GCFA Odyssey
Hi everyone, I just want to share my personal experience regarding the GIAC GCFA preparation and exam, I hope anyone reading this will end up with some insights which might guide them through this challenging adventure. I want to emphasize that everyone has a unique background, skills and way of learning topics, please do not rely on my words to serve as the ultimate guide, trust me, you will be able to come up with something great suiting your style. :)
Intro
I took the FOR508 class in person at Security West San Diego 2023, and I really enjoyed the training set up by SANS and led by Carlos Cajigas. As soon as the training was over, I was totally into it and made up my mind to go for the GCFA exam on September 27, a four-month gap. The exam comprises 82 questions, with 75 multiple-choice questions and the remaining 7 being hands-on exercises on a virtual machine. To pass the exam, you must score above 71%. (This is the pass condition at the time this blog post was written.)
I had my two practice tests, course books, recordings, and VMs all set. Just like anyone new to the GIAC exam, I started digging around to see how other people got ready for this big test.
I stumbled upon various posts on Reddit detailing how others plotted their exam prep, and one common thread was the emphasis on creating an INDEX. Make one of your own! You're allowed to bring books and any other hard-copy materials to the exam. I used the method from @hacks4pancakes to construct my index.
Summer
During the summer I was quite busy, going on 2 vacations, participating in DefCon in Las Vegas, and a friend from Romania visited me, so during this period, I only had time to read the course books. I DO NOT RECOMMEND ANYONE TO ALLOCATE JUST A MONTH FOR THE EXAM, if I could turn back time I would start studying at least 6-8 weeks before the deadline.
Make it or Break it...
Before September rolled in, I'd made up my mind to be completely zoned in and committed to my studies, leaving no room for compromises. Every free second I got from my job was spent hitting the books; my weekends turned into all-day study marathons. My eagerness to ace this exam stemmed from the intriguing and helpful information it presented and my personal goal to prove to myself that with the right attitude, there's no limit to what we can learn.
I would like to emphasize that the GCFA is a challenging exam, and gearing up for it is no easy task. Therefore, I suggest embarking on this exam only when you are mentally sound. Maintaining good mental health is paramount when preparing to tackle tough challenges. My girlfriend offered immense support, standing by me daily, providing food, offering encouragement, and just being present, despite the study phase not being the most enjoyable time for a young couple.
September
Grasping the material fully is crucial, rather than just having an index. Hence, my September was spent as follows:
the first 10 days I managed to go through all the video recordings (1-10 September)
the next week I read the books and created the first version of the index (10-17 September). My index consisted of only 2 columns, the first column was formed by the book number and page, and the second represented a title that represented the information from that location. Highlight everything important in the books while you are creating the index
On September 17 I had the first practice test in which I scored 92%
the week from 17-24 September I used to delve into what I got wrong in the first practice test and I reread the books. Besides this, I watched 13cubed videos on YTB on the topics I wanted to understand better.
The second practice ended with me scoring over 93%
For the last 2 days, I have been going through all the labs
Again, it’s very important to understand the material, not just to have an index
Exam day
Exam Location:
- Home, Proctored
Exam Resources used:
course books
index
labs commands cheat sheet
Volatility cheat sheet
Hunt for Evil Poster
Windows Forensic Analysis Poster
Even though I passed the first 2 simulations with scores over 90% (finishing an hour and a half before the time), the exam was NOT EASY. I can say that the areas tested in the practice exams are the same, but the way the questions are formulated is intended to test your critical thinking. I scarcely used the index during the exam. It does not assist if the material is not thoroughly understood. Without a solid grasp of what was taught in FOR508, depending on the index to pass is futile. I completed the exam 20 minutes before the deadline, achieving a score of 93%. Once again, comprehending the material is crucial, and one should not depend solely on the index while taking the exam.
I am convinced that viewing all the video materials once and revisiting the books multiple times for a comprehensive understanding of the content (I personally read them three times), is sufficient for passing the exam. The practical exercises mirror the complexity of those in the labs. Proficiency in handling lab exercises assures a similar competency during the exam.
I recommend the FOR508 course and the GCFA exam to anyone with an interest in DFIR. Despite the course's complexity and the exam's difficulty, the fulfilment derived is immense. Even though it's possible to pass with just a month of study (as was my experience), I advise beginning the preparation two months ahead.
I wish good luck to those who will take the exam, and I just want to tell them to have confidence in themselves, and that with the right amount of work, nothing is impossible.
All the best!