GIAC Certified Forensic Examiner (GCFE)

Shift Key

Staff member
Sep 30, 2018
Interested in getting certified as a GIAC Certified Forensic Examiner (GCFE)? Already completed it?
Feel free to use this thread to:
  • ask questions
  • provide advice
  • share helpful learning / preparation resources
  • talk about your experiences
  • thoughts on whether it is helpful to your career
  • or anything else that will be helpful to the community


Experienced Member
Oct 23, 2018
Happy new year all, thought I'd start 2019 off by contributing my thoughts to the forum!

I obtained my GCFE in 2015 (I think it's due to expire this year :oops:) so my information may be a little outdated - as a TL;DR, it's a very useful cert for entering the world of Windows-based CF and covers a variety of important topics that can help in almost every investigation such as imaging, registry forensics, web browsing, shellbags, LNK file analysis and various MRUs.

The GCFE exam can be sat on its own - via Pearson Vue proctoring - however all the topics on it are covered in-depth with the SANS FOR500 (used to be the FOR408) Windows Forensic Analysis course and so most people opt for this. If you are new to the field, I would highly recommend the course however like all SANS courses it comes with a price tag - when I did it in 2015, it was about $4700 to do the course by distance (they mail you books, software, and provide audio files of the course being taught live. On top of that, the exam itself will set you back around $300-400 so you'll need to factor that in when making your business case to the boss, or if paying for it yourself.

From my recollection, the exam voucher is only good for 3-4 months before you need to renew - I ended up extending mine two (2) or three (3) times due to being under-prepared.

The SANS FOR500 (Windows Forensic Analysis) course is the first in SANS' forensic curriculum that then leads on to courses such as FOR508 (Advanced Windows Forensic Analysis, Digital Response, and Threat Hunting), FOR518 (Mac Forensics), FOR572 (Advanced Network Analysis), FOR610 (Reverse Engineering Malware), and FOR585 (Smartphone Forensics). 508, 572 and 610 all follow the same case study during the course of an APT (Advanced Persistent Threat) from different angles so if you have the interest (and the training budget) it could be interesting!

The content itself, as discussed above, covers areas you will deal with every day in Windows computer forensic investigations. Before diving into the modules, it's important to point out that if taking the course you are provided with the SANS workstation - an ISO that is provided filled with useful open-source (and some licensed) tools and the course takes you through how to use each one to perform the set piece of analysis.

The first module covers forensic imaging - predominantly teaching FTK Imager - and the various image types and scenarios. It also briefly touches on imaging over a network connection, the importance of chain of custody, what to do when you encounter bad sectors, logical vs physical, encrypted hard drives, etc. As indicated above, this is purely a Windows forensic analysis course so the focus will be on Windows 7, 8.1 and 10 predominantly. Different filesystems are also discussed such as FAT16, FAT32, exFAT, NTFS.

The second module covered e-mail forensics - mainly MS Outlook and Lotus Notes - and web browser forensics - covering Internet Explorer, Chrome, and Mozilla Firefox.

The third and final module covered registry forensics and was, due to its importance, the largest of the training modules. Registry forensics is an essential tool in the CF arsenal as it allows you to track a suspect's movements within the filesystem from folder traversal to last opened documents. Timestamp criticality is covered, MRUs, USB device log analysis (setupapi as well as associated registry artifacts for USB detection).

Part of the focus is to assist investigators to build a timeline - so take Shellbags to determine folder access (local and network), throw it in Excel. Add in LNK file creation / last written information. Add in Event Logs for logon date/times. Add in USB device insertion information and mapped drive lettering from Jumplist entries. Add in internet searches for wiping/anti-forensic software in the lead-up to the suspect handing over the laptop for imaging. Pull in email messages sent date / attachments. Everything is focused around building a picture regarding the suspect's life.

Overall I found this course to be quite thorough - the distance / self-study option shouldn't be priced at the same level as on-site, but that's a personal gripe. I learned more in the first few weeks of doing this course than I had in my previous year or so of self-study in the world of CF and I'd recommend it wholeheartedly.


About us

  • Our community began in 2004. Since this time, we have grown to have over 29,000+ members within the DFIR & Cyber Security community.

    We are happy to announce that this forum is now under new ownership with the goal to once again become the main Digital Forensics Forum on the internet for DFIR, OSINT and Cyber Security.

    If you can think of ways to help us improve, please let us know.

    We pride ourselves on offering unbiased, critical discussion among people of all different backgrounds.

    We are working every day to make sure our community is one of the best.

Quick Navigation

User Menu