Tuesday, April 6, 2010

Studying for the GCFA certification: Part 2

In the last post I gave you some books to read; now let's move on to web resources.


The forensics community is not very large, but many of the people in it are more than happy to share the latest developments in hardware, software and techniques. If you search Google for "computer forensics blogs" you come up with a fairly long list of related blogs. Some of them are geared towards hardware reviews and others towards tool usage. Many are by the same people that wrote the books I mentioned last post. My best advice is to pick a couple that suit you and then follow the cross-links from each blog.

For example: my blog links to "The Digital Standard" written by Chris Pogue, whose blog links to "Windows Incident Response" written by Harlan Carvey, whose blog links to the official SANS blog, and so on, and so forth. These guys write regular posts about installations, incidents, tool suites and plain old opinion. There are more than a few tasty informational nuggets on their sites. After you take a practice test or two, you'll start to find discussions related directly to the best practices and tool usage that you will likely see on the test.

More related blogs:

Hacking Exposed
Security Ripcord
IT Audit Security

By the way, those of us writing the blogs like to know that you're out there.  Do us a favor and click on the "follow" link or leave the occasional comment.

Go out and play.

Many of the tools and suites have trial periods or are outright free software that you can download, install and test out. Go get as many of the tools as you can store, install them and take them for a test spin. For instance, one of my practice images had Skype installed. After searching for ASCII strings and looking at them with a hex editor, I wondered if there was anything out there to help me crack the default .dbb storage files. A quick Google search landed me on Belkasoft's Skype Analyzer. Free trial, $50 for the fully licensed version. Perfect! By the way, if you're using Skype to talk about anything you wouldn't want others to see... STOP!
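The "search for ASCII strings, then look at the hit in a hex editor" pass described above is the same thing the `strings` utility does, with offsets so you can jump straight to the bytes. The script below is an added example, not code from the original post or from any of the tools mentioned; it scans a constructed in-memory "image" (the byte buffer `SAMPLE_IMAGE`, with made-up filler around a few illustrative artifact names) for printable ASCII runs, greps them for a keyword, prints a hex-editor style line for each hit, and also pulls out UTF-16LE strings, which an ASCII-only pass misses on Windows systems.

```python
"""
strings-style triage over a raw image: report printable runs with their byte
offsets, grep them for a keyword, and render a hex-editor line for each hit.

Added illustration only. SAMPLE_IMAGE is a constructed byte buffer, not a
real forensic image; the paths and file names in it are illustrative.
"""
import re
from typing import Iterator, List, Tuple

MIN_LEN = 4  # GNU strings also defaults to 4 characters


def ascii_strings(data: bytes, min_len: int = MIN_LEN) -> Iterator[Tuple[int, str]]:
    """Yield (offset, text) for each run of printable ASCII (0x20-0x7e) of length >= min_len."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    for m in pattern.finditer(data):
        yield m.start(), m.group().decode("ascii")


def utf16le_strings(data: bytes, min_len: int = MIN_LEN) -> List[Tuple[int, str]]:
    """Return (offset, text) for UTF-16LE runs of printable ASCII characters (what `strings -e l` finds)."""
    pattern = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    return [(m.start(), m.group().decode("utf-16-le")) for m in pattern.finditer(data)]


def grep_strings(data: bytes, keyword: str, min_len: int = MIN_LEN) -> List[Tuple[int, str]]:
    """Return the ASCII runs whose text contains keyword (case-insensitive)."""
    kw = keyword.lower()
    return [(off, s) for off, s in ascii_strings(data, min_len) if kw in s.lower()]


def hexdump_line(data: bytes, offset: int, width: int = 16) -> str:
    """Render the hex-editor line that contains offset (start is rounded down to width)."""
    start = offset - (offset % width)
    chunk = data[start:start + width]
    hexpart = " ".join(f"{b:02x}" for b in chunk)
    asciipart = "".join(chr(b) if 0x20 <= b <= 0x7e else "." for b in chunk)
    return f"{start:08x}  {hexpart:<{width * 3 - 1}}  |{asciipart}|"


# Constructed sample "image": binary filler around a few plausible artifacts.
SAMPLE_IMAGE = (
    b"\x00\x01\x02\x03" * 8                                          # offsets 0-31, filler
    + b"C:\\Documents and Settings\\user\\Application Data\\Skype\\"  # 32-85, ASCII path
    + b"\xff\xfe\x00\x00" * 4                                        # 86-101, filler
    + b"chatmsg256.dbb\x00\x00"                                      # 102-115, then two nulls
    + b"\x90" * 13                                                   # 118-130, filler
    + b"ab"                                                          # 131-132, too short to report
    + b"\x00" * 7                                                    # 133-139
    + b"note: skype call 2010-04-06"                                 # 140-166
    + b"\x00" * 16                                                   # 167-182
    + "skype.exe".encode("utf-16-le")                                # 183-200, invisible to an ASCII scan
    + b"\x00" * 8                                                    # 201-208
)

if __name__ == "__main__":
    for off, s in ascii_strings(SAMPLE_IMAGE):
        print(f"{off:#010x}  {s}")
    for off, s in utf16le_strings(SAMPLE_IMAGE):
        print(f"{off:#010x}  {s}  (UTF-16LE)")
    print()
    for off, _ in grep_strings(SAMPLE_IMAGE, "skype"):
        print(hexdump_line(SAMPLE_IMAGE, off))
```

On a real image the equivalent first pass is `strings -a -t x image.dd | grep -i skype` for ASCII and `strings -a -e l -t x image.dd` for UTF-16LE; the `-t x` offsets are what you type into the hex editor's "go to" box. The UTF-16LE pass matters because Windows stores registry values, prefetch paths and many application strings that way, so an ASCII-only search silently skips them.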

The new version of the SIFT workstation is available. Go get yourself a portal account and download it. Version 2.0 comes with a PDF user guide chock full of forensicy goodness.

Take a look at the GCFA Gold certified list. These guys had to write papers to get gold certified, and most of their papers are out there for public review.

The leading incident response and forensics companies publish whitepapers regularly.  Go download them, read them, highlight them.  The exam is open book, open notes.

I found a gem called "Introduction to The Sleuth Kit". It's got everything from the history of TSK to command line switches and sample outputs. It's going with me on exam day.

Write out your own study guide. I took notes as I was reading and interviewing people and compiled them into a document. When I took my first practice test I realized that there were several holes, so I added pages. My study guide is about 50 pages long now. (No, I will not sell you a copy.) The process of re-typing things I know are important reinforces them in my head and makes for a great test reference.

Take your time, take the practice tests, ask me questions if you'd like.

I may be the new guy, but I'm here to help.


  1. I know there are a lot of these out there, but a guy I work with told me about BackTrack Linux as a bootable live CD for forensics use. Looks pretty cool, can boot from a USB key as well.


  2. I was actually thinking about doing a comparison/review of several of the live forensics discs for the blog. There are several out there. HelixPro, Knoppix, BackTrack to name a few. Even more interesting are the custom scripts for grabbing live data and the associated "live" CDs.

  3. Grayson,
    I like your comparison of forensic disks idea. Can't wait.

    My problem with writing those kinds of posts is that they take so long to write, and I only have time to do chunks here and there. However, writing them can be most fulfilling, and they are good pillar posts that generate traffic. I have a few in the hopper.

    I'm studying for a cert also, and am compiling my own notes, which I'm thinking of posting on my blog for free, not only to generate traffic, but to give back. I used a couple different CISSP cheatsheets that people posted a few years ago. I also read 3 other books and took my own notes.

    Not criticizing your choice, as I can imagine after spending all that time, it's hard to sell it, much less give it away. On one hand, I don't want to give anyone a shortcut for something I had to work hard for, but on the other hand, people who get certs but don't know the material will be found out eventually. We'll see what I end up doing....

  4. I am preparing to take this exam in June. I have been reading the books over and over. I made an index of the books with page numbers and notes. Can you suggest any other tips I should use to prepare?

  5. I took 3 practice tests and created a "cheatsheet" with the topics that were coming up more frequently and the page numbers of my reference books where I found answers. Keep in mind, I did it self study and didn't have the actual course books available to me.