So you’ve taken the plunge and have decided that a GIAC certification is right for you. You’ve paid the fees and your course/exam is marked on your calendar. Now what?? Well now comes the fun part (or not so fun part). Studying for this type of cert can be daunting and anxiety inducing. Fear not, I have a sure-fire way to make sure that you come away with a passing score!
Background
The GIAC exam I took was the GCFE, which I passed with a 91% in April of 2022. I do not consider myself a digital forensics expert, but before this exam I had already earned the CCE and EnCE certifications. I’d worked at a forensic lab for four years: 1st as a Lab Tech, then as an Examiner (though the bulk of my work involved eDiscovery tasks like processing, searching, culling, and exporting data to Relativity).
I decided to go with the onDemand course taught by Chad Tilbury. With SANS onDemand, you get four months of access to the online course portal, which provides all the resources you’d get if you went to a Live class.
Regarding the practice exams, I took one the day before the actual exam (89%) and the other one I gave away.
To Begin…
First off, lets get something out in the open: GIAC exams are not easy! Unless you’ve been in the field for several years and have hands on experience using the tools and techniques outlined in the exam overview, you’re going to need to study hard. And I’m going to be honest with you, the old adage “You get what you put in” definitely applies here.
Second, start studying immediately. Life happens and sometimes that four months you had to study suddenly turns into two weeks. Don’t do that to yourself. Start as soon as you can to set yourself up for success.
Now let’s get started on a fool proof way to study for your exam 😊
Building an Index
As noted in this GIAC blog post, an index is a “systematic, color-coded guide that you create.” Think of it as your buddy. A buddy that you get to build. A buddy that won’t let you down (unless you build your buddy wrong). Essentially, your buddy is a “super” index that covers each coursebook and should, at the very least, contain Book #, Page #, and Topic columns. Your buddy, coursebooks, and other notes are allowed to be with you during the exam.
The Method
Although there are several different ways to study and create your index for the exam, the method I used is actually a combination from two other DFIR professionals: Lesley Carhart and Andrew Rathbun.
Lesley’s system brings in color and categorization. It’s a great way to build a lightweight index that is easy to navigate. Their method is the benchmark for index creation and serves as the template for my own.
Andrew’s system is less frills but more content. It focuses on summarizing every page and creating a verbose index that saves time during the exam by having the needed information right in the index. This way you’re not having to waste time flipping through multiple coursebooks during an exam.
Putting both systems together, I believe, provides the best style for building an index and also, and much more importantly, learning the material.
WARNING: This method is going to be incredibly slow. I don’t mean to dissuade you from doing it in this style, but you should know right off the bat that this will eat up a ton of time. I still think that it is the best way of studying for the exam and creating the index.
What’s Needed
- The sacred texts (SANS coursebooks)
- Colored tabs (the more colors the better!)
- Colored flags
- Highlighter
- Fine tip marker
- Excel/Sheets/Calc (pick your poison)
- Color printer (use the one at the office if you have one)
- Binding Machine (Optional but highly recommended)
Getting Started
Our 1st order of business is to grab our books, highlighter, spreadsheet software of choice, tabs, and marker. We will be going page by page and highlighting important/relevant items while also adding information to our spreadsheet.
Spreadsheet
The spreadsheet will have four columns: Topic, Book, Page, and Comments.
Topic – This will be the word or topic being discussed. You’ll need to be careful when entering info into this cell as later on we will be sorting it alphabetically. It’s best when going through the book to start thinking about the different sections and subsections each book covers. For example, say the main topic is Google Chrome. I’d make separate lines for “Google Chrome-Cache”, “Google Chrome-Timestamps”, “Google Chrome-Cookies”, etc. In this way, after the sheet has been sorted, you’ll still have the main topics available to filter through during the exam.
TIP: Don’t be afraid to duplicate Topic entries. For example, dupes for the MFT system files (i.e. “MFT-$BITMAP” and “$BITMAP”). You can either copy and paste your comments into the duplicate, or put a short note pointing to the original entry (i.e. “See “MFT-$BITMAP”).
Book – This is the book number. Place a tab at the top of each book and color this cell based on the tab color. Each book needs to have its own unique colored tab.
Page – This is for the page number(s). The color of these cells will reflect the color of the tab that you have used to section your book. You’ll be applying tabs at logical sections of the book, and although the book will have some sections laid out for you, you don’t have to piece out your tabs by the way the book is divided. As an example, if the books has sections for different browsers but none for each component of the browser (cache, cookies, history, etc), then add your own where you see fit. Remember this is all for your benefit, the more it makes sense to you the better results you’ll have.
Comments – These cells are for adding any important and/or relevant information you find on each topic. You’ll spend the bulk of your time living in this column. It’s best to summarize each page in your own words when adding to these cells.
The Process
Although I took an onDemand course, this process can still be applied to those who have taken a Live course as well.
Follow along the onDemand videos, page by page, and start filling in your index. Be aware that although a video may be two minutes, there could be enough content on the actual page that takes 15-20 minutes to summarize. You’ll also be adding tabs to the long side of your books and labeling them depending on how you want to section them (starting from top to bottom). Apply the tabs one color at a time in a repeatable order. This way you don’t have the same color right next or too close to one another.
Anything considered a “tool” should be labeled under the Topic column as “Tool-toolname“. Having all the tools in one place makes them easy to find during the exam. Be sure to include command line switches and a brief summary of what the tool is used for.
Your end goal is to have all the books with one tab on the top (to distinguish it from the other books), a line of tabs running down the long side (one for each section), and a spreadsheet containing all the info you’ve recorded.
Be sure to complete the exercises in the workbooks. You don’t need to index the workbooks, but you should be familiar with each tools’ UI, functions, and output that has been covered.
Once you’ve made it through all the books and videos, it’s time to for another pass through the books again. This second pass is to ensure that your index isn’t missing anything that might be important during the exam.
TIP: Check to see if you were provided an index in your book. If you were, I’d recommend copying and pasting it into your index. Even though it won’t be color coded or have neat comments, it can still be useful for helping to fill potentially unknown gaps.
Next, you’re going to want to sort your sheet alphabetically based on the Topic column. Use Print Preview to see what adjustments you’ll need to make (i.e. adjusting cell size, previewing figures, adding borders, etc.). If it’s possible, print on both sides of the page and bind your index. My index ended up being 53 pages but yours could be smaller or larger depending on a whole bunch of factors.
Now your going to want to grab your colored flags to add them to the side of your index and label them with the letter that section corresponds with. You’ll want to alternate the colors of the flags just like you did for the tabs.
I was able to bind my index which, along with the flags, makes it super easy to navigate through during the exam. I also recommend binding and adding flags/tabs to any of the notes or worksheets that SANS has provided. For my exam I had the registry worksheets (Cloud, User, SOFTWARE, USB), the EZ CLI poster, and the “red’ Windows Forensic Analysis poster bound together and tabbed for quick reference.
TIP: You can always go back and rearrange your tabs in the coursebooks, but be sure to update the colors in your index!
Practice Tests
Now it’s time for the practice test. When you take a practice exam you will receive feedback on the topics that you’ve missed, making it a great resource for the content that you need to brush up on. I recommend taking your 1st practice test between one week and up to a few days before the exam.
Once you’ve covered those missed areas and studied them thoroughly, it’s time for your next practice exam. This should probably be taken a couple of days before the actually exam (not on the same day as the 1st practice exam) as it gives you time to zone in on what is missing from your knowledge base and index.
TIP: SANS provides audio MP3 files of their live courses. It is essentially like you’re sitting in the class as it is being taught over the four or six days. The instructors will drop nuggets of wisdom, personal insights, exam tips, and a joke (or ten) throughout the “week”.
Exam Day
GIAC exams are proctored, either remotely or at a testing site. Be sure to read the F.A.Q.s before taking an exam.
Most notable is that you’re allowed to skip questions (10-15 depending on the exam) which you can try to answer at the end. This is nice to have since a question that stumps you can eat a lot of time. It’s better to skip it and move on to stay on pace.
I took the exam at a testing center and brought the following:
- The required forms of identification
- Print out of the email confirmation booking my exam
- Print out of the GIAC exam policies (I was nervous the proctor would object to the open book format and wanted evidence)
- The index
- The five coursebooks
- Collection of bound posters, guides, and other notes
Just like any other exam, be sure to get enough sleep the night before, have all your materials ready, and show up early.
Final Thoughts
I do hope you found this guide helpful. Please feel free to contact me if you have any good (or bad!) feedback. It’s much appreciated.
Lastly, good luck! I’m sure you’ll do great 😉