GCFA preparations

Hi Guys,

I passed the GCFE back in November and will be taking the GCFA this Saturday after months of prior study. I have indexed the course books for FOR508 and did the workbook exercises a few times. Is this enough to be prepared for the exam? I keep hearing different things, some say it is easier than the GCFE, some say the course books dont really help. Any recommendations would be much appreciated.

Find more posts tagged with

Comments

ChooseLife

Can't help with your question, but got a question of my own - how much of this course covers Linux? FOR 408 has "Windows" in the title so I assume 99% of the focus is on Windows - what about FOR 508?

forensicsman

Its still Windows analysis but you use mostly linux based tools to analyze the Windows systems.

ChooseLife

Thanks for your response. So there is no analysis of Linux systems, such as this one? That's too bad, I'd be game otherwise....

azmatt

No way no how is the GCFA easier than the GCFE but it is very passable. If you have a large, well organized index and you understand the material than I'm sure you'll do great.

azmatt

ChooseLife, I've written a few posts on my blog where I break down the 408 content compared to the 508 content.

The 408 is what people people think about when they hear "computer forensics". It's web browsing history, file execution, usb drive usage etc. etc. on Windows machines. It's a great class because they lay out a step by step system for what to look for where and how to document those artifacts in a timeline.

The 508 has changed radically not only from 2008 to 2012 but from late 2012 to early 2013. The latest iteration of the 508 isn't about examining a users behavior but far more of an incident response type class.

For 408 think "What did Bob do on his machine last Thursday"

For 508 think "I just got a call from an Agency that said my network has been compromised. I have 80 machines. What are some good indicators of compromise to look for and what's the best way to search for them on my network"

ChooseLife

azmatt wrote: »

ChooseLife, I've written a few posts on my blog where I break down the 408 content compared to the 508 content.

Cool, I actually read it, but didn't know it was you

That article helped a lot and clarified a lot of questions - only leaving me with a question of platform coverage.

azmatt wrote: »

For 508 think "I just got a call from an Agency that said my network has been compromised. I have 80 machines. What are some good indicators of compromise to look for and what's the best way to search for them on my network"

That sounds really great. I'd imagine the course then covers both general principles of IR/Forensics and technical specifics. It's the latter that I have doubts about. Suppose I get the aforementioned call from an agency and I have 80 Linux/Unix servers and no Windows. How useful will this course be to me?

azmatt

That is a really good question

I just took a two minute flip through what I believe is the latest version of the course (March 2013) before I answered.

The con side would say that while the course has you working in Linux, the in class examples and content coverage are largely Windows specific topics such as registry, windows memory processes etc.

The pro side would say that the underlying concepts (kill chains, remote acquisition etc.) are fairly universal and that while the examples are Windows specific in a lot of cases you get hands on experience using the same tools and techniques you'll be using for other systems (Volatility, Linux image mounting etc.).

It's not totally Windows focused like the 408 and 526 are and I have no doubt you would get a lot out of it but if you would be annoyed at spending time going through Windows specific examples than yeah, be careful. Maybe give the 504 a look.

ChooseLife

Thanks Matt, I appreciate you taking time to check the material and respond!
I would not get annoyed by Windows, it's just not too useful for me. And SEC504 is definitely on my radar.

OP, sorry for hijacking your thread! How did your exam go?

azmatt

No problem bud, anytime.

n8236

I took my 508 course in q4 of 2013 and failed in March 2014 by a few percent. Yes, I know I should have taken it sooner...The exam is definitely not easy if you don't have the academic or job experience. Not taking 408 probably hurt my chances too, as that lays out a lot of the basic foundational Windows mechanics and whatnot. Sometimes I wonder if I made a mistake taking the course w/o the necessary background.

I have to say, 508 was every bit as enjoyable as I expected it to be. It is hard stuff, but very rewarding. I am slated for a retake in the end of August and to fully honest, I'm a little nervous.

Would anyone want to give away their practice exam to me? I could surely use it.