GCFA
Coming Soon
Expected availability announced soon

This course is in active development. Preview the scope below and create a free account to be notified the moment it goes live.


Students master advanced incident response, threat hunting, memory forensics, timeline analysis, and enterprise‑scale Windows forensics, enabling precise artifact correlation and rapid EDR investigation across large environments.

Exam Format

  • Duration: 180 minutes
  • Questions: 82
  • Passing Score: 72%
  • Exam Cost: $979

Who Should Take This

The certification targets seasoned DFIR professionals with three or more years of experience in incident handling and forensic analysis who want to deepen their expertise in Windows internals, memory imaging, and enterprise‑wide threat hunting so they can lead complex investigations and validate advanced EDR alerts.

What's Covered

1 Advanced Incident Response and Threat Hunting
2 Memory Forensics
3 Timeline Analysis and Artifact Correlation
4 Advanced Windows Forensics
5 Enterprise-Scale Forensics and EDR Analysis
6 Malware and Adversary Detection
7 Intrusion Reconstruction and Reporting

What's Included in AccelaStudy® AI

Adaptive Knowledge Graph
Practice Questions
Lesson Modules
Console Simulator Labs
Exam Tips & Strategy
20 Activity Formats

Course Outline

71 learning goals
1 Advanced Incident Response and Threat Hunting
3 topics

Incident response methodology and frameworks

  • Describe the six phases of the PICERL incident response lifecycle (Preparation, Identification, Containment, Eradication, Recovery, Lessons Learned) and explain how each phase applies to enterprise-scale compromise investigations.
  • Identify common adversary objectives mapped to the MITRE ATT&CK framework including initial access, execution, persistence, privilege escalation, defense evasion, credential access, lateral movement, collection, and exfiltration tactics.
  • Implement an incident response triage workflow that prioritizes evidence collection, establishes containment boundaries, and coordinates remediation across multiple compromised endpoints using structured decision trees.
  • Analyze the scope and severity of an active intrusion by correlating indicators across network, endpoint, and log telemetry to determine adversary dwell time, lateral movement extent, and data exfiltration impact.

Threat hunting techniques and tradecraft

  • Describe hypothesis-driven threat hunting methodology including the formulation of hunt hypotheses from threat intelligence, identification of relevant data sources, and definition of expected evidence patterns for each hypothesis.
  • Implement IOC-based threat hunts using YARA rules, Sigma rules, and STIX/TAXII threat intelligence feeds to search for known adversary indicators across enterprise endpoint and log data.
  • Implement anomaly-based threat hunts using baseline profiling of normal process execution, network connections, and user behavior to detect deviations indicative of unauthorized activity or compromised accounts.
  • Evaluate threat hunt effectiveness by assessing hypothesis coverage against MITRE ATT&CK techniques, measuring detection gap closure rates, and recommending improvements to hunting playbooks based on findings.

Evidence acquisition and preservation

  • Identify forensic evidence acquisition methods including live response collection, forensic disk imaging, memory capture, and targeted triage collection and explain the tradeoffs between each approach for volatile and non-volatile evidence.
  • Implement KAPE-based triage collection with targeted artifact groups (registry hives, event logs, prefetch, browser data, MFT) and configure output formats for integration with forensic analysis tools including Timeline Explorer and EZTools.
  • Implement Velociraptor deployment for enterprise-wide artifact collection, live response queries using VQL (Velociraptor Query Language), and scheduled hunts across thousands of endpoints for scalable evidence gathering.
  • Assess evidence integrity and admissibility by verifying cryptographic hash chains, documenting chain-of-custody procedures, and evaluating whether collection methods preserved evidentiary value for legal proceedings.
2 Memory Forensics
3 topics

Memory acquisition and analysis fundamentals

  • Describe Windows memory architecture including virtual address spaces, kernel and user mode separation, page tables and virtual-to-physical address translation, and explain why each matters for forensic acquisition and for the address translation memory analysis tools perform.
  • Identify memory acquisition tools and techniques including WinPmem, DumpIt, Magnet RAM Capture, and hypervisor-based acquisition, and explain how each handles active memory, pagefile, and hibernation file collection.
  • Implement Volatility 3 framework analysis with symbol table resolution (Volatility 3 locates ISF symbol tables from the kernel's PDB identifier instead of using Volatility 2 profiles), plugin selection (windows.pslist, windows.pstree, windows.netscan, windows.filescan, windows.handles, windows.cmdline), and output parsing to extract forensically relevant artifacts from Windows memory images.

Process and code injection analysis

  • Identify common code injection techniques including DLL injection, process hollowing, reflective DLL loading, APC injection, and thread hijacking by examining memory artifacts such as VAD entries, suspicious memory protections, and orphan threads.
  • Implement process memory analysis using the Volatility windows.malfind, windows.vadinfo, and windows.dlllist plugins to detect injected code regions, identify suspicious memory page protections (PAGE_EXECUTE_READWRITE regions not backed by a file on disk), and extract injected payloads for further analysis.
  • Analyze process trees and parent-child relationships to detect process spoofing, unusual process lineage (e.g., cmd.exe spawned by Word), and orphaned processes indicative of adversary process manipulation techniques.
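The lineage checks described above, as an added example that is not course material or Volatility code: a small rule set (expected parents for core Windows processes, an "Office application spawns a shell" rule, singleton processes, and a PID-reuse sanity check) run over a constructed process table in the shape windows.pstree prints (pid, ppid, name, create time). All process IDs and the sample layout are made up.

```python
"""Process-lineage anomaly checks over a pslist-style process table.

Added example, not course material or Volatility code. Input is a constructed
list of (pid, ppid, name, start) tuples; `start` can be any sortable value
(here: seconds since boot).
"""

# Expected parent(s) of core Windows processes (Vista and later lineage).
EXPECTED_PARENT = {
    "smss.exe": {"system"},
    "csrss.exe": {"smss.exe"},
    "wininit.exe": {"smss.exe"},
    "winlogon.exe": {"smss.exe"},
    "services.exe": {"wininit.exe"},
    "lsass.exe": {"wininit.exe"},
    "svchost.exe": {"services.exe"},
    "taskhostw.exe": {"svchost.exe"},
    "explorer.exe": {"userinit.exe"},
}
ORPHAN_OK = {"explorer.exe"}               # its parent (userinit.exe) exits right away
SINGLETONS = {"wininit.exe", "services.exe", "lsass.exe"}
DOCUMENT_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "acrord32.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}


def find_lineage_anomalies(procs):
    """procs: list of (pid, ppid, name, start). Returns a list of (pid, name, reason)."""
    by_pid = {pid: (ppid, name, start) for pid, ppid, name, start in procs}
    first = {}                                  # name -> (pid, start) of the earliest instance
    for pid, _, name, start in procs:
        key = name.lower()
        if key not in first or start < first[key][1]:
            first[key] = (pid, start)
    findings = []
    for pid, ppid, name, start in procs:
        lname = name.lower()
        parent = by_pid.get(ppid)
        pname = parent[1].lower() if parent else None
        if parent and parent[2] > start:
            # The PPID points at a process created after this one: the real parent
            # is gone and its PID was reused, so the lineage shown is not trustworthy.
            findings.append((pid, name, "parent pid %d started after child (PID reuse)" % ppid))
        if lname in EXPECTED_PARENT:
            if parent is None:
                if lname not in ORPHAN_OK:
                    findings.append((pid, name, "orphaned: parent pid %d not in process list" % ppid))
            elif pname not in EXPECTED_PARENT[lname]:
                findings.append((pid, name, "unexpected parent %s (expected %s)"
                                 % (parent[1], sorted(EXPECTED_PARENT[lname]))))
        if lname in SHELLS and pname in DOCUMENT_APPS:
            findings.append((pid, name, "shell/script host spawned by %s" % parent[1]))
        if lname in SINGLETONS and first[lname][0] != pid:
            findings.append((pid, name, "duplicate of singleton process (earlier instance pid %d)"
                             % first[lname][0]))
    return findings


# Constructed sample in pstree order: (pid, ppid, name, start time in seconds since boot).
SAMPLE_PROCS = [
    (4, 0, "System", 0),
    (368, 4, "smss.exe", 10),
    (456, 368, "csrss.exe", 12),
    (532, 368, "wininit.exe", 13),
    (580, 532, "services.exe", 14),
    (600, 532, "lsass.exe", 14),
    (760, 580, "svchost.exe", 20),
    (1180, 1120, "explorer.exe", 60),     # userinit.exe (1120) exited: expected orphan
    (2400, 1180, "WINWORD.EXE", 300),
    (2532, 2400, "cmd.exe", 305),         # Word launching a shell
    (2600, 2532, "powershell.exe", 306),
    (2800, 2810, "notepad.exe", 200),     # claims a parent that started later than itself
    (2810, 760, "taskhostw.exe", 250),
    (3100, 2900, "svchost.exe", 400),     # parent 2900 absent: orphaned svchost
    (3300, 2600, "lsass.exe", 410),       # second lsass.exe, parented by PowerShell
]


def summarize(procs=SAMPLE_PROCS):
    """Map pid -> list of reasons, for quick review."""
    out = {}
    for pid, name, reason in find_lineage_anomalies(procs):
        out.setdefault(pid, []).append(reason)
    return out


if __name__ == "__main__":
    for pid, reasons in sorted(summarize().items()):
        print(pid, reasons)
```

On the sample this flags the Word-spawned cmd.exe, the orphaned svchost.exe, the second lsass.exe (wrong parent and a duplicate singleton) and the notepad.exe whose recorded parent started after it, while leaving the expected explorer.exe orphan alone. The PID-reuse check is the one analysts most often forget: pstree joins on PPID alone, so a parent that exited and had its PID recycled produces a plausible-looking but false lineage.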

Advanced memory analysis techniques

  • Implement rootkit detection in memory by scanning for SSDT hooks, IDT modifications, inline kernel patches, DKOM (Direct Kernel Object Manipulation), and hidden processes using the Volatility windows.ssdt, windows.callbacks, and windows.modscan plugins and cross-view comparison of windows.pslist against windows.psscan.
  • Implement credential extraction from memory using Volatility windows.hashdump (local NTLM hashes from the in-memory SAM and SYSTEM hives), windows.lsadump (LSA secrets), windows.cachedump (cached domain credentials), and mimikatz-style parsing of LSASS process memory (for example with pypykatz) to recover NTLM hashes, Kerberos tickets, and cached domain credentials.
  • Implement network connection analysis from memory using the Volatility windows.netscan and windows.netstat plugins to reconstruct active and recently closed TCP/UDP connections, identify C2 callback addresses, and correlate each connection with its owning process.
  • Evaluate memory forensic findings holistically to reconstruct adversary actions, determine malware capabilities from extracted code, and correlate memory-resident indicators with disk-based and network-based evidence.
3 Timeline Analysis and Artifact Correlation
3 topics

Super timeline creation and analysis

  • Describe the purpose and architecture of super timelines including how plaso/log2timeline aggregates timestamps from file system metadata, event logs, registry, browser history, and application artifacts into a unified chronological view.
  • Implement super timeline creation using log2timeline/plaso with appropriate parsers, output to Elasticsearch or CSV via psort, and configure Timeline Explorer for interactive timeline analysis and filtering.
  • Analyze a super timeline to identify pivot points in an intrusion including initial compromise, lateral movement events, persistence installation, data staging, and exfiltration by correlating timestamps across artifact types.

NTFS timestamp analysis

  • Describe NTFS timestamp sets including $STANDARD_INFORMATION and $FILE_NAME attributes in the MFT, explain MACB (Modified, Accessed, Changed, Born) semantics, and identify how different operations affect each timestamp.
  • Implement MFT parsing using tools such as MFTECmd, analyzeMFT, or istat to extract $SI and $FN timestamps, file sizes, parent directory references, and identify deleted file entries for recovery analysis.
  • Analyze NTFS timestamps to detect timestomping by comparing $STANDARD_INFORMATION and $FILE_NAME timestamps (a $SI creation time earlier than the $FN creation time is the classic indicator), identifying $SI values whose sub-second (100 ns) fields are all zero while $FN retains full precision, and correlating with USN Journal entries to reveal manipulation attempts.
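The two $SI/$FN comparisons above, as an added example that is not course material or MFTECmd/analyzeMFT code. Timestamps are raw 64-bit FILETIME values (100 ns ticks since 1601-01-01 UTC) as an MFT parser returns them; the three records are constructed, and the file names are illustrative.

```python
"""Timestomping checks on MFT $STANDARD_INFORMATION ($SI) and $FILE_NAME ($FN) timestamps.

Added example, not course material. Records are dicts of FILETIME integers keyed
M/A/C/B (Modified, Accessed, MFT-entry Changed, Born); the samples are constructed.
"""
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000


def filetime_to_dt(value):
    return FILETIME_EPOCH + timedelta(microseconds=value // 10)


def dt_to_filetime(dt):
    d = dt - FILETIME_EPOCH
    return (d.days * 86400 + d.seconds) * TICKS_PER_SECOND + d.microseconds * 10


def check_record(rec, tolerance_s=2):
    """rec = {"name": str, "si": {M,A,C,B}, "fn": {M,A,C,B}}. Returns a list of reasons."""
    si, fn = rec["si"], rec["fn"]
    reasons = []
    # 1. NTFS stores 100 ns resolution. Stomping through SetFileTime (the API most
    #    timestomp tools use) usually writes whole seconds to M, A and B; $SI C is not
    #    settable that way and tends to record the moment of the stomp itself, so it
    #    is left out of the comparison. $FN keeps the real fractions.
    si_whole = all(si[k] % TICKS_PER_SECOND == 0 for k in ("M", "A", "B"))
    fn_whole = all(fn[k] % TICKS_PER_SECOND == 0 for k in ("M", "A", "B"))
    if si_whole and not fn_whole:
        reasons.append("$SI M/A/B all have a zero sub-second fraction while $FN does not")
    # 2. $FN is written by the kernel when the MFT record is created and is out of
    #    reach of SetFileTime, so a $SI Born earlier than $FN Born was back-dated.
    if fn["B"] - si["B"] > tolerance_s * TICKS_PER_SECOND:
        reasons.append("$SI Born %s predates $FN Born %s" % (
            filetime_to_dt(si["B"]).strftime("%Y-%m-%d %H:%M:%S"),
            filetime_to_dt(fn["B"]).strftime("%Y-%m-%d %H:%M:%S")))
    return reasons


def ft(*args):
    """FILETIME from (year, month, day[, hour, minute, second, microsecond]) in UTC."""
    return dt_to_filetime(datetime(*args, tzinfo=timezone.utc))


SAMPLE_RECORDS = [
    {   # untouched system binary: $SI and $FN agree, full precision everywhere
        "name": r"C:\Windows\System32\notepad.exe",
        "si": {"M": ft(2023, 5, 10, 9, 0, 0, 123456), "A": ft(2024, 1, 4, 8, 2, 3, 555000),
               "C": ft(2023, 5, 10, 9, 0, 0, 123456), "B": ft(2023, 5, 10, 9, 0, 0, 123456)},
        "fn": {"M": ft(2023, 5, 10, 9, 0, 0, 123456), "A": ft(2023, 5, 10, 9, 0, 0, 123456),
               "C": ft(2023, 5, 10, 9, 0, 0, 123456), "B": ft(2023, 5, 10, 9, 0, 0, 123456)},
    },
    {   # dropped tool stomped to look like a 2019 file: whole-second $SI, 2024 $FN
        "name": r"C:\Windows\Temp\svchost.exe",
        "si": {"M": ft(2019, 3, 1, 6, 0, 0), "A": ft(2019, 3, 1, 6, 0, 0),
               "C": ft(2024, 2, 12, 14, 33, 7, 812345), "B": ft(2019, 3, 1, 6, 0, 0)},
        "fn": {"M": ft(2024, 2, 12, 14, 33, 7, 812345), "A": ft(2024, 2, 12, 14, 33, 7, 812345),
               "C": ft(2024, 2, 12, 14, 33, 7, 812345), "B": ft(2024, 2, 12, 14, 33, 7, 812345)},
    },
    {   # copied from a FAT volume: $SI Modified keeps FAT's 2 s granularity, Born is the copy time
        "name": r"E:\report.docx",
        "si": {"M": ft(2022, 8, 15, 11, 30, 0), "A": ft(2024, 3, 4, 9, 12, 5, 901234),
               "C": ft(2024, 3, 4, 9, 12, 5, 901234), "B": ft(2024, 3, 4, 9, 12, 5, 901234)},
        "fn": {"M": ft(2024, 3, 4, 9, 12, 5, 901234), "A": ft(2024, 3, 4, 9, 12, 5, 901234),
               "C": ft(2024, 3, 4, 9, 12, 5, 901234), "B": ft(2024, 3, 4, 9, 12, 5, 901234)},
    },
]


def assess(records=SAMPLE_RECORDS):
    return {r["name"]: check_record(r) for r in records}


if __name__ == "__main__":
    for name, reasons in assess().items():
        print(name, "->", reasons or "clean")
```

Two caveats for real cases: a file moved or renamed after the stomp inherits the stomped $SI values in its new $FN attribute, so a clean $SI/$FN comparison is not proof of innocence; and files that arrived from FAT media or archives legitimately carry whole-second timestamps, which is why the first check demands zero fractions on all of M, A and B and should still be corroborated against the $UsnJrnl:$J entries for the file.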

USN Journal and $LogFile analysis

  • Describe the structure and forensic value of the NTFS USN Journal ($UsnJrnl:$J) and $LogFile including how file create, delete, rename, and attribute change operations are recorded for forensic reconstruction.
  • Implement USN Journal parsing using MFTECmd or usn.py to extract file operation records, correlate with MFT entries, and reconstruct file system activity timelines for deleted or renamed files.
  • Evaluate file system journal artifacts to reconstruct anti-forensic activity including file deletion patterns, secure wiping tool usage, and timestamp manipulation by cross-referencing USN Journal, $LogFile, and MFT residual data.
4 Advanced Windows Forensics
4 topics

Windows registry forensics

  • Identify key forensic artifacts within Windows registry hives (SYSTEM, SOFTWARE, SAM, NTUSER.DAT, UsrClass.dat) including autorun entries, MRU lists, network connections, USB device history, and user activity indicators.
  • Implement registry analysis using RegRipper, Registry Explorer, and RECmd to extract ShellBags (folder access history), UserAssist (program execution counts and timestamps), and BAM/DAM (Background/Desktop Activity Moderator execution records keyed by user SID).
  • Implement registry-based persistence detection by analyzing Run/RunOnce keys, services, scheduled tasks, Winlogon, AppInit_DLLs, COM object hijacking, and Image File Execution Options across all user and system hives.
  • Analyze registry artifacts to reconstruct user and adversary activity timelines, correlate registry timestamps with file system and event log evidence, and differentiate between legitimate system changes and malicious modifications.

Windows event log forensics

  • Identify forensically significant Windows event log channels and event IDs including Security (4624/4625 logons, 4688 process creation, 4720 account creation), System, PowerShell (4103/4104), Sysmon, and Task Scheduler logs.
  • Implement event log analysis using EvtxECmd, Hayabusa, or Chainsaw to parse EVTX files, apply detection rules, generate timeline entries, and identify high-fidelity indicators of compromise across multiple log channels.
  • Implement Sysmon log analysis to trace process creation chains, network connections, file modifications, registry changes, and WMI events providing enriched endpoint telemetry beyond native Windows event logging.
  • Analyze event log evidence to reconstruct lateral movement activity including RDP sessions (Security 4624 logon type 10, 4778/4779 session reconnect/disconnect, TerminalServices-LocalSessionManager 21/24/25), PsExec execution (System 7045 service installation, Security 5140 ADMIN$ share access), WMI remote execution (child processes of WmiPrvSE.exe), SMB share access, and Pass-the-Hash/Pass-the-Ticket authentication patterns (NTLM type 3 logons on the destination, type 9 seclogo logons on the source).
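The destination- and source-side indicators listed above, as an added example that is not course material or EvtxECmd/Hayabusa/Chainsaw code: a handful of rules over parsed events plus a join that ties the PsExec pattern (NTLM network logon, ADMIN$ access, service install on one host inside five minutes) back to the user and source address. Events are dicts carrying the EventData fields EvtxECmd or a SIEM would expose; the sample events, host names and IPs are constructed.

```python
"""Lateral-movement indicators from parsed Windows event logs.

Added example, not course material. Each event is a dict with host, channel, id,
an ISO-8601 time and the relevant EventData fields; the samples are constructed.
"""
from datetime import datetime, timedelta


def rule_pth_source(e):
    # Source side of Pass-the-Hash / Overpass-the-Hash (mimikatz sekurlsa::pth, runas
    # /netonly): a NewCredentials (type 9) logon through the seclogo logon process.
    if (e["id"] == 4624 and e.get("LogonType") == 9
            and e.get("LogonProcessName") == "seclogo"
            and e.get("AuthenticationPackageName") == "Negotiate"):
        return "pass-the-hash (source)", "type 9 seclogo logon as %s" % e.get("TargetUserName")


def rule_ntlm_network_logon(e):
    # On the destination PtH is just an NTLM network logon; keep it as context to join on.
    if (e["id"] == 4624 and e.get("LogonType") == 3
            and e.get("AuthenticationPackageName") == "NTLM"
            and not str(e.get("TargetUserName", "")).endswith("$")):
        return "ntlm network logon", "%s from %s" % (e.get("TargetUserName"), e.get("IpAddress"))


def rule_admin_share(e):
    if e["id"] == 5140 and str(e.get("ShareName", "")).upper().endswith(("ADMIN$", "C$")):
        return "admin share access", "%s opened %s from %s" % (
            e.get("SubjectUserName"), e.get("ShareName"), e.get("IpAddress"))


def rule_service_exec(e):
    # PsExec drops PSEXESVC; other tools install a throwaway service whose image is a shell.
    if e["id"] == 7045 and e.get("channel") == "System":
        name = str(e.get("ServiceName", "")).upper()
        path = str(e.get("ImagePath", "")).lower()
        if name.startswith("PSEXESVC") or "%comspec%" in path or "cmd.exe /c" in path or "powershell" in path:
            return "remote service execution", "service %s -> %s" % (e.get("ServiceName"), e.get("ImagePath"))


def rule_rdp_logon(e):
    if e["id"] == 4624 and e.get("LogonType") == 10:
        return "rdp logon", "%s from %s" % (e.get("TargetUserName"), e.get("IpAddress"))


def rule_wmi_exec(e):
    # Remote WMI execution on the destination: the new process is parented by WmiPrvSE.exe.
    if e["id"] == 4688 and str(e.get("ParentProcessName", "")).lower().endswith("\\wmiprvse.exe"):
        return "wmi remote execution", "%s spawned by WmiPrvSE.exe" % e.get("NewProcessName")


RULES = [rule_pth_source, rule_ntlm_network_logon, rule_admin_share,
         rule_service_exec, rule_rdp_logon, rule_wmi_exec]


def lateral_movement_findings(events):
    findings = []
    for e in sorted(events, key=lambda x: (x["time"], x["host"])):
        for rule in RULES:
            hit = rule(e)
            if hit:
                findings.append({"time": e["time"], "host": e["host"],
                                 "technique": hit[0], "detail": hit[1]})
    return findings


def psexec_chains(events, window=timedelta(minutes=5)):
    """Destination-side PsExec pattern: NTLM network logon + ADMIN$ access followed by a
    service install on the same host within `window`. Returns {host: {...}}."""
    per_host = {}
    for e in events:
        per_host.setdefault(e["host"], []).append(e)
    chains = {}
    for host, evs in per_host.items():
        evs.sort(key=lambda x: x["time"])
        for svc in evs:
            if not rule_service_exec(svc):
                continue
            t0 = datetime.fromisoformat(svc["time"])
            earlier = [x for x in evs
                       if 0 <= (t0 - datetime.fromisoformat(x["time"])).total_seconds() <= window.total_seconds()]
            logons = [x for x in earlier if rule_ntlm_network_logon(x)]
            shares = [x for x in earlier if rule_admin_share(x)]
            if logons and shares:
                chains[host] = {"user": logons[-1].get("TargetUserName"),
                                "source_ip": logons[-1].get("IpAddress"),
                                "service": svc.get("ServiceName"), "time": svc["time"]}
    return chains


# Constructed sample: WS01 is the attacker's foothold, FS01 the PsExec target, DC01 reached via WMI.
SAMPLE_EVENTS = [
    {"host": "WS01", "channel": "Security", "id": 4624, "time": "2024-03-04T10:01:02", "LogonType": 9,
     "LogonProcessName": "seclogo", "AuthenticationPackageName": "Negotiate", "TargetUserName": "jdoe", "IpAddress": "::1"},
    {"host": "FS01", "channel": "Security", "id": 4624, "time": "2024-03-04T10:01:05", "LogonType": 3,
     "LogonProcessName": "NtLmSsp", "AuthenticationPackageName": "NTLM", "TargetUserName": "jdoe", "IpAddress": "10.1.1.50"},
    {"host": "FS01", "channel": "Security", "id": 5140, "time": "2024-03-04T10:01:06",
     "ShareName": "\\\\*\\ADMIN$", "SubjectUserName": "jdoe", "IpAddress": "10.1.1.50"},
    {"host": "FS01", "channel": "System", "id": 7045, "time": "2024-03-04T10:01:07",
     "ServiceName": "PSEXESVC", "ImagePath": "%SystemRoot%\\PSEXESVC.exe"},
    {"host": "FS01", "channel": "Security", "id": 4624, "time": "2024-03-04T10:05:00", "LogonType": 3,   # benign Kerberos logon
     "LogonProcessName": "Kerberos", "AuthenticationPackageName": "Kerberos", "TargetUserName": "backupsvc", "IpAddress": "10.1.1.20"},
    {"host": "FS01", "channel": "Security", "id": 4624, "time": "2024-03-04T10:30:00", "LogonType": 10,
     "LogonProcessName": "User32", "AuthenticationPackageName": "Negotiate", "TargetUserName": "jdoe", "IpAddress": "10.1.1.50"},
    {"host": "DC01", "channel": "Security", "id": 4688, "time": "2024-03-04T10:35:00", "SubjectUserName": "jdoe",
     "NewProcessName": "C:\\Windows\\System32\\cmd.exe", "ParentProcessName": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe"},
    {"host": "DC01", "channel": "System", "id": 7045, "time": "2024-03-04T10:36:00",                      # benign service install
     "ServiceName": "Sense", "ImagePath": "\"C:\\Program Files\\Windows Defender Advanced Threat Protection\\MsSense.exe\""},
]

if __name__ == "__main__":
    for f in lateral_movement_findings(SAMPLE_EVENTS):
        print(f["time"], f["host"], f["technique"], "-", f["detail"])
    print(psexec_chains(SAMPLE_EVENTS))
```

The single-event rules are deliberately loose (an NTLM network logon on its own is normal); the value is in the join, which only reports FS01 once the logon, the share open and the service install line up from one source address inside the window.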

Program execution and application artifacts

  • Describe Windows program execution artifacts including Prefetch files, ShimCache (AppCompatCache), AmCache.hve, SRUM (System Resource Usage Monitor), and Jump Lists, and explain the forensic information each provides about program execution history.
  • Implement Prefetch analysis using PECmd to extract execution timestamps, run counts, referenced files and directories, and volume information to establish program execution timelines on investigated systems.
  • Implement ShimCache and AmCache analysis using AppCompatCacheParser and AmcacheParser to extract application evidence: ShimCache (AppCompatCache) entries record the full path and the file's last-modified time and, on Windows 7, carry an execution flag, whereas on Windows 8 and later they show only that the file existed at that path; AmCache.hve records the path, the SHA1 of the file's first 31 MB, the PE link (compile) time, and the time the entry was first written, which marks first presence rather than first execution.
  • Analyze SRUM database records to determine application resource usage patterns including network bytes sent/received per application, execution duration, and energy usage to identify data exfiltration or unauthorized application activity.
  • Evaluate program execution evidence across multiple artifacts (Prefetch, ShimCache, AmCache, UserAssist, BAM) to corroborate or refute adversary tool execution and establish definitive execution timelines with high confidence.
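The corroboration step above, as an added example that is not course material or Zimmerman-tool code: a verdict function that treats Prefetch, BAM, UserAssist (and ShimCache only on Windows 7 with the execution flag) as proof of execution, and ShimCache on Windows 8+ and Amcache as evidence of presence only. Each input is the per-artifact result for one suspect path in the shape PECmd, AppCompatCacheParser, AmcacheParser and RECmd output would be normalised to; the three cases, the SID and the SHA1 are constructed.

```python
"""Corroborating program execution across Prefetch, BAM, UserAssist, ShimCache and Amcache.

Added example, not course material. `ev` holds one normalised entry per artifact
(None where the artifact has no entry for the path); timestamps are ISO-8601 UTC.
"""


def execution_assessment(ev):
    times, notes, proof = [], [], []
    pf = ev.get("prefetch")
    if pf:
        proof.append("Prefetch")
        times += pf["last_runs"]
        notes.append("Prefetch: %d run(s); last-run times are ~10 s after process start" % pf["run_count"])
    bam = ev.get("bam")
    if bam:
        proof.append("BAM")
        times.append(bam["last_exec"])
        notes.append("BAM: executed under %s" % bam["sid"])
    ua = ev.get("userassist")
    if ua:
        proof.append("UserAssist")
        times.append(ua["last_exec"])
        notes.append("UserAssist: launched %d time(s) through Explorer by the user" % ua["run_count"])
    sc = ev.get("shimcache")
    if sc:
        if ev["os"] == "win7" and sc.get("executed_flag"):
            proof.append("ShimCache")
            notes.append("ShimCache (Windows 7): execution flag set; file last modified %s" % sc["last_modified"])
        else:
            # Windows 8+ entries mean the file existed at that path; they do not record a run.
            notes.append("ShimCache: file existed at that path (no execution record on Windows 8+); "
                         "last modified %s" % sc["last_modified"])
    am = ev.get("amcache")
    if am:
        notes.append("Amcache: SHA1 %s, PE link time %s; entry written %s (first presence, not first execution)"
                     % (am["sha1"], am["link_date"], am["first_seen"]))
    if proof:
        verdict = "executed"
    elif sc or am:
        verdict = "present on disk, execution unconfirmed"
    else:
        verdict = "no evidence"
    return {"path": ev["path"], "verdict": verdict, "proven_by": proof,
            "earliest_run": min(times) if times else None,
            "latest_run": max(times) if times else None, "notes": notes}


# Constructed cases (paths, SID and hash are illustrative).
CASES = [
    {"path": r"C:\Users\jdoe\AppData\Local\Temp\update.exe", "os": "win10",
     "prefetch": {"run_count": 3, "last_runs": ["2024-03-04T10:02:11", "2024-03-04T10:40:02", "2024-03-05T07:15:44"]},
     "bam": {"sid": "S-1-5-21-1111-2222-3333-1104", "last_exec": "2024-03-05T07:15:40"},
     "userassist": None,
     "shimcache": {"last_modified": "2024-03-01T08:00:00"},
     "amcache": {"sha1": "0123456789abcdef0123456789abcdef01234567",
                 "link_date": "2023-12-20T04:11:09", "first_seen": "2024-03-04T10:02:09"}},
    {"path": r"C:\Windows\Temp\m.exe", "os": "win10",          # only presence artifacts survive
     "prefetch": None, "bam": None, "userassist": None,
     "shimcache": {"last_modified": "2024-03-04T09:58:00"},
     "amcache": {"sha1": "89abcdef0123456789abcdef0123456789abcdef",
                 "link_date": "2024-02-28T22:40:15", "first_seen": "2024-03-04T09:58:30"}},
    {"path": r"C:\Users\jdoe\Downloads\tool.exe", "os": "win7",  # Windows 7 ShimCache does prove a run
     "prefetch": None, "bam": None, "userassist": None,
     "shimcache": {"last_modified": "2024-02-10T12:00:00", "executed_flag": True},
     "amcache": None},
]

if __name__ == "__main__":
    for case in CASES:
        r = execution_assessment(case)
        print(r["path"], "->", r["verdict"], r["proven_by"], r["earliest_run"], r["latest_run"])
```

Prefetch is off by default on Windows Server SKUs, and BAM only exists from Windows 10 1709 onward, so the second case (presence artifacts only) is common on servers; the honest verdict there is "unconfirmed" until an event log, EDR or memory artifact supplies the run.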

PowerShell and scripting forensics

  • Identify PowerShell forensic artifacts including script block logging (Event ID 4104), module logging (4103), transcription logs, console history files (ConsoleHost_history.txt), and AMSI (Antimalware Scan Interface) telemetry.
  • Implement PowerShell log analysis to reconstruct obfuscated command execution, decode Base64-encoded payloads, trace script block deobfuscation chains, and identify fileless attack patterns using in-memory .NET assembly loading.
  • Analyze PowerShell-based attack chains to determine adversary capabilities, identify Invoke-Expression cradle downloads, PowerShell remoting (Enter-PSSession, Invoke-Command) lateral movement, and AMSI bypass techniques.
5 Enterprise-Scale Forensics and EDR Analysis
2 topics

Enterprise forensic collection at scale

  • Describe enterprise forensic architecture patterns including centralized collection servers, distributed agent-based collection, cloud-based analysis platforms, and the tradeoffs between bandwidth, storage, and investigation speed at scale.
  • Configure Velociraptor server infrastructure with multi-frontend deployment, client enrollment, labeling, and artifact monitoring for continuous enterprise-wide forensic visibility across Windows, Linux, and macOS endpoints.
  • Implement KAPE batch processing across multiple collected triage images with automated artifact parsing, output normalization, and integration with analysis platforms such as SIEM or Elastic for scaled forensic workflows.
  • Evaluate enterprise collection strategies to optimize evidence acquisition coverage, minimize network impact during active investigations, and prioritize high-value endpoints based on threat intelligence and lateral movement indicators.

EDR telemetry and threat detection

  • Describe EDR telemetry data types including process creation events, file write events, registry modifications, network connections, DNS queries, and loaded modules, and explain how this data supports real-time threat detection and retrospective investigation.
  • Implement EDR query-based investigation using structured searches across process execution, file modifications, network connections, and registry changes to hunt for specific adversary techniques across the enterprise endpoint fleet.
  • Analyze EDR detection alert chains to distinguish true positive compromise indicators from false positives, correlate detections with forensic artifacts, and assess the completeness of EDR visibility for the observed attack techniques.
6 Malware and Adversary Detection
4 topics

Persistence mechanism analysis

  • Identify common Windows persistence mechanisms including registry autorun keys, scheduled tasks, services, WMI event subscriptions, DLL search order hijacking, startup folder shortcuts, and Group Policy-based persistence.
  • Implement Autoruns analysis using Sysinternals Autoruns and autorunsc to enumerate all persistence locations on a system, compare against known-good baselines, and identify unauthorized or suspicious persistence entries.
  • Implement WMI persistence detection by analyzing WMI repository files (OBJECTS.DATA, INDEX.BTR), extracting event subscriptions, filters, and consumers, and identifying malicious permanent event subscriptions used for fileless persistence.
  • Evaluate persistence mechanisms across multiple endpoints to determine adversary re-entry capabilities, assess eradication completeness, and recommend hardening measures to prevent re-establishment of persistence after remediation.

Living-off-the-land and fileless attack detection

  • Identify living-off-the-land binaries (LOLBins) commonly abused by adversaries including certutil, mshta, regsvr32, rundll32, wmic, bitsadmin, and msiexec, and describe the legitimate versus malicious usage patterns for each.
  • Implement LOLBin detection rules using Sigma/YARA signatures and event log analysis to detect suspicious usage of legitimate system binaries for download, execution, and defense evasion across endpoint telemetry sources.
  • Analyze fileless attack chains that combine PowerShell, WMI, .NET reflection, and in-memory execution to reconstruct the full attack sequence, identify payload delivery mechanisms, and determine the scope of code execution without disk artifacts.

Lateral movement detection and analysis

  • Describe lateral movement techniques including Pass-the-Hash, Pass-the-Ticket, Overpass-the-Hash, RDP hijacking, PsExec/SMB execution, WMI remoting, WinRM, and DCOM-based execution, and identify the artifacts each technique leaves on source and destination hosts.
  • Implement lateral movement artifact collection by correlating Security event logs, SMB session logs, RDP bitmap cache, scheduled task creation events, and service installation records across source and destination endpoints.
  • Analyze lateral movement paths across an enterprise network to map adversary traversal, identify compromised credentials, determine the full scope of accessed systems, and prioritize containment actions based on criticality of affected assets.

Anti-forensics detection

  • Identify anti-forensic techniques including log clearing (wevtutil cl; Security Event ID 1102 and System Event ID 104 record the clear itself), timestomping, secure deletion, alternate data stream abuse, and evidence destruction tools, and describe their forensic indicators.
  • Implement anti-forensic detection workflows by examining log gap analysis, recovering cleared event logs from volume shadow copies, detecting alternate data stream usage, and identifying evidence of secure deletion tool execution.
  • Assess the impact of anti-forensic activity on investigation completeness, determine which evidence gaps can be filled through alternative artifact sources, and evaluate the reliability of remaining evidence for attribution conclusions.
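The log gap analysis from the second bullet above, as an added example that is not course material: it lists the 1102/104 "log cleared" records with the clearing account and flags inter-event intervals that exceed both a floor and a multiple of the log's own median interval, so a busy and a quiet log each get a threshold that fits them. The sample log is constructed: a Security log merged from a volume shadow copy and the live channel, with a seven-hour hole ending in a 1102.

```python
"""Log-clearing and gap detection over a parsed event log.

Added example, not course material. Events are dicts with channel, id, ISO-8601 time
and EventData fields as EvtxECmd would emit them; the sample log is constructed.
"""
from datetime import datetime, timedelta
from statistics import median

CLEAR_EVENTS = {("Security", 1102), ("System", 104)}


def find_log_gaps(events, factor=20, min_gap=timedelta(hours=1)):
    """Returns {"cleared": [...], "gaps": [(start, end, duration)], "threshold": timedelta}.
    A gap is an interval longer than both `min_gap` and `factor` x the median interval."""
    evs = sorted(events, key=lambda e: e["time"])
    cleared = [{"time": e["time"], "channel": e["channel"], "id": e["id"], "by": e.get("SubjectUserName")}
               for e in evs if (e["channel"], e["id"]) in CLEAR_EVENTS]
    times = [datetime.fromisoformat(e["time"]) for e in evs]
    deltas = [b - a for a, b in zip(times, times[1:])]
    if not deltas:
        return {"cleared": cleared, "gaps": [], "threshold": None}
    threshold = max(min_gap, median(deltas) * factor)
    gaps = [(evs[i]["time"], evs[i + 1]["time"], d) for i, d in enumerate(deltas) if d > threshold]
    return {"cleared": cleared, "gaps": gaps, "threshold": threshold}


def build_sample():
    """Constructed Security log: a logon every ~5 min, a 7 h hole, a 1102, then normal again."""
    t = datetime(2024, 3, 4, 0, 0, 0)
    evs = []
    for i in range(40):
        evs.append({"channel": "Security", "id": 4624, "time": t.isoformat(), "TargetUserName": "svc_backup"})
        t += timedelta(minutes=5, seconds=(i * 7) % 60)
    t += timedelta(hours=7)                         # nothing survives from this window
    evs.append({"channel": "Security", "id": 1102, "time": t.isoformat(), "SubjectUserName": "jdoe"})
    for _ in range(10):
        t += timedelta(minutes=5)
        evs.append({"channel": "Security", "id": 4624, "time": t.isoformat(), "TargetUserName": "svc_backup"})
    return evs


SAMPLE_LOG = build_sample()

if __name__ == "__main__":
    r = find_log_gaps(SAMPLE_LOG)
    print("threshold:", r["threshold"])
    for c in r["cleared"]:
        print("cleared:", c)
    for start, end, d in r["gaps"]:
        print("gap:", start, "->", end, d)
```

A gap that ends exactly at a 1102 is the signature of a clear; a gap with no 1102 points at a stopped EventLog service, a tampered registry retention setting, or a removed .evtx, and in every case the next step is the same: pull the older copy of the channel from volume shadow copies, forwarded-event collectors or Sysmon to fill the window.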
7 Intrusion Reconstruction and Reporting
2 topics

Attack reconstruction and attribution

  • Implement full intrusion timeline reconstruction by merging super timeline data, memory forensic findings, event log analysis, and registry artifacts into a comprehensive narrative of adversary actions from initial access through objective completion.
  • Analyze adversary tradecraft patterns using Diamond Model and MITRE ATT&CK Navigator to characterize threat actor capabilities, infrastructure, and victimology and assess attribution confidence levels based on available forensic evidence.

Forensic reporting and remediation

  • Implement structured forensic reporting that documents findings with evidence citations, timeline visualizations, IOC lists, affected asset inventories, and clear conclusions supported by corroborating artifact analysis.
  • Evaluate remediation effectiveness by verifying eradication of all identified persistence mechanisms, confirming adversary access has been terminated, and recommending detection improvements to prevent recurrence of the observed attack techniques.

Scope

Included Topics

  • All domains covered by the GIAC Certified Forensic Analyst (GCFA) certification aligned with SANS FOR508: Advanced Incident Response, Threat Hunting, and Digital Forensics.
  • Advanced incident response and threat hunting techniques including hypothesis-driven hunting, IOC-based hunting, anomaly detection, and tactical threat intelligence integration.
  • Memory forensics using Volatility framework: process analysis, DLL injection detection, rootkit identification, memory-resident malware extraction, and credential harvesting from memory dumps.
  • Timeline analysis using plaso/log2timeline: super timeline creation, artifact correlation across NTFS timestamps, event logs, prefetch, shimcache, amcache, and browser artifacts.
  • Advanced Windows forensics: NTFS artifact analysis (MFT, USN journal, $LogFile), registry forensics (ShellBags, UserAssist, BAM/DAM), event log analysis (Security, System, PowerShell, Sysmon), and lateral movement artifact detection.
  • Enterprise-scale forensics: KAPE-based triage collection, Velociraptor deployment for endpoint-wide hunting, EDR telemetry analysis, and large-scale evidence correlation.
  • Malware and adversary detection: living-off-the-land binary (LOLBin) identification, fileless malware detection, persistence mechanism analysis, and MITRE ATT&CK framework mapping of adversary techniques.

Not Covered

  • Basic digital forensics concepts covered by entry-level certifications such as file system fundamentals or introductory evidence handling procedures.
  • Mobile device forensics, cloud forensics, and network forensics that fall under separate GIAC certifications (GASF, GCFR, GNFA).
  • Malware reverse engineering at the assembly/disassembly level covered by GREM certification.
  • Legal procedures specific to individual jurisdictions beyond general chain-of-custody and evidence admissibility principles.
  • Vendor-specific EDR product administration not directly related to forensic artifact analysis.

Official Exam Page

Learn more at GIAC Certifications


Trademark Notice

GIAC® is a registered trademark of Global Information Assurance Certification (a subsidiary of the SANS Institute). GIAC does not endorse this product.

AccelaStudy® and Renkara® are registered trademarks of Renkara Media Group, Inc. All third-party marks are the property of their respective owners and are used for nominative identification only.