Global Certified Forensic Analyst

Target

The GCFA certification is for professionals working in the information security, computer forensics, and incident response fields. The certification focuses on core skills required to collect and analyze data from Windows and Linux computer systems.

The GCFA certifies that candidates have the knowledge, skills, and ability to conduct formal incident investigations and handle advanced incident handling scenarios, including internal and external data breach intrusions, advanced persistent threats, anti-forensic techniques used by attackers, and complex digital forensic cases.

No Specific training is required for Global Certified Forensic Analyst (GCFA) certification. There are many sources of information available regarding the certification objectives' knowledge areas. Practical experience is an option; there are also numerous books on the market covering Computer Information Security. 

The topic areas for each exam part follow:

1. Identification of Malicious System and User Activity: The candidate will demonstrate an understanding of the techniques required to identify and document indicators of compromise on a system, detect malware and attacker tools, attribute activity to events and accounts, and identify and compensate for anti-forensic actions.
2. Incident Response in an Enterprise Environment: The candidate will demonstrate an understanding of how to rapidly assess and analyze systems in an enterprise environment and scale tools to meet the demands of large investigations.
3. Incident Response Process and Framework: The candidate will demonstrate an understanding of the steps of the incident response process, attack progression, cyber threat intelligence, malware and adversary fundamentals.
4. Timeline Artifact Analysis: The candidate will demonstrate an understanding of the Windows filesystem time structure and how these artifacts are modified by system and user activity.
5. Timeline Collection: The candidate will demonstrate an understanding of the process required to collect timeline data from a Windows system.
6. Timeline Processing: The candidate will demonstrate an understanding of the methodology required to process Windows timeline data from multiple system sources.
7. Volatile Artifact Analysis: The candidate will demonstrate an understanding of normal and abnormal activity within the structure of Windows volatile memory and be able to identify artifacts such as malicious processes, network connections, system data and memory resident files.
8. Volatile Data Collection: The candidate will demonstrate and understanding of how and when to collect volatile data from a system and how to document and preserve the integrity of volatile evidence.
9. Windows Filesystem Structure and Analysis: The candidate will demonstrate an understanding of core Windows filesystems, and the ability to identify, recover, and analyze evidence from any file system layer, including the data storage layer, metadata layer, and filename layer.
10. Windows System Artifact Analysis: The candidate will demonstrate an understanding of Windows system artifacts and how to collect and analyze data such as system back up and restore data and evidence of application execution.