CSFA Exam Information
Digital Forensic Examiners that possess the CyberSecurity Forensic Analyst certification have proven that they are capable of conducting a thorough forensic analysis using sound examination and handling procedures, and are able to communicate the results of their analysis effectively.
All exam scenarios have been thoroughly tested by digital forensics experts and are based on actual cases that any competent forensic examiner with the prerequisite skills and knowledge should be able to process.
Exam Overview
The CSFA certification exam resembles a scenario that a forensic analyst will encounter in the real world, with a specific time frame to complete the analysis, and the ability to request additional information relevant to the case. This is an advanced test, designed for professionals who already possess practical experience in the field of digital forensics, or have completed the Edmonds College Cyber Defense and Digital Forensics Degree Program.
CSFA candidates will have three days to take the test. There is a written component of 50 multiple-choice questions, with the majority of the test being hands-on. Candidates will be given a scenario that includes processing a computer hard drive with a Windows operating system and may include other media such as a CD, DVD, or USB drive. Some scenarios include a cellular phone or other handheld device. The candidate may be presented with a running computer to analyze, or the media/devices to be analyzed may be delivered by courier.
The written test will comprise 30% of the total score, with the practical comprising 70% of the total score. An overall score of 85% must be attained in order to earn the designation of CyberSecurity Forensic Analyst (CSFA).
Candidates will be allowed to request additional information after reviewing their particular scenario, such as logs, acceptable use policies, interrogatories, etc. Depending on the scenario that the candidate receives, he or she may need to create an affidavit, declaration, and/or assist in creating the verbiage for subpoenas and motions.
Candidates will also be required to verify and document that their forensic workstation is in proper operating condition, as well as verify and document the proper operation of any write blocking or imaging hardware/software used. A chain of custody will also need to be established for all evidence.
Prerequisites
Candidates should be versed in the administrative aspects of conducting digital forensic analysis, to include creating affidavits and declarations, as well as assisting in the creation of verbiage for subpoenas and motions. Experience creating comprehensive forensic analysis reports is a must.
Taking The Exam / What To Expect
Your exam will be proctored while in the testing center. Candidates can bring lunch and snacks for all three days - a refrigerator and microwave will be provided. Candidates are responsible for planning and taking breaks as needed. Hard drive images cannot be removed from the testing center. Candidates are encouraged to bring any reference material that they would normally use when conducting forensic analysis. Internet access will be available except for the written test. Reference materials cannot be used for the written test but may be used for the practical. You are expected to conduct your analysis as you normally would, and use any software, hardware, and reference material you wish.
Knowledge Areas
The CSFA certification process covers the following knowledge areas, but not all scenarios will include all areas:
- Active, archival and latent data
- Affidavits, motions, and subpoenas
- Compact Disc analysis
- Conducting keyword boolean searches
- Creating understandable and accurate reports
- Creating forensically sound working copies or images of media
- Documentation, chain of custody, and evidence handling procedures
- FAT 16/32 file systems
- File Headers and Footers
- File slack, ram slack, drive slack, and unallocated space
- Hashes and Checksums
- Imaging handheld devices
- Insurance/liability issues
- Interpretation of various log formats
- Interpreting Internet History and HTTP concepts
- Manual and automated data recovery
- Metadata for Microsoft Office and PDF documents
- NTFS
- Overcoming encryption mechanisms and password protection
- PC hardware concepts
- Privacy issues
- Rules of evidence
- TCP/IP concepts
- Windows print spool files
- Windows Prefetch
- Windows registry
- Windows shortcuts
- Windows swap file
- Windows Volume Shadow Copy
- Working as an expert technical witness
Exam Environment / Schedule
Each CSFA candidate will be provided a computer running Windows 11, with administrative access. Current versions of Axiom, Cellebrite, EnCase, FTK, and Oxygen Forensics will be available. Cables for handheld devices will be available, as will an assortment of imaging devices and write blockers.
| Day | Time | Activity |
| --- | --- | --- |
| Day One - Friday | 8:00 - 8:30 AM | Check in and testing process review |
| | 8:30 - 10:00 AM | Written test |
| | 10:00 AM - Noon | Hands-on practical |
| | Noon - 1:00 PM | Lunch |
| | 1:00 PM - 7:00 PM | Hands-on practical |
| Day Two - Saturday | 7:30 - 8:00 AM | Check in |
| | 8:00 AM - Noon | Hands-on practical |
| | Noon - 1:00 PM | Lunch |
| | 1:00 - 7:00 PM | Hands-on practical |
| Day Three - Sunday | 7:30 - 8:00 AM | Check in |
| | 8:00 AM - Noon | Hands-on practical |
| | Noon - 1:00 PM | Lunch |
| | 1:00 - 7:00 PM | Hands-on practical |