SANS-GCFA Training & Certification

(@elmurado)
Eminent Member
Joined: 19 years ago
Posts: 29
 

It was great - hands-on and theory-based - went through things like file systems to creating timelines to methodologies etc. One of the great things was learning from a wide range of people who become your classmates for the week. Definitely well worth it and Rob Lee is a great instructor.
After doing the course, I would recommend it even to people who've been doing forensics for a while - there were guys from the Tax office and from defence who all needed a refresher and maybe a catch-up with new advances etc. Me, I'm still pretty new to all this so benefited from all of it.
I had a lot of fun too - using tools and actually having to think rather than just retain.


   
cinux
(@cinux)
Eminent Member
Joined: 20 years ago
Posts: 21
 

Dear list,
I cleared my GCFA last July and I would like to share my experience with you all. I have been in this field for about 2 years. My company did not have the resources to send me for the SANS classes (which I am sure are worth every penny) so I had to do something myself. I got hold of the list of topics covered on each day of the class and started preparing myself. I purchased the exam which allowed me 4 sample tests (2 for each test). I read through any material which I got through the web and based on my own training experience (I conduct a three-day Computer Forensics workshop in India). Since I did not have access to any study material from SANS… I adopted a strategy… give the sample exam, note the topics from the questions asked and then prepare accordingly. This is how I finished my exam.
A few notes about the exam. IMHO, it's not a great exam as hyped. I think the questions test more of your cramming power than your computer forensics knowledge. I got so disgusted at some of the questions that I had no choice but to write to SANS…
In a nutshell, it may look good on your profile but I guess for 800$, it is just not worth it. A CCE or ENCE is better recognized in the market for that matter. Still, if someone is keen, do not hesitate to contact me for any details and tips on the exam (I'm sure I could be of great help, especially for the grind I went through).
Regards,
Chetan


   
bobby1041
(@bobby1041)
Eminent Member
Joined: 20 years ago
Posts: 20
Topic starter  

Thank you all for your comments. I ended up not going to the training. I feel that an exam, in digital forensics, that does not test with practical exercises is not as valuable as exams that do.


   
keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
 

> I think the questions test more of your cramming power than your
> computer forensics knowledge. I got so disgusted at some of the questions
> that I had no choice but to write to SANS

I can't say that I'm surprised…I found the same thing with the CISSP and some of the MCSE stuff before that.

Did you ever get a response from SANS?


   
cinux
(@cinux)
Eminent Member
Joined: 20 years ago
Posts: 21
 

Harlan,
No, I did not get any reply from SANS. By that time, I had already paid for the GCIA (Intrusion Analysis) exam and so I appeared for it as well. There also it was the same scenario. The first paper on TCP/IP was kinda ok but in the second paper I had almost 6-7 questions repeating in the same exam. It's high time they looked at the randomizer program that powers their engine! Also, some questions explicitly refer to the training content. Poor guys like me who do not have access to the study material have no choice but to guess in such questions.

It's amazing how they can base the whole question paper on Snort and its remote unknown plugins when they could have put some questions on intrusion detection as a science. I would have loved to see some questions on sample traces of virus/trojans/intrusion attempts… that would have made the whole effort worthwhile and given me the confidence to face real life intrusions in a better way!
Regards,
Chetan


   
hogfly
(@hogfly)
Reputable Member
Joined: 21 years ago
Posts: 287
 

I wasn't really sure about the GCFA and what the exam actually proved. Let's see… questions on sleuthkit, a few procedural questions, more questions on sleuthkit, Linux-based examination questions (strings output etc.), command flags… hmmm, not really about forensics at all.


   
(@Anonymous)
Guest
Joined: 1 second ago
Posts: 0
 

See, this is what I was afraid of. Cramming, instead of learning. Memorizing, instead of understanding.

Unfortunately where I am located, those extra letters do mean a lot.

So Cinux, you registered for the class, and the test, and used the example tests to pull information from the class. Is that correct?

Can you be a bit more specific as far as the content of the class/test? You mentioned Snort for the GCIA. What if I used commercial products, am I out of luck? Is that the same for GCFA? All open source, no commercial products?


   
(@elmurado)
Eminent Member
Joined: 19 years ago
Posts: 29
 

I have to agree with regard to the exams - it does seem a bit like cramming - however I was only talking about the course itself, which is hands-on and gave me a springboard to experiment from (grab HDDs from friends and from the dump etc. and just play).
I suppose there could be a better way of having a practical exam to pit your wits against - kind of like a challenge exercise. AFAIK, the gold cert requires a paper - not sure if this is the case with the GCFA.


   
cinux
(@cinux)
Eminent Member
Joined: 20 years ago
Posts: 21
 

> So Cinux, you registered for the class, and the test, and used the example tests to pull information from the class. Is that correct?
>
> Can you be a bit more specific as far as the content of the class/test? You mentioned Snort for the GCIA. What if I used commercial products, am I out of luck? Is that the same for GCFA? All open source, no commercial products?

No, libertate, I did not register for the class. I just registered for the exam, which is 800$. When you register for an exam, they give you 4 sample tests. From those sample tests (and the course contents given on the SANS site) I got an idea about what they are covering in the exam.

No, you are not out of luck if you are using commercial products since you do understand the nuances of intrusion detection. However, for the purpose of passing the exam, you have to know the ins and outs of Snort (cram Snort concepts like distance, offset, within etc.)…
Yes, GCFA/GCIA is all about open source… not commercial products…

Regards,
Chetan


   