GIAC Certified Forensic Analyst Certification GCFA Study Guide for Procrastinators

Why FOR508 And The GCFA

FOR508 with the GCFA is a course offered by the SANS Institute that provides comprehensive training in digital forensics, incident response, and threat hunting. The course focuses on the latest techniques and tools used in these fields and provides hands-on training to help participants develop the skills they need to effectively perform digital forensics and incident response. The course is designed for cyber security professionals, incident responders, and forensic analysts who are looking to gain a deeper understanding of these critical areas of information security.

The course is taught by experienced instructors who are experts in the field of digital forensics and incident response. It is typically offered as a five-day in-person seminar, but it is also available online through the SANS Institute’s virtual classroom platform.

The GIAC Certified Forensics Analyst (GCFA) certifies that candidates have the knowledge, skills, and ability to conduct formal incident investigations and handle advanced incident handling scenarios, including internal and external data breach intrusions, advanced persistent threats, anti-forensic techniques used by attackers, and complex digital forensic cases.

To earn the GCFA certification, candidates must pass a rigorous exam that covers a wide range of topics in digital forensics and incident response. The GCFA certification is intended for professionals who work in roles such as forensic analysts, incident responders, and security consultants. It is a highly respected and sought-after certification in the field of DFIR.

To maintain the GCFA certification, holders must earn continuing education credits by attending relevant training and workshops, participating in professional organizations, and conducting research in the field.

I luckily had the opportunity to complete the FOR508 course and the GIAC Certified Forensic Analyst Certification (GCFA) certification. This guide is not going to breach any of the NDA material supplied by the course, however I would like to pass on my tips and tricks that helped me to complete the course and complete the certification.

Read The Content

Now that I have procrastinated long enough about what to actually put in a useful study guide, I will get to the important bits.

In my case for the FOR508 course I opted to complete the course through self paced learning, which was a combination of online videos and course books. While you can just sit through all the videos and never open the books, keep in mind that the GCFA is an open book exam, if you don’t read the books then you will find it terribly hard to find information you need during the exam.

It is essential to thoroughly study the course material to gain a deep understanding of the subject matter because it provides the foundation of knowledge required to understand the concepts and topics being tested.

Here are some reasons why reading the course content is important for passing exams:

  1. Comprehensive Coverage: Course content is designed to cover all the important topics and concepts related to the subject, ensuring that you have a complete understanding of the material.
  2. Organization: The course content is organized in a logical manner, making it easier to understand complex concepts and retain information.
  3. Practice Questions: Many course materials include practice questions and exercises that can help you test your understanding of the material and identify areas where you need further study.
  4. Relevance to the Exam: The course content is directly relevant to the exam, so studying it thoroughly will increase your chances of passing.
  5. Understanding of Terminology: By reading the course content, you will become familiar with the terminology and language used in the exam, making it easier to understand questions and answer them accurately.

Overall, reading the course content is a vital step in preparing for an exam and helps to ensure that you have the necessary knowledge and understanding to perform well on test day.


I admit that I am a terrible procrastinator. For the FOR508 course you are given four months of access to complete it. If like me you spend the first month thinking of when you are going to get around to it, don’t!

Set some deadlines. One of the best videos I have ever seen about procrastination was this Tim Urban TED talk with the Panic Monster. It gave me one of the best weapons to fight procrastination; Deadlines.

Deadlines allow procrastinators to function in society. They force us to complete things rather than just think about them. So I came up with deadlines with where I wanted to be as the course progressed. I didn’t finish early. But I wasn’t a raging mess at the end either trying to fit all the content into three all nighters.

Once the course is done. Success!!! No! You need to now set a date for that pesky GCFA exam. If you don’t set it then you will find it harder to motivate yourself to log that content in your head.

An Index is one of the most important things you are going to have to work on. This means going through those books again, grabbing your favourite method for finding pages quickly (I quite like the little sticky notes) and log what is important in those pages.

I found it very useful to tag relevant pages, and I created both and index of useful words and where to find them in the books, and a table of content that enabled me to know where the sections of the book were. For example “Malware persistence” If the question was about that, I would at least know the general area to start my search.

If you want more information on indexing, please go look at preparing your GIAC exam index by Hacks4Pancakes (Lesley Carhart). This is an amazing guide and I couldn’t even think to try and write a guide that would compare.

Practice Tests

The practice tests are an important part of preparing for the exam as they provide several benefits:

  1. Assess Your Understanding: By taking practice tests, you can assess your understanding of the material and identify areas where you need to improve.
  2. Time Management: Taking practice tests also helps you manage your time effectively during the actual exam. You can learn to pace yourself and allocate time for each question in a more efficient manner.
  3. Test Format: Practice tests familiarize you with the format of the exam and help you become comfortable with the types of questions that will be asked. This can reduce test anxiety and improve your performance on the actual exam.
  4. Improving Weaknesses: By taking practice tests, you can identify your weaknesses and focus your study efforts on those areas. This can help you avoid making the same mistakes during the actual exam.
  5. Confidence Building: As you see your performance improve through practice, you can build confidence in your abilities and reduce stress and anxiety related to the exam.

I found one of the most important parts of the practice tests was learning the way the questions are worded, managing your time and understanding how to use the systems for the final virtual machine part of the test.

On that last part, I practiced on a very large 4k screen. This gave me tonnes of room for the questions, unfortunately, the exam centre where I did my exam had extremely small resolution screen which caught me quite off guard. Please take this into consideration as I found it very difficult at the end of the exam and that section took much longer than in my practice exams.

The Exam

Ok, so you have set the date for the Exam and it is coming up. You have your books marked, you have your index, you have any other documents to assist you. Now, practice using them.

Its not easy with the pressure of the exam, all those books, your index and anything else you have (they gave me a whiteboard) to use them all in an effective way.

I know I saw the first question and I basically forgot how to use my index, shuffled through the 7 books, and just looked dumbfounded at the question again. I had practiced meticulously so I took a breath and put that practice into action and worked methodically through the exam.

Don’t get caught like I did on the final practical questions. Make sure you give yourself enough time to overcome any obstacles that may arise during them.

Overall I achieved a good result, 86% which I was happy enough with. There was definitely areas I could have worked harder on but being able to at least make that score came down to everything I had put work into.

I hope this helps you in some way for studying for a SANS exam if you are a procrastinator like me. Best of luck and keep on learning.

For further Cyber reading look at my Small Cyber Bytes series


Digital forensics experience working within the criminal investigation environment. Working on furthering incident response and pen testing experience in the cyber security environment.
Back to top button