SANS Index How To Guide with Pictures
I got some great advice recently on creating an index for SANS exams and I wanted to write a blog post to share it with others.
I took the SANS FOR 508 Computer Forensics course in 2008. It was way over my head but I had a great time and learned a ton. A few months ago I finally decided to go for my GCFA certification. I had four year old material from a course that had been completely revamped and no index. I passed the exam with a score in the 80s but it was a grueling experience. I had to rush on the last part of the exam and never felt comfortable.
A few months after my GCFA exam I got an opportunity to attend a SANS SEC 504 class. I really wanted to prepare for my GCIH exam the right way so while I was at the conference I asked several individuals how they prepared their index.
Most people told me that their indexes were 8-10 pages. A lot of these people had more SANS certs than I have friends so their methods obviously worked for them. My class had a teaching assistant (also SANS mentor) named Neal Bridges who gave me some slightly different advice. Neal said that he tells his students that a 10 page index is a recipe for failure unless you’re a super genius. A bit tongue in cheek? Probably, but I’m so far from being a super genius that I needed all the help I can get.
When I asked Neal how long he thought an index should be he replied “fifty pages” without blinking. I followed up with a question on how he formatted his indexes and he offered to have his wife bring one of his when she came into town the next day.
The next day he showed me a copy of his GSEC index and I was impressed. It was close to 50 pages and had been professionally bound at Kinkos. I promised myself that I would put together an index like that for my GCIH exam.
Putting together a comprehensive index proved to be an incredible time investment but as I was going book by book putting it together I was also learning.
I went through the course via On Demand from Ed Skoudis and in person from John Strand. Even after double exposure from two of the best instructors in the world that third exposure to the material (from the books) really helped solidify a few of the concepts. At first I thought that was weird but when you look at the sheer volume of information covered in the course it makes sense. Also, since a lot of the material was new to me my learning went from exposure to concepts to specifics.
I ended up getting a 94 on my GCIH exam which I was obviously thrilled with and I think the index (both preparation and usage) was a big reason why.
My index ended up being 31 pages I created plus a few pages I copied (IvP4 breakdown etc. type stuff) tacked onto the end in a “misc.” section. My created content was broken down into two big sections (main and tools) and two small sections (windows commands and Linux commands).
The main section consisted of both items and concepts. If something wasn’t a tool or a windows or Linux command, it went in this section.
The tools section is self-explanatory. Any tool mentioned in a book went in here. If they mention a functionality and then listed 7 tools, all 7 tools went into this section.
The windows commands and Linux commands are also self-explanatory. I listed the commands, a brief description and sometimes a command line example. Any examples I made bold.
Getting a quick look at someone else’s SANS index (even though it was for a different course) really helped me out so here are a few pictures of mine.
If you’ve taken a few GIAC tests and have had good results, then by all means keep doing what you’re doing. But if you have your first SANS/GIAC exam coming up and feel like you could use a little extra help, I would seriously consider taking the time to make a comprehensive index. You’ll be glad you did for many reasons.
NOTE: I am unable to provide copies of this index so please do not ask. This post is meant solely to help students who have never seen an in-depth index get a feel for how they could design one of their own.