Friday, April 2, 2010

Studying for the GCFA certification: Part 1

I'm scheduled to take the GCFA certification test on April 13th. I have been studying non-stop since right after the New Year (call it a resolution if you'd like). I took a practice test last week and scored 86%. I was pretty happy with that score considering I'm learning it through self-study.

Before you take any of the SANS practice tests you are required to sign a legal notice regarding divulging any test questions and their ethics standards (see: have some or look for a new field). If you landed on this post hoping for a brain dump or a list of the hard test questions, move along, there is nothing to see here.

If you're looking for an overall view of the type of materials you need to study and the background that computer forensics requires, stick around, I may be able to help.

Me: I'm 37, I've been playing around with computers since I was 11 or 12. My first was a TI-99/4A hooked up to a black and white TV. It came with some really cool "programs" that would let you draw a giant with a flashing pixel for a hand. It was the coolest thing I had ever seen. That may have been the last coding I ever did. I did join the Navy on a 6 year hitch to get into some advanced electronics training. Aviation Electronics Technician (AT) "A" and "C" schools taught me everything from positive and negative to "hole flow" theory and NPN doping. I got out after 7 years and, more or less (I did a little drinking to celebrate my newfound freedom; I'm told I had fun), started my MCSE certification immediately. I went through the NT 4.0 (yes, that's a Microsoft operating system) MCSE courses at University of Phoenix in 1999 and 2000 and passed all my cert tests in 2000. I've been working as a sysadmin or consultant ever since. I've worked at everything from one of the largest data centers in the world (at the time) to private customers that were literally a one-woman show. From junior help desk ticket guy to tech lead of a 20 person team. I started a consulting business in Phoenix focused on secure networking and then moved to Montana and continued consulting, auditing, etc... for a company here.

So, "blah, blah, blah, you've been around computers for awhile" right? Well yah! That's sort of my point. Don't think you can just go out and get a certification like this and expect great things to start happening. You need to have a breadth of experience with hardware, software, client relations, project management and technical writing to stand a chance.

For what it's worth, here are my recommendations:

1) If you can swing it, suck it up and pay for the SANS training. SEC:508 looks like an awesome class. The instructors are friggin' rocket scientists and the list of materials that come with the course looks great. I can't come up with the $$; if I could, I'd be there in a heartbeat.

2) Read everything you can get your hands on. Here's a starter list:

File System Forensic Analysis, Brian Carrier. Carrier wrote most of TSK (The Sleuth Kit). I'm pretty sure this dude dreams in binary. This is NOT an exciting book, but it is an absolute must read and, more importantly, a book you need to understand.

Windows Forensic Analysis, Harlan Carvey. He wrote most of the Perl tools used for parsing timelines, logs, registries, etc. I'm not just pimping his book because he reads my blog (thanks Harlan). There are gobs of great info in this book backed up by years of experience. Again, you can't just read it, you need to understand it. The test I took required you to apply tools and techniques to a specific situation to come up with the correct answer.

UNIX and Linux Forensic Analysis, Chris Pogue. Chris teaches the SEC:508 course with Rob Lee and is heading up a movement called "Sniper Forensics" inside the community. His book deals with the same techniques as Harlan's, on the UNIX platform. Don't think for a second that you won't run into *NIX boxes as an investigator, especially if you get into the server arena. If your goal is to be a crime lab guy, 98 out of 100 cases are going to be Windows boxes, but you don't want to have to pay me to handle those 2 Ubuntu machines. I plan to be expensive.

Incident Response and Computer Forensics, Mandia, Prosise and Pepe. Kevin Mandia is the primary here. I mentioned one of his tools in an earlier blog post; he has a very successful software/incident response company to his name, among other things. This is a great book regarding the actual process of performing an investigation as well as many of the legal precedents. Read and understand this book.

3) Go out and network. I live in a small town and have a long list of customers. I also co-organize a large charity event and I'm a volunteer firefighter. I know lots of people. I just picked up the phone and called the local DOJ crime lab. A week later I sat down with the lead computer crimes investigator for the State of Montana for an hour and a half. I also called around until I found the most knowledgeable computer crimes defense attorney in town. He gave me an hour of his time to talk about the Wiretap Act and Pen/Trace. These 2 interviews allowed me to correctly answer at least 6 questions.

Next post: blogs, websites, and Introduction to The Sleuth Kit.


  1. Great article, glad I encouraged it :)

    Hey, I remember those NT 4.0 days. Used to lock myself in our little server room from 6-8 am studying. My boss used to knock on the door looking for me, and I'd just ignore him (I never gave him a key).

    I've only had the privilege of taking one SANS class (Wireless Auditing), and it was great. Never heard anything bad about a SANS class, except your brain can't handle all the info, it's so rich and thick.

    Your statement, "You need to have a breadth of experience with hardware, software, client relations, project management and technical writing to stand a chance" is so poorly understood by many.

    I find that IT auditors and security analysts don't have the years of slugging it out in IT, and as a result, don't understand how Active Directory works, how applications and databases interact, etc.

    I also had to train an MCSE who couldn't make a network drive on her first day!

    Keep hitting the books and don't blog too much. Sounds like you'll do OK on the exam. Good luck and early CONGRATS!

  2. Great article!! I want to obtain GCFA too. I was looking for official books but it seems SANS decided to close the store. Now, if you want those books, you must do the course (3k)... I'm going to make a list of books from your posts and start collecting them. But first, CISSP is waiting for me :D


  3. I'm studying for CISSP myself, then on to a Bachelor's in Information Security. The toughest material to get a hold of for the GCFA is the law portion. I recommend taking the practice tests and keeping hold of the material you will get from the questions. Good luck! Let me know how your tests go.

  4. Thanks Grayson, I will. Meanwhile, I'm doing forensics contests to increase my knowledge (like the SANS contest). Where do you get those practice tests? Directly from SANS?

    Good luck with CISSP!

  5. Great post! Thanks for sharing thoughts about the training and preparation for the GCFA Certification.

    Good luck to you too. Regards!

  6. Do you have notes from these interviews?

  7. I appreciate your help. You really helped me.