Mastering SANS FOR508 (GCFA): Dos and Don’ts for Effective Preparation
I recently got an opportunity to take a SANS Institute training. I opted for SANS FOR508: Advanced Incident Response, Threat Hunting, and Digital Forensics and the GIAC Certified Forensic Analyst (GCFA) certification (I’ll go over the reasons why I chose this training in a minute). I appeared for the exam recently and passed it with a good score.
In this post, rather than sharing my experience (I have included links to experience-related posts towards the end) or a training overview, I will focus on my indexing strategy. I believe it was one of the key factors behind my score, given that I had no Digital Forensics and Incident Response (DFIR) background.
TL;DR: Wanted to explore DFIR. Got a once-in-a-lifetime opportunity, so opted for SANS FOR508 and GCFA. Don’t skip any content and prepare a good index. Key things I focused on while creating my index: i. easy to search, ii. includes notes, iii. concise, iv. doesn’t become another book, v. well-organized and vi. battle-tested.
Why I chose FOR508?
Here’s why:
I received a SANS Training + Certification voucher at work. This was my first (and probably only) opportunity to take a SANS training (given their pricing), so I wanted to make the best of it.
FOR508 is one of SANS’ oldest, most battle-tested and hardest trainings and certifications. Its market acceptability is good and it was recently updated. So what better way to make the most of a once-in-a-lifetime opportunity?
I have some knowledge of other technical domains of cyber security (penetration testing, red teaming, reverse engineering, exploit development, malware analysis etc.) but not of DFIR (and a few others). So I thought it would be a good opportunity to pick up some DFIR skills.
I would have opted for SANS SEC565: Red Team Operations and Adversary Emulation, but at the time of my registration there was no certification attached to it. GIAC Red Team Professional (GRTP) was announced two days later, though. However, even then, it’s much newer compared to other trainings and certifications that SANS offers, so its market acceptability is still to be seen.
How not to prepare for FOR508?
During my journey with FOR508, these were the valuable lessons I learnt about what not to do:
Studying without preparing an index – Unless one has an eidetic memory, an index is a must for any SANS certification. Even though the exam is open book, there is so much content to go through that having a good index can be the deciding factor between passing and failing. I will speak about my indexing strategy in the next section.
Making an index that takes a long time to search – The exam is open book, but no electronic materials are allowed. So one can’t simply Ctrl+F to search for a term, and during the exam one doesn’t want to spend much time searching through the index.
Not knowing the content well enough – The exam has a tendency to ask questions about topics that are mentioned only once in the content. Unless one knows the content well enough (not by heart though, cramming is not required), it’s difficult to know where to look for the information.
Taking practice tests without an index – Unless one is a seasoned DFIR professional, I would not advise taking practice tests without an index. Some people do it to gauge which topics they need to prepare, but as a novice, I knew that if I went this route I’d end up wasting my practice test (and they aren’t cheap).
Not doing the labs – The exam has about seven questions where one needs to run a tool and analyze the output (CyberLive questions). Skipping the labs may leave one unprepared for those questions.
How to prepare for FOR508?
Do the opposite of everything mentioned above and prepare a good index.
How I created an index for FOR508?
Disclaimer: This section does not imply that mine is the best and only strategy for creating a good index. There are several schools of thought; I have included links to many of them towards the bottom. Even my strategy is adapted from other people’s ideas. The best strategy is the one that suits your learning style.
Things I needed in an index:
Easy to search during exam time
Includes important notes
Concise
Does not become another book in itself
Well-organized
Battle tested
Before I get into the details, I’d like to share pictures of my index. They’ll help in relating to some of the things I am going to talk about.
Easy to search during exam time
I included a keyword column, with a maximum of three keywords in a cell, separated by a hyphen (-), to achieve this (see the Books index page image). This helped me narrow down the number of rows I was searching and also categorize topics into a broader category. For example, for everything related to credential attacks, I used the keyword credential attacks. If the topic had a sub-topic which I felt was important enough to call out, I added an additional keyword. For example, the keyword for Credential Attack Mitigations would be credential attacks – mitigations. Following this approach, the keyword for the topic ‘Credential Attacks Mitigations for LSA Secrets’ would be credential attacks – mitigations – lsa secrets.
Includes important notes
I added a “Notes” column to the index. This saved me a ton of time during the exam as there were many questions for which the notes included in my index were sufficient to identify the correct answer.
Concise
Most of the content was new to me, so many times I was tempted to put a lot of notes in the index. Therefore, I renamed the column Notes to “Most Important Notes”. This served as a reminder to jot down only the stuff which I felt was most important (I could always refer to the book for anything else). If there was a table or a list, I added a reference to the page number. For example: See the table on page 78 for event log summary. This helped me keep the index to a manageable length of 48 pages.
Does not become another book in itself
Despite making a concise index, your index may run over 100 pages depending on how you structure it while printing. A 100-page index is as good as a book in itself and may require another index for it. I certainly didn’t want that. I printed my index in landscape mode, ensuring the columns were wide enough to cover as much page area as possible. I used a font size of 9, which made the text small enough yet readable (I didn’t need to squint to read the text; this was my litmus test for deciding the font size).
Well-organized
A well-organized index not only looks good but also makes it much easier to jump quickly to the relevant topic. I used Excel to create my index, with a separate tab (or worksheet) for each book and a separate tab for Tools. I assigned a different color to each book and different colors to each chapter or major section in a book. I then marked each book with its assigned color using colored index tabs and used the same colors within my index to represent each book and each major section of a book. I also marked the index provided at the end of Book 5 with alphabetical index tabs. Additionally, I put index tabs at every tenth page to narrow down my search for a page to a 10-page block instead of 100.
Here’s how my index and books looked after this:
Printing
I wanted to avoid printing multiple copies of the index, so I printed it only after taking the first practice test (more on this later). I printed the index in two formats: i. Book-wise alphabetically sorted, ii. Combined alphabetically sorted. The tools section was already in combined format, so I just sorted it alphabetically before printing. Since alphabetical sorting meant that I lost the sequence in which the contents were added to the index, I added sequential numbers in the section color column before sorting. This let me search the index sequentially as well, which was helpful in certain cases where I forgot the keyword for a topic but landed on a row sequence near it.
The total length of the printed index came out to 86 pages.
Finally, I marked the printed index with index tabs. In the Book-wise alphabetically sorted part, I added index tabs of corresponding colors to mark the beginning of each book. In the Combined alphabetically sorted part, I added alphabetical index tabs.
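As an added illustration of the number-then-sort workflow described above (example code written for this post, not the author's index or template), the script below normalises keyword cells into the hyphen-separated hierarchy from the “Easy to search” section, numbers each row in the order it was entered, and emits both a book-wise and a combined alphabetically sorted view. The rows, page numbers and notes are constructed samples, not the course's real content.

```python
"""Build the two printable views of a FOR508-style index: sorted per book and
combined, with sequence numbers assigned before sorting so the entry order is
still recoverable. Sample rows below are constructed, not the real books."""
from collections import defaultdict

MAX_KEYWORDS = 3  # the post caps each keyword cell at three hyphen-separated terms


def normalise_keyword(keyword):
    """Lowercase a keyword cell and split it on the post's hyphen convention,
    e.g. 'Credential Attacks - Mitigations - LSA Secrets'
    -> ('credential attacks', 'mitigations', 'lsa secrets')."""
    parts = [p.strip().lower() for p in keyword.replace("\u2013", "-").split("-")]
    parts = [p for p in parts if p]
    if len(parts) > MAX_KEYWORDS:
        raise ValueError(f"more than {MAX_KEYWORDS} keywords: {keyword!r}")
    return tuple(parts)


def build_index(rows):
    """rows: dicts with book, page, keyword, notes, in the order they were added
    while reading. Returns (book_wise, combined). Each entry gets a per-book
    'seq' number before sorting; tuple keys sort a broad topic ahead of its
    sub-topics, so 'credential attacks' precedes 'credential attacks - mitigations'."""
    numbered, counters = [], defaultdict(int)
    for row in rows:
        counters[row["book"]] += 1
        numbered.append(dict(row, seq=counters[row["book"]],
                             key=normalise_keyword(row["keyword"])))
    book_wise = {
        book: sorted((e for e in numbered if e["book"] == book),
                     key=lambda e: (e["key"], e["page"]))
        for book in counters
    }
    combined = sorted(numbered, key=lambda e: (e["key"], e["book"], e["page"]))
    return book_wise, combined


SAMPLE_ROWS = [  # constructed sample entries; page numbers are made up
    {"book": 2, "page": 40, "keyword": "Credential Attacks", "notes": "overview"},
    {"book": 2, "page": 78, "keyword": "Event Logs", "notes": "see table p.78"},
    {"book": 2, "page": 55, "keyword": "Credential Attacks - Mitigations - LSA Secrets", "notes": ""},
    {"book": 2, "page": 50, "keyword": "Credential Attacks - Mitigations", "notes": ""},
    {"book": 1, "page": 12, "keyword": "Event Logs", "notes": "IDs of interest"},
]

if __name__ == "__main__":
    _, combined = build_index(SAMPLE_ROWS)
    for e in combined:  # one line per printed row: book, page, seq, keyword, notes
        print(e["book"], e["page"], e["seq"], " - ".join(e["key"]), e["notes"])
```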
Here’s how the printed index looked:
Color schemes
I am including this information here to help save some time and energy when deciding which colors to choose. Most likely the color scheme you use will be governed by the colors of the index tabs available to you, so your color scheme may vary from the one mentioned below.
The idea behind the color scheme is to choose colors distinct enough that they are easy to tell apart when the index is printed.
I used the following colors for representing each book:
Book 1 – #55BBEC or rgb(85,187,236)
Book 2 – #E9F89E or rgb(233,248,158)
Book 3 – #FCCC8C or rgb(252,204,140)
Book 4 – #C1D849 or rgb(193,216,73)
Book 5 – #FA63CE or rgb(250,99,206)
I used the following colors for representing each major section in a book (note: you may not need all colors for each book):
Section 1 – #EDE6DA or rgb(237,230,218)
Section 2 – #77A5AE or rgb(119,165,174)
Section 3 – #B54428 or rgb(181,68,40)
Section 4 – #E9B547 or rgb(233,181,71)
Section 5 – #243C6C or rgb(36,60,108)
Section 6 – #AB8FA0 or rgb(171,143,160)
Section 7 – #A3C4D3 or rgb(163,196,211)
Section 8 – #0258AB or rgb(2,88,171)
Index tabs
Here are the links to index tabs I used:
Battle-tested
Ultimately, the worth (effectiveness and efficiency) of any index is tested by how much easier or harder it made the exam experience.
I printed my index only after taking the first practice test. This helped me gauge its worth. For example, after the first test I realized that the then-current version of the index was not easy to search. That’s when the keyword column was added. I also noticed that certain topics would be easier to identify with a separate keyword instead of lumping them together with a larger topic. I fixed all of that before I printed it.
I then went through the books cover-to-cover again just to make sure my index had all the relevant topics. Not so surprisingly, I found more topics to add. However, instead of fixing the index in Excel, I preferred to add content by writing in the printed index (hence the scribbled notes).
After the second practice test there was very little that I needed to add to the index, and my score increased by almost 10% (putting me in the 90s).
Conclusion
Like every other thing we use in our day-to-day life, my indexing strategy was built on the shoulders of those who took the training before me and chose to share their methods, so much of the credit goes to them. I have included links to their indexing strategies after this section. I have also included links to posts which share the experience of taking the FOR508 training and the GIAC certification exam. If you have any suggestions, questions, corrections or requests for inclusion, please feel free to reach out via Discord. My index template is available on request (on second thought, I think preparing an index from scratch is part of the process; besides, there is enough information in this post to help replicate my index format). I hope this post becomes your only reference post for SANS FOR508 and GCFA preparation (aka the mother of all FOR508 preparation posts).
Links to other indexing strategies
My GIAC Certified Forensic Analyst Certification [GCFA] – This indexing strategy is close to mine, or rather mine is close to the one mentioned in this post.
A Roadmap to Earning Your First (or Next) SANS Certification – Includes a sample index template.
GIAC GCFA – GIAC Certified Forensic Analyst Exam Preparation Tips – Good visuals of an index.
Enterprise Cloud Forensics and Incident Response, Re: SANS FOR509 OnDemand Experience – Not FOR508 related, but has good visuals of an index.
mformal / FOR508_Index – Possibly outdated index but good if you want to leverage the format.
Links to FOR508 and GCFA experience and review posts
The following posts are more focused on sharing experience and reviewing FOR508 and GCFA:
Into the Rabbit Hole: A Security Engineer’s Review of SANS FOR508
Review: Advanced Digital Forensics and Incident Response (SANS FOR508) Course and GCFA Certification
The featured image was generated via DALL.E.