After years of getting their course catalogs in the mail. I was very excited to finally be able to take a SANS course after landing my job in the DFIR field. I love to learn. I even like taking certification exams, but for the first time while studying for a certification (I already had 9 of them), I lost all focus and motivation for a while.
I took the FOR500 OnDemand course with Rob Lee as the instructor. He was great! You get 4 months to complete the training and take the exam. The course started on March 20th and was set to expire on July 21st. The course has five training sections, and section 6 is the Hands-on Forensics challenge. In addition to the three training books, you get two hands-on lab workbooks.
Please do not ask me for a copy of my index or for my books.
I got through the majority of Section 1 of the training when I just couldn’t focus on anything anymore…at all. Not the training, not my favorite TV shows, nothing. I was constantly zoning out. Finally, at the end of June, not long after participating the in the #ShareTheMicinCyber campaign, I got my drive and motivation back. I was also shocked to see that the deadline for my course had been extended from July 21st to August 4th (thank goodness!). I knew I had to kick it into high gear to attempt to pass the exam by the deadline.
I took a break from social media while I studied, and took a week off of work as well. Side note: I never realized how drained I was always being on social media until I got off of it for a while. I’ll most likely be taking more breaks.
The first thing I originally did, and I suggest you do as well if you’re taking the exam, is read what others have posted about taking the GCFE or GIAC certification in general. I ended up using a combination of the long-form summary indexing method from My Take on Preparing for GIAC Certification Exams by Andrew Rathbun and the colorful indexing method from Better GIAC Testing With Pancakes by Hacks4Pancakes.
This is the timeline after my brain started working again:
- July 1st: That evening, I announced I was taking a social media break on Twitter and LinkedIn, turned off all notifications and got to work. Completed Section 1 of the training videos and passed the quiz.
- July 2nd: After work, I ordered indexing supplies from Amazon, completed Section 2 of the training videos and passed the quiz. Got halfway through Section 3.
- July 3rd: The first of several days off of work. My indexing supplies were scheduled to arrive. I completed Section 3 and was partway through Section 4 when my order arrived. After hearing that having a good index was very important, I decided to stop watching the videos and start indexing right away. While indexing, I was thoroughly reading the books and indexing per Andrew Rathbun’s method.
- July 4th – 8th: Reading and indexing. I got partially through the 3rd and final book.
- July 9th and 10th: Read and indexed after work.
- July 11th and 12th: More reading and indexing.
- July 13th: Finally finished indexing after work. My spreadsheet was now 120 pages long. I didn’t think my cheap little inkjet could handle that so I uploaded it to Fedex Office to have it printed double-sided and shipped to me.
- July 14th: Saw a tip that said it helps to have a list of just tools and page numbers in your index so I made an additional tools index as well. I also used a download of the Windows Forensic Analysis poster to print and fit in the index as well.
My plan was to document what I did to study every day, but my basement pipes had a mind of their own and I lost track while dealing with that mess (quite literally).
So, long story short, I got 79% on my first practice exam. I wrote down what I missed and made sure that was in my index. I also tried to find anything else I might have missed and ended up adding about 6 more pages to the index. I got 86% on the second practice exam.
I scheduled the exam for August 2nd. In between the time I completed indexing and the day I took the exam, I was re-watching the videos and doing the lab exercises.
The Index
This was my index shopping list:
- 1-1/2″ Five Star Flex Hybrid Note Binder
- Avery A-Z Extra-Wide 3 Ring Binder Dividers
- Sharpie Permanent Markers – Ultra Fine Point
- Highlighters
- Post-It Flags Combo Pack (1″ and .5″ wide)
- Sheet Protectors
- Colored Sheet Protectors (I used these to make it easier to find specific things such as a list of Event IDs, list of tools, AppID’s ect that were in my index)
The Exam
The exam was online using ProctorU. There is a GIAC Guide to Taking Exams With ProctorU. Being a WGU alumn, I’ve taken a few exams with ProctorU before. If you’ve seen my home lab/office, you know that I have a “few” monitors and computers. When I took exams through WGU, it was no problem for me to just cover them up with a few cardboard boxes. For the SANS exam however, you’re only allowed to have one monitor, keyboard, and mouse (or laptop) in the room. ProctorU will ask you to do a 360-degree view of the room with the camera to check. From the GIAC Guide:
“Only one computer is permitted in the
testing room. Your exam computer should have a single
mouse, keyboard, and display— Additional
computer monitors and/or external
displays connected to a laptop are
prohibited, even if they are powered off.”
I used one of my home lab computers and uninstalled everything that I added to it. I didn’t have any technical issues during the exam.
For the exam, you get three hours to answer 115 questions. Even with a massive index, I thought the exam was tough. Panic set in about 20 minutes in and I seriously thought I was failing it. I completed it with about 1 minute to spare and ended up passing with a 79% score.
While my score wasn’t all that great, I was happy that I passed. I also used this as an excuse to redecorate my lab when I set it back up. Hopefully I’ll have my normal drive and determination the entire time for the next certification. My LFCS exam voucher expires in December.
Awesome job passing this exam!
Thank you!
Congratulations. Anything beyond minimally passing score is only bragging rights anyway you over achiever!!!!
Thank you! 🙂
You focused on the content right off the bat…..Killed it..
Great write up and congratulation on the pass!
Thank you!
Wow thanks for sharing the experience! Congratulations. I doubt I could pass doing the any GIAC exam the way you did so kudos to you! I have GCIH and would love to have this certification as well.
Thank you!