GCFE passed

I took the OnDemand FOR-408 (Computer Forensic Investigations - Windows In-Depth) course. I've spent about a week at the beginning of May to watch all the videos and do all the assessment quizzes. I did not have the time to do any practice labs for the course. I was busy at work.

My OnDemand course and certification attempt will expire at the end of this month. So I took a practice test on Monday and passed without any preparation. I took another practice test on Thursday and passed again. 90% of the questions are the same as the first attempt.

I sat for the real test today and passed. First time to sit on a GIAC cert. and with open books test. Most of the answers for the exam are found textually on the SANS course books. If you did a good index of the books, you can pass the exam with little preparation.

SANS is preparing a new version of the OnDemand FOR-408 course. When I bought the course, the description said it will show FTK and EnCase. But the course video showed only FTK, even if there are slides about EnCase in the book. You got a Windows 7 Home Premium VMware virtual machine with the course but the Windows license is not included. You need to buy yourself a retail Windows 7 Home Premium license (not volume license) to activate Windows on the VM.

Find more posts tagged with

SAVE $250 on Your Boot Camp — Use Code "EXAM26"

Exclusively for TechExams members for Infosec Boot Camps starting before April 30, 2026

View Boot Camps

Comments

docrice

Interesting that you need to purchase a separate license for Windows, but I guess you could work on a non-activated Win7 install? Was this the 75-question exam format? It's interesting that both of your practice tests had mostly overlapping questions. I figured the question pool would be large enough to avoid that level of collision.

Good job on the pass, by the way. Did you feel 408 was worth the money?

paul78

@AlexNguyen - congrats on the pass.

AlexNguyen

docrice wrote: »

Interesting that you need to purchase a separate license for Windows, but I guess you could work on a non-activated Win7 install? Was this the 75-question exam format?
Did you feel 408 was worth the money?

You could work on a non-activated Windows 7. It will have the "This version of Windows is not genuine" message at the bottom of your desktop. But I hope that it will come at least with an activated Windows 7 license, since I paid over 4K dollars for the course.

The practice and real tests are 4-hour format, 150 short questions with multiple choice answers. There's only one answer per question to choose. There's no drag-and-drop question à la Microsoft exam. They show your score on screen for every 15 questions.

I feel the FOR-408 course did not worth 4K dollars. I was aiming at the advanced FOR-508 course but I failed the assessment test for it. Because I did not know about some e-Discovery terminology and methodology, and about Firefox artifacts (I mainly use Internet Explorer). If I've read a book about digital forensic or e-Discovery before taking the assignment test, I would pass.

I took the FOR-408 anyway hoping to learn about EnCase and then challenging the EnCE cert. But they removed the EnCase portion of the course. If you're an experienced Windows desktop admin or a MCTS 70-680, you won't learn much from this course. The instructor talked a lot about anecdotes and jokes. The slides and videos are not in HD. When you view it in full screen, the image is blurred. With the OnDemand version, you don't get the image file for the last day e-Discory challenge of the course. The slides and text notes are "protected" inside the browser. You can't copy and paste it to a text editor. They also disabled the mouse right click button.

docrice

I've always been a bit weary of the requirements for 508 (regarding the assessment test). I took a CHFI course some years back (without realizing there was a certification program around it) and I'm hesitant to consider another "entry level" forensics course, especially one that's specifically aimed just at Windows.

The OnDemand materials is done in the Java window and as such they've disabled copy / paste functions, presumably to protect their intellectual property. I think the objective is to have students rely on the written paper-based materials. I understand that point of view, but there's actually a discussion right now on the SANS Advisory Board list discussing electronic formats for the textbooks. Offensive Security provides all their materials in e-format, but they watermark your personal information on there for attribution.

If anything, at least let SANS know about your feelings. Hopefully it'll improve things.

AlexNguyen

I've just received my mounted GCFE certification plaque. It looks very nice and expensive. But it shows the expiration date. With my CISSP plaque, it shows only the date of obtention and no expiration date.

4_lom

Congrats on passing!

tpatt100

Congrats on the pass, I was thinking about taking a different GIAC cert at the beginning of next year but the cost is kind of prohibitive for me. I am not big on the idea of challenging a GIAC cert for the cost alone also.

AlexNguyen

After my first SANS course, IMHO, if you're challenging the GIAC cert without taking their class, it's not worth it. The plus value is in the course, not the cert.

There's often a special deal for their courses if you're on their mailing list. When I bought mine, there was a 15% off from the regular price. Right now, I think there's a $1500 rebate if you take some SANS community course before August 15th, 2012. For the qualifying online course, you can get a $850 discount if registered before July 25th, 2012. And if you pre-purchase an upcoming OnDemand course, you can get a 25% off.

docrice

SANS is always running specials for OnDemand courses:

http://www.sans.org/ondemand/specials

They change it from time to time. Sometimes it's like a free Mac mini, other times it's a 25% discount.

Jinverar

Congrats! I use Helix and encase at work. Never got to try FTK yet but I heard it was excelent. The mile2 cert also covered a lot of FTK.

AlexNguyen

For the GCFE exam, there was no questions about how to use the tools. The questions are about the concepts and you need to understand them. It's not like the CEH exam where you need to know the switches for the command-line tools.

Santhosh2kece

Hello All,

Yesterday, I took my GCFE exam and passed the exam. It took roughly 14 days to prepare for the exam with 3 to 4 hrs a day. I went through the ondemand videos and Indexed my SANS course book. I did not read the book which was not a good idea as you will miss certain key points which were not covered in the on demand video. The questions were more on concepts and how it been applied. I had a very few direct questions which I can answer without referring the book.

This is my first GIAC exam and open book was really a challenge for me.

I suggest you all to go through the book atleast once and highlight the important words as you will be left with very little time to search for keywords during the exam.

Also, have a constant watch on the "Time" as it flies away very easily and you have on average 90 to 95 seconds to answer one question.

I did not look at the online scores (Which is populated on your screen for every 15 questions) as it makes me feel more nervous. This sometimes boosts your confidence when you are scoring high but most of the time it will test your emotions and concentration. Especially if your scores are dropping.

Finally I managed to finish my exam with three seconds left and the best of all I PASSED. All the very best for everybody who is preparing for this exam.

Regards,
Santhosh

GCFE, CISA, CISSP, CCSA

chanakyajupudi

Congratulations ! Should be writing the exam real soon.

stephens316

Are you able to flag questions then go back to them ? I want to use an approach answer all the ones i know and flag the ones i need to look I am going to do that this week with a practice test I have left. Just wondered if i need to change my strategy ? I sit for my test Jan 20

docrice

You can flag up to five, but if you take your allotted 15-minute break during the exam, you have the answer those five before the break.

stephens316

I passed

TBRAYS

Congrats!