Course Summary

In digital forensics, proper data acquisition is crucial, as there is often only one opportunity to collect evidence accurately. Mistakes during the acquisition process can not only compromise the investigation but also risk destroying vital data that could serve as critical evidence.

Given the variety of storage media available today, it’s impossible to apply a one-size-fits-all methodology. Many errors are made during the collection of digital evidence, potentially allowing the guilty to escape justice and, more tragically, leading to the wrongful conviction of the innocent. Cases with significant financial stakes, sometimes involving millions of dollars, can depend on your ability to effectively collect and interpret the data.

Key skills include:

Efficiently acquiring data from a wide range of devices
Quickly generating actionable intelligence
Manually identifying and collecting data

Acquiring RAM and OS Artifacts
The candidate will be able to explain various methods for acquiring RAM, macOS, and Shadow copies, including the use of disk copy utilities and target disk mode.

Acquisition Preparation
The candidate will be able to summarize the objectives of scene management, assess evidence, detect tampering, and validate acquisitions.

Computer Fundamentals
The candidate will be familiar with essential computer concepts such as machine configuration, boot processes, BIOS, UEFI, IP addressing, and domain registrars, in preparation for the acquisition process.

Data on Drives
The candidate will be able to explain how data is stored and accessed on drives, including encryption and the handling of deleted files.

Data on the Network
The candidate will be able to describe how data is transmitted over networks, including IoT network traffic and PCAP files, and explain how network tools can be utilized to discover devices on the network.

Dead Box Acquisition
The candidate will be able to outline methods for performing dead box acquisitions, such as write-blocking and media removal.

Filesystem Fundamentals
The candidate will be able to describe the basic principles of common filesystems like NTFS, EXT, and FAT, as well as explain the roles of key components, including Master File Tables and File Allocation Tables.

Host-Based Live Acquisition
The candidate will be able to describe methods for host-based live acquisition, including software and hardware write-blocking techniques, as well as accessing physical drives and volumes.

Manual Triage
The candidate will be familiar with the tools and techniques used for manual data selection and triage.

Manually Finding Data
The candidate will be able to identify various methods for manually locating data, including techniques for carving metadata and recovering deleted files.

Mobile Device Acquisition
The candidate will be able to outline the methods for mobile device acquisition, including isolating devices from radio signals, using mobile device acquisition tools, and identifying specific mobile devices.

Mobile Device Triage
The candidate will be able to explain how data is triaged from mobile devices, including platform-specific approaches for Android and Apple devices, as well as triaging data from mobile apps, calendars, and emails.

Physical Storage Devices
The candidate will be able to compare and contrast different types of physical storage devices, including device interfaces, spinning disk layout, solid-state drive fundamentals, and common issues with HDDs.

Remote Acquisition
The candidate will be able to describe various methods for conducting remote acquisitions, including network-based acquisitions and leveraging common cloud provider services.

Specialty Device Fundamentals
The candidate will be able to explain the basic principles of specialty devices such as macOS, including system profiling and device information collection.

Storage Technologies
The candidate will be able to summarize and compare common storage technologies, including various RAID configurations.

Using Forensic Tools for Triage
The candidate will be able to compare and contrast popular forensic tools and how they can be used effectively in the data triage process.

Windows Filesystems
The candidate will be able to compare major Windows filesystems, including FAT, exFAT, and NTFS.

Working with Evidence Files
The candidate will be able to compare and contrast common evidence file formats, understand how to access them, and utilize them in forensic investigations.

There are currently no prerequisites for this course.

Proctored exam; 75 questions; 2 hours; minimum passing score of 69%.

Following your booking, a confirmation message will be sent to all participants, ensuring you're well-informed of your successful enrollment. Calendar placeholders will also be dispatched to assist you in scheduling your commitments around the course. Rest assured, all course materials and access to necessary labs or platforms will be provided no later than one week before the course begins, allowing you ample time to prepare and engage fully with the learning experience ahead.

Our comprehensive training package includes all the necessary materials and resources to facilitate a full learning experience. Enrollees will be provided with detailed course content, encompassing a wide array of topics to ensure a thorough understanding of the subject matter. Additionally, participants will receive a certificate of completion to recognize their dedication and hard work. It's important to note that while the course fee covers all training materials and experiences, the examination fee for certification is not included but can be purchased separately.
