Passing the GCFA exam

Recently, I challenged the GIAC/SANS GCFA exam. And I am excited to say I passed and have obtained the GCFA certificate!

This was one of the more detailed courses I had taken in awhile. The IR and Threat hunting sections were not as new to me. However, the memory and forensics section were very deep and detailed. Normally, most organizations will contract out major forensic type of work to 3rd party external partners. So, the forensics section was something I do not work on as often. But I found learning and getting the knowledge of various ways malware can hide in memory, or how to detect Time stomping attacks from malware was extremely fun and exciting to learn. Feeling incredibly grateful to learn about all these new attack techniques and detection mechanisms.

Prepping for the exam

I highly advise everyone take the SANS FOR 508 course. You can read my review of it here ->

The course will prepare you for the exam and cover topics and tools that you will be tested on. There is a lot of material to learn in the course. So, dedicate a good amount of time towards learning the course material and all the concepts. The class itself was amazing especially when you get into Memory Analysis, File system analysis and the Anti-forensics sections.

After you take the course try going back to each book and building your index. After this, it is a good time to use up practice exam 1 and see how you fair in it. Use the section at the end, which lists out which sections you were weak in and go study them some more. Take practice exam 2 and hopefully this time you see an improvement. If so, then book your final exam within the next 2-5 days and go for it. This format always has worked well for me.

Making an Index

In my case, though I had a rather good index built up. I found I did not really use it as much as I thought I would. I spent a lot of time learning everything from the courseware material. So, I felt comfortable with most of the questions on the exam and being able to answer them with the knowledge I gained from the course.

If you are looking for an index guide, here is a great guide on making an excellent index for yourself ->

I used a similar format to the index above and found it helpful when I did need to use it.

Lab work

If you have taken the course, I highly encourage you to go over the whole lab book. However, aim to understand why you are running certain commands, what each tool is used for etc. It is easy to sit there and copy a command while typing it in. Sometimes people forget why they are running a certain command in the first place. Or, what benefit the tool provides and how they can use it for certain use cases. So, really pay attention to each lab section and question what you are learning, and why you are working on a particular step. Personally, I felt this helped me understand all the tools/techniques better, and when I would need to use them in in specific use cases.

Practice Exams

If you have registered for the exam, you will have 2 practice exams to use. I highly recommend you make use of them and really treat it like as if you are writing the real exam. It will prepare you for the actual exam format, which consists of a 3-hour time limit (which goes by very quickly). And not only will you have exam questions, but also a lab section of questions to show that you obtained some hands-on knowledge too. Hence, why I state earlier to really understand the tools you use in the lab workbook.

At the end of each practice exam, you will see a 5-star rating on each major topic and how you did on them. Focus on the section where you are weaker e.g. (only got 1-3 stars). This will make your study time either between the practice exams or the final exam more efficient and worthwhile.

The exam for me was done from home, as COVID is still a huge issue. So, it made more sense to take the exam remotely. I did not have any issues during the exam, the connection was great, and the proctor was super attentive and explained everything well. If I had a recommendation for SANS, it would be to find a way to increase the speed of the lab VM. I felt it was a bit slow and laggy sometimes. Overall, I had a surprisingly good experience for my 1st remote GIAC exam.

Future Plans for the next cert

SANS has released a lot of great courses lately, and there are so many amazing courses to choose from versus only have a few available back 5 years ago. Right now, it is going to be a toss up of either GDAT, GCTI or GCLD. I know they are all quite different topics and courses. However, I feel all of them would provide great value in their own ways.

Have you passed the GCFA or have any questions? Post them below in the comments section!

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.