- Read all the words on the page and not just the slide
- Highlight important parts: Definitions, Commands, Keywords, Anything you don’t understand and relevant facts
- Watch the section
- Add that section to your index
- Page number of <keyword> in depth
- <keyword> + definition
- <keyword> + full command line
Read the slide. Read all the words. Read the slide again.
There is definitely a lot more information on the page than in the video. Some questions can only be answered from reading. This is important because even if you don’t understand exactly what the sentence is saying, reading it will help your brain make sense of it when you encounter it again. If Chad Tilbury doesn’t explain that portion in his video then you can then do some research. Sometimes when the page was too long, I would read just a portion, watch the video and then continue where I left off.
Watching the section is mostly Chad talking about real world experience and how the section applies to being a responder. You will not be able to answer all the questions by watching his videos and listening to him. How watching videos help is by cementing what you just read and how it applies to the actual job
Read these articles and the articles they link to help make an index system that works for you.
I used the DFIR Diva’s method of index which is a mix of a couple different methods in itself. It is composed of: color coating, highlighting, and index+description.
Each book cover gets it’s own color. I won’t continue doing this for future exams because when I went through my index to find a keyword I wouldn’t even look at the colors. I just used the page numbers to flip through the book. Then, each section gets a colored tab in the order of ROY G BIV. I will continue to do this because it’s good to have a tab for each section of the book.
Use two colors to highlight the page so that you can distinguish between different sections. Like if one sentence is a definition and the following sentence is how it helps — having two colors will make it easy to see different ideas.
My index has 3 columns
- Page #
I will be more strict with this as I think I had too much unnecessary info. Also be conscious that the last book actually has an index of a lot of keywords if your index doesn’t give you what you need.
Extra Resources to Print
- Red Poster
- Blue Poster
- SANS Sift Workstation Cheatsheet
- SANS Memory Forensic Cheatsheet
Redo All of the Exercises
This is a good exercise to get you familiar with the command line and feel comfortable with them, which will help you throughout the multiple choice questions and “hand written” questions.
Practice Exams Wrong Question Review
Since this is just the practice exam, I used OBS to record my screen while taking the practice exam. THIS IS NOT ALLOWED BY SANS. DO NOT SHARE WITH OTHERS.
Will go through the recordings and review the questions I got wrong.
I passed the exam with a 74%.
I didn’t answer 4 questions in time. So those 4 are automatically wrong, it’s better to guess on questions.
Throughout the exam I kept dividing the minutes left by the # of questions to see how much time I could spend on a question (time in minutes / # of questions left = minutes/question).
Some advice for the next SANS exam:
- 30 min left, skip questions if they’re gonna take longer than 1 min
- When you get to the prac app questions, skip so you can go through the reg questions again
- Skip prac app questions if you have to look up the command in the book otherwise go through them one at a time
- When you have 30 sec left per hands on keyboard question, guess an answer. Guessing for a correct answer is better than leaving it unanswered