GCFA passed
Allow me to introduce myself. My name is Hurts... Brain Hurts.
So I just got back from the exam and after 2.5 hours in the chamber I managed to squeak by with an 89% which is much better than my rushed-through practice run a couple of nights ago. I made generous use of the courseware and for those preparing for this exam, I would say that everything in the books is up for questioning. Don't assume that just because it's a small section that it's not fair game. And in many cases, you won't find the answers on a single page, which means you need to understand the forensic methodology and analysis processes well enough so you can make sense of where the questions are leading you towards. If you haven't worked with the tools much, put some time into the labs again.
Overall a very fair test and for me a brutal one. I don't do this sort of work in my day-to-day but I went through FOR408 and 508 to better understand how this level of investigation fits into the whole IR process. When you're working at the network level, I think it's still very pertinent to know what could potentially be going on at the host level when scoping/guiding an incident investigation. You need to be cognitive as to what constitutes good procedures, what tools are capable of what, the relevance of various bits of data, and where tools may fall short.
After going through the practice exam (which disappointingly had questions very similar, although I don't think exact, to the real exam), I felt very apprehensive about going for the real deal. I tend to rush through the practice versions just to quickly see where my weak areas are if I were in a serious time crunch. My practice score left little margin against the passing baseline so I was justifiably worried. That said, I felt the quality of the questions for this exam was generally very good and required a lot of thought and careful examination to answer. The exam certainly tests your ability to look at output and discern nuances and they all felt like they had real-world relevancy.
On the real exam, I was doing noticeably better as I was pretty much in the solid 90+ percent range (with a high of 96%) until three-fourths of the way through where I dropped down into the 80s. At one point I had a built-in urgency (in respect to a certain kind of bio-break) and I had previously skipped a couple of questions ... and the "Take a Break" button wasn't visible until I clicked through the skipped questions. I dare say that if I had taken my time a little more, I might've hit the 90% mark on my final score. But hey, when nature calls you have to start choosing priorities.
One thing I didn't like about some of the questions were where they showed a screenshot of a tool output but it was wide enough that it didn't fit the exam-screen layout. I had to scroll horizontally within the embedded frame to see everything, making it a bit difficult to analyze while looking back at the question and answer choices. Sometimes it was a raw text output with fixed-width font, but some lines were so long that they wrapped to the next which made it difficult to focus. I'm being a bit nit-picky here, of course. The display resolution at testing center screens tend to be on the low side.
But I'm finally done. No more SANS or GIAC for me until next year where I'll consider FOR572. GIAC cert #9 is complete and I need to get back to work.
So I just got back from the exam and after 2.5 hours in the chamber I managed to squeak by with an 89% which is much better than my rushed-through practice run a couple of nights ago. I made generous use of the courseware and for those preparing for this exam, I would say that everything in the books is up for questioning. Don't assume that just because it's a small section that it's not fair game. And in many cases, you won't find the answers on a single page, which means you need to understand the forensic methodology and analysis processes well enough so you can make sense of where the questions are leading you towards. If you haven't worked with the tools much, put some time into the labs again.
Overall a very fair test and for me a brutal one. I don't do this sort of work in my day-to-day but I went through FOR408 and 508 to better understand how this level of investigation fits into the whole IR process. When you're working at the network level, I think it's still very pertinent to know what could potentially be going on at the host level when scoping/guiding an incident investigation. You need to be cognitive as to what constitutes good procedures, what tools are capable of what, the relevance of various bits of data, and where tools may fall short.
After going through the practice exam (which disappointingly had questions very similar, although I don't think exact, to the real exam), I felt very apprehensive about going for the real deal. I tend to rush through the practice versions just to quickly see where my weak areas are if I were in a serious time crunch. My practice score left little margin against the passing baseline so I was justifiably worried. That said, I felt the quality of the questions for this exam was generally very good and required a lot of thought and careful examination to answer. The exam certainly tests your ability to look at output and discern nuances and they all felt like they had real-world relevancy.
On the real exam, I was doing noticeably better as I was pretty much in the solid 90+ percent range (with a high of 96%) until three-fourths of the way through where I dropped down into the 80s. At one point I had a built-in urgency (in respect to a certain kind of bio-break) and I had previously skipped a couple of questions ... and the "Take a Break" button wasn't visible until I clicked through the skipped questions. I dare say that if I had taken my time a little more, I might've hit the 90% mark on my final score. But hey, when nature calls you have to start choosing priorities.
One thing I didn't like about some of the questions were where they showed a screenshot of a tool output but it was wide enough that it didn't fit the exam-screen layout. I had to scroll horizontally within the embedded frame to see everything, making it a bit difficult to analyze while looking back at the question and answer choices. Sometimes it was a raw text output with fixed-width font, but some lines were so long that they wrapped to the next which made it difficult to focus. I'm being a bit nit-picky here, of course. The display resolution at testing center screens tend to be on the low side.
But I'm finally done. No more SANS or GIAC for me until next year where I'll consider FOR572. GIAC cert #9 is complete and I need to get back to work.
Hopefully-useful stuff I've written: http://kimiushida.com/bitsandpieces/articles/
Comments
http://adarsh.amazonwebservices.ninja
Something that's not well-advertised is that if you do OnDemand training, SANS has a rewards program which will add up after a while to cover a short or long course with enough points.
Still, the Work Study seems to be the best value in cost and personal immersion into the training experience.
I don't work in the field of DF either and it was extremely difficult for me as well. I didn't do nearly as well as you did, score wise, but you're pretty spot on with the way they framed many of the questions and how the tester really needed to know the entire course-ware and putting it all together.
I hope you provided them comments about the scrolling. It was SUPER annoying. The same kind of thing happens with the vertical output. I don't understand why it's so hard to have video/monitor resolution of today and not from 2004.
I'm so happy for you, man!
How present would you say that content from the numerous Appendixes was present in the exam questions?
I remember that on my GCFE exam there not a single question on content from the appendixes, but I noticed that in FOR508 there are more appendixes than in FOR408
cheers,
Joao
http://www.sans.org/course/advanced-computer-forensic-analysis-incident-response
Can anyone share the e-book for GCFA.
Buy the courseware like everyone else.