| cert name | count |
|---|---|
| CREST | 0.5 |
| Network+ | 0.5 |
| GCIA | 1.5 |
| GCIH | 0.5 |
| GCFA | 1 |
| ACE | 1.5 |
| BSc | 1 |
| CCE | 1.5 |
| A+ | 1 |
| MCP | 1 |
| ACFS, BITS | 1 |
| MCFE | 0.5 |
| EnCE | 1.5 |
| PIP1 | 2 |
| GCFE | 0.5 |
| CISSP (0.5), SSCP or CCSP, CISM (0.5), CISA (0.5) | 1 |
| SANS GCIA, GCIH | 1 |
| CCNA, CCIE, NGFW | 1 |
| GREM, GCFE, OSCP | 1 |
- Booz Allen Hamilton Incident Response Analyst
- Box Security Analyst
- Grey Heron IT Solutions Forensic Analyst
- Triumph Consultants Ltd Temp Investigating Officer x2 – Digital Forensics & Cybercrime
- HM Revenue and Customs Senior/Higher Digital Forensic Practitioner
https://www.giac.org/certification/certified-forensic-examiner-gcfe?msc=giac-focus-area
https://www.giac.org/certification/certified-incident-handler-gcih?msc=giac-focus-area
https://www.giac.org/certification/certified-forensic-analyst-gcfa?msc=giac-focus-area
Plan
GCFE
The topic areas for each exam part follow:
-
Analysis and Profiling of Systems and Devices
The candidate will demonstrate an understanding of the artifacts created by the Windows operating system during the execution of programs, system start up and use of removable devices.
-
Analysis of File and Program Activity
The candidate will demonstrate an understanding of file access artifacts created by the Windows operating system.
-
Analysis of User Communications
The candidate will demonstrate an understanding of the forensic examination of user communication applications and methods, including host-based and mobile email applications, instant messaging, and other software and Internet-based user communication applications.
-
Analysis of Windows System User Artifacts
The candidate will demonstrate an understanding of the artifacts created by user activity on current Windows operating systems.
-
Cloud Storage Fundamentals
The candidate will demonstrate an understanding of the artifacts created by the installation and use of cloud storage solutions and how they can be used during forensic examinations.
-
Foundations of Digital Forensics Acquisition
The candidate will demonstrate an understanding of the methodologies and tools used to collect and process digital forensic evidence.
-
Fundamental Digital Forensics
The candidate will demonstrate an understanding of forensic methodology, key forensic concepts, identifying types of evidence on current Windows operating systems and be familiar with the structure and composition of modern Windows file systems.
-
Host and Application Event Log Analysis
The candidate will demonstrate an understanding of the purpose of the various types of Windows event, service and application logs, and the forensic value that they can provide.
-
Microsoft Browser Forensics
The candidate will demonstrate an understanding of the artifacts created by Microsoft browsers during user activity.
-
Third Party Browser Forensics and Browser Artifact Analysis
The candidate will demonstrate an understanding of the artifacts created by third party browsers and when privacy settings are applied during user activity.
-
Windows Registry Artifact Analysis
The candidate will demonstrate an understanding of the registry artifacts created by system and user activity.
-
Windows Registry Fundamentals
The candidate will demonstrate an understanding of the structure and purpose of the Windows registry and the types of tools used to analyze and parse the data.
GCIH
Covering Tracks on Hosts
The candidate will demonstrate an understanding of how to identify, defend against, and mitigate against methods attackers use to remove evidence of compromise on hosts.
Covering Tracks on the Network
The candidate will demonstrate an understanding of how to identify, defend against, and mitigate against methods attackers use to remove evidence of compromise on the network.
Domain Attacks
The candidate will demonstrate an understanding of how to identify, defend against, and mitigate against Domain attacks in Windows environments.
Drive-By Attacks
The candidate will demonstrate an understanding of how to identify, defend against, and mitigate against drive-by attacks in modern environments.
Endpoint Attacks and Pivoting
The candidate will demonstrate an understanding of how to identify, defend against, and mitigate against attacks against endpoints and attack pivoting.
Incident Handling and Digital Investigations
The candidate will demonstrate an understanding of what Incident Handling is, why it is important, an understanding of the PICERL incident handling process, and industry best practices in Incident Handling and Digital Investigations.
Memory and Malware Investigations
The candidate will demonstrate an understanding of the steps necessary to perform basic memory forensics, including collection and analysis of processes and network connections and basic malware analysis.
Metasploit
The candidate will demonstrate an understanding of how to identify, defend against, and mitigate against the use of Metasploit.
Netcat
The candidate will demonstrate an understanding of how to identify, defend against, and mitigate against the use of covert tools such as netcat.
Network Investigations
The candidate will demonstrate an understanding of the steps necessary to perform effective digital investigations of network data.
Password Attacks
The candidate will demonstrate a detailed understanding of the three methods of password cracking.
Physical Access Attacks
The candidate will demonstrate an understanding of how to identify, defend against, and mitigate against physical access attacks.
Reconnaissance and Open-Source Intelligence
The candidate will demonstrate an understanding of how to identify, defend against, and mitigate public and open source reconnaissance techniques.
Scanning and Mapping
The candidate will demonstrate an understanding the fundamentals of how to identify, defend against, and mitigate against scanning; to discover and map networks and hosts, and reveal services and vulnerabilities.
SMB Scanning
The candidate will demonstrate an understanding of how to identify, defend against, and mitigate reconnaissance and scanning of SMB services.
Web App Attacks
The candidate will demonstrate an understanding of how to identify, defend against, and mitigate against Web Application Attacks.
GCFA
Enterprise Environment Incident Response
The candidate will demonstrate an understanding of the steps of the incident response process, attack progression, and adversary fundamentals and how to rapidly assess and analyze systems in an enterprise environment scaling tools to meet the demands of large investigations.
File System Timeline Artifact Analysis
The candidate will demonstrate an understanding of the Windows filesystem time structure and how these artifacts are modified by system and user activity.
Identification of Malicious System and User Activity
The candidate will demonstrate an understanding of the techniques required to identify and document indicators of compromise on a system, detect malware and attacker tools, attribute activity to events and accounts, and identify and compensate for anti-forensic actions using memory and disk resident artifacts.
Identification of Normal System and User Activity
The candidate will demonstrate an understanding of the techniques required to identify, document, and differentiate normal and abnormal system and user activity using memory and disk resident artifacts.
Introduction to File System Timeline Forensics
The candidate will demonstrate an understanding of the methodology required to collect and process timeline data from a Windows system.
Introduction to Volatile Data Forensics
The candidate will demonstrate an understanding of how and when to collect volatile data from a system and how to document and preserve the integrity of volatile evidence.
NTFS Artifact Analysis
The candidate will demonstrate an understanding of core structures of the Windows filesystems, and the ability to identify, recover, and analyze evidence from any file system layer, including the data storage layer, metadata layer, and filename layer.
Volatile Data Artifact Analysis of Malicious Events
The candidate will demonstrate an understanding of abnormal activity within the structure of Windows memory and be able to identify artifacts such as malicious processes, suspicious drivers and malware techniques such as code injection and rootkits.
Volatile Data Artifact Analysis of Windows Events
The candidate will demonstrate an understanding of abnormal activity within the structure of Windows memory and be able to identify artifacts such as malicious processes, suspicious drivers and malware techniques such as code injection and rootkits.
Windows Artifact Analysis
The candidate will demonstrate an understanding of Windows system artifacts and how to collect and analyze data such as system back up and restore data and evidence of application execution.
Prep
https://www.examtopics.com/exams/giac/gcfa/view/
https://www.edusum.com/giac/giac-gcfa-certification-sample-questions
https://issuu.com/katymorgan9/docs/gcfa__forensic_analyst__2_
https://www.edusum.com/node/50681/myresults
https://community.infosecinstitute.com/discussion/124800/anyone-have-the-gcfa