Saturday, May 22, 2010


As a follow-up to my previous post about the Guidance Software purchase of Tableau, I saw that Tableau’s Robert Botchek announced on one of the digital forensic email lists that Guidance is going to remove the Tableau requirement for TIM. This means that TIM will work with write blockers other than Tableau. This is an amazing bit of news for all of us and especially those of us who have been in the industry for a while. Great job, Guidance!

So I passed the GCFA exam this week with a 92.67% score. I’m positive that I lost some key data from my past such as my old high school locker combination, past phone numbers and the like since more than a few brain cells died in the attempt. I completed the SEC508 course that is the basis for the GCFA test via the SANS OnDemand method and I’ll post a detailed review of that course and the SEC408 OnDemand course in the near future. In the meantime, Joe Garcia of Cyber Crime 101 has posted his audio review of his SEC408 experience with the mighty Mike Murr. As a teaser, Joe announces some exciting news about the future of the SEC408 course. I won’t steal his thunder here so you’ll have to give it a listen.

It’s not that the GCFA test is unreasonably difficult, but I had set a goal for myself to get a score over 90%. That means I could only miss 15 questions in a 150-question test that covers some pretty complicated material and has to be completed in 240 minutes. Proper pre-test preparation is a must because if you don’t have a strong foundation in the material, all of the books, notes and whatnot that you bring into the test facility aren’t going to save you. You just don’t have time to teach yourself new concepts on the fly. Thus, if you take the SEC508 material seriously when it’s presented to you through whatever format you choose from SANS, do a decent job with the practice tests and practice good test-taking skills (including creating a proper index), you’ll have an excellent chance of passing the test.

SANS provides you with two practice tests as part of your GIAC attempt. You can purchase additional tests for $99. The impression that I get is that the practice test question bank provides enough unique questions for roughly one and a half practice tests. Therefore, the score you get on your first practice test is going to be the best indicator of how well you can expect to do on the real test. Subsequent practice tests will result in higher scores because of repeat questions. My first practice test score was 88%, my second score was 96.67% and my third score was 98%. Based on my first and second scores, I was reasonably certain my final test score would fall somewhere in between and it did. Why did I purchase a third practice test? Because SANS allows you to take their tests through an open book method, you can bring your SANS course material into the test with you. The rub is that you need to be able to locate specific subject matter areas quickly if you are going to research the answer to a particular question. The best way to do this is to create a proper index. The methods vary, but one of the ways to ensure your best performance on a GIAC test is to make sure that you are comfortable with your index. The reason I took the third test is because I wanted one last test where I would concentrate on training myself to use my index.

Another thing that I strongly recommend is to look up answers in the cases when you are uncertain of the answer.  The mistake I made during my first practice test was to answer some questions based on the thought that “it’s probably this answer”.  Probably isn’t a good standard to use for GIAC tests because it means you’re going to guess wrong in some circumstances.  If you know the material well and you have a good index, you should have time to look up those “probably” answers and turn them into “certainly” answers. Also, don’t be afraid to skip questions.  The test engine allows you to skip five and I used all of my skips for questions that I knew would require some extra reading and pondering.

I’ll be heading out to CEIC tomorrow and I’m looking forward to giving my presentation on Adobe Flash Cookies and meeting new people as well as people I normally just get to communicate with in the virtual world. One of the reasons I like going to these conferences is that I can finally meet in person those who I have only communicated with through email, Twitter, etc. They’re a very useful way to keep up on industry trends, tools and techniques. It’s very powerful having so much knowledge from the community under one roof for a short amount of time.

It’s also a moral imperative that I get a Bacon N’ Egg burger at LBS.  I admit it.  I think with my stomach.  If you actually read this blog and you see me at CEIC, I’d like to know your thoughts on what you think of the blog so far.


  1. Your blog is being read in Saudi Arabia!!! I think it is outstanding and quite informative. Great job!


  2. The blog is good. You've addressed the Kindle, which was a good niche piece, and you've got the Flash stuff brewing.

    I'll admit though, I'm not sure what the "TIM" reference is as it relates to Tableau - could you explain?

  3. Thanks for the kind words, Fred and Crosser.

    I have added a link to the TIM program in the original blog post so you can check it out. TIM is Tableau's imaging software that can achieve some pretty fantastic speeds when you use it with a Tableau write blocking product.

  4. Thanks for the information, ericjhuber. :)

    I'm preparing for the GCFA exam. As I purchased the practice test, I just wanted to know whether the questions that are in the practice test are similar to the questions coming in the exam.

    I'm so worried about the exam, as it's a very big amount we need to effort.

    Please mail me.


  5. Ray,

    Unfortunately, there isn't much more I can do to help than what I've already posted in this blog post.

    How did you do on the practice test?

  6. Thanks for the good advice, I am gearing up to write the test in November. A bit nervous, but I have spent lots of time preparing (and learned tons!)