A SANS GCIH Guide to Pass the Exam

Logunt3r

Whoami.

I am a cybersecurity professional who has been working in this landscape for the past 6+ years, and I have worked with multiple tools, technologies and research. My journey from NOC engineer to SME Incident Responder was not that easy. But consistent learning and reading about the domains helped me a lot to uncover the tracks.

Convincing myself to take this exam was quite a roller-coaster: sometimes yes, sometimes no and sometimes maybe. Those were my friendly terms for almost a week. Later I decided to go with the course; my organisation only allowed me to get reimbursed for the certification cost, which is $999, and not the complete course. Even that was okay for me; at least a bit of help is also fine. Before SANS I was already holding some very decent certifications like SC-100, SC-200, AZ-500, PL-300, ECIH, CEHv11 and CTIA.

I have been working with tools like Kali Linux, PowerShell, the Linux command line, tcpdump, Wireshark, SMB shares, SOC tooling such as Microsoft Defender, XSOAR, Splunk, Phantom, KQL, SQLMap and msfconsole. There are a few technologies I have spent extra time on: SMB, hashcat and memory forensics [before my current role I had never performed anything related to forensics, and that caught my attention and made me want to learn more on this topic].

Why SANS GCIH.

Now this question depends from person to person. Some want to have just the certification and that's all, some look for learning and advancement, and for some it is an organisational requirement. One suggestion! I will share my story... [keeping it concise :)]. In 2018, when I graduated, I knew there were some SANS certifications which were considered the most complex and time-consuming, and that's the point where a boy decided to choose the toughest path [as you grow, you will understand that this is JUST THE START].

SANS is known for the quality of the education and learning it provides, and advancement using the labs helps to boost confidence. The second reason is that I wanted to learn some of the important concepts of forensics and other tools. The curiosity to learn actually helps me grow in this landscape.

Learning Methodology.

There are lots of articles that say do this, do that, each with its own methodology which works for its author and might work for everyone. Well, in my view the learning method depends from person to person.

Some want to be very theoretical, some very practical, and some are a mix of both worlds. But trust me, a few things will remain the same for everyone.

  1. Reading the learning material at least twice.

  2. Finding keywords.

  3. Creating an index.

How do you read? That also depends from person to person. But for SANS you will have to read the books word by word, because that will help you create a solid index.

We have AI tools like ChatGPT, Gemini and Claude that can help us. If you don't understand something, for example what hashcat is, use ChatGPT with a simple prompt: "You are a cybersecurity incident responder expert and you will simplify all complicated topics into simple explanations and easy-to-remember methods. The topic for you to explain is hashcat usage: how do we use it and how does it work?"

Although it will not give you SANS-level learning, you will not feel left out of the topic.

Finding keywords is a bit tricky, but for me as an experienced practitioner I know what hashcat and Metasploit are and how they work. For someone else they might be totally new, so they can make a note of each one with the page number.

Don't worry about the number of index pages [in general, not the SANS one]; I had 35 pages, so it is totally fine. You are free to write down all the keywords you are not aware of, and also the ones you are aware of, for a quick glance.

The index is the key to success. You might be the best technical guy, but if you don't answer with what is written in the SANS notes then you will not get the score. So be cautious while you create the index and revalidate it again. Also, highlight a few of the keywords if you can [it makes it easy to quickly look through every page during the exam].

Notes: if you want to take your notes {printed}, please write your notes as a quick summary so that you can review them when your exam is near. Whatever you have learned so far, try to correlate it with your work; in this way you will learn faster.

For example: you learned about memory forensics using Volatility and its respective plugins. Create your own lab if you can, and if your organisation or your friends work in forensics, ask for help. I totally understand that you might feel uncomfortable reaching out to others for these things, but trust me, do it once and people will remember you, because you will be asking a lot of questions and they will answer them, and the conversation starts with an interesting topic.

I am sure you will do your best on the objective questions, but the key player here is CyberLive.

CyberLive:

What is CyberLive? As per SANS, CyberLive is a set of practical questions that you need to perform during the 4-hour-long exam. There are 11 CyberLive questions, and each question depends on a topic like SMB, msfconsole, Volatility, Sysinternals, Autoruns or SQLMap.

I strongly recommend creating your own VM, or trying it out on a friend's system, and replicating the same scenario; the more you practice, the more confident you will be.

Time Management:

You will have to be very careful with each question. What I used for my exam:

  1. Read the question at least 2 times: the first time, just quickly glance at it and see if you can catch the keywords; the second time, read the question again and look at the index.

  2. Keywords identified: once the keywords are identified, look at the section and the highlighted keywords.

  3. Selecting the answer: most questions will be straightforward, but some might not be, and for those here is a simple hack: always keep in mind that we never proceed with any investigation or analysis without doing proper scoping. SCOPING IS THE KEY.

Conclusion:

There are a lot of articles that can explain the success of GCIH, how to create the index, etc., but before doing anything, ask yourself about your intention: whether you want the certificate, or a job, or are just meeting a requirement from your company, because that will decide your upcoming journey. And don't worry, I know that if you are reading this you will PASS!!

Also, I have a small YouTube channel, have a look: https://www.youtube.com/@LogSmith.IX01
I also upload some useful technical PDFs that every cybersecurity professional must have.

Open for any help: https://topmate.io/cyberbytecoach/

Thank you,

Shubham.
