Introduction

I recently attended the 2023 SANS DFIR Summit in Austin, TX when I saw an advertisement for the brand new GIAC Experienced Forensic Analyst (GX-FA) certification. SANS offered a discount for attendees that were interested in taking this exam and so I decided why not? The last GIAC exam I had taken was the GIAC Certified Forensic Analyst (GCFA) exam in December 2022 and so I found it to be very appropriate to follow that up with the GX-FA exam. 

GX-FA Overview

First and foremost, let’s discuss the new GIAC Applied Knowledge Certifications that GIAC introduced this year in 2023. At the time of this writing, GIAC has introduced four brand new Applied Knowledge Certifications:

• GIAC Experienced Cybersecurity Specialist (GX-CS)
• GIAC Experienced Incident Handler (GX-IH)
• GIAC Experienced Intrusion Analyst (GX-IA)
• GIAC Experienced Forensic Analyst (GX-FA)

These certifications were designed for folks looking for a new challenge and taking their skills to the next level. Each of these certifications have a previous counterpart that are now called GIAC Practitioner Certifications listed below:

• GIAC Security Essentials (GSEC)
• GIAC Certified Incident Handler (GCIH)
• GIAC Certified Intrusion Analyst (GCIA)
• GIAC Certified Forensic Analyst (GCFA)

These are the certifications that folks are most familiar with and are highly recommended to take before considering taking any of the previously listed GIAC Applied Knowledge Certifications.

As for the GX-FA exam itself, the exam is structured as 25 CyberLive Questions (Lab Hands-On) and you have 4 hours to complete these questions. As listed on the GIAC GX-FA page, the areas covered for the exam are your traditional Windows host file system artifacts, Windows system triage analysis, Windows volatile evidence, Windows system and activity event analysis, Enterprise threat hunting identification and detection, and Malicious threat actor activity in an enterprise environment. As any GIAC exam that you have taken before, this exam is no different in that you are allowed to bring SANS books, posters, indexes, notes, etc. to the exam. You are also provided with a VM that has all of the tools you will need to successfully answer each question.

GX-FA Recommended Prerequisites

Now this is probably the biggest change from the traditional GIAC Practitioner Certification exams that folks are accustomed to. Unlike the GIAC Practitioner Certification exams that have a corresponding SANS course directly tied to them, the GIAC Applied Knowledge Certification exams have what GIAC considers a “Primary fit course”. For example, FOR508 is considered to be the “Primary fit course” for the GX-FA exam according to GIAC, but other SANS course material can be beneficial such as FOR500, FOR509, FOR498, FOR572, FOR608, FOR610, SEC503, SEC504, and SEC501. Just realize that although FOR508 is considered to be the “Primary fit course” for the GX-FA exam, this is not the exam that is offered as a certification attempt when purchasing the SANS FOR508 course; that still remains the GCFA exam.

So what does this all mean? This means that a big part of your preparation for this exam will be for you to mainly rely on your own work experience to successfully pass one of these exams. This is what sets these exams apart from the GIAC Practitioner Certification exams. GIAC also recommends that you purchase Demo Questions to help you prepare for the GX-FA exam. These are somewhat similar to the Practice Questions that GIAC offers for the Practitioner Certification exams albeit a lot more affordable and a lot less questions. Keep in mind, these Demo Questions are not included with a purchase of the GX-FA exam so this is another key difference from the GIAC Practitioner Certification exams in which the purchase of a corresponding SANS course would include two free practice exams. For the GX-FA Demo Questions, they consist of 3 CyberLive questions at a price of $39 USD.

GX-FA Preparation

Now let’s get into the weeds on how I prepared for the GX-FA exam. For starters, I did take GIAC’s recommend exam preparation tips and decided to purchase one set of Demo Questions. I purchased one set of Demo Questions first to gauge the difficulty level of the questions. Leading up to my first set of Demo Questions, I decided to revisit the workbooks for FOR508 and review the labs and answers I had since this was the primary fit course for the GX-FA exam. In addition, I practiced using Volatility on my PC against a few memory images that I had found online. You want to practice using both Volatilty2 and Volatility3, as they will both come in handy on the GX-FA exam, along with familiarizing yourself with the more popular plugins such as pslist, pstree, psscan, netscan, dlllist, and malfind. Note, this is not an exhaustive list of plugins to focus on as you should practice using the majority of plugins that are included in both Volatiltiy2 and Volatility3.

The memory images that I mainly practiced on were 13Cubed’s Pulling Threads and The Case of the Stolen Szechuan Sauce CTF. For the host based forensics, I performed analysis using KAPE and Zimmerman Tools on both disk images that are also included with The Case of the Stolen Szechuan Sauce CTF. Finally, for the timeline analysis I used the Super Timeline Analysis CTF. It is strongly recommended to have familiarity with KAPE, Zimmerman Tools, Arsenal Image Mounter, WSL, and Volatility before taking this exam.

After about a week of practicing with the aforementioned tools, I took the first set of 3 Demo Questions on August 23, 2023. For that sitting, I had brought with me my FOR508 index, my FOR508 books (Books 1-5 and 2 workbooks), both the SANS Windows Forensic Analysis and Hunt Evil posters, the SANS Memory Forensics Cheat Sheet v2.0, the 13Cubed Windows Event Log Cheat Sheet, and the 13Cubed Registry Cheat Sheet. Once the demo assessment started, I realized very quickly that these questions were far more difficult than the CyberLive questions on the GCFA exam. I came out with a star rating of just 1 on this attempt and realized I needed to prepare a lot more than I had. Also note that the demo assessments do not provide a score and instead just provide the star rating whereas the practice exams for the GIAC Practitioner Certifications do provide you with a score and star rating.

After the demo assessment concluded, I decided to purchase another set of Demo Questions and used another full week of practicing with all of the tools and images at my disposal. The only difference this time around, was the amount of additional hours I put into this week of preparation as opposed to the initial week of preparation heading into the first demo assessment. For context, I had put in about 14 hours of preparation (2 hours a day average over 7 days) heading into the first demo assessment as opposed to about 28 hours of preparation (4 hours a day average over 7 days) heading into the second demo assessment; thus doubling the amount of preparation this time around. When the week concluded, I decided to take a mental day for myself before starting the second demo assessment on September 1, 2023. On the second demo assessment, I felt more much confident as I went into it knowing what to expect after taking the first demo assessment. This time around I produced a star rating of 3 despite not having enough time to answer the last question. 

Despite this, I felt very confident going into day of the exam which I had scheduled for September 3, 2023. The day of the exam, I had brought the same materials with me that I brought to both demo assessments. For context, I scheduled the exam with ProctorU to take it online as this has been the only method I have used to take GIAC exams in the past as opposed to taking it in person at a testing center. During the exam, I knew that time would be the biggest obstacle as opposed to the questions themselves and so any question I did not have an immediate solution for, I decided to skip so that I could answer them at the end of the exam and only focus on the questions I was able to spend the least amount of time on. Because the exam consists of 25 CyberLive questions for 4 hours, you have an average of about 9.5 minutes to spend on each question. For this exam, I only skipped two questions towards the beginning and did not take a break as I hit a very solid groove after skipping the two questions. By the time I had reached the skipped questions, I had about 30 minutes left to answer them, leaving me with more than enough time to spend on each question. I strongly recommend folks skip any question you can’t answer within 9.5 minutes to save more time at the end of the exam for the more difficult questions. 

When the exam was over I was delighted to see that I had passed but was hoping I’d be able to see the score I generated. I had also been invited to the GIAC Advisory Board moments after the exam was finished. Unbeknownst to me at the time, unlike the traditional method of getting invited to the GIAC Advisory Board by scoring a 90% or above on a GIAC Practitioner exam, those who simply pass any of the new GIAC Applied Knowledge exams are also invited to the GIAC Advisory Board!

Additional Preparation

Now I did not want to finish this blog post without mentioning the additional preparation folks can use to help pass the GX-FA exam. There is an additional course that I strongly recommend folks take before taking the GX-FA exam and that is 13Cubed’s Investigating Windows Memory. This course was not yet available when I took the GX-FA exam and I honestly wish I had taken it prior to taking the GX-FA exam. Although it is mainly focused on Windows Memory Forensics, it covers Volatility in depth which is a huge part of the GX-FA exam and will better prepare you for these questions on the exam. In conjunction with this course, I also strongly encourage folks to take 13Cubed’s first course Investigating Windows Endpoints before taking the GX-FA exam. The combination of these courses, along with the material from FOR500 and especially FOR508, will put you in the best position to succeed on the GX-FA exam along with any relevant DFIR work experience.

Conclusion

By taking the courses I have mentioned, purchasing the Demo Questions, practicing with the tools stated, and with relevant DFIR work experience, folks will be able to pass this exam without issue. It only takes time and dedication to put yourself in the best position to succeed. Best of luck to anyone who is looking to take the GX-FA exam and if anyone has any additional questions on how to prepare for this exam please do not hesitate to reach out to me on LinkedIn or Twitter!

Cheers!

Fabian (DFIRDominican)