A small blog post on my first-ever experience taking a SANS course and my attempt at GCFA.
This was my first time taking a SANS course. I had heard about SANS courses, and also that many people in the DFIR industry attempt exams for GIAC certifications.
I was a little overwhelmed. I had a lot of dilemmas in deciding which certification to pursue. The main ones were GCFE (FOR500) and GCFA (FOR508). So I reached out to a few folks in the industry to understand the difference, and I concluded that GCFA would be the perfect fit as I thought it to be the more challenging of the two.
My Experience – SANS FOR508
I took the SANS FOR508: Advanced Incident Response, Threat Hunting, and Digital Forensics course. I took the on-demand version of the course as I felt it to be better suited to me. If you ever wonder about the experience of the course in the On-Demand format, I have to say it was smooth and comfortable. You do get the physical copies of the books, and you can also request the lab files (USBs) to be delivered to you.
The course instructor was Chad Tilbury, one of the authors of the SANS FOR500 & 508 courses. The course was extremely well arranged, and I was initially worried about two things:
- Missing out on the live class experience
- The recorded videos being too long
Let’s start with the first one. I am very sure everyone agrees that learning is best done in person or in a classroom. The instructor gets to share various experiences/incidents around the subject, which gives you a very good idea of how the information you learn in class might be applicable in the real world. To my surprise, Chad shared quite a lot of memories/situations from his vast experience in DFIR, and that helped in understanding the practical application of the tools & artefacts I was learning about.
Coming to the second one, I am one of those people who cannot pay attention to really long videos. I was extremely pleased to see how carefully the content was divided to make the student have the best experience possible. Around 90% of the videos were not longer than 5-6 minutes.
The course was also quite beautifully laid out. I got to know a lot of new things about a few Windows Artefacts I thought I knew everything about. The exercises were also very engaging and greatly helped me for the final exam.
I do not want to speak more about the course as I may give out too many spoilers, but from my experience, I can say that it is worth the time.
Preparation for GCFA
After finishing the course, I took a decent break before preparing for the exam. I also had 2 practice tests to help me get a good taste of what the final exam was going to be like.
After the break, I first started by reading the books one after the other. As I would go through a book, I would bookmark a few pages with post-it notes if I felt the content on that particular page might be important or might be asked in the exam, etc. Once a book was complete, I would test my knowledge by attempting the free quiz which is available with on-demand courses. You can attempt the quiz multiple times, and each time it asks you different questions (the question pool is not that big, so after 2-3 times you will find the questions repeating). The awesome thing about this quiz was that once you answer a question, it tells you what the correct answer is and points to the exact paragraph & page no. in the book.
So after finishing each book, I would take this quiz several times till I felt confident enough. I didn’t go through the lab exercises during my preparation as I was already familiar with all the tools discussed in the course due to my CTF experience (~5 years).
When I first took this course, I got to know that indexing is a really major thing for these exams and everyone has their way of making an index. But I think the real hidden purpose behind making an index is that you need to go through the whole book page by page and understand the content. Once you do that, I think an index is not necessary. So I did not make an index. A few of my teammates who also cleared GCFA recently were of a similar opinion. I did have a chance to look at their index, just to double-check if I had missed anything while preparing. Once that was over, I was ready for my practice tests.
However, if you are into making a proper index I would suggest using the long-form method mentioned by Andrew.
1st Practice Test
Taking the first practice test was a bit overwhelming for me because it was my first time attempting a GIAC exam and I didn’t know how it was gonna be. So I messed up the first few questions as I started to panic a little bit. Then I took a few mins to re-gather myself and believe that this was just like any other exam I had taken, and after that it was smooth. I finished the exam in about 1hr 30 mins and cleared the practice test with 85%. The practical/lab questions were quite easy and it didn’t take me a lot of time to solve them.
2nd Practice Test
The 2nd practice test is always less about studying again and more about fixing the mistakes you made in the first one. So this time around, I utilized all the exam resources I had – skipping questions, spending more time on questions I was confused about, etc. The lab questions were of nearly the same difficulty. I finished the exam in about 2hrs and scored 90%.
Fixing my mistakes and having more patience to go through the books helped me.
The Final Exam
The experience from both the practice tests gave me enough confidence to attempt the final exam straight away. I have to say the level of difficulty of the questions was up by a notch in the final exam compared to the practice tests. I had to spend more time on the questions as the options were confusing, and if you don’t read them carefully, you could easily select the wrong answer. The practical/lab questions were quite easy and it didn’t take me a lot of time to finish those. I finished the exam in about 2hrs 15 mins and cleared it with 83%.
In the end, I enjoyed the whole process. I liked the SANS 508 course, and it helped me gain a few new skills which I have been incorporating into my daily work, which I think is the real goal of the course. The materials provided (books, labs) are also top-notch. The exam process via ProctorU was also really smooth and effortless.