Convey proficiency in Windows forensic investigations, signaling readiness to deliver defensible, expert-level analysis.
The GIAC Certified Forensic Examiner (GCFE) certification validates a practitioner’s ability to collect and analyze data from Windows computer systems, implementing core computer forensic analysis skills and knowledge. GCFE certification holders are qualified to conduct typical incident investigations including e-Discovery, forensic analysis and reporting, evidence acquisition, browser forensics, and user and application activity tracing on Windows systems.
Areas Covered
- Windows forensics and data triage
- Windows Registry forensics, USB devices, shell items, email forensics, and log analysis
- Advanced web browser forensics (Chrome, Edge, Firefox)
Who is GCFE for?
- Anyone with a background in information systems, information security, and computers, interested in a deep understanding of Windows forensics
- Information security professionals
- Incident response team members
- Law enforcement officers, federal agents, and detectives
- Media exploitation analysts
CyberLive: Real labs. Real tools. Real skills.
CyberLive is a hands-on exam format that replaces traditional multiple-choice testing with performance-based challenges in realistic lab environments to validate real-world capability.
Virtual Machines:
Full-scale lab systems that behave like physical computers: install, attack, defend, and run services.
Real Security Tools:
Exact tools used by professionals every day including all the quirks and challenges
Authentic Code:
Real code, real exploits, real impacts
Exam Format
- 1 proctored exam
- 3 hours
- 82 questions
- Minimum passing score: 70%
Note: GIAC periodically reviews and may update certification specifications to ensure fairness, validity, and reliability. Using a psychometric standard-setting study, GIAC has set the passing score for the GCFE exam at 70% for all candidates who receive the exam version released on or after December 17, 2022.
To confirm the exam format and passing score that apply to your specific attempt, please refer to the Certification Information section of your GIAC account: https://exams.giac.org/pages/attempts.
Certification Delivery
GIAC certification attempts will be activated in your GIAC account after your application has been approved and according to the terms of your purchase. Details on delivery will be provided along with your registration confirmation upon payment. You will receive an email notification when your certification attempt has been activated in your account. You will have 120 days from the date of activation to complete your certification attempt.
NOTE: All GIAC Certification exams are web-based and required to be proctored. There are two proctoring options: remote proctoring through ProctorU, and onsite proctoring through PearsonVUE. Click here for more information.
Exam Certification Objectives & Outcome Statements
- Browser Forensic ArtifactsThe candidate will demonstrate understanding of the forensic value of browser artifacts.
- Browser Structure and AnalysisThe candidate will demonstrate understanding of common browser structure and analysis techniques.
- Cloud Storage AnalysisThe candidate will demonstrate an understanding of the artifacts created by the installation and use of cloud storage solutions and how they can be used during forensic examinations.
- Digital Forensic FundamentalsThe candidate will demonstrate an understanding of forensic methodology and key concepts, and be familiar with Windows filesystems and registry structure.
- Email AnalysisThe candidate will demonstrate an understanding of the forensic examination of email communications, including client, web-based, mobile, and M365.
- Event Log AnalysisThe candidate will demonstrate an understanding of the purpose of the various types of Windows event, service and application logs, and the forensic value that they can provide.
- File and Program AnalysisThe candidate will demonstrate an understanding of the artifacts created by the Windows operating system during the execution of programs, or activity specific to folders and files.
- Forensic Artifact TechniquesThe candidate will demonstrate an understanding of the approach and tools used to collect forensic evidence required for triage analysis.
- System and Device AnalysisThe candidate will demonstrate an understanding of file access artifacts created by the Windows operating system and USB devices.
- User Artifact AnalysisThe candidate will demonstrate an understanding of the artifacts created by user account(s) and activity on current Windows operating systems.
Practice Tests
- Practice exams are a simulation of the real exam, allowing you to become familiar with the test engine and style of questions
- Practice exams can serve as a gauge to determine if your preparation methods are sufficient
- The bank of practice questions is limited, so you may encounter the same question on multiple practice tests
- Practice exams never include actual exam questions
- Purchase a GCFE practice test here
Other Resources
- Training is available in a variety of modalities including live training and OnDemand
- Practical work experience can help ensure that you have mastered the skills necessary for certification
- College level courses or self-paced study through other programs or materials may meet the needs for mastery
- Understand the procedure to contest exam results
- Use this justification letter to share key details of this certification opportunity with your boss