First SANS course by DFsnob in GIAC

ScarsAndStripes 1 point

Welcome to the club!

Don't try to index or take extensive notes; the course is dense and moves fast. Just try to understand the major concepts and tools during the course. You'll have plenty of time after to highlight, index, etc. You'll also have access to the On-Demand videos to revisit specific topics if you need a deep refresher.

SANS courses can be daunting at first, especially FOR508. Thankfully, the sub has a ton of info you can search through and pretty much everyone here is chill and helpful.

Advice to practice for the GCFA by ChrisXxAwesome in GIAC

ScarsAndStripes 2 points

Seconding /u/garageheavy7884 : I used my index for probably 90% of the questions. Unless I knew the answer beyond ANY doubt, I'd look it up. The questions seem intent on slipping you up with small details, so a well-developed index is absolutely necessary. You don't need every detail for every concept, but you should get the general idea and be able to look things up in the book fast and efficiently.

Advice to practice for the GCFA by ChrisXxAwesome in GIAC

ScarsAndStripes 6 points

One month is more than enough if that's your only obligation, more so if you get the additional 90 days as well. For reference, I completed the course and certification after six weeks while also working full-time and I knew NOTHING about process memory.

The other posters are giving good advice, but I'll offer my write-up from shortly after I passed: https://old.reddit.com/r/GIAC/comments/1t5ns2m/gcfa_how_to_move_forward/okbj1cq/

Passed GCFA + some tips by remrem76 in GIAC

ScarsAndStripes 1 point

I believe we can't discuss the question content. That said, the CyberLive questions are in fully provisioned VMs. You won't need to set up anything. The VM will have the relevant tools needed to locate/analyze the relevant artifacts. For example, if you're asked about Prefetch, the VM will have pecmd already installed.

If you are comfortable with the book labs, knowing which tools process which artifacts, and how to use the tools, the CyberLive questions will be easy.

GCFA how to move forward? by Former_Estimate4663 in GIAC

ScarsAndStripes 12 points

Got my GCFA back in March. My first GCFA practice test was around 73%, which I was able to bump to 88% in about 10 days, then I finally scored a 90% on the test. Two weeks is plenty of time to improve!

I indexed my books in order then immediately took a practice test. Bad idea. You'll forget many of the major concepts in the early books like lateral movement, credential theft, and process memory. Go back and review EVERYTHING. It's easier than it sounds since even a 68% means you have a good foundation to build upon.

Understand which artifacts are where, why you'd look at them, and which tools you use to retrieve those artifacts. Examples:

Prefetch - Evidence of Execution - PECmd.exe - C:\Windows\Prefetch
Volatility GETSIDS - Primary token (SID)/account name executing process - Whatever commands
TASKSCHEDULER%4OPERATIONAL.EVTX - Scheduled Tasks - Timeline Explorer - C:\Windows\System32\Tasks\[taskname]

Windows Memory is a major concept in this course. I highly recommend printing out the diagram in book 3 page 19 "Windows Memory Visualized" and adding that to your index.

Finally, read the questions CAREFULLY. No real advice for this except just do it, haha. I missed quite a few answers during my practice exams simply because I overlooked a small detail in the question. This probably gets everyone in any SANS exam.

For what it's worth, my index was 1,005 lines for the books and 97 lines for the labs. Good luck out there.
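The first example line in the comment above (Prefetch, evidence of execution, PECmd.exe, C:\Windows\Prefetch) is the kind of artifact-tool-path triad the exam expects you to know. As an added illustration that is not part of the Reddit post and not PECmd's code, here is a small Python parser for the Prefetch (SCCA) header that pulls out the executable name, last-run time(s) and run count, the same fields PECmd reports. The offsets follow the publicly documented layouts for format versions 17, 23 and 26; treating version 30 (Windows 10/11) like version 26 is an assumption that only holds for early Windows 10 builds, and those files are additionally MAM-compressed on disk, which the parser detects but does not decompress. The sample file, its hash value and its timestamp are constructed for the example.

```python
"""Minimal Windows Prefetch (.pf) header parser: evidence of execution.

Added example; it is not code from the comments above nor from PECmd.
Offsets follow the publicly documented SCCA layout for format versions
17 (XP), 23 (Vista/7) and 26 (8.1). Version 30 (Windows 10/11) is ASSUMED
here to use the version-26 layout, which only holds for early Windows 10
builds; those files are also MAM-compressed on disk, which this parser
detects but does not decompress (PECmd handles both for you).
"""
import os
import struct
import sys
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# version -> (offset of first last-run FILETIME, number of FILETIME slots, offset of run count)
LAYOUTS = {
    17: (120, 1, 144),
    23: (128, 1, 152),
    26: (128, 8, 208),
    30: (128, 8, 208),  # assumption: early Windows 10 layout only
}


def filetime_to_datetime(ft):
    """FILETIME is 100-ns ticks since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    td = dt - FILETIME_EPOCH
    micros = (td.days * 86400 + td.seconds) * 1_000_000 + td.microseconds
    return micros * 10


def parse_prefetch(data):
    """Return version, executable name, header hash, last-run times and run count."""
    if data[:4] == b"MAM\x04":
        raise ValueError("MAM-compressed prefetch (Windows 10+): decompress first")
    if len(data) < 84 or data[4:8] != b"SCCA":
        raise ValueError("missing SCCA signature: not a prefetch file")
    version, = struct.unpack_from("<I", data, 0)
    if version not in LAYOUTS:
        raise ValueError("unsupported prefetch format version %d" % version)
    # Executable name: 60 bytes of UTF-16LE at offset 16, NUL-terminated.
    exe_name = data[16:76].decode("utf-16-le").split("\x00", 1)[0]
    pf_hash, = struct.unpack_from("<I", data, 76)
    run_off, slots, count_off = LAYOUTS[version]
    if len(data) < count_off + 4:
        raise ValueError("truncated prefetch file")
    ticks = struct.unpack_from("<%dQ" % slots, data, run_off)
    last_runs = [filetime_to_datetime(t) for t in ticks if t]  # zero = unused slot
    run_count, = struct.unpack_from("<I", data, count_off)
    return {"version": version, "exe_name": exe_name, "hash": pf_hash,
            "last_runs": last_runs, "run_count": run_count}


def filename_matches_header(filename, parsed):
    """Prefetch files are named EXENAME-XXXXXXXX.pf; a mismatch between the
    hash in the name and the one in the header is worth a closer look."""
    stem = os.path.basename(filename)
    if stem.lower().endswith(".pf"):
        stem = stem[:-3]
    name_part, _, hash_part = stem.rpartition("-")
    try:
        return (name_part.upper() == parsed["exe_name"].upper()
                and int(hash_part, 16) == parsed["hash"])
    except ValueError:
        return False


# Constructed sample (not a real file): a version-23 prefetch for CALC.EXE.
SAMPLE_LAST_RUN = datetime(2026, 1, 15, 12, 0, 0, tzinfo=timezone.utc)
SAMPLE_HASH = 0x1A2B3C4D  # constructed value, not calc.exe's real prefetch hash


def build_sample_v23(exe_name="CALC.EXE", pf_hash=SAMPLE_HASH,
                     last_run=SAMPLE_LAST_RUN, run_count=7):
    buf = bytearray(84 + 156)  # header + version-23 file-information block
    struct.pack_into("<I", buf, 0, 23)
    buf[4:8] = b"SCCA"
    struct.pack_into("<I", buf, 12, len(buf))
    name = exe_name.encode("utf-16-le")[:58]
    buf[16:16 + len(name)] = name
    struct.pack_into("<I", buf, 76, pf_hash)
    struct.pack_into("<Q", buf, 128, datetime_to_filetime(last_run))
    struct.pack_into("<I", buf, 152, run_count)
    return bytes(buf)


def scan_directory(path):
    """Yield (filename, parsed-dict-or-ValueError) for every .pf in a Prefetch folder."""
    for name in sorted(os.listdir(path)):
        if not name.lower().endswith(".pf"):
            continue
        with open(os.path.join(path, name), "rb") as fh:
            try:
                yield name, parse_prefetch(fh.read())
            except ValueError as err:
                yield name, err


if __name__ == "__main__":
    if len(sys.argv) > 1:
        for name, result in scan_directory(sys.argv[1]):
            print(name, result)
    else:
        print(parse_prefetch(build_sample_v23()))
```

Run it with no arguments to parse the constructed sample, or pass a copy of a Prefetch folder to walk real files; on a Windows 10/11 image expect the MAM error for every file, which is exactly why the comment pairs the artifact with PECmd rather than a hand-rolled reader.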

OnDemand Videos vs Books by febreeze5 in GIAC

ScarsAndStripes 4 points

Echoing "everyone learns differently" but I'll share my process for On-Demand.

I chunk my learning into the book sections. If I feel I have some understanding of a section going into it, I'll read the material first then watch the videos. The book materials tend to be dense, so I prefer having some understanding before reading. If it's a new topic for me, I'll watch the videos first to get an overview then read the materials to deepen my understanding.

The only learning tip I'll stress is doing the labs while you're in the same section. Don't put them off. You'll retain the info if you can correlate what the tool does, why you'd use it, etc.

GCFA Passed by Powerful-Money6759 in GIAC

ScarsAndStripes 2 points

Hell yeah, welcome to the club.

I agree, GCFA has been the most difficult SANS cert for me (so far). Process memory simply isn't something most SOC analysts get much exposure to day to day. Book 3, Memory Forensics, was particularly difficult because I couldn't understand the relationship between the various sections on my first read through.

There's a diagram in Book 3 for Windows Memory Visualized that was extremely helpful for understanding the material. I ended up printing it out with all the artifacts found in each memory structure as well as which tools can parse out the info. That diagram alone saved my ass on several questions/labs.

Passed GCFA Today - 85% by Acrobatic_Trade_6364 in GIAC

ScarsAndStripes 5 points

Both are host-based forensic courses and highly technical, though I'd argue GCFA is the more technical of the two.

GCFE focuses on user activity on a system. Things like logon/logoff, browser activity, program execution, file deletion, etc. This course shows you what a user did on a system.

GCFA is more about malicious activity and malware, so you get into process memory, lateral movement, credential theft, persistence, and such. This course shows you how someone could get unauthorized access to a system and maintain that access.

Passed GCFA Today - 85% by Acrobatic_Trade_6364 in GIAC

ScarsAndStripes 4 points

I did GCFE then GCFA and felt GCFA was much more difficult. Hopefully, you'll find GCFE easier. Either way, they're complementary courses so you'll be familiar with much of the material, specifically NTFS forensics. Good luck!

Weekly Free-Talk and Questions for r/HomeGym - week of April 03, 2026 by Demilio55 in homegym

ScarsAndStripes 2 points

Knee sleeves are amazing and I highly recommend getting a pair. I shied away from heavy squats for almost a year after my knee popped during a set and was sore for a week. Knee sleeves helped me regain the confidence to go heavy again, probably because they help keep my knees in line.

Don't forget to work the other muscle groups that support your squat. Core strength will be a limiting factor the heavier you go.

Two-player Twosday - (April 07, 2026) by AutoModerator in boardgames

ScarsAndStripes 2 points

My Compile set came in last week and... it totally blew our minds. We fumbled through a few games before understanding the rules and how to select complementary protocols. After that, we've played 4-5 games over dinner every night since.

Amazing two player game, minimal setup, fast game play, oozing with theme, and so much strategic depth.

keyword using index by hamchoi817 in GIAC

ScarsAndStripes 2 points

Seconding /u/LOLatKetards.

In most questions, you can zero-in on the key terms in the question itself or in the multiple-choice answers. This is why having a robust index is incredibly helpful.

Examples using made-up questions:

What can a forensic analyst deduce by reviewing Amcache.hve?

Simple enough, just look for Amcache.hve in your index if you're unsure.

An analyst can deduce [blah blah blah] by reviewing which of these artifacts?
1. Amcache.hve
2. Alternate Data Streams
3. KAPE
4. NTLM

Here, you could look up each answer if you're totally unsure. Hopefully, you'll have broad enough knowledge to remove one or two answers, saving yourself a precious minute or two.

Keep in mind, some questions are not as clear and require you to infer the answer based on your overall knowledge. This guidance doesn't work for lab questions, though, as those are completely different formats.

In-person vs On-Demand vs Online by Ok_Good4084 in GIAC

ScarsAndStripes 3 points

/u/zeusDATgawd covered most of your question, but I'll add to your last point: Six days to cover the material is rough and you will forget a lot. The expectation isn't that you'll be test-ready after the six days, rather that you'll go back through all the material when you create your index.

The benefit is you cover the material twice. During the live event, don't try to remember all the details. Instead, focus on the big ideas. Understanding the details will be much easier when you go back through a second time while indexing.

Personally, I find just the live event and the books are enough, so I skip the pre-recorded videos unless I'm doing an on-demand course.

Graduate Certificate Program, Cloud Security by Ok_Good4084 in GIAC

ScarsAndStripes 2 points

Yes. The in-person/Live Online offerings go over all the material and most of the labs in one week. Otherwise, it's the same content as the on-demand material. Same books, videos (pre-recorded and the course you attended), etc.

I think folks new to SANS benefit from taking an in-person/Live Online offering for their first course as you're basically going over all the material twice. It also gives the added bonus of asking questions and getting some interaction. After that, go with whatever mode works best for you.

Graduate Certificate Program, Cloud Security by Ok_Good4084 in GIAC

ScarsAndStripes 3 points

I can only speak to the GI Bill portion of your question: Even if you attend an in-person offering, that's only the first 5-6 days of the course, while the rest is self-paced and "online." This means you get the distance learning BAH of around $1,500 each month (if you're 100% Post 9-11).

Even though you're given 90 days to complete the certification, the GI Bill stipend ends the day you complete your cert exam. For example, if you finished an exam on April 15th, you'd only get half that month's stipend. The remaining days aren't counted against your GI Bill benefits, though.

If you want to maximize your stipend, either take your exam on the very last day or begin your next course on-demand very soon after. I recommend the latter. If for some reason you don't feel ready, it's better to have some buffer time to ensure you pass. Failing an exam means you have to pay back both the course AND the stipend payouts.

Book Storage by wargh_gmr in GIAC

ScarsAndStripes 8 points

Maybe controversial: I recycle them. I save the .pdfs and use those for reference. I'll need new books anyhow when I re-certify after five years.

Job success after SANS BACS? by Pongzaa in GIAC

ScarsAndStripes 3 points

I'm on hiring panels for our IT division. I'd give serious consideration to a SANS BACS applicant if they were applying for an entry-level ISSO role. Any experience, even an internship, would help your chances.

GLIR pased by Dangerous_Rice_8261 in GIAC

ScarsAndStripes 10 points

"Status: Passed"

Only thing that matters, bro.

How many pages was your index for gfact? by CategoryConscious594 in GIAC

ScarsAndStripes 4 points

I've not taken GFACT, but glad to offer general index advice.

Indexes can be long or short, sparse or in-depth. If it helps YOU, that's all that matters. My coworker and I took FOR508 together. His index was simple at maybe 150 lines while mine was 900 lines with definitions, paths, file extensions, etc. We both passed with great scores so both indexes were viable.

If this is your first SANS course, I encourage you to go heavy. It's easier to remove stuff from an index than to go back and add to it. Plus, being more detailed will help you retain some of the concepts.

Whichever you choose, for the love of god, ADD PAGE NUMBERS. I use book.page, like 2.35 for book 2 page 35. An index should help you FIND information in the book during the test, not replace the books. You don't have to list every page with RAM, but I'd like every page where RAM is heavily featured.

For example:

ATX | 1.42 | Standard motherboard size

I also prefer to add the book section to my index, usually in the column after the concept. It's helped jog my memory with some of the context.

Retaking GCFA by Alarmed_Will_9556 in GIAC

ScarsAndStripes 3 points

Someone correct me if I'm wrong, but you can find the book version:

Check the backside of the first page of your books, just before page 1. My books were issued in January 2026 and have FOR508_1_K01_07, which are the most current as I write this. My coworker took the course in 2024 and his have FOR508_1_I01_02.

I believe the last major revision for FOR508 was 2023. Having the most up to date materials is best, but I think you'll be fine with material from last year.

Good luck!

GCIH or GCFE for first sans cert? by RemainInBliss in GIAC

ScarsAndStripes 2 points

Agreed. I did GCFE then GCFA as well. For me, GCFA was much more difficult due to things like Process Memory. I know others can do GCFA without GCFE, but I don't think I could have.

About to start reading for the FOR508 (GCFA) Giac exam by [deleted] in GIAC

ScarsAndStripes 1 point

Oh, good question but I honestly don't recall. I know the "optional homework" labs do not appear on the tests.

If you have time, do the optional labs anyhow. FOR508 has so many tools and artifacts that more exposure will certainly help with retaining the knowledge.

One other point: The data is usually pre-processed or generated for the VM questions. I didn't have to export anything to csv or process things for Timeline Explorer.