Passing the GCFE!

Tags: Blue Team, Forensics, Career, Cybersecurity, DFIR, SANS, Certs

Published: September 20, 2024

Author: Tyrrell

Background

In July, I had the opportunity to attend SANS FOR 500 at SANSFIRE 2024. As a course facilitator, I balanced learning the material with helping other students throughout the sessions. While this dual role occasionally left me short on time for some labs, my strong foundational knowledge from the team in Quantico proved invaluable in navigating these challenges.

The SANS FOR 500 Experience

Instructor Excellence

The course was expertly taught by Ovie Carroll, whose deep knowledge and engaging teaching style kept the entire class focused despite the traditionally dry nature of digital forensics content. His ability to make complex forensic concepts accessible and interesting was truly impressive—no small feat when covering material that lacks the flashiness of offensive security topics.

Course Structure

At the time of my attendance, FOR 500 consisted of five main sections:

Section 1: Forensics & Triage - Course introduction and foundational concepts
Section 2: Registry, App & Cloud - Core forensic artifacts and cloud considerations
Section 3: Shell Bags - Understanding user activity through shell bag analysis
Section 4: SRUM - System Resource Utilization Monitor forensics
Section 5: Web Browser - Browser artifact analysis across multiple platforms

The course also includes two comprehensive lab books that I highly recommend reviewing thoroughly. Given my facilitator responsibilities, I had to revisit all lab exercises before attempting the practice exams—a process that ultimately strengthened my understanding.

GCFE Preparation Strategy

Out of respect for SANS and GIAC, I won't detail specific course content, but I'll share my preparation insights for each section:

Book 1: Foundation Building

This introductory book was concise and well-structured, containing several valuable insights I hadn't encountered before. I primarily used it for confirmation and quick reference, finding it easy to index due to its focused scope.

Book 2: The Deep Dive

The largest of the five books, covering extensive material on prefetch files, LNK files, and shimcache—topics I'd studied in previous courses. While this section proved to be the driest during class sessions, it contained numerous gems worth revisiting. The indexing process for this book was the most time-consuming but necessary.

Books 3 & 4: The Challenge Zone

I grouped these together as they felt like natural continuations of each other. These sections represented my biggest knowledge gaps, requiring extensive indexing of every mentioned topic. To strengthen my understanding, I supplemented my studies with the complete on-demand video series for both books, recognizing this as my primary weak point.

Book 5: Browser Forensics

This section opened my eyes to the extensive tracking capabilities of modern browsers and the wealth of artifacts available to forensic analysts. While highly informative, the content became somewhat repetitive as it covered similar concepts across different browser platforms. Unless I transition into a dedicated DFIR role, I don't anticipate frequent reference to this material.

Index Creation Process

My approach was straightforward and practical. I started with the SANS-provided index as a foundation, then added terms I felt were essential for my reference needs. For Books 3 and 4, I created comprehensive entries for nearly every concept covered, supplementing this with insights from the on-demand videos.

After completing my initial index, I took the first practice test and added any missed or slowly-recalled items. I repeated this process with the second practice test while creating a separate lab-focused index. My practice test scores of 84% and 86% gave me confidence to schedule the actual exam.

The GCFE Exam Experience

The exam lived up to my expectations based on the practice tests. Your actual score will likely align closely with your practice test average. While the specific questions differ, the format and difficulty level remain consistent with the practice materials. Focus on performing well on the practice exams, and the actual GCFE shouldn't present any surprises.

Strong preparation through thorough indexing and practice test performance remains the key to success on this certification.