Back in December I took my first forensics course: SANS FOR508. Lo and behold the following week I would use those skills to perform forensics analysis on an old SolarWinds server not in use (but still impacted by the infected update). Fast forward to now and I passed the certification that accompanies the course, the GIAC Certified Forensic Analyst (GCFA)! It was the hardest SANS course I’ve taken (probably due to my newness to the area) and the hardest GIAC test I’ve taken due to the volume and detail it covered. I took 2 months (minus Christmas break) to prepare and it was just the right amount of time. Below are my test preparation process and some tips…
The Course (The First Week)
As with any SANS course, read the books as the instructor goes through them and write down or highlight any areas they note or focus on. I’ll admit as we went through the class my brain quickly became overwhelmed by the volume of new information. My background has been in network engineering, network monitoring and security architecture and I knew very little about Windows forensics (I skipped FOR500, but will probably go back and take it since it focuses more deeply on that area). But taking notes and highlighting important parts of each page helped me afterwards when I could better digest the material at a slower pace. GIAC tests are open book, so these extra notes and highlights can save you on the exam. Most of all in the class, have fun — especially on the Day 6 competition! That competition puts you on an IR team trying to determine how an APT group compromised a company, moved laterally, persisted, exfiltrated data, etc. My team got our butts kicked, but we had a blast in the process.
Study (The Following Months)
A few weeks after the class (I took a break due to a real incident thanks to SolarWinds and then off for Christmas), I re-opened the books. I used to only use pancakes on GIAC exams and am so glad I built an index for the GCFA. Pancakes are sticky notes or bookmarks on each section of your books that describe what that section is about:
You can imagine how hard it can be skimming through pancakes when you’re looking for a specific keyword or topic. But they do help as generalizations of an area of the book to start at if you’re really stuck on a question. I like the pancakes, but what makes them better is an Index.
An Index is similar to what SANS provides in the back of the last book, but the difference is you make this one for you and it can be as detailed as you want. I know how I think and what keyword will mean more to me (for example “Master File Table” or “$MFT” or both). As I re-read each of the books, I had a spreadsheet up and wrote down every important keyword for each book and page. It was formatted like this and there were duplicates (i.e. same keyword on multiple pages), but we’ll sort and dedup later:
As I went through the book, I did the labs in sequence. I later realized that I wasn’t as strong on the tools in the labs as I needed to be (thanks to a practice test), so after I re-read all books and finished my index I went back through the Lab book and did them all again. If you do IR and forensics work often, this might not be necessary. The test expects you to memorize the output of those tools, so know them cold.
After almost a month of re-reading the books (your time may be shorter or longer due to work and life demands), I had a finished Index! I used Lesley’s guide on how to sort my Index:
Combine columns Keyword 1, 2, 3 and 4 into one column (I just copied and pasted) in the format Book, Page, Keyword.
Sort first by the Keyword column alphabetically, then by book and finally by page.
Go through the Index row by row and dedup by combining rows with the same (or similar) keywords.
Lesley was smart and color-coded her pancakes and Index. I didn’t because I only had one color of Post-It notes for my pancakes.
After this, your Index will look something like this:
I wish I could provide my Index but mine is only good at a point in time (SANS refreshes the content) and the act of building the Index is really what solidifies the content of the books to help you on the exam. Sorry!
Specifically for the GCFA, there are a lot of questions on the following:
Windows Event IDs (e.g. 4624 is a successful logon)
Logon Types in Windows Event IDs (e.g. Type 3 is network-based)
Know Normal to Spot Evil (e.g. wrong parent process)
If you have these in your index, you’ll save yourself a lot of time not going through your textbook. I added a section for each of the aforementioned in my Index and printed off the SANS Red “Windows Forensics Analysis” and Blue “Hunt Evil” posters and included them as well.
At this point, I copied my Index spreadsheet, miscellaneous tables (WinEvent IDs, Volatility Plugins, etc.) and SANS posters into a Word document and tweaked formatting. The main Index section I put into two columns to save room on the page. It was pushing 15 pages, so I went the professional route and had FedEx bind it for me. $13 and change and it was worth it to be able to flip through faster than if I just stapled it.
Test Prep (One to Two Weeks Before Exam)
Now that you’ve got your cool Index and some confidence under your belt, it’s time to take your first practice test! My GCFA purchase included two practice tests and I took the first about two weeks before my exam and the second about a week before the exam. You need a 73% on the GCFA to pass and I squeaked by with a 77% on my first attempt. It was rough — the test is so detailed that I realized I was weak on tool output. So I went back to the labs again. I made flash cards of the terms. I spent a lot of time trying to understand why I got some questions wrong. Unfortunately I ran out of time for all the CyberLive lab questions at the end…
I need to tell you about the CyberLive lab questions in the exam! In the 82 questions on the exam, the last 7 will (as of this writing) be CyberLive lab questions. You’re given a problem, a VM, maybe a hint and then the multiple choice answers. You have to use the tools on the VM to find the answer. What’s funny is I was scared to death of these, but found I preferred them because they weren’t as picky as the other book-based multiple choice questions. They are definitely in line with the labs, which is why I’m glad I went through the labs twice (on top of the one time during the class).
For the second practice test, I didn’t give myself access to Google and relied only on my Index and books. Strengthening my weak areas from the first practice test, I came away with an 88% on my second attempt. At this point, I scheduled my exam.
Test Day (It’s Go Time Baby!)
We’re still living in the COVID-19 pandemic and I could’ve opted for an at-home proctored exam. But I like familiarity and last year during COVID-19 I took my GDSA at my favorite testing center. So I stuck with what I knew and drove the hour to the testing center. Actually my wife drove me, which helped give me a last little bit of time to go through my flash cards. I forgot to talk much about my flash cards… Basically I wrote a term that I wasn’t familiar with on the front and the definition on the back. Pretty basic. But what I did differently the last time I read the cards on the ride to the testing center was explaining them to my wife in simple terms. She still didn’t know what I was talking about, but it helped ensure I understood them instead of just regurgitating words on a flash card.
At the testing center, I took my course materials and my Index, plus 2 IDs. The test took all of 3 hours and I finished with 5 minutes to spare. You get one scheduled 15-minute break in there and I used that to get up and reset my brain before the last 7 lab questions. But I passed with an 86% and dammit I earned it! The test is tricky and there were very few giveaway questions (the kind so easy you feel guilty) — most were in-depth and really require you to understand the material. You won’t pass with the books and an Index if you don’t understand it. But I like that — it makes my cert that much more rewarding. As you near wrapping up the test and answer that last question, you’ll get your score immediately. And by the time I got out and turned my phone back on from my locker, GIAC had already emailed me to confirm my address to mail me my cert.
That was a lot, so here’s the condensed TL;DR version:
Take the class and write down notes/highlight the pages.
A week or so later, start re-reading the books and building your Index.
Re-do the labs.
A couple months have passed as you worked on the previous two items…
Take the practice test and see where you need improvement. Focus on the areas to make sure you understand them and improve your Index.
Print your Index.
Take the second practice test. How do you feel? Schedule your exam!
Take the exam: take it someplace familiar, wear comfy clothes, get a good night’s sleep before, eat a good breakfast, think about how you’re gonna celebrate when you pass.