I'm scheduled to take the GCFA certification test on April 13th. I have been studying non-stop since right after the New Year (call it a resolution if you'd like). I took a practice test last week and scored 86%. I was pretty happy with that score considering I'm learning it through self-study.
Before you take any of the SANS practice tests you are required to sign a legal notice regarding divulging any test questions and their ethics standards (see: have some, or look for a new field). If you landed on this post hoping for a brain dump or a list of the hard test questions, move along; there is nothing to see here.
If you're looking for an overall view of the type of materials you need to study and the background that computer forensics requires, stick around, I may be able to help.
Me: I'm 37, and I've been playing around with computers since I was 11 or 12. My first was a TI-99/4A hooked up to a black and white TV. It came with some really cool "programs" that would let you draw a giant with a flashing pixel for a hand. It was the coolest thing I had ever seen. That may have been the last coding I ever did. I did join the Navy on a 6 year hitch to get into some advanced electronics training. Aviation Electronics Technician (AT) "A" and "C" schools taught me everything from positive and negative to "hole flow" theory and NPN doping. I got out after 7 years and more or less started my MCSE certification immediately (I did a little drinking to celebrate my newfound freedom; I'm told I had fun). I went through the NT 4.0 (yes, that's a Microsoft operating system) MCSE courses at University of Phoenix in 1999 and 2000 and passed all my cert tests in 2000. I've been working as a sysadmin or consultant ever since. I've worked at everything from one of the largest data centers in the world (at the time) to private customers that were literally a one-woman show, and from junior help desk ticket guy to tech lead of a 20 person team. I started a consulting business in Phoenix focused on secure networking and then moved to Montana and continued consulting, auditing, etc. for a company here.
So, "blah, blah, blah, you've been around computers for a while," right? Well, yeah! That's sort of my point. Don't just go out and get a certification like this and expect great things to start happening. You need to have a breadth of experience with hardware, software, client relations, project management and technical writing to stand a chance.
For what it's worth, here are my recommendations:
1) If you can swing it, suck it up and pay for the SANS training. SEC:508 looks like an awesome class. The instructors are friggin' rocket scientists and the list of materials that come with the course looks great. I can't come up with the $$; if I could, I'd be there in a heartbeat.
2) Read everything you can get your hands on. Here's a starter list:
File System Forensic Analysis, Brian Carrier. Carrier wrote most of TSK. I'm pretty sure this dude dreams in binary. This is NOT an exciting book, but it is an absolute must read and, more importantly, a book you need to understand.
Windows Forensic Analysis, Harlan Carvey. He wrote most of the Perl tools used for parsing timelines, logs, registries, etc. I'm not just pimping his book because he reads my blog (thanks, Harlan). There are gobs of great info in this book, backed up by years of experience. Again, you can't just read it; you need to understand it. The test I took required you to apply tools and techniques to a specific situation to come up with the correct answer.
UNIX and Linux Forensic Analysis, Chris Pogue. Chris teaches the SEC:508 course with Rob Lee and is heading up a movement called "Sniper Forensics" inside the community. His book deals with the same techniques as Harlan's, on the UNIX platform. Don't think for a second that you won't run into *NIX boxes as an investigator, especially if you get into the server arena. If your goal is to be a crime lab guy, 98 out of 100 cases are going to be Windows boxes, but you don't want to have to pay me to handle those 2 Ubuntu machines. I plan to be expensive.
Incident Response and Computer Forensics, Mandia, Prosise and Pepe. Kevin Mandia is the primary author here. I mentioned one of his tools in an earlier blog post; he has a very successful software/incident response company to his name, among other things. This is a great book regarding the actual process of performing an investigation as well as many of the legal precedents. Read and understand this book.
3) Go out and network. I live in a small town and have a long list of customers. I also co-organize a large charity event and I'm a volunteer firefighter. I know lots of people. I just picked up the phone and called the local DOJ crime lab. A week later I sat down with the lead computer crimes investigator for the State of Montana for an hour and a half. I also called around until I found the most knowledgeable computer crimes defense attorney in town. He gave me an hour of his time to talk about the Wiretap Act and Pen/Trace. These 2 interviews allowed me to correctly answer at least 6 questions.
Next post: blogs, websites, and Introduction to The Sleuth Kit.