My GIAC Certified Forensic Analyst (GCFA) Experience

In late January, I was offered a moderator position via SANS Work Study Program that allowed me to attend the FOR508: Advanced Incident Response, Threat Hunting, and Digital Forensics course taught live online by instructor Mat Fuchs. This is a 6 day intensive course that cumulates in a capstone challenge on day 6. Being a moderator meant that I had to assist the instructor with tasks such as time keeping, ensuring that students are all set before the class, being a liaison between the students and instructor / helpdesk where need be, distribute course materials etc. The first half day was a bit of a challenge as it was my first time moderating and I had not found a suitable rhythm to keep up with my duties and still pay attention in class. Once I managed to balance the duties and paying attention, it was all a breeze for me. The days flew by, the materials got tougher but I did not feel disadvantaged despite the additional duties.

On day 4/5 evening, SANS organised the SANS Amsterdam January 2021 Core NetWars CTF for the course attendees. I took part in it  and to my surprise, won my very first SANS CTF coin.

Come day 6, we had the capstone challenge that caught me a little unprepared as I did not have enough space on my machine to run all the VMs (60gigs each) that were necessary. That meant I wasted about an hour or two moving VMs here and there before I could actually focus on the capstone with my team. Despite the setback, my team selected me to present our findings and we were awarded the winners. This meant that we all got the SANS Lethal forensicator coin. My second coin from SANS.

Once the course was over, I knew that I had to review the online materials again as Forensics was something new to me, not to mention that fact that the course is full of Windows Forensics! Luckily, as a moderator, I also got access to the ondemand training materials. SANS courses unlock the study materials for 4 months and normally include 2 practise exams and 1 certification attempt. Over the following 3.5 months, I went through the on demand training videos first then decided to read the books incase there was something I had missed. Once I finished reading the books, I scheduled my exam.

Two weeks before my scheduled exam, I took the first practice test and I failed miserably. There were 82 questions in total, of which 7 were hands on. My timing was all wrong. I made it to the hands-on questions 15 minutes to the end of the 3 hour exam and knew that it was an instant fail. I failed flat having not attempted even 1 of the 6 or 7 hands-on questions.

My decision was to redo all the labs that we had done in just 1 week. That took me about a week of 2-3 hour slots. Once I was done with redoing the labs, I felt that it was time to attempt my second practise test. Again, I made the same mistake. My time management skills were poor. I second guessed my answers and therefore checked more than I needed to. I made it to the start of the hands-on labs around 20 minutes before end of time. Even though I managed to answer 1 of the 6 or 7 hands-on questions, it was not enough to pass. Again, another fail! This was really demoralising.

With just a few days left to my exam ( 2-3 days), I figured that I should work on my weak spots which was mainly NTFS filesystem. I watched a couple of YouTube videos that helped explain NTFS. There was not much I could do about the labs since I did not have practice tests. I figured it was simply poor timing strategy that I would need to fix during the exam. I would reduce the number of times I referenced the books and simply go with my chosen answer so that I could make it to the hands-on exercises in good time.

A day before the exams, I made sure that my index was inorder.

Come the day for the actual exam, I was uncertain that I would pass the test. I knew all I needed was a pass score of 72% and that was what I hoped to get but I was scared that I would fail the exam based on my two failed practice tests. If you are new to SANS exams, the practise tests are meant to gauge your readiness. Having failed the exam twice was a red flag for me but since my 4 months were almost up, I had to either pay to extend access or take the exam. I opted to take the exam but with a modified strategy. My decision for the day was that I needed to quickly answer the theory questions and even though SANS is open book, I had to resist the temptation of verifying the answers to the questions I was doubtful about so as not to waste time. By quickly answering the theory questions, I hoped to have enough time ( at least an hour left) to get through and attempt the hands-on labs.

And thats exactly what I did! I tried not to “verify” my answers and simply move on with my instinctive answers. I managed to get through the theory questions quickly ( up to question 75) and left about 50 minutes for the hands-on questions. I did calculate that I needed about 6 minutes per question based on the time I had left. I found that I was able to get the answers to the lab questions fairly easily as I knew how to use the tools. I was left with 1 minute when I answered the final exam question ( question 82) :).

When I submitted the exam for assessment, I was confident that I had answered all the hands-on questions correctly. I also felt that the theory questions were a little easier than I anticipated but the score was a shock for me. I got 88% :). All I had hoped for was a 72% and here I was, 2 points away for a 90%. What a relief that was for me.

All in all, this was undoubtedly a really great course. Challenging for sure, but worth it.

Recommendations:

For those that plan on taking this exam, it’s not an easy one so do not rush.

  1. Be ready with external storage. The course provides 3 iso files which are about 60 gigs each. Make sure you have adequate space on your computer. I ended up getting the Samsung T7 Touch Portable SSD 2TB after the course for future courses.
  2. Review the course materials and attempt the labs again. Make sure you know how to use the tools.
  3. Be comfortable with NTFS timestamps
  4. Try not to rely heavily on your index. You are rushing against time. The more you check, the less time you have to attempt the labs.
  5. Plan to have at least 40 minutes left for the hands on part.
  6. Trust your instincts

3 thoughts on “My GIAC Certified Forensic Analyst (GCFA) Experience

  1. Hi, Congrats on your certification!

    I am planning to take the exam soon and will like to check with you the format of the 7 lab questions, are they multiple choice questions where I choose a correct answer, or are they opened ended answers where I have to type my answer in a textbook?

    Thank!

    Like

    1. Hi Yon,

      Thank you.

      It’s multiple choice questions. You get a question with access to the lab, search for the answer and based on that, choose the correct answer from the options.

      All the best!

      Like

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s