GCFA - GIAC Forensic Analyst
Review for the GIAC Certified Forensic Analyst (GCFA) certificate
Stats
- Study time: 55 hours
- Practice test: 92 minutes
- Exam time: 112 minutes
- Result: 92 / 100 PASS
Study resources
- FOR508 Advanced Incident Response, Threat Hunting, and Digital Forensics: https://www.sans.org/cyber-security-courses/advanced-incident-response-threat-hunting-training/
Review
This is my first time challenging a GIAC certificate without taking the official training. I would say that this is a risky move and definitely not suitable for everyone. It is only because I have been working in DFIR for quite a while now that it happily worked out for me in the end.
Since I am paying for this certification out of my own pocket instead of having someone else sponsor me, I wanted to cut the cost as much as possible. I first reviewed the syllabus outlined on the FOR508 page. I figured that most of the topics covered within the course seemed very familiar and relatable to what I do at work every day. Since I had no luck with the work-study program, I opted to challenge it.
The most concerning part was not the theory or technical knowledge but rather which tools would be covered within the course and might be asked about on the exam. From my experience with the FOR500 course, I had some idea of what SANS would prefer to use.
I also looked for reviews on how others prepared for the GCFA. Obviously, they did not mention anything content-wise, but the main takeaway was that most of them found the exam so tight on time that they did not have time to check their index, let alone refer back to the books. This was kind of a relief to me, as it sounded like the exam is feasible without referring to the books throughout, given that you are familiar with the content.
The study time was mainly spent revisiting technical knowledge like Windows artifacts and NTFS concepts. I also researched available tools and jotted down useful commands. I made a few cheatsheets for the above-mentioned topics and used them along with the SANS Hunt Evil poster (the timestamp part was particularly useful). As with the GCFE, I made a timesheet to keep track of time during the exam. I allowed 10 minutes for each CyberLive lab question, leaving the other multiple-choice questions around one and a half minutes each.
Instead of risking my still expensive exam attempt, I bought a practice test to see if I indeed had the knowledge for the certificate. If I had failed the practice test, I would have rescheduled my exam to a later date and re-evaluated whether I needed the official training. Luckily, I did pretty well on the practice test, apart from the NTFS part. I also found that I had a lot of time left. The lab questions took a lot less time than I expected (something like 3 minutes per question). These practical questions were somewhat similar to my daily job, so I figured it might not be the same for others.

I learnt from the practice test that there were a few concepts I needed a bit more clarification on, so I spent some time studying those areas before my actual exam. After taking the exam, it turned out that I managed to improve on those questions. Sadly though, the exam result was slightly lower than the practice test, as I got one of the CyberLive questions wrong, though I am not sure which one it was or what I did wrong. Anyway, I could not be happier with the final outcome.
