SANS GIAC Certifications are highly sought after because of the technical expertise required for completing them successfully. They are not to be taken lightly and are held in high regard due to them not being a “gimme” for the test taker. If you do not prepare, your score will reflect that and you risk not passing. The stakes are high due to the cost of the certification ($789 per attempt as of this writing when booked with a class) as well as the value derived from studying the content enough to pass the exam. So far, I’ve taken two GIAC exams (FOR585/GASF, FOR500/GCFE) and passed both by a comfortable margin. It doesn’t mean I’m a genius, it just means I put in the effort to prepare for the day of the exam and, most importantly, found a method that works for me. Having read many of the longstanding GIAC Certification preparation blog posts out there, I haven’t found one that covered my specific method of preparation. Hence, the idea for this blog post was born! I’m guessing the reason why this particular method hasn’t been brought up is that it’s not the easiest, quickest, or least effort, but, in my opinion, it’s the one that pays off the most in the long term.
First, let’s briefly touch on why you should care about not just getting the minimum score on your GIAC Certification Exam. For those who score 85% or above on an exam, an automated email is sent to you shortly after you complete your exam regarding an invite to the SANS Instructor Development Program. For those who score 90% or above on an exam, you will receive an invite to the GIAC Advisory Board. Gaining access to this email list requires an NDA to be signed and approved by GIAC Staff. I won’t go into details about what goes on in this email list, for obvious reasons, but it’s just another email list resource similar to the likes of IACIS, SANS DFIR, and some of the Google Groups. Upon my joining, the GIAC Advisory Board had just above 4000 members so it’s definitely an exclusive group of security professionals. Additionally, if you’re a fan of those digital badges that you can place on your LinkedIn or your resume, you will get one for the GIAC Advisory Board similar to passing any other GIAC certification.
I used this method for both certification exams and passed comfortably (80%+) despite completely different circumstances in my life at the time. Like I touched on before, this method is probably a lot more work up front, but it more than paid off on exam day and beyond. Effectively, I create a long-form summary of every page in the book for my index. The entire goal is to utilize the books as little as possible while I’m sitting in front of that Pearson VUE computer while the time is ticking away. Flipping through the books for every question is time-consuming and therefore stressful. However, diagrams and tables that are hard to summarize in a cell cannot be avoided and will require referencing that page in the book. One has to put in the work on the front end to ensure each cell most accurately describes the content on the page so you know if it’s applicable to the question sitting in front of you on exam day.
Below is an example of what a long-form summary looks like with this method. Concepts I want to pop out when I’m scanning the printed out index are bolded.
However, there are some instances where it doesn’t make sense to retype the information in a cell due to the sheer amount of content.
Some pages may have a visual resource that cannot be transcribed into a cell. In that situation, I’ll make sure the page’s contents are adequately described in the cell for my reference when taking the exam.
A couple more examples for effect:
Once the index is printed out and in hand, I would highly advise writing a high-level keyword summary of what is on each page in the header so when you are flipping through your index, you can quickly see which pages of your index contain which information.
One of the main benefits of doing a long-form summary of page contents is that when all is said and done, you will have yourself a really useful manual that you can use for your reference without having to carry around multiple books totaling a thousand pages! Plus, you can use Ctrl + F if you’re just looking for a topic rather than having to flip through all the books to find the right section that has the exact tidbit you’re looking for. However, on the day of the exam, you will only be able to use the hard copy version of your index. All the more reason to know it inside and out come test day!
As you can see, this method differs from those who do something like Topic, Page #, and Keywords that are featured on each page. While that method is effective for many people, to me that meant way too much time flipping through multiple books while crammed in a small testing space which means wasting time on finding answers rather than answering the questions themselves. My favorite part about this method is it requires me to read, process, and determine the relevance of every word in the books provided. This holds me accountable to reading every word in the book and ensures none of the content is seen or read about for the first time while the clock is ticking. The entire point of this method is to do favors for your future self even if it’s at the expense of your present comfort. You’ll thank yourself when the clock is ticking on exam day.
Everyone should know their strengths and weaknesses going into an exam like this. For me personally, I know if I used the widely documented tabbing method (see links at bottom of the article) there very well may be some material that I’m reading for the first time when I’m taking the certification attempt. That is not the time to be exposed to something for the first time because the clock is ticking and it’s not going to stop for you to hastily attempt to comprehend a new concept. You need to do that work ahead of time and this is my method for ensuring that’s done correctly.
SANS FOR585 – My Experience
I took SANS FOR585 in New York City, NY in August 2018 with Domenica Crognale (@domenicacrognale). I thoroughly enjoyed the class and highly recommend it! I appreciated the vendor agnostic nature of the class and learned about many tools and methods that don’t involve the big names in the field. For this class, my preparation method had different circumstances from my FOR500 experience which will be detailed later in this blog post.
In my personal life, my wife and I were expecting our firstborn later that year so we had excess free time. For those with kids, you understand how much different life becomes once a child enters the equation. During the class itself, I was relentlessly indexing each page/slide as we were going through each slide. If I would fall slightly behind due to slides moving faster than I could type, I would spend the breaks to catch up then continue onward once class started again. Same for lunch; if I fell behind, I’d grab a quick bite and ensure I was caught up by the time class continued. I was able to leave each day of class with a mostly complete index for the book that day. Anything that was incomplete for that day’s book, I would devote my entire evening in the hotel room until it was complete. SANS courses are 6 days long which is a long time to keep up this pace of work. I tapered off by the end of day 4 and 5 due to becoming worn out but I did my best in the evenings to finish off what I couldn’t during the day.
At the end of the first 5 days prior to the day 6 challenge, I had roughly 90% of my index complete. I finished the day 6 challenge, headed home, enjoyed the weekend and picked back up the next week finishing off my index, studying, and tackling the practice tests. For those unfamiliar, you cannot attempt the certification for your respective course until at least a week after the course ends. So, plan for a week to prepare for the certification while the material is fresh. My week looked like this:
Monday – Finish indexing
Tuesday – Finish indexing, practice exam #1 (70%)
Wednesday – Adjust index based on practice exam #1 performance and questions
Thursday – Practice exam #2 (86%), adjust index based on practice exam #2 performance and questions
Friday – Adjust index based on practice exam #2 performance and questions
Once I received the email that my GASF attempt was ready, I scheduled it for the earliest time on the nearest day so the material and the week of preparation and index adjustment were fresh in my mind. Ultimately, I passed the exam with 84%. I only missed the Instructor Development Program incentive by 1%! Another note: I did not listen to the Self Study MP3s provided with this course, which, if I had to do it all over again, I would’ve listened to at least a couple of times prior to taking the exam. However, I probably wouldn’t have been able to take it as soon as I did in this scenario had I done that. Ultimately, I passed, and in the end, that’s all that matters.
One perspective I recall having during this period in my life is that I thought 4 months was WAY too large of a window to prepare for a certification exam. I would later come to fully appreciate, understand, and be thankful for that large window being offered when I took FOR500 the next year.
SANS FOR500 – My Experience
I took SANS FOR500 in Clearwater Beach, FL in July 2019 with Rob Lee (@robtlee) and Mari DeGrazia (@maridegrazia). I thought the class was an incredible experience and I learned a ton about things I had only heard briefly mentioned in other training sessions I’ve attended.
At this point in time, we had a young child which brought its own unique challenges that we were still in the process of adapting to. For those with infants and young babies less than a year old, you understand the inherent difficulties when you try to do much of anything with how needy they can be. This made the preparation process for this exam much lengthier than my GASF preparation. I highlight these details because our personal lives directly affect our professional lives. I’m also glad to know I could improvise, adapt, and overcome challenging circumstances with a fussy, colicky infant and actually do better than when I was childless. It just took a lot longer and for this, I became thankful for the 4-month preparation window.
For this course, I brought my family with me so, needless to say, I didn’t spend the evening hours working on my index. I returned from this course with maybe 5% of my index complete. It took me approximately 2.5 months of chipping away at my index to feel comfortable enough to start the practice exams. I took the first practice exam (67%) and missed the mark by 5%. I regrouped and revised my index and took the second practice exam (74%) a couple of weeks later and passed by 2%. I wasn’t comfortable with this margin of error so my keys to success for passing the final exam with a 90% ended up being the following:
- Reading over my index multiple times
- Listening to the MP3s for the class 4+ times (some days/topics more than that)
- Watching 13Cubed’s YouTube playlist titled “Introduction to Windows Forensics”
Looking back, I would say 13Cubed’s videos and the MP3s really hammered home the material for me. I recall taking the exam and I was able to visualize what 13Cubed did in his videos or recall how Rob Lee talked about a concept that was very helpful as a reference for answering the questions correctly and, most importantly, understanding the concepts themselves. I recall being about 75% complete with my exam and I stopped and thought to myself “I think I’m getting a lot of these right. I feel really good about my answers so far!”. Believe me, that is not a feeling I’ve felt a lot when taking exams, even if I’ve done fine on them; but the preparation was certainly key to achieving that feeling when it mattered most.
What Would I Do Differently Next Time?
I spent very minimal time reviewing the labs and even less doing them on my own time. However, to be fair, for FOR500 I emulated what 13Cubed did in his videos on my own system so in a way I did practical exercises, just not the ones in the book. For the next class I take in the future, I’m going to make sure to run through the labs at least twice when I’m back home before taking the class.
I think I was fortunate to get a comfortable passing score on the GASF and with the GCFE, I definitely improved and refined my study habits in time for the certification attempt. I anticipate the next certification’s preparation will involve multiple listens to the MP3s as I did for FOR500, as well as multiple run-throughs of the labs as I mentioned in the previous paragraph. As long as I do that, I’m very confident I can achieve a score close to or in excess of my GCFE score. Preparation is everything! One of the most valuable phrases I learned from my time in the United States Marine Corps is the 7 P’s: Proper Prior Planning Prevents Piss Poor Performance.
Print Preview is your friend before printing this off prior to exam day. Adjust column widths accordingly to make use of the most space possible. Given that so much data is placed in a cell, you want to ensure that the column is the largest it can possibly be to reduce the total page count of your printed index. Mine for FOR500 was 34 pages in portrait view.
Use the practice exams. After all, you (or your employer) paid for them! If you need another practice exam, lurk on the various DFIR social media outlets and be quick to respond whenever someone is giving away an extra, unused practice exam attempt. If you fail a practice exam, don’t panic! Putting in the work will be the only way to pass, pass comfortably, or reach the 85% or 90% threshold.
Download the MP3s within the allotted time period. If you forget to download, send a very polite email to firstname.lastname@example.org and ask for extended access to them. I had to do this for FOR585 and they were gracious enough to grant me limited access to download them. Once you download them, back them up! Google Drive provides 15GB of free storage. Each of the MP3 sets is about 450-500MB in the cases of FOR585 and FOR500.
Use Google Sheets for your index. A local copy on Excel is fine and dandy, but having access to your index anywhere you go can’t be beaten. Not to mention the fact that if your local copy wasn’t backed up anywhere when your hard drive inevitably someday fails, you’re out of luck!
Familiarize yourself with the rules and regulations relating to GIAC Certifications.
Use the SANS posters! Download digital copies of them and have them on your forensic workstations. Bring the relevant posters with you on the day of the exam. For FOR500, this was particularly helpful and saved time retrieving answers for a few of the questions.
Use external resources such as 13Cubed’s videos to supplement your studying. The SANS books are awesome, but sometimes there’s nothing better than watching someone walk through a tool or forensic method in great detail.
Search relevant subreddits for other people’s experiences on taking the exam you’re about to take. Pick up tips and tricks here and there from each person and develop your own study plan. It’s much easier and cheaper to learn from other people’s experiences than having to learn what they could’ve told you yourself!
SANS FOR508 – My Experience
I reviewed SANS FOR508 in a previous blog post that you can find here.
For background, I took the GCFA mid-November 2020 and I had just started working in IR 8 months prior. Digital forensics overall wasn’t new to me at the time, but with IR I still had a lot to learn despite having learned so much in the limited time I’ve been in the field. I also had never done memory forensics before so that was completely new to me. I had heard of Volatility but I couldn’t tell you the first thing about it.
I took my first practice exam around Halloween and I ended up with a 67%. I took this exam without a complete index and tried to not reference it at all outside of topics I had absolutely no idea about at the time. I tried to “wing it” and see where I stood. Given that, I was pretty happy with a 67% but obviously I was not going to settle for that score on the certification attempt. It should be noted the VM questions I completely tanked on because they mostly involved memory forensics and I had very little understanding and hands-on experience with that at the time of this exam.
I took the second practice exam early/mid-November and I ended up with a 77%. I had a more complete index at the time and I had done a lot more review on memory forensics. I got 100% of the VM questions correct which was a huge relief. I am glad I passed but I wanted a larger margin of error between the minimum passing score and what I had achieved.
I took the certification attempt the next week and I achieved the same score as I did on my second practice exam. In my experience, the practice exams were harder than the certification attempt but the opposite was the case this time around. I thought the certification attempt was much harder and there were a lot more questions that left me at a loss for how to answer the question. The way the questions were worded threw me for a loop a lot more than I expected them to, and a couple of times I thought no answer was correct based on what I was finding within the course material. I also had issues with a couple of the VM questions in that the VM couldn’t handle opening a large file due to lack of system resources and Notepad++ kept crashing on me. I provided the feedback to SANS about this so hopefully this isn’t an issue in the future. For one of those questions, I spent 10 minutes trying to wrestle with the VM but I also had other skipped questions I needed to attend to in the remaining time. I ended up filling in a random answer after 10 minutes and just taking the hit on the question. I’d rather get that one wrong and still have a chance at the other few I had remaining than get all of them wrong due to not being able to answer them.
In studying for the GCFA, this was my playbook for passing:
- Reading over my index multiple times
- Listening to the MP3s for the class once (the MP3s didn’t cover much, if any, memory forensics so it wasn’t as helpful for me to listen repeatedly to the MP3s)
- Watching 13Cubed’s YouTube playlist titled “Introduction to Memory Forensics”
- Reviewing the free resources on Steve Anson’s Applied Incident Response website, specifically:
  - Event Log Analyst Reference
  - Lateral Movement Analyst Reference
  - Memory Analysis with Volatility Analyst Reference
  - Default Windows Processes Quick Reference
- Reviewing the Volatility GitHub Wiki, specifically:
Referring back to my blog post about SANS FOR508, it appears I completed my indexing much later than I originally intended to. This can be attributed to busy spikes in my work and personal lives.
What Would I Do Differently Next Time?
I really don’t know what I would do differently. I have heard the GCFA is one of the hardest exams that SANS offers and my score definitely reflects that compared to how I’ve done in the past. I’m not ashamed of my score whatsoever. It was simply a very difficult exam that covered topics that were relatively new to me and some that I had limited experience or no experience with prior to the class. That being said, I also experienced the opposite in that there were a couple of sections where I personally felt like a Subject Matter Expert on the matter and didn’t need to spend really any time on those subjects in my studies given that I use those concepts on a daily basis in my professional life. That was something that was new to me but it was a welcome feeling to know that I know what I’m talking about with a few subjects covered. My experience with Timeline Explorer paid huge dividends throughout the practice exams and the certification attempt. I suppose I wish I had more hands-on experience with Super Timelines but I just simply don’t. That being said, interpreting them is easy enough, thankfully, and I was able to take the extra few seconds to answer those questions correctly most, if not all, of the time.
I echo the same advice from FOR500 above. Additionally, if you are a visual learner like myself and are struggling with gaining hands-on experience with memory analysis, I cannot recommend 13Cubed’s videos enough. Those videos singlehandedly elevated my skills high enough to feel comfortable on all practical questions that were asked of me relating to memory. Given my learning style, that was more helpful to me than doing the exercises myself because of the walkthroughs, explanations, etc. Another thing that was very helpful after watching those videos was reviewing the Volatility precooked output that is provided in the course materials. Once I understood the concepts as they were explained in the 13Cubed videos, I was able to look at that precooked output and pick out the evil almost immediately. It also helped the function of the plugins to click in my mind so I knew instantly what malfind did, what pstree did versus pslist and psscan, to name a few.
Yes, I took the exam online from the comfort of my own home. I’ve heard all the horror stories as well from others who’ve come before me. I’ve also heard perfectly normal experiences with ProctorU. Thankfully, I had a normal experience, myself. I thought it was very convenient and I’d definitely do it again. If you’re like me and you’re taking the certification attempt on a laptop in your office where other computers and monitors reside, be sure your computer(s) is powered off and cover your monitors with blankets. I didn’t know that going into it so I had to scramble to find blankets around the house to cover the 4 monitors I have at my desk. Besides that, everything else was explained beforehand and it was a smooth process.
Other GIAC Certification Blog Posts
- Better GIAC Testing with Pancakes
- SANS GIAC Exam Study Tips
- How I prepared for my GIAC GPEN exam
- Passed the GSEC (my first SANS exam): My experience, tips & lessons learned
- 6 steps to prepare for your GIAC exam and (hopefully!) pass it within the deadline
- How to Pass SANS GIAC Certification Exams
This method has worked for me twice now with increasing levels of success while dealing with arguably busier personal circumstances. I plan on using this method for my future GIAC certifications as well. I plan on continuing this series of blog posts as I take each future certification. I’ll be sure they all link to each other for the sake of convenience and continuity. If there are any other well known GIAC certification blog posts floating about out there, please send them my way and I’ll add them to this post! Cheers and best of luck to you on your future GIAC certifications!