows environments through a comprehensive understanding of memory forensics, file system timeline forensics, and artifact analysis.
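Two of the objectives above, the Windows filesystem time structure and handling anti-forensic actions with disk artifacts, come together in one common analyst task: turning the NTFS $STANDARD_INFORMATION and $FILE_NAME timestamps of each MFT entry into a MACB timeline and checking the two attribute sets against each other. The following is an added example written for this page, not material from GIAC, SANS or any course. It assumes the MFT has already been parsed into a small `MftRecord` structure (hypothetical; real tooling would supply this), converts FILETIME tick counts with exact integer math, collapses the four timestamps of each attribute into bodyfile-style `MACB` rows, and flags two well-known timestomping indicators: an $SI creation time earlier than the $FN creation time, and $SI values with a zero sub-second component while the $FN values carry one. The records are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# FILETIME is a count of 100-nanosecond ticks since 1601-01-01 UTC.
# This constant is the tick count between that epoch and the Unix epoch.
EPOCH_DIFF_100NS = 116_444_736_000_000_000
TICKS_PER_SECOND = 10_000_000
UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def to_filetime(dt: datetime) -> int:
    """Aware datetime -> FILETIME ticks, using integer math so no ticks are lost."""
    d = dt - UNIX_EPOCH
    return ((d.days * 86400 + d.seconds) * TICKS_PER_SECOND
            + d.microseconds * 10 + EPOCH_DIFF_100NS)


def from_filetime(ft: int) -> datetime:
    """FILETIME ticks -> aware UTC datetime (microsecond precision)."""
    secs, rem = divmod(ft - EPOCH_DIFF_100NS, TICKS_PER_SECOND)
    return UNIX_EPOCH + timedelta(seconds=secs, microseconds=rem // 10)


@dataclass
class MftRecord:
    """Hypothetical already-parsed MFT entry: MACB times (keys M, A, C, B) from
    $STANDARD_INFORMATION (si) and $FILE_NAME (fn), each as FILETIME ticks."""
    path: str
    si: dict
    fn: dict


def macb_timeline(records):
    """Bodyfile-style rows (utc time, 'MACB' flags, 'SI'|'FN', path), sorted by
    time. Timestamps that are equal within one attribute share a row."""
    rows = []
    for rec in records:
        for source, times in (("SI", rec.si), ("FN", rec.fn)):
            by_ts = {}
            for i, key in enumerate("MACB"):
                by_ts.setdefault(times[key], ["."] * 4)[i] = key
            for ts, flags in by_ts.items():
                rows.append((from_filetime(ts), "".join(flags), source, rec.path))
    return sorted(rows, key=lambda r: r[0])


def timestomp_indicators(rec: MftRecord):
    """Heuristic checks only; $FN times are refreshed on rename/move, so
    every hit still needs confirmation against other artifacts."""
    reasons = []
    # $FILE_NAME times are maintained by the kernel and are not what the
    # SetFileTime API writes, so $SI "created" earlier than $FN "created"
    # is not what normal file activity produces.
    if rec.si["B"] < rec.fn["B"]:
        reasons.append("si_created_before_fn_created")
    # Tools that write times at one-second granularity leave the sub-second
    # ticks at zero; genuine NTFS updates almost always have a fractional part.
    if (any(t % TICKS_PER_SECOND == 0 for t in rec.si.values())
            and all(t % TICKS_PER_SECOND != 0 for t in rec.fn.values())):
        reasons.append("si_zero_subsecond")
    return reasons


def _t(y, mo, d, h, mi, s, us=0):
    return to_filetime(datetime(y, mo, d, h, mi, s, us, tzinfo=timezone.utc))


# Constructed sample records, not taken from any real image.
SAMPLE = [
    MftRecord(r"C:\Users\alice\report.docx",
              si={"M": _t(2023, 5, 2, 9, 15, 30, 412_300), "A": _t(2023, 5, 2, 9, 15, 30, 412_300),
                  "C": _t(2023, 5, 2, 9, 15, 30, 412_300), "B": _t(2023, 5, 1, 8, 0, 12, 77_100)},
              fn={"M": _t(2023, 5, 1, 8, 0, 12, 77_100), "A": _t(2023, 5, 1, 8, 0, 12, 77_100),
                  "C": _t(2023, 5, 1, 8, 0, 12, 77_100), "B": _t(2023, 5, 1, 8, 0, 12, 77_100)}),
    MftRecord(r"C:\Windows\Temp\update.exe",
              si={"M": _t(2015, 3, 10, 12, 0, 0), "A": _t(2015, 3, 10, 12, 0, 0),
                  "C": _t(2023, 5, 3, 22, 41, 7, 903_500), "B": _t(2015, 3, 10, 12, 0, 0)},
              fn={"M": _t(2023, 5, 3, 22, 41, 7, 903_500), "A": _t(2023, 5, 3, 22, 41, 7, 903_500),
                  "C": _t(2023, 5, 3, 22, 41, 7, 903_500), "B": _t(2023, 5, 3, 22, 41, 7, 903_500)}),
]


def main():
    for when, flags, source, path in macb_timeline(SAMPLE):
        print(f"{when.isoformat()} {flags} {source} {path}")
    for rec in SAMPLE:
        hits = timestomp_indicators(rec)
        if hits:
            print(f"{rec.path}: {', '.join(hits)}")


if __name__ == "__main__":
    main()
```

In the sample, `report.docx` yields a clean timeline (its $SI modification row reads `MAC.` and its creation row `...B`, both consistent with $FN), while `update.exe` shows the 2015 `MA.B` $SI row sitting years before its own $FN `MACB` row, which is the pattern the second check is built to surface. Note that the $SI `C` (MFT entry change) time stays at 2023 because it is not settable through the normal file-time API, which is why it is often the first value worth comparing.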
Difficulty: 5 out of 5.
This was the most difficult SANS exam I have taken out of the 4 and my favorite in terms of information and tools. Chad and team created a great course with GCFA. There is a lot of material in this course and the failure rate shows that. I work as an analyst and have put some of these tools to use in my daily job. The processes are a bit different out of a lab vs real world environments. That said, this course is based on/utilizes a real network intrusion case.
This exam is scenario based and is considered one of the most difficult exams that SANS offers. The questions are not simply found by looking in the book/memorization but require actual understanding of NTFS, timestamps, file paths, etc. Great course, but it is a few levels higher than most other courses offered.
Difficulty: 4 out of 5.
Great course, but given the abundance of free and cheap training available for this topic, I don't encourage my mentees to take it unless an employer wants to cover all or most of the cost. To be honest, I only hang onto the red and blue posters for this one.