
Test Overview
All test candidates will need to submit a Certification
Test Application and Agreement.
The CSFA certification test is the only test currently
available of its kind. It closely resembles a scenario
that an actual forensic analyst will encounter in
the real world, with a specific time frame to complete
the analysis, and the ability to request additional
information relevant to the case. This is an advanced
test, designed for professionals who already possess
practical experience in the field of digital forensics.
CSFA candidates will have three days to take the
test. There is a written component of 50 multiple
choice questions, with the majority of the test being
hands-on. Candidates will be given a scenario that
includes processing a hard drive and one floppy disk
or CDROM, or a cellular phone or other handheld device.
The test candidate may be presented with a running
computer to analyze, or the media/devices to be
analyzed will be delivered by courier. Hard drives
to be processed will be 10 Gigabytes or smaller, depending
on the scenario.
The written test will comprise 20% of the total
score, with the practical comprising 80% of the total
score. An overall score of 85% must be attained in
order to earn the designation of CyberSecurity Forensic
Analyst (CSFA).
Candidates will be allowed to request additional
information after reviewing their particular scenario,
such as proxy, IDS, and router logs, acceptable use
policies, interrogatories, etc. Depending on the scenario
that the candidate receives, he or she may have to
assist in creating the verbiage for:
- Motions
- Affidavits
- Subpoenas
The candidate will also be required to verify and
document that their forensic workstation is in proper
operating condition, as well as verify and document
the proper operation of any write blocking or imaging
hardware/software used.
Forensic Processing Environment
Each CSFA candidate will be provided a computer running
Windows XP or Vista, with administrative access. Each
candidate is to bring their own forensic software
and imaging hardware. Cables will be made available
for any handheld device that is part of a candidate's
scenario.
Prerequisites
Before taking the CSFA test, test candidates
should have at least 18 months of experience conducting
forensic analysis, creating the verbiage for subpoenas,
motions, and affidavits, as well as experience creating
comprehensive forensic analysis reports. In addition
to these experience requirements, it is highly recommended
that candidates have:
- Attended the Computer Forensics Core Competencies course;
OR
- Successfully obtained one of the following certifications:
  - AccessData Certified Examiner (ACE)
  - Certified Forensic Computer Examiner (CFCE)
  - Certified Computer Examiner (CCE)
  - Computer Hacking Forensic Investigator (CHFI)
  - EnCase Certified Examiner (EnCE)
  - GIAC Certified Forensics Analyst (GCFA)
Practice cases will be provided to test candidates
after submission and acceptance of the CSFA Certification
Test Application and Agreement. Practice cases
will be graded and returned to the test candidate
within two weeks of submission.
It is up to each candidate to make sure they possess
the requisite skills and experience before taking
the CSFA test. It is recommended that each candidate
attend a free overview session.
Knowledge Areas
The CSFA certification process covers the following
knowledge areas, but not all scenarios will include
all areas:
- Active, archival and latent data
- Affidavits, motions, and subpoenas
- Basic TCP/IP concepts
- Hashes and checksums
- Conducting keyword searches
- Creating understandable and accurate reports
- Creating forensically sound working copies or images of media
- File header formats
- Documentation, chain of custody, and evidence handling procedures
- Questions to prepare for/advising your retaining counsel
- FAT 12/16/32 file systems
- File slack, RAM slack, drive slack, and unallocated space
- NTFS file systems
- Compact Disc analysis
- Interpretation of various log formats
- Interpreting Internet history and HTTP concepts
- Manual and automated data recovery
- Metadata for Microsoft Office and PDF documents
- Overcoming encryption mechanisms and password protection
- PC hardware concepts
- Privacy issues
- Regulatory compliance - Gramm-Leach-Bliley, HIPAA, Sarbanes-Oxley, SEC, NASD and ISO
- Rules of evidence
- Windows print spool files
- Windows registry
- Windows shortcuts
- Windows swap file
- Working as an expert technical witness
- Insurance/liability issues
- Viruses and malware
Taking The Test / What To Expect
Your test will be proctored while in the testing
center. Candidates are expected to bring lunch and
snacks for all three days - a refrigerator and microwave
will be provided. Candidates are responsible for planning
and taking breaks as needed. Materials cannot be removed
from the testing center, but candidates are encouraged
to bring any reference material that they would normally
use when conducting a forensic analysis. Internet
access will be available except for the written test.
Reference materials cannot be used for the written
test but may be used for the practical. You are expected
to conduct your analysis as you normally would.
Additional questions about the test? See
the FAQ
Any candidate attempting to remove examination media
or materials from the testing center will be disqualified,
and the candidate will not be allowed to retake the
test.
Testing Schedule
| Day | Time | Activity |
| --- | --- | --- |
| Day One - Friday | 6:00 - 8:00 AM | Software loading and testing. |
| | 8:00 - 8:30 AM | Check in and testing process review |
| | 8:30 - 10:00 AM | Written test |
| | 10:00 AM - Noon | Hands-on practical |
| | Noon - 1:00 PM | Lunch |
| | 1:00 PM - 7:00 PM | Hands-on practical |
| Day Two - Saturday | 7:30 - 8:00 AM | Check in |
| | 8:00 AM - Noon | Hands-on practical |
| | Noon - 1:00 PM | Lunch |
| | 1:00 - 7:00 PM | Hands-on practical |
| Day Three - Sunday | 7:30 - 8:00 AM | Check in |
| | 8:00 AM - Noon | Hands-on practical |
| | Noon - 1:00 PM | Lunch |
| | 1:00 - 7:00 PM | Hands-on practical |

Study Materials / References
- Computer Forensics Incident Response Essentials - Warren Kruse and Jay Heiser
- FAT Technical Reference
- File System Forensic Analysis - Brian Carrier
- Forensic ToolKit User Manual
- INDEX.DAT Whitepaper
- IsoBuster Help
- Microsoft® Windows® Internals, Fourth Edition: Microsoft Windows Server 2003, Windows XP, and Windows 2000
- Microsoft Windows XP Resource Kit
- Norton Utilities Documentation
- NTFS Technical Reference
- Recycle Bin Whitepaper
- Searching and Seizing Computers and Obtaining Electronic Evidence in Criminal Investigations
- The "Tools Proven in Court" Question
- Upgrading and Repairing PCs - Scott Mueller
- Windows 2000 Resource Kit
- Windows Forensics and Incident Recovery - Harlan Carvey
- X-Ways Forensics User Manual
Process For Scheduling Your Test
1. Attend a CSFA overview session (optional).
2. Submit the results of your FBI Criminal Background Check and a completed CSFA Certification Test Application and Agreement along with payment to:
CyberSecurity Institute
ATTN: CSFA Testing
19030 Lenton PL. SE #162
Monroe, WA. 98272-1353
Your submission must include the original FBI report(s)
and fingerprint cards. We will contact you after reviewing
your information. You will be assigned a candidate
number at this point.
Maintaining Your Certification
Once certified, you will be required to:
- Attend a minimum of 80 class hours of digital
forensics / information technology training every
two years.
- Re-certify every three years.
More Information
Please see the Frequently Asked
Questions (FAQ) document.

| CSFA Testing Dates and Locations | |
| --- | --- |
| Location | Edmonds Community College - Main Campus, Snohomish Hall Room 110 |
| Address | 20000 68th Ave W Lynnwood, WA 98036 |
| Directions | To Main Campus / Campus Map |
| Dates/Times | May 25-27 2007 |
| Cost | Closed Testing Event |
| To Enroll | Click Here |
| Additional Information | Must have approval prior to enrolling for test. |

For in-house training, please contact us for a quote by using sales@cybersecurityinstitute.biz