Taking on FOR500 and sitting the GCFE Exam: Insights and Preparation
It's been a minute since I last made a blog post, but as you can see a brother has been busy!
Earlier this week, I officially became a GIAC Certified Forensic Examiner (GCFE) and since I got 98% on the exam I also got invited to become a GIAC Advisory Board member.
This wasn’t just a personal milestone; it was a professional turning point. It marked my first SANS GIAC certification and brought me a deeper understanding of Windows forensic analysis—a foundation for my work in DFIR (Digital Forensics and Incident Response).
Now let me just say, IT IS ABSOLUTELY INSANE what trails (forensic artifacts) are left behind on a system even though you think you covered your steps.
Now for anyone in Cyber you'd understand the hype when it comes to SANS certifications.... and also the price tag.
A little side note, I don't advise anyone paying for them at their expensive price point, I did not. Try to get assistance from your employer or into one of the SANS Work Study Programs. Rather than paying over 9,000 USD for the training, practice tests, and the exam, you would get it discounted at 2500USD for the same package. You just have to work at the Live Online event that you are supporting as a moderator.
Back to regular programming, so let’s be real.. the journey to acing this wasn’t smooth sailing. There were days when my brain felt absolutely tapped out, and I questioned whether I’d ever get through all the material. Still, through a mix of perseverance, trial and error, and a few strategic pivots, I crossed the finish line. Here’s the story of how I did it, what I learned along the way, and how you can benefit from my experience.
Why I Chose the GCFE
The GCFE focuses on forensic analysis of the Windows operating system, which is crucial in understanding what’s normal and what isn’t during investigations. For someone like me, looking to advance in digital forensics and incident response, it was the obvious choice. My goal wasn’t just to pass an exam—it was to build a skill set that would serve me for years to come. I also felt that there was room for improvement in my understanding of the OS and there still is. However, when you fast track into cyber after spending a relatively short time in IT, it is important to sharpen your knowledge and skills in areas you identify as necessary. It is also my entry into the GIAC Certification Pathway I have planned.
GCFE -> GCIH(Started today, as we say where I am from, 'No rest for the weary!' ) -> GCFA
My Preparation Journey: From Textbooks to Team Knowledge Transfer
Over the course of eight weeks, I dedicated myself to a structured plan (somewhat lol), but not without some hiccups. Here’s how my process unfolded:
Starting With Textbooks Initially, I leaned heavily on the textbooks. For the first three books, I focused exclusively on reading and indexing. I saw many posts mention that 80%-90% of the questions tested on comes from the text in the textbook, so I figured why not fast track this by skipping the on demand videos and simply reading the text material.
The Video Pivot By the time I got to the latter books though, I started leveraging the videos more heavily as some concepts were new and others were becoming increasingly challenging. To my surprise, the videos made complex concepts click. They allowed me to visualize and conceptualize material in ways that text alone couldn’t. Also, in those videos you get the real world experiences presented by the instructors and it goes a long way. At first, I thought watching the videos would slow me down, but I quickly realized the opposite was true. By understanding the material upfront through the videos, I was able to move faster in my indexing and retention.
Lab Work: Hands-On Learning The labs are really good, but they are also super long, so they are what you make it! The hands-on labs were pivotal. I made it a point not to just follow instructions but to really dig into the “why” behind each step. This approach helped me connect the dots between theory and practice, reinforcing the knowledge in a way no textbook could. For example, Browser forensics was particularly new to me and I had to go over the concepts a few times. I think the most challenging concept in browser forensics to wrap my mind around was LevelDB databases. The labs helped a lot with that.
Knowledge Transfer Through Teaching One of the most impactful parts of my preparation wasn’t just studying—it was teaching. I created PowerPoint presentations to share my learnings with my team, which not only helped them but reinforced the material for me. I also talked to my other friends about what cool stuff you could find on your machine even though you think you have deleted them. To teach something effectively, you first have to deeply understand it, and this exercise made me assimilate the concepts on a whole new level.
Audio Support for Weaker Topics For topics I found more challenging, I turned to the MP3 recordings. These allowed me to immerse myself in the material during downtime, while doing chores or even on the treadmill. Hearing the concepts explained differently helped solidify my understanding.
Indexing: The Lifeline
Now credit to these two articles as they inspired my approach for indexing.
Now below, is my spin on the indexing process which closely aligns with Andrew Rathburn's long form model, just that mine is a bit more boring. I didn't color code my entries.
The only way you are passing a GIAC cert is if you have an index. The only way you are acing a GIAC cert is if you understand the material and you know your index. I started building it early and refined it after each quiz and practice test, adding almost 100 entries between my first and second practice test attempt even though I got 90% on my first attempt. I don't like probabilities so I will do what it takes the margin for error as close to zero as possible, which led to 98% on the second practice test.
Indexing is also a skill that you get better at overtime... I have to laugh because when I compare my Book 1 index to my book 5 index, I was wondering what on earth was I doing on the index I did for my first book. When going over I was able to add around 50 entries to my book 1 index.
Here is another tip I did not see mentioned but also came in the clutch during the exam: some SANS books come with their own built-in index. Don’t ignore it! On exam day, if you miss a keyword in your own index, the book index can be a lifesaver. And trust me, it did save me once during the exam.
I can show you a sneak peek of my index below.
Now, I would like to comment on something above.. You may ask, how do you handle indexing large topics that have a lot of subtopics. For example for USB forensics I have over 100 entries alone. I was confused about how was I going to be able to find anything in this! Ultimately each entry began with the word USB lol, but I made sure that I could figure out logical sub groupings, and even then you have to know your subgroupings very well otherwise you will not be able to find them in your index during the exam when the clock is ticking. My USB section looked like this.
For another topic under USB I would have another sub grouping. For example,
Now, I don't consider myself a full blown minimalist, but the color filling for each row that is often done, I decided not to do it. I felt I could take the chance because I knew my index well. So my index looked like below. 30 pages and roughly 800 entries. I also had a tools index. The books are all packed up now, but my index stays close as it is detailed enough where I can refer to it when I do digital forensics labs or real world investigations.
The Exam: Strategy Is Key
Walking into the exam, I had two main strategies:
Know Why the Wrong Answers Are Wrong: This tip exponentially increased my coverage of topics during revision and will help you to eliminate wrong answers in the actual exam. Understanding why the other options in a multiple-choice question are incorrect helped me reinforce the material in ways I hadn’t anticipated.
Use Every Resource Available: If you’re stuck on a question, don’t panic. Search your index first, but if you hit a dead end, check the book index. It’s a backup plan that can save valuable time and points.
READ CAREFULLY: I came to the realization that GIAC is out here literally trying to trip you up lol. At the end of my first practice test I got 90% but I got like 4 wrong for answers that I really knew, it was just that I preemptively answered the question without genuinely trying to understand what they were testing and which of the 2 potentially correct answer is BEST. So definitely keep that in mind.
Lessons Learned: What I’d Do Differently
While my overall preparation strategy worked, hindsight is always 20/20. Here’s what I would change:
Lean Into Videos Earlier: I waited too long to start using the on-demand videos. If I could do it again, I’d incorporate them from the start to better conceptualize the material before diving into the text.
Flatten the learning curve with AI: Do not put the material into ChatGPT but if there is a concept that you are struggling with... "Hey Chat, Master file tables from a forensic perspective. I want to build out my knowledge in that area, can you build me from the ground up in that domain." Ask ChatGPT to explain it to you as if you were five years old. Trust me on this, on your next iteration of that same topic, more of it makes sense; and the pieces that don't? Well do the process again.
Practice More Real-World Scenarios: While the labs were great, I’d spend even more time applying the concepts to hypothetical cases. It’s one thing to understand forensic artifacts in isolation; it’s another to see how they come together in a full investigation.
Key Takeaways
Adaptability Is Crucial: Don’t be afraid to adjust your study plan if something isn’t working. Whether it’s switching from text to video or taking a break to avoid burnout, flexibility is key.
Use the quizzes to test your index. If you have the on demand version of the training, you need to be doing the quizzes at least twice, you get some new questions on the second go which means more opportunities to see what you don't know.
Teach What You Learn: Sharing knowledge with others not only benefits your team but strengthens your own understanding. It’s a win-win.
Index Early, Index Often: A well-organized and thoroughly tested index can be the difference between passing and failing.
Understand the “Why”: Knowing why an answer is correct—or incorrect—gives you a deeper grasp of the material and prepares you for real-world applications.
Final Thoughts
Passing the GCFE wasn’t easy, but it was worth every ounce of effort. The skills I gained during this process have already started to influence how I approach my work. If you’re considering the GCFE, remember that it’s not just about the exam—it’s about the knowledge you’ll carry forward.
If you’re preparing for the GCFE or have your own experiences to share, let’s connect. The cybersecurity community thrives when we learn from each other, and I’d love to hear your tips and insights!
So, what’s your next challenge? Mine has already started! GCIH began on Monday and the books should come on Wednesday. Time to do this all over again!
Comments