GIAC Certified Forensic Analyst (GCFA) Certification

What is the GCFA certification?
The GIAC Certified Forensic Analyst (GCFA) certification is an intermediate-level computer forensics credential that signifies the holder’s aptitude, skillset and ability to carry out official forensic incident investigations. Holders of the credential are able to handle significant incident scenarios such as internal and external data breaches, understand persistent threats as well as the anti-forensic techniques used to evade detection, and can competently handle complex digital forensic cases. GIAC (Global Information Assurance Certification) is a private U.S. organization that was founded by the SANS Institute in the late 1990s and today offers over 60 information security certifications across a broad range of niche subjects. The GCFA certification focuses on computer forensics in relation to both incident investigation and incident response and the skills required to collect and analyze the appropriate data.
Who is the GCFA certification for?
The GCFA certification is aimed at I.T. professionals who wish to demonstrate front-line proficiency and understanding of state-of-the-art computer forensics tools and techniques, information security and incident response. This vendor-neutral certification tests the candidate’s knowledge and skills pertaining to both Windows and Linux operating systems.

Typical job titles for GCFA-qualified professionals include:
  • Computer Security Specialist / Manager
  • Intrusion Detection Analyst / Manager
  • Computer Forensics Analyst / Manager
  • Information Security Analyst / Manager
  • IT Security Manager
  • Law Enforcement Forensics Analyst
Are there any prerequisites to the GCFA certification?
There are no special prerequisites for candidates wishing to take the GCFA exam.
What does the GCFA exam cover?
There are a number of skills tested in the GCFA exam, including topics such as:
  • Acquiring Data and Evidence
  • Computer Forensics Primer
  • Critical Analysis Tools
  • Data Preservation
  • File System and Data Layer Tools
  • Forensic Investigation Process
  • Linux File System Basics
  • Windows FAT File System Basics
  • Windows File System Basics
  • Windows NTFS File System Basics
  • File System Timeline Analysis
  • Live Incident Response and Volatile Evidence Collection
  • Advanced Windows Registry Analysis
  • Discovering Malware on a Host
  • Recovering Key Windows Files, etc.
For a full list of topics potentially covered in the exam, click here.
How do I earn the GCFA certification?
Candidates wanting to earn the GCFA certification need to pass one computer-based exam consisting of 115 multiple-choice questions with a time allocation of 180 minutes (3 hours). A minimum score of 69% is required to pass the exam.

The exam is in an ‘open book’ format, meaning that candidates may bring into the testing facility any textbooks*, courseware manuals, printed guides, printed notes and other similar material that they wish (keep in mind, though, that there might be limited desk or working space in the testing area). Candidates may not bring into the exam area any electronic devices such as smartphones, tablets, USB drives or similar devices. Any device or file that has a search facility, such as Kindles, Word documents, PDFs or similar, is also not permitted. Candidates will not have access to the Internet.

*This is something to keep in mind when purchasing study books. If you opt for a Kindle (or similar) version of a study book, you will not be allowed to take it into the exam room with you. If you purchase a physical textbook, you will be allowed to take it into the exam with you if you wish.
How much does the GCFA exam cost?
The GIAC Certified Forensic Analyst (GCFA) exam costs US$1049. The fees must be paid up front and the candidate has 120 days from the approval of their application to take the exam.
Where can I take the GCFA exam?
GCFA exams are proctored through Pearson VUE testing facilities worldwide. Before paying the GCFA exam fee, make sure to check ahead with your nearest testing facility to ascertain their location, current exam costs and availability of the GCFA exam.

Before scheduling an exam date, candidates will need to register an account with SANS/GIAC.
GCFA recertification requirements
The GCFA credential is valid for a period of 4 years. Starting two years before their GCFA certification expires, candidates may begin the process of revalidating their credential. The GCFA is considered renewed once a candidate has amassed a total of 36 CPE (Continued Professional Education) points and paid the applicable recertification fee. The CPE points can be earned in full by retaking the current version of the GCFA exam (worth 36 CPEs), or by earning the points through a series of career- and knowledge-enhancing activities. Taking this latter option, CPE points can be earned, over the course of two years, in a variety of ways including (but not limited to):
  • Work Experience
  • Official Training Courses
  • Seminars
  • Teaching or Mentoring
  • Writing Papers
  • Self-Study Courses
The certification renewal fee is US$399, payable every 4 years. Full information about the GCFA renewal process can be found here.