My #GCFA Training and Exam Experience

ldavisdts Member Posts: 10

Training Journey

What a long journey it was preparing to take the GIAC Certified Forensic Analyst (GCFA) exam. I purchased this training while still pursuing my master's degree at East Carolina University this year. This was a mistake because you only have 4 months to complete OnDemand training and take the test. After graduating I was able to start training for the GCFA exam. I was very surprised how advanced the course material was; it blew my mind. I took the first practice exam in October 2019 and scored 45%; the second practice exam was taken in November 2019 and I scored 42% on that. Before the first practice test, I purchased two extensions ($389 apiece) and was granted a third due to a hurricane here in NC over the summer. Three extensions (adding 45 days each time) gave me plenty of time to study and go through the material multiple times, and I did. I purchased a third practice exam, took it, and scored 52% on 12/15/2019. Exam day was set for 12/28/2019. I continued to study for the next two weeks.

I would make sure that you tab your book heavily and put every single term, tool and artifact in your index. You will need to watch the training videos at least two times. I think that the instructor could have been a little clearer in his explanations. The video delivery software could be a little bit better. Do not be afraid to look outside the course for extra resources. In my opinion, doing the labs and tabbing your books would be more beneficial than anything else. Know your tool output! Overall, the information is packed into this course tightly.

Please make sure you study with all your ability because SANS training, exams (GIAC) and even practice exams are extremely pricey to purchase. It will not serve you well to rush through the material. My advice is to take your time and really learn the material. I encourage you to use all the study time you have to properly prepare for this exam. It doesn't matter that the test is open book because, between reading a question, looking at your index and possibly the book, you simply will not have a lot of time to do that on every question. The questions are not tricky. You either know it or you don't. You need to know a great deal of the material in order to pass. You need to understand the Windows OS well and you need to understand NTFS timestamps without looking this information up too much.


Exam Day Experience

I was feeling very confident even with the poor practice exam scores. I had built a pretty good index, as I was instructed to do by multiple people. I carried all of the SANS books along with the index and posters into the testing center. I was told that the posters were too big and couldn't go into the room. I made the mistake of having the posters laminated. Some advice here: wait to laminate the posters until after testing with them. The exam was multiple choice, and that does not make it any easier. Some of the questions presented on screen to me were jumbled up.

It's very important to understand that the questions are not tricky, but some are not clear in what they are asking. Time was my enemy. I had to rush a lot of my answers, so you must know your material with confidence. After months of studying, I still came up with a 61% (71% was the passing mark). I guess I did a lot better on the actual exam compared to the practice exams. The actual exam started off so well, and because of that I'm not 100% sure what went wrong. I really feel the failure was due to rushing and trying to over-verify a lot of the answers I chose. I took this exam and completed the training with no prior experience in digital forensics. With that being said, I still feel anyone can succeed at passing the exam, and I'm sure the next time I will be successful in my endeavor!


Good luck to all!


Comments

  • LonerVamp OSCP, GCFA, GWAPT, CISSP, OSWP, CCNA Cyber Ops, Sec+, Linux+, AWS CCP, CCSK Member Posts: 437
    Nice write-up! I just want to say, that's some balls going into that exam confident after ~50% practice exam showings! I wish you luck in further attempts!

    First off, I loved FOR508. It was my first SANS experience, and I picked it because it seemed challenging. I didn't know if I'd ever get the chance again, so I aimed pretty high. No regrets there!

    Second, do you have an idea on where you were weak, at least as far as the materials go? My second time going through the labs is really where things started to click for me.

    Third, SANS definitely tests you on your time management and even indirectly on how well your index is prepared and if you know the materials. (Not necessarily understand it, but know where it is in the books!) Part of the test, as you mentioned, is reducing your seek time to find and/or verify answers. Every second you flip through your index, flip through the books, and then read the books increases your seek time. The more you waste there, the more you end up rushing other questions. If you can skip the index and go to that tab in the book, solid! If you can read a brief definition in the index rather than go also to the book, yes! If you have multiple entries for "volatility," can you quickly get to the one that goes over what formats it supports? Score!

    As you mentioned, definitely index every tool, name, concept, term, and topic. I'd even include screenshots and the posters as well. And this includes text in the slides as well as the descriptive text. When I took that exam in 2018, all of that content was fair game!

    Fourth, make sure for everything you perform, especially in the labs, you understand why you're doing it. Why do you run this Volatility command? Well, it's to find malware. Ok, why do you want to do that? To get a file name (IOC #1 to search for in your logs) and maybe even get a process name/PID (IOC #2!), and so on. Every action performed is there to gather clues to fill in the puzzle and see what the whole attack was. It helps to think about an attack on a system and what those parts are. There's the initial infection (something had to be run at some time through some one/program), the establishment of persistence, the attempts to hide/evade, the communicating out to an attacker, the attempt to gather data, the attempt to laterally discover and infect other systems on the network, the attempt to actually execute that movement, and repeat. (And I'm sure I've missed plenty in this simplistic example!)

    That sucks not being allowed the posters. I remember using them. Probably have FedEx/Kinkos print them from PDF for you in a readable size. Bonus if in color, though obviously that's a bit of a luxury. :)

    Security Engineer/Analyst/Geek, Red & Blue Teams
    OSCP, GCFA, GWAPT, CISSP, OSWP, CCNA Cyber Ops, Sec+, Linux+, AWS SA-A, CCSK
    2020 goals: AWS Security Specialty, AWAE or SLAE, CISSP-ISSAP?
  • ldavisdts Member Posts: 10
    Thank you for your response! It was a challenging exam for sure! My weak areas were in the Volatile artifact analysis, Volatile data collection and Windows filesystem structure and analysis sections. Incident response in an enterprise environment was also low for some reason (two stars). I think that had something to do with the Kansa questions. I need to do the labs. I did not attempt the labs the first time around. I will start there and gather more knowledge. I think the labs would help me with understanding the images on the exam. Reading the timeline of artifacts is also a challenging type of question for me.

  • ldavisdts Member Posts: 10
    I need to go by FedEx and see if I can have the PDF printed in a readable size.
  • Cuse0311 Network+, Security+, C|EH, eJPT, GCIH, GCED Member Posts: 52
    Keep your head up! You are not too far off from a passing mark. Do you plan on retaking the exam?
  • ldavisdts Member Posts: 10
    edited December 2019
    Yes I'm going to take it one more time. 
  • Cuse0311 Network+, Security+, C|EH, eJPT, GCIH, GCED Member Posts: 52
    ldavisdts said:
    Yes I'm going to retake it one more time. 
    Good deal. Yeah if you do the labs a couple of times, I'm sure you will pass. Keep us posted. Great write up by the way!
  • ldavisdts Member Posts: 10
    I really appreciate your responses!
  • TechGromit A+, N+, GSEC, GCIH, GREM, Ontario, NY Member Posts: 1,955
    edited December 2019
    I would have to concur with the confidence level on the exam given the practice exam showings. My own experience with the GREM, a level 600 exam, was 60% for the 1st practice test, 69.33% on the 2nd practice test, a 45 day extension, and 73.3% on the exam (70.7% passing). It was the hardest exam I ever studied for. I studied every night for months before the exam, and I had a knot in the pit of my stomach when I pressed the submit button on the last question of the exam. GIACs are not to be taken lightly; even for an open book exam, they are very costly in time and currency.

    As for future attempts, it's going to be even harder. When you signed up for your exam, you were guaranteed a test based on the materials you possessed. I do not believe that is true for a retest; there are going to be questions on the exam that will not be in your books because it will be based on a newer version of the course material. Also, if you purchase additional practice exams, they will be less useful than before. Chances are questions you already answered will be on your new practice exams, which could lure you into a false sense of security if you do well on them. While passing isn't impossible, you are going to have to study a LOT HARDER than before and take the exam sooner rather than later, because the longer you wait the more outdated your course material will become.

    As for posters, I don't recall any posters in my SANS 610 course materials. 
    Still searching for the corner in a round room.
  • LonerVamp OSCP, GCFA, GWAPT, CISSP, OSWP, CCNA Cyber Ops, Sec+, Linux+, AWS CCP, CCSK Member Posts: 437
    ldavisdts said:
    Thank you for your response! It was a challenging exam for sure! My weak areas were in the Volatile artifact analysis, Volatile data collection and Windows filesystem structure and analysis sections. Incident response in an enterprise environment was also low for some reason (two stars). I think that had something to do with the Kansa questions. I need to do the labs. I did not attempt the labs the first time around. I will start there and gather more knowledge. I think the labs would help me with understanding the images on the exam. Reading the timeline of artifacts is also a challenging type of question for me.

    With the time you've spent so far, I bet going through the labs is going to be eye-opening for you. The labs are excellent and give you some real-world, guided, hands-on experience doing what you need to do.

    Also, incorporate that lab book into your index, including the screenshots, especially anything with commands or command output. Again, it's about context and recognizing the output of a tool and why you'd be looking at it.
  • ldavisdts Member Posts: 10
    Your responses are very helpful and I appreciate them. I will take your advice on doing the labs. 