CSFA Exam Information
Digital Forensic Examiners that possess the CyberSecurity Forensic Analyst certification have proven that they are capable of conducting a thorough forensic analysis using sound examination and handling procedures, and are able to communicate the results of their analysis effectively.
All exam scenarios have been thoroughly tested by digital forensics experts and are based on actual cases that any competent forensic examiner with the prerequisite skills and knowledge should be able to process.
Exam Overview
The CSFA certification exam resembles a scenario that a forensic analyst will encounter in the real world, with a specific time frame to complete the analysis, and the ability to request additional information relevant to the case. This is an advanced test, designed for professionals who already possess practical experience in the field of digital forensics.
CSFA candidates will have three days to take the test. There is a written component of 50 multiple choice questions, with the majority of the test being hands-on. Candidates will be given a scenario that includes processing a computer hard drive with a Windows operating system and may include other media such as a CD, DVD, or USB drive. Some scenarios include a cellular phone or other handheld device. The candidate may be presented with a running computer to analyze, or will have the media/devices to be analyzed being delivered by courier.
The written test will comprise 30% of the total score, with the practical comprising 70% of the total score. An overall score of 85% must be attained in order to earn the designation of CyberSecurity Forensic Analyst (CSFA).
Candidates will be allowed to request additional information after reviewing their particular scenario, such as logs, acceptable use policies, interrogatories, etc. Depending on the scenario that the candidate receives, he or she may need to creat an affidavit, declaration, and/or assist in creating the verbiage for subpoenas and motions.
Candidates will also be required to verify and document that their forensic workstation is in proper operating condition, as well as verify and document the proper operation of any write blocking or imaging hardware/software used. A chain of custody will also need to be established for all evidence.
Prerequisites
Before taking the CSFA exam, candidates should have a minimum of two years experience conducting forensic analysis on devices running a Windows operating system. Candidates should be versed in the administrative aspects of conducting digital forensic analysis, to include creating affidavits and declarations, as well as assisting in the creation of verbiage for subpoenas and motions. Experience creating comprehensive forensic analysis reports is a must. In addition to these experience requirements, it is highly recommended that candidates have obtained one of the following certifications at the very least:
AccessData Certified Examiner (ACE)
Certified Forensic Computer Examiner (CFCE)
Certified Computer Examiner (CCE)
Computer Hacking Forensic Investigator (CHFI)
EnCase Certified Examiner (EnCE)
GIAC Certified Forensics Analyst (GCFA)
Taking The Exam / What To Expect
Your exam will be proctored while in the testing center. Candidates can bring lunch and snacks for all three days - a refrigerator and microwave will be provided. Candidates are responsible for planning and taking breaks as needed. Hard drive images cannot be removed from the testing center. Candidates are encouraged to bring any reference material that they would normally use when conducting a forensic analysis. Internet access will be available except for the written test. Reference materials cannot be used for the written test but may be used for the practical. You are expected to conduct your analysis as you normally would, and use any software, hardware, and reference material you wish.
Knowledge Areas
Knowledge Areas The CSFA certification process covers the following knowledge areas, but not all scenarios will include all areas:- Active, archival and latent data
- Affidavits, motions, and subpoenas
- Compact Disc analysis
- Conducting keyword boolean searches
- Creating understandable and accurate reports
- Creating forensically sound working copies or images of media
- Documentation, chain of custody, and evidence handling procedures
- FAT 16/32 file systems
- File Headers and Footers
- File slack, ram slack, drive slack, and unallocated space
- Hashes and Checksums
- Imaging handheld devices
- Insurance/liability issues
- Interpretation of various log formats
- Interpreting Internet History and HTTP concepts
- Manual and automated data recovery
- Metadata for Microsoft Office and PDF documents
- NTFS
- Overcoming encryption mechanisms and password protection
- PC hardware concepts
- Privacy issues
- Rules of evidence
- TCP/IP concepts
- Windows print spool files
- Windows Prefetch
- Windows registry
- Windows shortcuts
- Windows swap file
- Windows Volume Shadow Copy
- Working as an expert technical witness
Exam Environment / Schedule
Each CSFA candidate will be provided a computer running Windows 7, with administrative access. Each candidate is to bring their own forensic software and imaging hardware. Cables will be made available for any handheld device that is part of a candidate's scenario.
| Day One - Friday | 8:00 - 8:30 AM | Check in and testing process review |
| 8:30 - 10:00 AM | Written test | |
| 10:00 AM - Noon | Hands-on practical | |
| Noon - 1:00 PM | Lunch | |
| 1:00 PM - 7:00 PM | Hands-on practical | |
 |
||
| Day Two - Saturday | 7:30 - 8:00 AM | Check in |
| 8:00 AM - Noon | Hands-on practical | |
| Noon - 1:00 PM | Lunch | |
| 1:00 - 7:00 PM | Hands-on practical | |
|
||
| Day Three - Sunday | 7:30 - 8:00 AM | Check in |
| 8:00 AM - Noon | Hands-on practical | |
| Noon - 1:00 PM | Lunch | |
| 1:00 - 7:00 PM | Hands-on practical | |
Exam Location
The August 2017 exam will be held at:Edmonds Community College
Snohomish Hall, Room 123
20000 68th Ave. W
Lynnwood, WA 98036
Process For Scheduling Your Exam
1. Submit the results of your FBI Criminal Background Check and a completed CSFA Certification Exam Application and Agreement along with the $750.00 exam fee to:
CyberSecurity Institute
ATTN: CSFA Exam
14751 N. Kelsey St. Suite 105
PMB 162
Monroe, WA. 98272-1353
Your submission must include the original FBI report(s) and fingerprint cards. We will contact you after reviewing your information. You will be assigned a candidate number at this point.
