I recently sat and successfully obtained my GIAC Certified Forensic Analyst certification and thought I'd write a small post about it. What a year it’s been of study. I started my OSCP in early February. As per my previous post about it, it was a brutal 90 days of persistence, patience and suffering :)
After passing my OSCP, I had about 1 week of ‘free time’ before attending the SANS event for the FOR508: Advanced Digital Forensics and Incident Response course. I had this already booked from late 2017. So I knew it was coming, which I guess added to my stress of passing the OSCP first time and quickly.
--> What is it?
The course was great, it was the usual SANS format which entailed 6 days of lecturing from industry experts. The courses themselves are always valuable, not just from the content, but from the stories of people in the industry. You get real-life examples of how the content you’re learning is applied in day-to-day work.
There’s a lot covered in the course and at a high level:
- The incident response, threat intelligence & threat hunting process
- Cyber kill chain and Mitre ATT&CK models
- In-depth memory forensics
- Finding evidence of malware and answering (who, how, why?!)
- Carving out artefacts to create a ‘story’ and timeline of what happened
- In-depth look of the Windows file-system and how it all works
--> Study tips
This is my 3rd SANS certification and I think I’ve now got the hang of studying for these. During the course week, I tend to just listen as much and as I can and not really focus on the books. Tip, Get the most out of being there. It’s how you study later in your own time for passing the exam. While you’re there, just enjoy it. You’ve probably paid good $$$ for it too!
After the course, I take a few weeks away from it then get into studying. My method is simple, read the books and create an index.
The exam is open book where you can bring in an armful of written content. The best and only content you need is the official books and an index of keywords and page numbers.
I give all books a thorough read-through highlighting keywords, statements and points. This can take a while if not weeks. Once I’ve gone through all books, I then do it again, this time I create an index in Excel which is simply:
Keyword, Book Number, Page number.
For this certification, my index was 18 pages long. After I’ve completed the second read-through and built this index, time to sit a practice exam. My advice, sit them as you would the real exam. Set aside 3 hours of uninterrupted time, only using what you’d bring into the exam. I passed my first test with 73% (just scrapped through). Pass mark is 71%.
At the end, a summary is provided. Use this to focus on areas where you should devote more time.
In the end, I passed my exam with 88% and only 37 seconds to spare! It was a nerve racking final 5 minutes.
I could definitely tell during my second read-through of this course I was ‘burnt-out’ with study. Having just finished the OSCP where I dedicated easily 300-500 hours, I had one week break, then onto the GCFA.
--> Why the GCFA?
You might be wondering why I did do a forensics course/certification after my OSCP? Simple. I’m passionate about all things security and an advocate for learning both sides of the story. A great blue-teamer should have an understanding of how their adversary is attacking them. Likewise for a penetration tester. Understanding how your actions will be detected, what footprint you’ll leave behind and how you may (or may not) be detected, can only do you justice in rounding out your skills.
I’ve learnt great techniques to help me with my journey as a penetration tester. There’s definitely ways in which forensics can be used for the offensive. Why try and break through a hardened host with multiple layers of security? For example, if you can obtain or somehow gain access to a hypervisor with the right privileges, and take snapshots or memory of servers, it makes hacking easy.
Once you have a memory image, you’re not restricted by defensive security products and Windows security controls. You have free rein access to data. At the end of the day, that’s what an attacker/pentester is after. Data.
I’m amazed at how mature forensic tools have become. I can’t imagine how a lot of this would have been done 20-30 years ago. Now, it literally is just mounting an image, running some tools to get what you need. It’s great, and kudos to all the developers of forensic tools.
--> Next certification?
You cray! For now, I think it’s time to rest the brain. But keen to attack a CREST certification or the OSWP. Perhaps in 2019
--> n33dle
