SANS Index How To Guide with Pictures

I got some great advice recently on creating an index for SANS exams and I wanted to write a blog post to share it with others.

I took the SANS FOR 508 Computer Forensics course in 2008. It was way over my head but I had a great time and learned a ton. A few months ago I finally decided to go for my GCFA certification. I had four year old material from a course that had been completely revamped and no index. I passed the exam with a score in the 80s but it was a grueling experience. I had to rush on the last part of the exam and never felt comfortable.

A few months after my GCFA exam I got an opportunity to attend a SANS SEC 504 class. I really wanted to prepare for my GCIH exam the right way so while I was at the conference I asked several individuals how they prepared their index.

Most people told me that their indexes were 8-10 pages. A lot of these people had more SANS certs than I have friends so their methods obviously worked for them. My class had a teaching assistant (also SANS mentor) named Neal Bridges who gave me some slightly different advice. Neal said that he tells his students that a 10 page index is a recipe for failure unless you’re a super genius. A bit tongue in cheek? Probably, but I’m so far from being a super genius that I needed all the help I can get.

When I asked Neal how long he thought an index should be he replied “fifty pages” without blinking. I followed up with a question on how he formatted his indexes and he offered to have his wife bring one of his when she came into town the next day.

The next day he showed me a copy of his GSEC index and I was impressed. It was close to 50 pages and had been professionally bound at Kinkos. I promised myself that I would put together an index like that for my GCIH exam.

Putting together a comprehensive index proved to be an incredible time investment but as I was going book by book putting it together I was also learning.

I went through the course via On Demand from Ed Skoudis and in person from John Strand. Even after double exposure from two of the best instructors in the world that third exposure to the material (from the books) really helped solidify a few of the concepts. At first I thought that was weird but when you look at the sheer volume of information covered in the course it makes sense. Also, since a lot of the material was new to me my learning went from exposure to concepts to specifics.

I ended up getting a 94 on my GCIH exam which I was obviously thrilled with and I think the index (both preparation and usage) was a big reason why.

My index ended up being 31 pages I created plus a few pages I copied (IvP4 breakdown etc. type stuff) tacked onto the end in a “misc.” section. My created content was broken down into two big sections (main and tools) and two small sections (windows commands and Linux commands).

The main section consisted of both items and concepts. If something wasn’t a tool or a windows or Linux command, it went in this section.

The tools section is self-explanatory. Any tool mentioned in a book went in here. If they mention a functionality and then listed 7 tools, all 7 tools went into this section.

The windows commands and Linux commands are also self-explanatory. I listed the commands, a brief description and sometimes a command line example. Any examples I made bold.

Getting a quick look at someone else’s SANS index (even though it was for a different course) really helped me out so here are a few pictures of mine.


SANS index cover example


side of SANS GCIH index


GIAC index example


SANS tool index

Linux commands:

GSEC or GCIH index example

If you’ve taken a few GIAC tests and have had good results, then by all means keep doing what you’re doing. But if you have your first SANS/GIAC exam coming up and feel like you could use a little extra help, I would seriously consider taking the time to make a comprehensive index. You’ll be glad you did for many reasons.

NOTE: I am unable to provide copies of this index so please do not ask. This post is meant solely to help students who have never seen an in-depth index get a feel for how they could design one of their own.

60 thoughts on “SANS Index How To Guide with Pictures

  1. Thanks for the review and suggestive comments on preparing an index for GIAC certifications, preparing to take SEC505 in the upcoming week with a prepared index of around 40 pages. Will post back with any input I can following the challenge.

    • Good luck!! Let me know how you do!

      I’d love to hear your thoughts on the class as well. SEC 505 isn’t on the top of my to-do list but it is on there.

      The difference between having no index and 4 year old books to having current materials and a large index was night and day so I’m sure you’ll nail it.

  2. I´ll take a GCIH course just have a question, maybe a fool question in the columns you have one in each pictures called “Bk” what it means “Bk”.
    Thank you

    • Same basic strategy of going through every page of the books and creating an index of ever topic, ever tool etc. The tool index is huge as it turns any tools based questions into freebies.

      Some extra things:

      Remember that your index can include anything. Those cheat sheets from the SIFT kit belong, a page of common ports, a page of hex/binary/decimal etc.

      I like to complete my index and print a rough draft before I take a practice test. I take that test just like I would the real one and usually add a decent amount to my index after that. It will also likely point out a few areas that could use some extra work.

      Make the index changes, do the extra study and then take test #2. Same post test process but you probably won’t have a ton to add. At that point you should feel good.

      Every SANS class I’ve ever taken has 100% rewarded the hours I spent studying and making a detailed index. Time consuming but it will make your test day a lot more enjoyable 🙂

      Good luck!!!!

        • When I took my GCFA my books were four years out of date so I took in my course books, some cheat sheets (log2timeline etc.), Carrier’s book and two of Harlan’s books.

          They won’t hurt to take in but recent course books combined with a detailed index should be more than sufficient.

          I’ve also started sticking a few cheat sheets onto the end of all my indexes. Common ports, a dec-binary-hex conversion chart etc. All stuff you would normally be fine without but after taking the GSEC, CISSP and GISP in a two-three month period my brain now fries early in the test process 🙂

  3. Of course. At this point between working full time and trying to get a cert a month I don’t have much time for original research so the biggest way I can contribute is trying to help others pick the course that’s best for them and properly prepare for those tests.

  4. Pingback: GCIH to take

    • Every index I’ve created for a SANS/GIAC exam has had a “tool” section and it has always been worthwhile. Any tool related questions are usually quick and easy with a solid index.

  5. Pingback: GCIH - Am I ready?

  6. I did this exact same thing for my 504 class! I ended up with close to 28-30 pages, but I know I missed quiet a bit of the tools that were discussed in it since that was brought to my attention 2 weeks before my exam that I should do it.

    The index REALLY helped a ton and if I second guessed a question I was able to quickly find the material/detail I needed to find the right answer. This being my first GIAC exam I would highly recommend doing this for ALL exams and plan to going forward.

    • Congrats on getting your GCIH Sam!

      A large index can be time consuming but is an awfully nice security blanket come test day 🙂 Do you know what course you’ll be taking next?

  7. Pingback: How big was your index?

  8. Pingback: Passed GCIH

  9. Thanks for the tips. I’m working on my SANS 401 index while going back and reviewing the material and I thought my index was going to end up way to big and detailed and be rendered useless but it sounds like I’m on the right track!

  10. Pingback: Gcih - sans 504

  11. Pingback: Starting the GSEC - First SANS Course

  12. If you need a 50 page index for a course like this then you’re doing something wrong, like maybe not reading the books before hand. This is a basic IT course, nothing special or complicated, just lots of it. You need to get familiar with the books by reading them, then create a basic index, oh and good luck.

    • I 100% agree about needing to read the books and understand them in conjunction with an index. An index can’t be a crutch for not understanding the material, just a quick reference for verification. I don’t think it would be possible to complete an exam if you were looking up each question. My recent indexes have been 8-12 pages of indexed book content then some extras (common ports, tool cheat sheets etc).

      When I’m going through books I think of of a guy I know who is kinda tech savvy but not an infosec guy at all. I ask myself “Could I explain this to him?”. If the answer is no then I need to get myself to the point where I could before I move on.

      On the basic it course part, basic to one person may very well be advanced to the person sitting next to them 🙂 I know things that would seem basic now would have looked like a foreign language when I started down this road two years ago.

  13. This is very helpful, Thank you for your time to craft this article. Wish i could upvote or like 🙂 I have 40 days to go for GCFA and have lot of things to do, Do you index using excel directly or use paper pen then turn it into digital ??

    • Thank you for the kind words. I’m glad you found it helpful 🙂

      I go straight into excel and type in any entries as I go through each book page by page and ask myself if I understand the concept good enough to explain it to someone else. It can be a slow process but a worthwhile one.

      The GCFA is a tough exam and one I’ve very proud to have passed. Good luck!!!

    • I don’t distribute them because (in addition to the you’re far better off creating your own factor) the material is constantly being revised so they would be out of date. It would take longer to modify than it would to make one from scratch. Those exams are costly to take and I would never want anyone using out of date materials that I provided as a guide.

      All that said I usually get at least one message a week from someone telling me that my example and explanation really helped them with theirs and that is exactly what I was going for.

  14. Matt,
    Your indexing method i really great!! Thanks
    Can you suggest some books in market or other resources for GCFA. SANS course I cant afford 🙁


    • No one book will cover the entire course but there are some great books out there.

      Harlan Carvey’s books on Windows operating systems and the new “Art of Memory Forensics” book by the Volatility devs are must owns.

      I haven’t had a chance to read “Network Forensics: Tracking Hackers through Cyberspace” yet but I’ve heard good things from people who do that style of work daily.

  15. Thanks for you tips Matt. Just passed GCFA with a nice 85%, never went below 73% but that was still a stressful test.

    The main thing is really to keep cool during the whole exam, and manage your time. I was at 93% after 15 questions but had only answered 20 after 1 hour. Thus I had to give it a boost. Fortunately, the second part of the exam was more practical-oriented and thus I could answer a fair amount of questions without having a single glance at books/cheatsheets.

    Second thing is : have your index (SANS FOR508 books). Index length is up to you. The right length is the one with which you feel comfortable. My books index was 4 pages (220 items, makes more sense), Tools index was 3 pages (115 items). At some times I ended up answering some questions without checking the Index, I actually knew where the stuff was located. The most important book to know/index precisely is the 4/5 from SANS FOR508 in my opinion. Make 2 or 3 passes on each book, highlight some stuff etc…

    Third thing is : have the SANS cheatsheets ! Gives quick confirmation whenever you have a doubt about a command, tool, plugin… Create your own additionnal cheatsheets if it can help.

    Final thoughts : that exam would have been a total nightmare without the FOR508 training materials. Still doable, but with 3 or 4 times the amount of work required with the SANS books.

    Always keep in mind you are required to give the correct/most correct answer, not the smartest-in-your-opinion one. You will often have questions where the correct answer appears as the dumbest/too-simple-to-be-correct one. In such cases forget you are a technical person, just think framework-process-theory. Practice assessments are really nice to grasp this philosophy.

    • Congrats on the pass!!! That’s a really tough test and you should be proud. Great advice too.

      You’re last paragraph made me chuckle. Conrad and Cole talk about that a lot in the SANS CISSP prep course. I’ve never had an issue with that on the SANS test but that was huge for me with the CISSP since sometimes I disagreed with all four options.

  16. Pingback: GIAC Index's

  17. Thank you for sharing your tips! I created indexes for 408 and 508 that were 17 and 21 pages long. I passed both, but wish I had scored higher. Hopefully with this advice, I can boost my scores on future exams. I found that creating the indexes was an important part of the learning process. Can you provide any advice on studying for the CISSP?

    • The CISSP is definitely a different beast than a GIAC exam. The best advice I ever heard was from Eric Cole. He said that whatever course/book you’re going to use to study (I used the SANS 414 and Eric Conrad’s book) go through that then instead of spending time studying other resources start doing as many practice exams as you can.

      One of the most important parts of preparing for the CISSP is preparing for the types of questions that they ask and putting yourself into the necessary mindset to pick the “best” answer. Sometimes you won’t like any of your options but you still need to identify the one that the test is looking for.

      I had practice tests in the SANS course, practice tests in Conrad’s book, signed up for the cccure practice tests and bought the exam cram practice test book (not their study guide). By going through all of these practice exams not only will you get a feel for the types of questions which will be asked but since they’re broken down by category it will help you identify which domains you should spend additional time studying.

  18. Pingback: Better GIAC Testing with Pancakes | Hacks4Pancakes'

  19. I am a infosec professional, instructor, writer, sans mentor. I have worked closely with several GSEs, and have established relationships with several sans course authors. Everyone else I work with has at least 3 GIAC certs. I currently am a GSEC, GCFA, GPEN, GSNA, GCIA, GCIH, GCWN, GCCC, CISSP.

    I am responsible for getting students through a very intensive that includes 3-5 GIAC certs in about 6-10weeks. 2 weeks a cert. Everyone is screened, selected for my program.

    When someone fails, they always say they ran out of time. I disagree. They often use a large keyword index to “brute force” the test. This means that they don’t understand the concepts, and look up keywords only to run out of time. How many places do you find nmap in a sans course?

    I recommend a short table of contents index, in book order, that outlines each concept. GCIH already breaks it down. I also recommend a short tools index, took cheat sheets, misc for quick wins on answers. These index don’t take much time. If available, get a keyword index, or create one with details as a study tool.

    I recommend doing a self assessment on each concept. Then taking a practice test, not for a score, but to validate understanding of the concepts, and the ability find the details with the index.

    During testing, I recommend:
    1. If you know the answer, answer it
    2. If it is something that can be found in a cheat sheet, you have a qw
    3. If you understand the concept, find the detail with concept index.
    4. If you don’t understand the question, keyboard index time, hail Mary, brute force

    This is all to focus,and save valuable time in a test.

    • Rob —

      Great points! People don’t believe you but honestly the process of creating a good index is as important as having the index. That’s why just grabbing one from someone else won’t help much.

      I also agree that understanding the material is key. I have a technically savvy friend who isn’t into infosec. When I hit a topic while making my index I always ask myself “could I explain this topic to him?”. That helps me gauge how much time I need to spend studying that or if I can move onto the next topic.

  20. Agreed with the sentiment about learning the material rather than trying to ‘brute force’ the exam.

    I’ve used Chris Crowley’s script for generating an index for several of them and found it helpful. Indexing is definitely a skill that needs to be practiced a few times other wise you will be creating something pretty useless.


    • Agree 100%. You need to understand the material and concepts.

      I’ve talked with Chris about his script before. I love the side benefit of having it index things across multiple courses. Good GSE prep.

  21. Pingback: GSEC Exam

  22. thank you very much for your tips and help. I am a CISSP, still valid, but left the technical field a few years back. Have to sit the GSEC now (401) – your tips will come very useful, thank you again!

  23. Pingback: Has anyone taken GMON exam yet?

  24. Hello,
    I have just registered for the SEC511 course, which I would like to take also the GMON certification exam for it. Do the instructor provide you with specific books to study for the certification during the course or you need to look for the material yourself? Also, the GMON is a new certification, thus I have not heard how difficult it is from anyone yet. Do you know where I can find samples of this test to get used to the type of questions of the real exam? Thanks in advance,

    • Your allowed to bring any printed material you wish into the exam but the exam questions will be based off content in the course ware books so those will be the one’s that you’ll want to reference an overwhelming majority of the time. I rarely take anything other than the courseware books.

      I don’t know anybody who’s taken the GMON yet but when you register for an exam you’ll receive two practice exams which in my experience have been by far the best indicators of what type of questions the exam has. I always use practice exam questions to help me refine my index.

    • I have taken the course and got the cert. I only used the books from the SEC511 course. Seth did create a basic index which was made available to the class. After extensive formatting, i used this as the basis for my test index. Quite frankly, i probably spent as much time editing the index than i would have if i created from scratch. And as mentioned, with the certification attempt, you’ll receive two practice tests to gauge your readiness for the real thing.

  25. Pingback: Passed GSEC 401, have an extra practice exam if anyone wants it

  26. Great guide, Matt.

    I’ll be taking the GCIH soon and need to prepare an index. I know how I want to approach organization, but I have a question regarding how you physically assembled it. Did you print out every page yourself, provide the tabbed dividers, and bring all of the loose sheets to Kinko’s just for binding? Or did they print and index everything according to a specification you sent over?

    I’m kind of sloppy and would not want to attempt to three-hole punch everything and place into a binder, so a binding from a print shop would probably be best and look better. Thanks!

    • Thank you for the kind words!

      I print everything myself (from excel), print the coversheet using powerpoint and then take it to kinkos where they slap a plastic cover on it and bind it. No 3 hole punch needed!!! They wouldn’t look nearly as nice if I tried to bind it myself 🙂

      Also, remember you can print up cheat sheets like common ports or anything else and tack them onto the back of your index too.

      Good luck and good studies!

  27. I just take five different colored index cards, fold them in half, and make an index per book. I’ve passed every single GIAC cert I’ve taken.

  28. Pingback: SEC511 - GMON - Prep

  29. Pingback: Looking for Index Building Tips

  30. Thanks for this post Matt. I just got home from the 408 course down in VA Beach. Great class!! SANS now gives students the exam index at the back of book #5. It isn’t what I would consider “complete” but it is a great starting point. I am still using your example to rewrite the one SANS provided.

    Good luck all!!

  31. Pingback: GCIH – GIAC Certified Incident Handler – Netlock Security

  32. Passed through GCFE at 90% with training books from 2014. Your blog helped me a lot. Thank you very much for posting your ideas. My index was around 8 pages + I made my own reduced materials … a “book” with most important parts from original book (100 pages). With this I went through materials around 3 times and I was able to quickly go through everything very fast just because of “my book”. In the end I was very familiar with what is where in which book.

    Anyway, your post helped me a lot, thank you once again.

  33. Excellent post and thank you for taking the time. Had a question on commands and tools section. I’m having a hard time deciding what goes where. For instance netcat is a tool, but also a command. Seems like it would go both places, but would be a bit redundant. How did you handle that sort of thing?

Leave a Reply

Your email address will not be published. Required fields are marked *