Josh,

Sorry you did not pass. I took it and passed, so I will be getting my plaque this week.

I think the key for me was going over the book and indexing EVERYTHING. I had over 40 place holders in the three books and it helped tremendously when I took the open book test to have the detailed index that I had. Hopefully you will not be too discouraged and try to retake the certification course. I agree it was not easy and there were questions outside of what the reviews had, but overall it was pretty much covered in the book.

good luck!  

That's what I did too. I had them everywhere on all three books. What books were you using? Maybe that's my problem.  

- diorillo

Josh,

Sorry you did not pass. I took it and passed, so I will be getting my plaque this week.

I think the key for me was going over the book and indexing EVERYTHING. I had over 40 place holders in the three books and it helped tremendously when I took the open book test to have the detailed index that I had. Hopefully you will not be too discouraged and try to retake the certification course. I agree it was not easy and there were questions outside of what the reviews had, but overall it was pretty much covered in the book.

good luck!

I used indexing for the GCIH -GIAC Certified Incident Handler. What I did was make an excel sheet with the Exam Certification Objectives and list the page where it could be find.

You still need to know the material and how to locate it fast.  

What books did you use? The name of it? Where did you get it?  

I did GCFE off the back of the SANS408 course so had the courseware. Fully agree with indexing, I did almost exactly the same with Word and the course objectives. I also put together an Excel file - a 'cheat sheet' - with lists of (e.g.) File System info across different OS versions, Event Codes, etc etc.  

I took both the 508 and the 408. Without a doubt to me the 508 was 10x harder then the 408. There were times in the 508 class I was just gonna toss my laptop across the room. My instructor was Dave Hull.

I took the 408 after the 508, I know a bit backwards. My instructor for 408 was Ovie Caroll. They taught us the new material but were in the process of writing up the test at the time of the class.

Both instructors were great.

As was mentioned I found 408 to be more basic general information and it was all about using the GUI tools. Where as the 508 was all command line and it was very LONNNNGGG command lines. I get the gist of the SIFT kit but in real life I could not imagine using that thing at all and I expressed that in class.

Personally I feel the GCFA should hold more weight then the GCFE since it is the 2nd step in the forensic classes if you get what I'm saying.  

I did my GCFA self study without SANS's books... let me tell you it was rough... what I did was drafted a book I dubbed "The Constitution" and researched what type of questions would be on the test as much as possible.... I had all of the cheat sheets, I printed out every law I could possibly imagine (The laws were probably the hardest on the test for me as I did not know the German laws to well)

I have no experience with the GCFE... but I've always been curious and I kind of want to take it just to say that I did