SANS 408 - GCFE: A Post-mortem

testing010101testing010101 Member Posts: 22 ■□□□□□□□□□
Took SANS 408 with Heather Mahalik in March 2016 as my first SANS class.

Here are some photos on how I organized my textbooks and index:

https://imgur.com/a/wOWCG

As you can see, I labeled the major portions of the textbooks using color coded sticky notes. For me this was hands down the most effective way to easily search the textbooks. Using my index was far too time consuming and often didn't have the extremely specific information I was looking for. I think my index ended up being about 68 pages.

For example, in the fifth textbook (web browser forensics), Chrome forensics would be labeled using a blue sticky note on the top end of the textbook and all of the detailed information such as Chrome artifacts, cookies, Incognito Mode, etc would also be labeled using a blue sticky note except on the right hand side of the textbook. So my search would go:

1. need web browser forensics -> see book five
2. need Chrome forensics -> see all blue tabs
3. search blue tabs on right hand side for specific topics on Chrome forensics

Another thing that helped me was creating a small index for important file, folder, and registry paths.

I only just took the exam last Monday (Tuesday was the last possible day I could take it) and passed with an 85%.

I took both of my practice exams and scored a 78% on the first and an 87% on the second. The practice exams were very good indicators of how well you could expect to do on the actual exams.

Hope this helps.

Comments

  • testing010101testing010101 Member Posts: 22 ■□□□□□□□□□
    I don't know if this helps any Googlers who come by this on a search, but I've been working as an incident response analyst for about 1.5 years. Prior to that I was a monitoring analyst in a 24x7x365 SOC for one year. Prior to that I was in college.
  • clementineclementine Registered Users Posts: 2 ■□□□□□□□□□
    Hi,
    • How long would you say it took to study for this exam? 60 days? 90?
    • How much time per session would you say that you committed to studying?
    • Which other methods did you employ (if any) to study, beyond referencing the SANS course book and corresponding highlighting?
    • Do you have a home lab that you used to aid in studying?
    • Would you consider GCFE to be more of a repetition/memorization exam?
    • Did you use any unusual sources to help you study, like audiobooks, or podcasts?
  • testing010101testing010101 Member Posts: 22 ■□□□□□□□□□
    Hey Clementine.

    I used the maximum amount of time allowed to take the exam (three months). Looking back on it, I wish I would have taken it much sooner after taking the class. Next time I plan on working on my notes immediately after class and then taking the exam ASAP.

    I usually spent three to four hours per session (anywhere from 10-20 hours per week).

    I used a lot of highlighting. I would take a practice exams and go back over concepts for the questions that I missed on the practice exams and highlight key terms and whatnot.

    I don't have a homelab because GCFE covers the same tools I use at work.

    GCFE is definitely not a memorization exam. It's based on procedures used in forensics labs and how to analyze the data that's retrieved from devices.

    I didn't use any unusual sources. I listened to a few of the podcasts that SANS gives you for the certification but they were a little difficult to follow because the instructor seemed to keep going off on tangents. I didn't feel like listening to the podcasts were helping me study.

    Hope this helps.
  • clementineclementine Registered Users Posts: 2 ■□□□□□□□□□
    It does help. Thank you for your post. Good luck in your future endeavors and congratulations on passing.
  • the_Grinchthe_Grinch Member Posts: 4,165 ■■■■■■■■■■
    Congrats and an excellent write up! Also, it sounds like we attend the same conference! Have to say Heather was one heck of a speaker (I watched her late talk about phones) would have loved to take her course.
    WIP:
    PHP
    Kotlin
    Intro to Discrete Math
    Programming Languages
    Work stuff
  • TechGromitTechGromit Member Posts: 2,156 ■■■■■■■■■□
    Congratulations on the pass. Looking at the photos your index looks like a nightmare, but hey what ever works for you. Why didn't you just make the tab numbers and reference the book / tab number in your index? This is the way I did it for all my SANS exams. From the looks of you index, it's at least two levels deep, using all three sides of the book, I tried to limit each book to one level.

    Still searching for the corner in a round room.
  • testing010101testing010101 Member Posts: 22 ■□□□□□□□□□
    TechGromit wrote: »
    Congratulations on the pass. Looking at the photos your index looks like a nightmare, but hey what ever works for you. Why didn't you just make the tab numbers and reference the book / tab number in your index? This is the way I did it for all my SANS exams. From the looks of you index, it's at least two levels deep, using all three sides of the book, I tried to limit each book to one level.

    Yeah, I don't know, haha. It was my first SANS cert so I was just trying to figure out the best way to do it for me. I like your idea better though and I think I would do something like that next time.
  • testing010101testing010101 Member Posts: 22 ■□□□□□□□□□
    the_Grinch wrote: »
    Congrats and an excellent write up! Also, it sounds like we attend the same conference! Have to say Heather was one heck of a speaker (I watched her late talk about phones) would have loved to take her course.

    Oh, cool. I saw another poster say that he was in the same class I was but didn't really get a lot of info from him on how he prepared, haha.
Sign In or Register to comment.