I was lucky enough to take part in the SANS work study program this summer during the DFIR Summit to take the FOR585 Smartphone Forensic Analysis course. If you haven't applied for the work study program, I highly encourage you to, as you get to take a training course of your choosing for a steep discount (especially needed for SANS), as well as all the fine On-Demand resources including hard copies of the books, and an exam attempt. GIAC tests and their certifications are some of the most coveted in the DFIR industry and may be more difficult without taking the associated training, which is pretty much tailored to the certification test.
Index, Index, Index
Indexing is key to your success on the GIAC test. The course has 5 books, some featuring a mix of subjects and others solely focused on a specific operating system, iOS or Android. Check out the syllabus here.
Right when my books came (about a week before the start of training) I started digging into them. I used Google Docs/Sheets for taking these notes as I could add items as I came across them from multiple computers. SANS has now also started providing protected digital PDF copies of the books by default, so I could open them on an iPad or my laptop on the go. I started by writing down any bolded terms or artifact locations, as well as page headers. Having previously taken the FOR500 Windows Analysis course, I thought this would work well. In hindsight, the page headers were not as descriptive as I wanted, so my index definitely transformed a bit over the course of reading through the books.
My final breakdown of tabs resulted in the following (all items have book and page numbers included):
iOS Files - File names with paths, descriptions, and significant tables
Android Files - File names with paths, descriptions, and significant tables
Various Notes - anything else noteworthy such as ADB commands or malware types
Tools - different tools and use cases referenced in the books
For any major section I would tab the specific book with the section title using Post-It flags. I will say that I printed out most of the extra items that came out of the class, as well as information from the FOR585 poster. The SQLite commands and ADB commands came in handy for sure.
SANS Quizzes
With the On-Demand videos, each book section had a quiz. I cannot stress it enough: treat these more or less like you are actually taking them for an exam. It will help you learn the wording that the real exam uses (pretty close). The best part of the quizzes is that if you do get a question wrong, it will explain what the correct answer is and where in the book to look it over again. Before I went to take the final exam, I actually retook each book's quizzes a few times. The questions will be somewhat different each time you take them, so this is great for learning the information on the fly.
Practice Tests
You are given 2 practice exams as part of the SANS training package, so I was absolutely going to take advantage of them. Like the section quizzes, these are a great measure of how much studying or tweaking of notes you need to do. For the first practice test I took, I basically only had a rough index and didn't study at all. It showed, as I only scratched out a 71%. Since I still had another practice test and another month and a half before the actual exam, I spread it out a little bit before taking the second one. I thoroughly revamped my notes and my indexes to better suit how I felt the test questions would be asked. It worked out well, as on #2 I ended up getting a 91%.
Test Day: COVID Times
I contemplated scheduling my exam using the virtual proctor at home, but the requirements of only one monitor and a four-walled room with stable internet seemed too much of a risk. Luckily one of the local community colleges was open as a testing center. WEAR A MASK! I made sure to print out as many items as I could, as well as bringing my physical copies of the tabbed books. 75 questions and about an hour and a half later, I finished the test with a 96%!
Lessons Learned
I think if I were to take another training and exam again I wouldn't wait 5 months to take the certification exam. I did appreciate having the extra time as I navigated life through a pandemic, graduate school classes, a job change, and a house move (it was a busy summer). The key is to do what works for you. I really enjoyed referencing others' strategies for studying and preparing for the GIAC exams as I prepped for my own exam.
DFIR Diva - https://dfirdiva.com/gcfe-exam
Hacks for Pancakes - https://tisiphone.net/2015/08/18/giac-testing/
I'm looking forward to hopefully taking another SANS training course in 2021, with my eyes set on FOR498 or FOR518.