In late January, I was offered a moderator position via SANS Work Study Program that allowed me to attend the FOR508: Advanced Incident Response, Threat Hunting, and Digital Forensics course taught live online by instructor Mat Fuchs. This is a 6 day intensive course that cumulates in a capstone challenge on day 6. Being a moderator meant that I had to assist the instructor with tasks such as time keeping, ensuring that students are all set before the class, being a liaison between the students and instructor / helpdesk where need be, distribute course materials etc. The first half day was a bit of a challenge as it was my first time moderating and I had not found a suitable rhythm to keep up with my duties and still pay attention in class. Once I managed to balance the duties and paying attention, it was all a breeze for me. The days flew by, the materials got tougher but I did not feel disadvantaged despite the additional duties.
On day 4/5 evening, SANS organised the SANS Amsterdam January 2021 Core NetWars CTF for the course attendees. I took part in it and to my surprise, won my very first SANS CTF coin.
Come day 6, we had the capstone challenge that caught me a little unprepared as I did not have enough space on my machine to run all the VMs (60gigs each) that were necessary. That meant I wasted about an hour or two moving VMs here and there before I could actually focus on the capstone with my team. Despite the setback, my team selected me to present our findings and we were awarded the winners. This meant that we all got the SANS Lethal forensicator coin. My second coin from SANS.
Once the course was over, I knew that I had to review the online materials again as Forensics was something new to me, not to mention that fact that the course is full of Windows Forensics! Luckily, as a moderator, I also got access to the ondemand training materials. SANS courses unlock the study materials for 4 months and normally include 2 practise exams and 1 certification attempt. Over the following 3.5 months, I went through the on demand training videos first then decided to read the books incase there was something I had missed. Once I finished reading the books, I scheduled my exam.
Two weeks before my scheduled exam, I took the first practice test and I failed miserably. There were 82 questions in total, of which 7 were hands on. My timing was all wrong. I made it to the hands-on questions 15 minutes to the end of the 3 hour exam and knew that it was an instant fail. I failed flat having not attempted even 1 of the 6 or 7 hands-on questions.
My decision was to redo all the labs that we had done in just 1 week. That took me about a week of 2-3 hour slots. Once I was done with redoing the labs, I felt that it was time to attempt my second practise test. Again, I made the same mistake. My time management skills were poor. I second guessed my answers and therefore checked more than I needed to. I made it to the start of the hands-on labs around 20 minutes before end of time. Even though I managed to answer 1 of the 6 or 7 hands-on questions, it was not enough to pass. Again, another fail! This was really demoralising.
With just a few days left to my exam ( 2-3 days), I figured that I should work on my weak spots which was mainly NTFS filesystem. I watched a couple of YouTube videos that helped explain NTFS. There was not much I could do about the labs since I did not have practice tests. I figured it was simply poor timing strategy that I would need to fix during the exam. I would reduce the number of times I referenced the books and simply go with my chosen answer so that I could make it to the hands-on exercises in good time.
A day before the exams, I made sure that my index was inorder.
Come the day for the actual exam, I was uncertain that I would pass the test. I knew all I needed was a pass score of 72% and that was what I hoped to get but I was scared that I would fail the exam based on my two failed practice tests. If you are new to SANS exams, the practise tests are meant to gauge your readiness. Having failed the exam twice was a red flag for me but since my 4 months were almost up, I had to either pay to extend access or take the exam. I opted to take the exam but with a modified strategy. My decision for the day was that I needed to quickly answer the theory questions and even though SANS is open book, I had to resist the temptation of verifying the answers to the questions I was doubtful about so as not to waste time. By quickly answering the theory questions, I hoped to have enough time ( at least an hour left) to get through and attempt the hands-on labs.
And thats exactly what I did! I tried not to “verify” my answers and simply move on with my instinctive answers. I managed to get through the theory questions quickly ( up to question 75) and left about 50 minutes for the hands-on questions. I did calculate that I needed about 6 minutes per question based on the time I had left. I found that I was able to get the answers to the lab questions fairly easily as I knew how to use the tools. I was left with 1 minute when I answered the final exam question ( question 82) :).
When I submitted the exam for assessment, I was confident that I had answered all the hands-on questions correctly. I also felt that the theory questions were a little easier than I anticipated but the score was a shock for me. I got 88% :). All I had hoped for was a 72% and here I was, 2 points away for a 90%. What a relief that was for me.
All in all, this was undoubtedly a really great course. Challenging for sure, but worth it.
Recommendations:
For those that plan on taking this exam, it’s not an easy one so do not rush.
- Be ready with external storage. The course provides 3 iso files which are about 60 gigs each. Make sure you have adequate space on your computer. I ended up getting the Samsung T7 Touch Portable SSD 2TB after the course for future courses.
- Review the course materials and attempt the labs again. Make sure you know how to use the tools.
- Be comfortable with NTFS timestamps
- Try not to rely heavily on your index. You are rushing against time. The more you check, the less time you have to attempt the labs.
- Plan to have at least 40 minutes left for the hands on part.
- Trust your instincts
CyberSecFaith 
Hi, Congrats on your certification!
I am planning to take the exam soon and will like to check with you the format of the 7 lab questions, are they multiple choice questions where I choose a correct answer, or are they opened ended answers where I have to type my answer in a textbook?
Thank!
LikeLike
Hi Yon,
Thank you.
It’s multiple choice questions. You get a question with access to the lab, search for the answer and based on that, choose the correct answer from the options.
All the best!
LikeLike
Hello, Thank you for sharing valuable information and congratulations on your success. Is the scoring of the 7 lab questions the same as the other 75 multiple choice questions? Best regard.
LikeLike
I believe the labs carry more weight based on my practice test fails but that is just an educated assumption.
LikeLike
Hi could you share your Index file with me please?
Thanks so much.
LikeLike
Congrats again on passing the test! I have a question: I struggled on the NTFS part of the test too. Can you point out to me which book helped you improve in that area?
LikeLike
I watched YouTube videos and found one that really explained it well.
LikeLike
Congratulations! You should be proud of yourself. My exam is coming up end of this month. I keep reading that exam questions are much harder than practice test questions. Is that true? Also how did you interpret which area you are weak in based on the stars after the practice test? I’m kind of confused after my first practice test. Thanks.
LikeLike
A 5 star means I understood the topic well, a 1 star would mean I need to go back to the drawing board because I have little understanding of the topic.
LikeLike