GCFE - Training Techniques
I often see posts where people who took or are taking certifications list how they went through the materials, so let's do one of those posts. Here's the latest thing I'm working on passing. I have already worked in DFIR (Digital Forensics & Incident Response) and hold other GIAC certifications (GREM), but I found that many people don't consider that suitable evidence of forensic capability and have started demanding certifications such as GCFE and GCFA. As Google puts it, 'GCFE is often seen as intermediate, while GCFA is considered advanced or the "gold standard"'. That said, reviewing older versions of the SANS 500 course work, I think there are some nuances that trip me up, and I definitely got caught up on them while taking the practice tests.

So basically, when you sign up for the course and test together (about $10k USD; it's insanely expensive, so companies expect you to already have it rather than being willing to fund someone getting it), you get two practice tests. I failed the first and passed the second, but both times I found things worded in ways I'd never considered before, and it tripped me up.
"With digital investigative analysis, there is no such thing as full forensic analysis. What we do is an investigative iterative process. We're always learning." - Quote from Ovie on the SANS MP3s. Hopefully they won't sue me for quoting something from the training; I just wanted to make the point that this is really what the deal is in the real world. It's not a static learned trade by any means, which means certifications are, for lack of better phrasing, solely academic reference material about someone who is certified. But I definitely learned from this course work.
The training material can be sorted into categories: Videos, MP3s, Books, Labs, CTF, and Practice Tests.
Videos/On Demand
The full course, including slides and discussions/walkthroughs of the labs, is found in the videos. I sat down and watched these, writing notes in Obsidian day after day, until it just became too much to keep writing. I was stopping and going back all day, easily taking 10x longer than the runtime of each video. Total waste of time. My suggestion here: go through the whole thing, work all the labs, then go back over the series. You'll spend less time that way and soak in more of the knowledge. Knowing that the test, or at least the practice tests, may go into extremely specific details you probably don't have written down anyway, it just makes sense to take in as much data as you can in the time allowed so you can reasonably solve for the missing information.
One thing that I didn't have written down, but that wound up being of use, was the MFT Records Table (you can find it on Google). I didn't see this in the videos or hear it read through on the MP3s; it was solely in the books. So keep in mind, when going through the videos, that there may be things in the books that get tested on that aren't in the videos.
MP3s
I like the MP3s because I can keep them going in the background while I do other things all day long. When juggling a lot of projects at once, this is a great way to keep studying. They also contained information not in the videos, but I think that's mostly because the latest video series and the MP3 series were recorded by different instructors.
Books
The books seem to be the de facto "the test focuses on these" material. The best advice for these is to plan to read through a section, then watch the video or listen to the MP3s, then do the associated labs.
Labs
On all platforms, the labs (available in the lab books with the associated virtual machine) give you practice with each technique and tool relevant to the training. These are definitely essential, as this is what makes the training practical in the real world. For nearly every tool, the quick advice I can give is: sort by date/time and use the search features.
CTF
Boy howdy, did this CTF upset me. "This is literally what it shows verbatim for the device, it's in plain text" -> wrong answer. -> "What do you mean, wrong answer?"
O_____O
So there's a capture the flag at the end of the course using ranges.io. If you're like me, you will want to investigate the case and have the whole case figured out (or what you thought was figured out) before you ever start answering questions. Then you'll have questions right in your face asking for obscure things that might seem completely unrelated. The goal here, I believe, is to make you break your investigation down into questions and sub-questions, so you document the whole case appropriately without tainting your own investigation. If that is the reason, it's a critical point, because at the end of the day, that's what sorts good and bad practices in this realm.
Practice Tests
We all know testing is going to be designed to mess you up. Well, in case you missed what else I was saying about this, these tests go over things that were never in the videos or MP3s, but if it's in book 1, page 75, then it can be on the practice tests. This showed me a crucial point about why people discuss indexes so much for this test. If the book has it and you didn't use that otherwise obscure reference, they sure can test you on it, even if it's completely impractical for any given case.
These practice tests also include the CyberLive format, so you can test your ability to complete those questions. They are somewhat like the CTF questions, in that they are potentially obscure questions that expect you to use the tools discussed in the training to guide you through, but with a much more straightforward solution (in my opinion). Because you are timed, if you spend your time during these tests writing down where you've failed, you won't have time to complete them. It was primarily due to this that I failed one of my practice tests: I missed every CyberLive question because I didn't get to them in time.
Self Prep
For me, GREM was a much easier course because things were very pragmatic and solution driven, rather than investigation driven. So after failing the first practice test, I realized I need to both do more practice at quickly answering obscure questions (flash cards? more practice tests?) and practice more of the CyberLive possibilities.
Here are my solutions for both sides:
Step 1: Build my own toolkits
I have a tools folder that I share between virtual machines, but I also use some of these tools on the host itself. While looking over the toolkits on the SIFT Workstation, I noticed it used iTop Easy Desktop to sort its shortcuts. I don't want to use any paid software just to sort my icons into frame windows, so instead I found a tool called Desktop Fences (https://github.com/limbo666/DesktopFences). I also installed this in a similar way on the Windows VM that I normally use, as this gives me the same access on that desktop.
Step 2: Flash cards
I wound up telling Copilot to find me things relevant to the course (based on the public syllabus; please don't put real course info into public AIs) and create 1000 Q&As for it. I generated 500, and Quizlet only uses around 200, so I created this: https://quizlet.com/1180634670
This lets you do things like matching exercises with the set.
Step 3: Try tools for myself
I've used a lot of these tools already anyway, like KAPE, Volatility, PhotoRec, etc., but some of them I hadn't, like Arsenal Image Mounter and Axiom (I tended to use FTK and Autopsy). Definitely one of those "should have taken this 15 years ago" sort of situations. So, since I now had an updated toolkit, I made a quick memory dump of my Windows VM and started investigating it on my host. Because the free version of Arsenal Image Mounter lets you use locally cached writes instead of writing to the actual disk (so the image itself stays unmodified), I then mounted the VMDK disk image for my VM and got investigating.
I also worked on completing as much of the CTF as I could along with this.
Final Suggestions
While going through this, here are the things I wish I had done from the start, along with other suggestions for anyone trying to study for this:
- Treat the course first as a weekly class, then as a continued learning replay.
- Read the chapters before each section of the video class, maybe the night before if you have time.
- While reading, mark key points. For me, instead of marking key words, I marked specific things that I knew I wouldn't be likely to remember, like MFT sections, Chrome and Firefox transition types, etc.
- During the course videos, be working on the labs too.
- Listen to the MP3s while you're not able to sit down and watch the videos (driving, working, running, whatever).
- Making an index is definitely helpful; there's also basically an appendix as an example index. But I needed more, so I wrote up my own based on the training suggestions and the quick references that were given with the course. If you can't understand where things go when using these references, they're of no use to you. So, use whichever method works for you.
- Challenge yourself to study alternative tools, artifacts, or "linking artifacts" to better yourself as a DFIR investigator.
- Don't sit on the knowledge without using it. Take the practice tests, make your own tests, and practice until you take your exam.
Thanks for reading
If you need any IT or CyberSecurity work remotely or within the DFW area, please contact us over at FeemcoTechnologies.