GCFE (Coming Soon)

Expected availability announced soon.

This course is in active development. Preview the scope below and create a free account to be notified the moment it goes live.

The GCFE training teaches analysts how to conduct Windows forensic examinations, covering file systems, artifacts, browsers, email, and USB devices, enabling accurate evidence collection and incident response.

  • Exam length: 180 minutes
  • Questions: 82
  • Passing score: 71/100
  • Exam cost: $979

Who Should Take This

This course is designed for forensic analysts, incident responders, and security engineers with one to two years of experience in Windows environments who need to deepen their skills in evidence acquisition, artifact analysis, and reporting for legal, operational, and compliance purposes.

What's Covered

  • Domain 1: Windows Forensic Analysis
  • Domain 2: Browser Forensics
  • Domain 3: Email Forensics
  • Domain 4: USB and External Device Forensics
  • Domain 5: Windows Artifact Analysis
  • Domain 6: File System Timeline Analysis
  • Domain 7: Evidence Acquisition and Handling

What's Included in AccelaStudy® AI

Adaptive Knowledge Graph
Practice Questions
Lesson Modules
Console Simulator Labs
Exam Tips & Strategy
20 Activity Formats

Course Outline

60 learning goals

Domain 1: Windows Forensic Analysis (3 topics)

NTFS file system forensics

  • Describe NTFS file system architecture including Master File Table structure, $MFT record layout, $STANDARD_INFORMATION and $FILE_NAME attributes, alternate data streams, and resident vs non-resident data
  • Identify NTFS metadata artifacts including $LogFile transaction journal, $UsnJrnl change journal, $I30 index entries, and $Bitmap allocation records with their forensic significance
  • Describe NTFS timestamp types including $STANDARD_INFORMATION MACB timestamps, $FILE_NAME timestamps, and the forensic significance of discrepancies between these two attribute sets
  • Implement NTFS forensic analysis using FTK Imager, Autopsy, and MFTECmd to parse $MFT records, extract file metadata, recover deleted entries, and identify timestomping artifacts
  • Execute NTFS journal analysis using MFTECmd and USN Journal tools to reconstruct file creation, modification, renaming, and deletion events for incident timeline construction

Windows Registry forensics

  • Describe Windows Registry hive structure including SYSTEM, SOFTWARE, SAM, SECURITY, NTUSER.DAT, and UsrClass.dat hives with their artifact categories and forensic examination value
  • Identify registry-based forensic artifacts including MRU lists, UserAssist ROT13 entries, TypedPaths, WordWheelQuery, RecentDocs, and RunMRU keys for user activity reconstruction
  • Describe registry-based system configuration artifacts including installed software, network interfaces, timezone settings, USB device history, and service configurations in SYSTEM and SOFTWARE hives
  • Implement registry forensic analysis using RegRipper, Registry Explorer, and RECmd to extract user activity, application execution evidence, and system configuration change history
  • Execute registry transaction log analysis using Registry Explorer to recover deleted keys and values, identify recent modifications, and detect registry-based malware persistence mechanisms
  • Analyze registry artifacts to correlate user activity patterns, determine application usage frequency, and reconstruct system configuration changes for forensic case narrative development

Windows Event Log forensics

  • Describe Windows Event Log architecture including EVTX format structure, channel hierarchy, provider registration, and key security, system, and application log entries for forensic investigations
  • Identify critical security event IDs for forensic analysis including logon events (4624/4625), process creation (4688), PowerShell execution (4103/4104), and scheduled task events (4698/4702)
  • List Windows event log sources for lateral movement detection including remote service events, RDP connection events (1149), WinRM events (91/168), and network share access events (5140/5145)
  • Implement event log forensic analysis using EvtxECmd, Hayabusa, and Timeline Explorer to parse EVTX files, apply detection rules, and correlate logon sessions with user activity patterns
  • Analyze Windows event logs to reconstruct attack sequences including initial access, privilege escalation, lateral movement, and data exfiltration using correlated multi-source event evidence

Domain 2: Browser Forensics (1 topic)

Browser data extraction and analysis

  • Describe browser data storage formats including Chrome SQLite databases, Firefox places.sqlite and logins.json, Edge Chromium profile structure, and Safari binary plist storage on Windows
  • Identify browser forensic artifact categories including browsing history, download records, cached content, cookies, autofill data, saved passwords, session restore, and browser extension data
  • Implement browser history forensic extraction using Hindsight, BrowsingHistoryView, and DB Browser for SQLite to recover browsing sessions, download records, and autofill entries
  • Execute browser cache and cookie analysis to recover cached web content, extract session tokens, identify accessed cloud services, and reconstruct web-based communication activity patterns
  • Implement browser password and credential recovery to extract saved login credentials, analyze password store encryption, and identify credential reuse across websites in forensic investigations
  • Analyze private browsing and anti-forensic browser artifacts to assess residual evidence from incognito sessions, browser history deletion, and cache clearing activities on Windows systems
  • Evaluate browser artifact completeness and reliability by comparing multiple browser data sources, assessing timestamp consistency, and identifying gaps caused by browser updates or data migration

Domain 3: Email Forensics (1 topic)

Email storage and header analysis

  • Describe email storage formats including PST/OST (Outlook), MBOX, EML, and cloud-based email storage with their forensic acquisition methods and artifact preservation characteristics
  • Identify email header forensic artifacts including Received headers, Message-ID, SPF/DKIM/DMARC results, X-Originating-IP, and Return-Path for tracing message origin and routing
  • Implement email forensic analysis using Kernel PST Viewer, Aid4Mail, and pffexport to extract emails, attachments, calendar entries, and contacts from Outlook PST/OST archive files
  • Execute email header analysis and phishing investigation by tracing delivery paths, identifying spoofed sender addresses, and extracting malicious attachment and URL indicators of compromise
  • Implement web-based email forensic recovery by analyzing browser artifacts, cached email content, and local storage data for Gmail, Outlook.com, and Yahoo Mail access evidence
  • Analyze email evidence to reconstruct communication patterns, identify data exfiltration via attachments, and correlate email artifacts with registry, browser, and file system evidence sources

Domain 4: USB and External Device Forensics (1 topic)

Removable storage device tracking and analysis

  • Describe Windows USB device tracking mechanisms including USBSTOR registry keys, setupapi.dev.log entries, Plug and Play event logs, and volume serial number artifacts for device identification
  • Identify USB forensic artifact locations including MountPoints2 registry keys, volume GUID mappings, drive letter assignments, and first/last connection timestamps across multiple registry hives
  • Implement USB device forensic analysis using USBDeview, Registry Explorer, and USB Detective to reconstruct device connection history, identify serial numbers, and determine usage patterns
  • Execute removable storage data transfer investigation by correlating USB timestamps with file access events, LNK file references, and Jump List entries to trace data movement
  • Implement mobile device and cloud storage connection forensics by analyzing MTP device artifacts, iTunes backup evidence, and cloud sync client artifacts on Windows examination targets
  • Analyze USB and external device artifacts to construct comprehensive device connection timelines, identify unauthorized device usage, and evaluate data transfer evidence for insider threat cases

Domain 5: Windows Artifact Analysis (1 topic)

Program execution and user activity artifacts

  • Describe Windows Prefetch file structure including header format, execution count, last eight run timestamps, referenced files and directories, and compressed format changes in Windows 10/11
  • Identify Shimcache (AppCompatCache) artifact structure in the SYSTEM registry hive including entry format, timestamp fields, and execution flag interpretation across Windows version variants
  • Describe Amcache.hve contents including InventoryApplicationFile entries, driver records, ProgramDataUpdater entries, and SHA1 hash values for application execution evidence correlation
  • Identify Shellbags artifact structure in NTUSER.DAT and UsrClass.dat including BagMRU/Bags keys, folder access timestamps, network path navigation evidence, and ZIP archive browsing records
  • Implement Prefetch forensic analysis using PECmd to extract application execution evidence including run counts, timestamps, referenced DLLs, and accessed directories for execution profiling
  • Execute Shimcache and Amcache analysis using AppCompatCacheParser and AmcacheParser to identify executed programs, first execution timestamps, and correlate with known malware indicators
  • Implement Shellbags analysis using ShellBags Explorer to reconstruct folder navigation patterns, identify accessed network shares, and recover evidence of deleted folder structures
  • Execute LNK file and Jump List forensic analysis using LECmd and JLECmd to extract file access timestamps, original file paths, volume information, and target MAC address data
  • Implement SRUM (System Resource Usage Monitor) database analysis to extract application execution records, network usage data, and energy consumption patterns for user activity correlation
  • Analyze program execution artifacts by cross-referencing Prefetch, Shimcache, Amcache, and UserAssist data to establish comprehensive execution timelines and corroborate investigative findings
  • Evaluate the evidentiary value of Windows execution artifacts by assessing timestamp reliability, artifact persistence across system updates, and the impact of anti-forensic techniques on each source

Domain 6: File System Timeline Analysis (1 topic)

Timeline creation and temporal analysis

  • Describe file system timeline analysis methodology including MACB timestamp types, timeline generation approaches, pivot point identification, and temporal correlation techniques for evidence correlation
  • Identify timestamp manipulation indicators including $STANDARD_INFORMATION vs $FILE_NAME discrepancies, nanosecond precision anomalies, and known timestomping tool artifact signatures
  • Describe Volume Shadow Copy forensic analysis including snapshot enumeration, previous version recovery, deleted file extraction, and registry hive recovery from VSS snapshots
  • Implement super timeline generation using Plaso (log2timeline) to aggregate file system, registry, event log, browser, and application timestamps into a unified forensic timeline
  • Execute timeline analysis using Timeline Explorer to filter, sort, and navigate large timelines for identifying suspicious activity windows and correlating evidence across multiple sources
  • Implement Volume Shadow Copy analysis using vshadowmount and Arsenal Image Mounter to access historical file versions and recover deleted evidence from previous system restore points
  • Analyze forensic timelines to reconstruct incident sequences, identify anti-forensic timestamp manipulation, and produce comprehensive activity narratives suitable for legal proceedings

Domain 7: Evidence Acquisition and Handling (1 topic)

Forensic imaging and evidence integrity

  • Describe digital evidence acquisition methods including physical imaging, logical acquisition, targeted collection, live system triage, and remote acquisition with chain of custody requirements
  • Identify forensic image formats including E01/Ex01 (EnCase), AFF4, raw/dd, and VHDX with their integrity verification mechanisms, compression support, and tool compatibility characteristics
  • Implement forensic disk imaging using FTK Imager, dc3dd, and KAPE to create verified forensic images with cryptographic hash verification, write blocking, and chain of custody documentation
  • Execute targeted evidence collection using KAPE to efficiently acquire registry hives, event logs, prefetch files, browser data, and user profile contents from live and mounted systems
  • Implement evidence integrity verification using MD5, SHA1, and SHA256 hash algorithms to validate forensic image authenticity and demonstrate evidence integrity throughout examination
  • Execute virtual machine forensic analysis by converting forensic images to VMDK/VHD format for live boot examination, application testing, and interactive artifact analysis in isolated environments
  • Analyze evidence acquisition methodology to evaluate collection completeness, assess potential spoliation risks, and determine admissibility considerations for forensic examination findings

Scope

Included Topics

  • All domains covered by the GIAC GCFE certification aligned with SANS FOR500: Windows Forensic Analysis, including NTFS forensics, Windows Registry analysis, event log examination, browser forensics, email forensics, USB device tracking, Windows execution artifacts, timeline analysis, and evidence handling.
  • Windows forensic tools including Eric Zimmerman tools (MFTECmd, RECmd, PECmd, ShellBags Explorer, Timeline Explorer, LECmd, JLECmd, AmcacheParser, AppCompatCacheParser, EvtxECmd), KAPE, FTK Imager, Autopsy, RegRipper, Plaso, Hindsight, and Hayabusa.
  • Digital evidence handling procedures including forensic imaging, write blocking, hash verification, chain of custody documentation, and evidence integrity maintenance throughout the examination lifecycle.
  • Windows artifact correlation techniques for reconstructing user activity, identifying program execution, tracking file access patterns, and building comprehensive forensic timelines from multiple artifact sources.
  • Anti-forensic detection including timestamp manipulation identification, evidence destruction analysis, and artifact recovery techniques for compromised Windows systems.

Not Covered

  • Advanced malware reverse engineering and memory forensics covered by GIAC GREM at the binary analysis depth level.
  • Network forensics and packet capture analysis covered by GIAC GNFA beyond Windows host-level artifact examination.
  • Linux and macOS forensic analysis techniques not included in the Windows-focused FOR500 curriculum.
  • Mobile device forensics covered by GIAC GMOB including iOS and Android artifact analysis methodologies.
  • Cloud forensics and incident response in cloud environments covered by GIAC GCFR beyond local Windows examination.
  • Advanced threat hunting and enterprise-scale detection engineering covered by GIAC GCTI beyond individual host examination.

Official Exam Page

Learn more at GIAC Certifications.


Trademark Notice

GIAC® is a registered trademark of Global Information Assurance Certification (a subsidiary of the SANS Institute). GIAC does not endorse this product.

AccelaStudy® and Renkara® are registered trademarks of Renkara Media Group, Inc. All third-party marks are the property of their respective owners and are used for nominative identification only.