
Test Overview
All test candidates will need to submit a Certification
Test Application and Agreement.
The CSFA certification test is the only test currently
available of its kind. It closely resembles a scenario
that a forensic analyst will encounter in the real
world, with a specific time frame to complete the
analysis, and the ability to request additional information
relevant to the case. This is an advanced test, designed
for professionals who already possess practical experience
in the field of digital forensics.
CSFA candidates will have three days to take the
test. There is a written component of 50 multiple
choice questions, with the majority of the test being
hands-on. Candidates will be given a scenario that
includes processing a hard drive and may include other
media such as a CD, DVD, or USB drive. Some scenarios
include a cellular phone or other handheld device.
The test candidate may be presented with a running
computer to analyze, or the media/devices to be
analyzed will be delivered by courier. Hard drives
to be processed will be 10 Gigabytes or smaller, depending
on the scenario.
The written test will comprise 30% of the total
score, with the practical comprising 70% of the total
score. An overall score of 85% must be attained in
order to earn the designation of CyberSecurity Forensic
Analyst (CSFA).
Candidates will be allowed to request additional
information after reviewing their particular scenario,
such as proxy, IDS, and router logs, acceptable use
policies, interrogatories, etc. Depending on the scenario
that the candidate receives, he or she may have to
assist in creating the verbiage for:
- Motions
- Affidavits
- Subpoenas
The candidate will also be required to verify and
document that their forensic workstation is in proper
operating condition, as well as verify and document
the proper operation of any write blocking or imaging
hardware/software used. A chain of custody will also
need to be established for all evidence.
Forensic Processing Environment
Each CSFA candidate will be provided a computer running
Windows XP or Vista, with administrative access. Each
candidate is to bring their own forensic software
and imaging hardware. Cables will be made available
for any handheld device that is part of a candidate's
scenario.
Prerequisites
Before taking the CSFA test, test candidates
should have at least two years of experience with
both the technical and administrative aspects of conducting
forensic analysis, to include creating the verbiage
for subpoenas, motions, and affidavits, as well as
experience creating comprehensive forensic analysis
reports. In addition to these experience requirements,
it is highly recommended that candidates have obtained
one of the following certifications:
- AccessData Certified Examiner (ACE)
- Certified Forensic Computer Examiner (CFCE)
- Certified Computer Examiner (CCE)
- Computer Hacking Forensic Investigator (CHFI)
- EnCase Certified Examiner (EnCE)
- GIAC Certified Forensics Analyst (GCFA)
Practice cases will be provided to test candidates
after submission and acceptance of the CSFA Certification
Test Application and Agreement. Practice cases
will be graded and returned to the test candidate
within two weeks of submission.
It is up to each candidate to make sure they possess
the requisite skills and experience before taking
the CSFA test. It is recommended that each candidate
attend a free overview session.
Knowledge Areas
The CSFA certification process covers the following
knowledge areas, but not all scenarios will include
all areas:
- Active, archival and latent data
- Affidavits, motions, and subpoenas
- Basic TCP/IP concepts
- Hashes and Checksums
- Conducting keyword searches
- Creating understandable and accurate reports
- Creating forensically sound working copies or images of media
- File Header formats
- Documentation, chain of custody, and evidence handling procedures
- Questions to prepare for/advising your retaining counsel
- FAT 12/16/32 file systems
- File slack, RAM slack, drive slack, and unallocated space
- NTFS File Systems
- Compact Disc analysis
- Interpretation of various log formats
- Interpreting Internet History and HTTP concepts
- Manual and automated data recovery
- Metadata for Microsoft Office and PDF documents
- Overcoming encryption mechanisms and password protection
- PC hardware concepts
- Privacy issues
- Regulatory compliance - Gramm-Leach-Bliley, HIPAA, Sarbanes-Oxley, SEC, NASD and ISO
- Rules of evidence
- Windows print spool files
- Windows registry
- Windows shortcuts
- Windows swap file
- Working as an expert technical witness
- Insurance/liability issues
- Viruses and malware
Taking The Test / What To Expect
Your test will be proctored while in the testing
center. Candidates can bring lunch and snacks for
all three days - a refrigerator and microwave will
be provided. Candidates are responsible for planning
and taking breaks as needed. Hard drive images cannot
be removed from the testing center. Candidates are
encouraged to bring any reference material that they
would normally use when conducting a forensic analysis.
Internet access will be available except for the written
test. Reference materials cannot be used for the written
test but may be used for the practical. You are expected
to conduct your analysis as you normally would, and
use any reference material you wish.
Additional questions about the test? See
the FAQ
Any candidate attempting to remove examination media
from the testing center will be disqualified, and
the candidate will not be allowed to retake the test.
Testing Schedule
| Day One - Friday | 6:00 - 8:00 AM | Software loading and testing. |
| | 8:00 - 8:30 AM | Check in and testing process review |
| | 8:30 - 10:00 AM | Written test |
| | 10:00 AM - Noon | Hands-on practical |
| | Noon - 1:00 PM | Lunch |
| | 1:00 PM - 7:00 PM | Hands-on practical |
| Day Two - Saturday | 7:30 - 8:00 AM | Check in |
| | 8:00 AM - Noon | Hands-on practical |
| | Noon - 1:00 PM | Lunch |
| | 1:00 - 7:00 PM | Hands-on practical |
| Day Three - Sunday | 7:30 - 8:00 AM | Check in |
| | 8:00 AM - Noon | Hands-on practical |
| | Noon - 1:00 PM | Lunch |
| | 1:00 - 7:00 PM | Hands-on practical |
Study Materials / References

- Computer Forensics Incident Response Essentials - Warren Chores and Jay Heiser
- FAT Technical Reference
- File System Forensic Analysis - Brian Carrier
- Forensic ToolKit User Manual
- INDEX.DAT Whitepaper
- IsoBuster Help
- Microsoft® Windows® Internals, Fourth Edition: Microsoft Windows Server 2003, Windows XP, and Windows 2000
- Microsoft Windows XP Resource Kit
- Norton Utilities Documentation
- NTFS Technical Reference
- Recycle Bin Whitepaper
- Searching and Seizing Computers and Obtaining Electronic Evidence in Criminal Investigations
- The "Tools Proven in Court" Question
- Upgrading and Repairing PCs - Scott Mueller
- Windows 2000 Resource Kit
- Windows Forensics and Incident Recovery - Harlan Carvey
- X-Ways Forensics User Manual
Process For Scheduling Your Test
1. Attend a CSFA overview session (optional).
2. Submit the results of your FBI Criminal Background
Check and a completed CSFA Certification Test Application
and Agreement along with payment to:
CyberSecurity Institute
ATTN: CSFA Testing
19030 Lenton PL. SE #162
Monroe, WA. 98272-1353
Your submission must include the original FBI report(s)
and fingerprint cards. We will contact you after reviewing
your information. You will be assigned a candidate
number at this point.
Maintaining Your Certification
Once certified, you will be required to:
- Attend a minimum of 80 class hours of digital
forensics / information technology training every
two years.
- Re-certify every four years.
More Information
Please see the Frequently Asked
Questions (FAQ) document.
CSFA Testing Dates and Locations
| Location | Edmonds Community College - Main Campus, Snohomish Hall Room 110 |
| Address | 20000 68th Ave W, Lynnwood, WA 98036 |
| Directions | To Main Campus; Campus Map |
| Dates/Times | March 27-29 2008 |
| Cost | |
| To Enroll | Click Here |
| Additional Information | Must have approval prior to enrolling for test. |
For in-house training, please contact us for a quote by using sales@cybersecurityinstitute.biz