Areas Covered
- Efficient data acquisition from a wide range of devices
- Rapidly producing actionable intelligence
- Manually identifying and acquiring data
Who is GBFA for?
- Federal agents and law enforcement personnel
- Digital forensic analysts
- Information security professionals
- Incident response team members
- Media exploitation analysts
- DoD and intelligence community professionals
- Anyone who has a background in information security and is interested in an understanding of the proper preservation of systems
Exam Format
- 1 proctored exam
- 75 questions
- 2 hours
- Minimum passing score of 69%
Delivery
NOTE: All GIAC Certification exams are web-based and required to be proctored. There are two proctoring options: remote proctoring through ProctorU, and onsite proctoring through PearsonVUE. Click here for more information.
GIAC certification attempts will be activated in your GIAC account after your application has been approved and according to the terms of your purchase. Details on delivery will be provided along with your registration confirmation upon payment. You will receive an email notification when your certification attempt has been activated in your account. You will have 120 days from the date of activation to complete your certification attempt.
Exam Certification Objectives & Outcome Statements
- Acquiring RAM and OS Artifacts The candidate will be able to describe the different methods for performing acquisition of RAM, macOS and Shadow copies. This includes using disk copy utilities and target disk mode.
- Acquisition Preparation The candidate will be able to summarize the goals of scene management, how to assess evidence, recognize tampering, and verify acquisitions.
- Computer Fundamentals The candidate will be familiar with basic computer concepts, such as machine configuration, boot processes, BIOS, UEFI, IP addressing, and domain registrars, in preparation for acquisition.
- Data on Drives The candidate will be able to summarize different ways data on drives can be stored and accessed, including encryption and handling deleted files.
- Data on the Network The candidate will be able to describe different ways that data can exist in motion, such as IoT network traffic and PCAP files. They will also be able to discuss how different network tools can be used to discover networked devices.
- Dead Box Acquisition The candidate will be able to describe the different methods for performing dead box acquisition, including write blocking and media removal.
- Filesystem Fundamentals The candidate will be able to describe basic concepts of common filesystems, like NTFS, EXT, and FAT. They will also be able to describe the functionality of major components that comprise these file systems, such as Master File Tables and File Allocation Tables.
- Host Based Live Acquisition The candidate will be able to describe the different methods for performing host based live acquisition, including the use of software and hardware write blocking and accessing physical drives and volumes.
- Manual Triage The candidate will be familiar with manual techniques and tools used to select and triage data.
- Manually Finding Data The candidate will be able to outline the different ways in which data can be manually found. This includes: where data can be found, carving metadata, and file recovery.
- Mobile Device Acquisition The candidate will be able to describe, at a high level, the different methods used to perform mobile device acquisition. This includes isolating portable devices from radio signals, tools for mobile device acquisition, and identifying specific mobile devices.
- Mobile Device Triage The candidate will be able to outline the ways in which data can be triaged from mobile devices. This includes Android and Apple specific scenarios and how to triage data found in mobile apps, as well as calendars and emails.
- Physical Storage Devices The candidate will be able to compare and contrast the different forms of physical storage devices. This includes device interfaces, spinning disk layout, solid state drive fundamentals, and common HDD problems.
- Remote Acquisition The candidate will be able to describe the different methods for performing remote acquisitions, including acquisitions over the network as well as leveraging common cloud provider products.
- Specialty Device Fundamentals The candidate will be able to describe basic concepts of common specialty devices, like MacOS, including System Profiler and Device Information Collection.
- Storage Technologies The candidate will be able to summarize, compare, and contrast common storage technologies, such as the different levels of RAID configurations.
- Using Forensic Tools for Triage The candidate will be able to compare and contrast the ways in which popular forensic tools can be effectively used in data triage.
- Windows Filesystems The candidate will be able to compare and contrast major Windows filesystems including FAT, exFAT, and NTFS.
- Working With Evidence Files The candidate will be able to compare and contrast common evidence file formats, how they can be accessed, and how they can be used in an investigation.
Other Resources
- Training is available in a variety of modalities including live training and OnDemand
- Practical work experience can help ensure that you have mastered the skills necessary for certification.
- College level courses or self paced study through another program or materials may meet the needs for mastery.
- Get information about the procedure to contest exam results.
Practice Tests
- These tests are a simulation of the real exam allowing you to become familiar with the test engine and style of questions.
- Practice exams are a gauge to determine if your preparation methods are sufficient.
- The practice bank questions are limited so you may encounter the same question on practice tests when multiple practice tests are purchased.
- Practice exams never include actual exam questions.
- Purchase a GBFA practice test here.
- GIAC recommends leveraging additional study methods for test preparation.