How to Build a High-Impact GCIH Index: Open-Book Exam Strategy for GIAC Certification Success
This comprehensive guide walks you step-by-step through building a powerful, exam-ready index for the GIAC GCIH certification. Learn how to structure, format, and refine your index for maximum speed and accuracy in the 4-hour open-book exam—plus tips on keyword selection, command indexing, and practice exam integration. Ideal for cybersecurity professionals aiming to boost confidence, cut lookup time, and pass the GCIH on the first try.
Intro: Why GCIH Indexing Matters
Preparing for the GIAC Certified Incident Handler (GCIH) exam isn’t just about knowing the content – it’s about quickly finding the right information when under pressure. The GCIH is a 4-hour, 106-question, proctored open-book exam, which means you’re allowed to bring printed course books, notes, and your personal index. But “open-book” only helps if you can instantly locate answers. With over a thousand pages of SANS course material, flipping aimlessly through books can burn precious minutes. This is where a well-crafted index becomes your secret weapon: it serves as your custom roadmap to every key concept, tool, and tactic in the course.
Indexing matters because GCIH questions often require recalling specific details – a command switch, an event ID, a step in the incident handling process – under strict time constraints. A strong index cuts search time, calms nerves, and lets you focus on understanding the question rather than hunting for where that topic is covered. Equally important, building your index is an excellent study exercise in itself. By extracting and organizing information for your index, you’ll reinforce your learning, spot knowledge gaps, and deepen your understanding of the material. In short, an index is both a study tool and an exam-day performance booster. It turns the open-book format into an advantage, provided you invest the effort to create an index that’s tailored to how you think and remember information.
Understand the GCIH Blueprint First
Before you even start indexing, take time to familiarize yourself with the GCIH exam blueprint – the core domains and objectives the exam will cover. Understanding the “big buckets” of content helps you align your index with what matters most. The GCIH objectives can be grouped into several major areas, for example:
· Attacking Passwords: Covers password attack techniques (e.g. brute-force, password spraying, dictionary attacks, cracking hashed passwords) and likely tools used for these attacks. Expect content on recognizing password weaknesses and countermeasures.
· Detecting Evasion & Post-Exploitation: Focuses on how attackers hide their presence or maintain persistence after gaining access. This includes stealth techniques, rootkits, anti-forensics, and methods to detect an intruder who’s already in the system (for example, spotting persistent backdoors or unusual scheduled tasks).
· Incident Handling Process: Emphasizes the steps of incident response (think PICERL: Preparation, Identification, Containment, Eradication, Recovery, Lessons Learned). You should know the phases cold. This domain is typically in the foundational course material, outlining how to manage incidents from start to finish.
· Network Scanning/Mapping: Involves discovery of networks and hosts (using tools like Nmap), port scanning, OS fingerprinting, and vulnerability scanning. Likely tied to content on network reconnaissance and mapping out targets, as well as how to detect or defend against scans.
· Web & API Attacks: Covers common web application exploits (SQL injection, XSS, file inclusion, etc.) and API abuse techniques. Also includes understanding insecure web app references and how to identify/defend against these attacks. This might map to a web security module in the course.
· SMB Security: Focuses on Windows SMB protocol vulnerabilities and misuse. Topics include discovering open SMB shares, pass-the-hash attacks via SMB, NTLM relay, and how to secure or harden SMB services (like enabling SMB signing).
· Cloud Credential/Data Security: Introduces cloud-specific threats, such as stolen cloud access keys, insecure storage (e.g. misconfigured S3 buckets), and defending credentials and data in cloud environments. It ties traditional incident response knowledge to cloud platforms (AWS, Azure) – for example, detection of compromised cloud credentials or responding to cloud breaches.
Each of these objective areas usually corresponds to specific SANS course books or modules. For instance, one book might cover network scanning and enumeration, while another covers web attacks, and so on. By outlining the objectives up front, you create a mental map of the content. This helps you later decide how to organize your index – possibly having sections or tabs that mirror these domains. It also ensures you don’t overlook any major topic: your index should have entries spanning all these core areas. In short, know the blueprint first, so your index scaffolding aligns with what the exam will actually test.
Plan Your Indexing Workflow
Indexing for GCIH isn’t a one-and-done task – it’s a multi-phase process that you should integrate into your study plan. In fact, you’ll want to schedule dedicated indexing sessions just like you schedule study or practice exam sessions. A well-planned workflow will make your index more comprehensive and save you time in the long run. Here’s a recommended three-pass indexing workflow:
Pass 1 – Scaffold: Begin indexing after your first full pass through the course. Once you’ve attended the SANS training or read through all the books once, start your index. In this first pass, don’t try to capture every detail. Focus on building a scaffold or outline of the major topics and chapters. Go book by book and note the big themes and headings that correspond to the GCIH objectives (from the blueprint you just reviewed). Think of this as laying down the foundation: you might record broad keywords like “Incident Response process – p.123” or “SQL Injection overview – p.78”. This pass helps you become familiar with where high-level topics are located. It’s also a good time to mark your books with sticky notes or highlights for each section, which will help later. Tip: Some people like to jot down these broad topics in a separate “summary index” first – a high-level index that will later be expanded.
Pass 2 – Detailed Extraction: Next, do a deep dive through the material to fill in your index with detail. This will likely be the most time-consuming step (don’t be surprised if it takes many hours – plan accordingly). Go through each book page by page (or section by section) and extract specific, exam-relevant keywords with their page numbers. Aim to pull out about 3–6 key terms or concepts from each section or subsection that you could imagine being the target of an exam question. For example, if a section covers Nmap scanning, you might index entries for “nmap -sS (TCP SYN scan) – Book 2 p.45” or “Service version scan (nmap -sV) – p.47”. If a chapter discusses password cracking tools, index the tools (like “John the Ripper – p.10”) as well as techniques (“Rainbow tables – p.12”). Essentially, in Pass 2 you’re populating your index with the meat of the content: tools, commands, techniques, processes, artifacts, etc. Don’t forget to include any important definitions (e.g. terms like “buffer overflow”, “SQL injection”) and any names of attacks or malware called out in the course. This pass will result in a much longer index – possibly hundreds of entries. It’s normal for a good GCIH index to span dozens of pages once complete. Schedule these extraction sessions in manageable chunks (maybe one module or one chapter at a time) so you don’t burn out. Remember, consistency is key – try to use the same formatting and approach across all books.
Pass 3 – Refinement (Practice-Test Driven): After you have a solid draft index from Pass 2, begin incorporating practice exam feedback. This means as you start taking practice questions and exams, note any time you hesitate or struggle to find something in your index. Each practice question you miss or spend too long on is gold for improving your index. Maybe the question used a synonym you didn’t index, or referred to a concept obliquely that you didn’t include. After each practice test or quiz, update your index immediately: add missing keywords, add cross-references, clarify notes, and even mark entries that you realize are especially important. For example, if a practice question said “authentication tokens” and you realize your index only had “cookies” (a related concept) listed, you’d add an entry for “Authentication Tokens – see Cookies (session management) – Book 4 p.77”. This refinement phase makes your index tighter and more attuned to how questions are asked. It’s also a good point to trim any excess – if during practice you never used certain entries or you find some entries are too trivial, you might simplify or remove them so they don’t distract you on exam day. By planning for multiple passes (scaffolding, detailed indexing, then practice-driven tweaks), you treat indexing as an iterative process. Don’t wait until the week of the exam to start your index – begin early, and revisit it often. Treat your indexing sessions as important study appointments. This approach not only yields a high-performance index, but it continuously reinforces your learning each time you refine it.
Tip: You can intermix indexing with active study techniques. For instance, after indexing a particular domain (say “Web & API Attacks”), do a quick Domain Practice session of questions on that topic to test your knowledge and the effectiveness of your new index entries. This can highlight if you missed any key terms in that domain before you move on.
Choose Format, Tools, and Layout
One of the first practical decisions is what format and tools to use for your index. While some old-school folks handwrite their index on paper, using a spreadsheet (like Microsoft Excel or Google Sheets) is overwhelmingly recommended for a GIAC exam index. Spreadsheets offer the flexibility to sort, search, and reorganize your index easily as it grows. They also help enforce a clean structure so your entries are uniform. Here are some guidelines on format and layout:
· Use Clear Columns: Set up columns that capture all the info you’ll need under pressure. A tried-and-true column setup is: Book, Page, Keyword 1, Keyword 2, Keyword 3, and Notes/Context. In practice, this might look like:
Book (or source) – which book/module the info is in (e.g. Book 3 or Module 5).
Page – the exact page number where the content is found.
Keyword 1 – the primary term or concept you’d look for (e.g. “Pass-the-Hash”).
Keyword 2 – an alternate keyword or related term (e.g. “NTLM relay” if that’s discussed in the same section).
Keyword 3 – a second alternate or another related term. (You might not always use all three keyword fields, but having them encourages capturing synonyms or closely linked ideas together.)
Notes/Context – a short note to yourself about what’s on that page, or a brief definition or reminder. For example, “Pass-the-Hash – uses stolen NTLM hash to authenticate, tool: Mimikatz”.
· One Tab per Book: If your course has multiple books or PDFs, consider using separate tabs (worksheets) in your spreadsheet, one for each book or module. This keeps the index for each volume manageable and lets you filter or sort within a specific book when you’re studying. For example, you might have tabs named “Book1-Intro”, “Book2-Network”, “Book3-Web”, etc. On exam day, however, you’ll likely print the combined index sorted alphabetically (more on that later), but organizing by book during creation helps ensure you systematically index each source without skipping around.
· Sort Alphabetically: Plan to maintain your master index in A–Z order by keyword. This is crucial for quick lookup under stress. Spreadsheets make it easy to sort your entries alphabetically by the keyword column. If you’ve used multiple keyword columns, you might sort primarily by Keyword 1. The goal is that on exam day, if you think “SQL injection,” you flip to the “S” section of your printed index and find “SQL injection” immediately. Alphabetical order is faster to scan than, say, grouping by book or by objective, especially when you’re not sure which domain a question falls under. Tip: While building the index, if you prefer, you can keep entries grouped by book/topic and then do a final alphabetical sort at the end. Just ensure that when you print, it’s A–Z.
· Consider Topical Sections (Optional): In addition to the main alphabetical index, some people create topical quick-reference sheets or special index tabs for certain data that spans across books. For GCIH, you might consider separate mini-indexes or reference lists for things like “Common Windows Event IDs”, “Linux Commands”, “Well-known Ports”, or “Tools & Cheat Sheet Commands”. For example, having all the port numbers (and associated protocols/services) on one page can be handy if a question asks “which service uses TCP port 445?” and you can just glance at your ports sheet. Or if you want a single list of all the tools covered and their primary purpose, a Tools tab could be useful. These are optional add-ons – the core of your index will still be the main alphabetical list. If you do make topical tabs, be sure to cross-reference them from your main index. For instance, your main index entry for “Event ID 4624” might say “Event ID 4624 – Successful logon (see Windows Event IDs cheat sheet)”. This way, during the exam you know that detailed lists exist and you can flip to them quickly if needed.
· Digital Tools for Creation: Use the features of your spreadsheet software to your advantage. As you build the index, the Find function (Ctrl+F) can help you avoid duplicate entries or spot if you already indexed a term. However, remember that during the exam you won’t have digital search – you’ll be relying on the printed index with your eyes. So design the layout to be easy on the eyes (plenty of white space, clear columns, large enough font when printed). Some people even use coloring or highlighting in the spreadsheet (and print in color) to delineate different types of content:
· For example, you could shade tool names in blue, attack techniques in red, defensive controls in green, etc. This kind of color-coding, if done consistently, can make scanning quicker (“Oh, that’s a tool, I marked tools in blue, so let me scan for blue entries under ‘M’ for Mimikatz.”). If you use color coding, include a tiny legend on your index to remind yourself what the colors mean.
· Even without color, you might use bold or italics selectively in the notes to make key words stand out. Just be careful not to make the page too busy or it can have the opposite effect.
· Consistency in Format: Decide early on how you will format things like book names, page numbers, abbreviations, etc., and stick to it. For instance, you might label pages as “p.123” or just “123” – whichever you choose, use it throughout so it’s uniform. If your books have their own numbering or codes (sometimes SANS books are labeled by day or have codes like 504.1, 504.2 for book 1, 2, etc.), include those identifiers so there’s no confusion about which book the page number refers to. Consistency will make your index look professional and prevent confusion when you’re in a hurry.
Overall, using a spreadsheet with a clear column layout and thoughtful organization will set you up for success. It makes the building process efficient and results in an index that’s logical to navigate. You’ll thank yourself on exam day that you took the time to format it well.
Design an Index Schema That’s Fast Under Stress
The GCIH exam is a high-pressure situation – you’ll be juggling complex scenario questions and a running clock. Your index schema (structure) needs to be optimized for fast retrieval under stress. Designing the index for usability is just as important as what content goes into it. Here are key design principles to ensure your index is an asset and not a hindrance on exam day:
· Book and Page References Must Be Obvious: On each index entry, make sure it’s immediately clear where to find the info. This means your Book ID and page number fields should stand out and be unambiguous. If your books are labeled “Book 1, Book 2…” or by titles, include that. For example, an entry might start like: “B2 p.45 – Nmap – SYN scan (…notes…)”. Using a consistent shorthand like “B2” for Book 2 throughout the index helps your brain quickly parse the location. Tip: Consider sorting primarily by keyword but secondarily by book, so that all entries for Book 1 are together within the “A” section, etc. This way, if you need to switch books, you’re not constantly bouncing around.
· Choose Primary vs. Alternate Keywords Wisely: Under stress, you’ll typically think of one term first when searching for something. That’s your Primary Keyword – make sure it’s the first word of an index entry. For example, if you want to index the concept of pass-the-hash attacks, think about how you’ll recall it. If “Pass-the-Hash” is the term you’d remember, make that the primary keyword (alphabetized under “P”). But also consider alternate terms: maybe you’ll think “NTLM Hash” or just “Hash attack”. Those can be secondary keywords or separate entries. In your index schema, you might use the additional keyword columns for these alternates (e.g. Keyword 2: NTLM; Keyword 3: Authentication). Alternatively, you can create separate entries like “NTLM hashes – see Pass-the-Hash (B3 p.88)” to cover multiple entry points. The key is to anticipate synonyms and variations. Under exam pressure, if the question uses a different phrase than the SANS book did, you should still be able to find it.
· Keep Notes Short and Action-Oriented: The Notes/Context part of your index is very useful but can become a crutch if too long. Design your notes field to give just enough context to confirm you’ve got the right thing, without needing to read a paragraph. For example, for an entry like “TCP 445 – SMB file sharing port”, the note “SMB file sharing port” is enough to jog you that 445 is SMB. Or for “Mimikatz”, a note might be “credential dumping tool (Windows)”. These little cues help differentiate similar terms (e.g., many tools might be for “privilege escalation” – your note can specify which OS or technique). By keeping notes brief (a few words), you ensure you can glance at an entry and know it’s the one you need. In an open-book exam, the index shouldn’t contain full explanations (that’s what the book pages are for), but a tiny hint can save you from turning to the wrong page.
· Standardize Abbreviations and Capitalization: Decide on consistent naming for things like commands, tools, and abbreviations. If one book says “Active Directory” and another says “AD”, you might index under one term but note the other. For instance, you could choose to list “Active Directory (AD)” as the keyword so it covers both. Or list separate entries for “Active Directory” and “AD” pointing to the same page. The crucial part is to avoid confusion. Use the same abbreviation throughout your index for a given concept. If you use “APT” for Advanced Persistent Threat, don’t sometimes spell it out and other times abbreviate – pick one as primary and maybe include the other in parentheses or in the notes. Consistency will help you quickly scan because your eyes will be trained to look for familiar patterns. The last thing you want is to overlook something in your own index because you wrote “Win Sec log” in one place and “Windows Security Log” elsewhere – you might think they’re different when they’re not.
· Optimize for Scanning Speed: A good index schema might include some visual cues that speed up scanning. We touched on color-coding earlier – if you print in color, that’s one way. Another technique is to use indentation or formatting for multi-word entries. For example, you could left-align the primary keyword and indent continued text so that each keyword stands out at the start of the line. Some people will make the primary keyword bold in printouts to draw the eye. If you have long lists of entries, even simple things like one blank line between each letter section (every time you start a new letter like “A…”, “B…”) can break up the wall of text and make it easier to find the section you need.
· Test Your Schema: Before you finalize the index format, do a few dry runs. Pick a random term and see if you can quickly parse the entry and find the page. For example, if you have an entry for “Nmap – B2 p.50 – UDP scan (-sU flag)”, check that in the heat of the moment you’d understand that means Book 2, page 50. If any part of your entry format is confusing or requires extra thought, tweak it now. You want using the index to be almost mechanical during the test – see keyword, note book/page, grab that book and flip – done. The schema should make that as seamless as possible.
To summarize, design your index not just to be comprehensive, but to be user-friendly for your future stressed exam-taking self. Clear locations, intuitive keywords, and consistent formatting will pay off massively when every second counts.
Selecting High-Value Keywords and Concepts
One of the biggest mistakes candidates make is trying to index everything, which can clutter your index with low-yield terms. Instead, apply the 80/20 rule: focus on the 20% of terms and concepts that are most likely to account for 80% of the questions. In GCIH, that means zeroing in on high-value keywords – the core attacker techniques, defender steps, and artifacts that the exam is likely to probe. Here’s how to identify what to include:
· Prioritize TTPs and Core Concepts: Emphasize Tactics, Techniques, and Procedures (TTPs) of attackers, as well as key defensive concepts. For instance, index the names of attack techniques like pass-the-hash, pass-the-ticket, ARP poisoning, SQL injection, cross-site scripting, privilege escalation, lateral movement, etc. These are fundamental ideas that often come up in questions. Similarly, index core defense concepts: principle of least privilege, encryption, multi-factor authentication, network segmentation. If a term represents a technique or concept that could be the subject of a “what is this and how do you respond?” question, it’s high-value.
· Include Tools and Their Flags: Tools are a big part of GCIH – both the ones attackers use and the ones defenders use to investigate. Make sure you index all the major tools mentioned in the course (e.g. Nmap, Metasploit, Netcat, Nessus, John the Ripper, Burp Suite, Wireshark, etc.). But don’t stop at just the tool name – also index important flags, commands, or modes of use for those tools. For example, under Nmap you might have entries for “Nmap -sS (SYN scan)” and “Nmap -sV (service version detection)” and “Nmap output – grepable format”. Under Metasploit, include things like “meterpreter command to migrate process” or specific exploit modules if they were discussed. Command-line flags and syntax often show up in GIAC exams, where a question might present an output or ask “which flag enables X?”. If you’ve indexed those flags, you’ll save time digging through the tool documentation in the books.
· Log Artifacts and Evidence: Incident handlers need to recognize clues in logs and traffic captures. So index things like Windows Event IDs (4624 login success, 4625 failed login, 4688 process created, etc.), Linux log file paths (/var/log/auth.log, etc.), and network indicators (for example, “DNS exfiltration pattern – multiple TXT queries” or “HTTP user-agent anomalies”). If the course material calls out a certain event ID or artifact as important, treat it as high-value. You may get questions like “What log entry indicates a user added to domain admins?” – if you indexed “Event ID 4728 – added to privileged group” you’ll know where to find it.
· Incident Response Procedures and Checklists: GCIH covers how to respond to incidents, so index any step-by-step processes or checklists given. For example, the PICERL phases should each be in your index (“Preparation phase, Identification phase, …”). Also things like “scoping an incident”, “eradication steps for malware infection”, and “evidence collection procedure”. These might show up as scenario questions (e.g., “During which phase of IR would you preserve evidence?”).
· Capture Synonyms and Variations: English is tricky – the same concept can be referred to in multiple ways. The exam writers know this, and sometimes they’ll use alternative wording to see if you truly understand. That’s why your index should capture synonyms, plural forms, and variations. If your book uses the term “penetration testing” but a question says “pentest”, will you have it indexed? If you see “secure shell”, would you look under SSH? Ideally, include both. Some examples: “filesystem” vs “file system”, “IDS” vs “Intrusion Detection System”, “WAF” vs “Web Application Firewall”, “MITM” vs “Man-in-the-Middle”. A good practice is, whenever you add an entry, think for a moment: “Is there another term or acronym the exam could use for this?” If yes, either add a separate index entry for that term or include it in the notes. It’s better to be redundant in the index than to miss the connection under pressure.
· Index “Problem-Solution” Pairs: Many GCIH questions are scenario-based: they present a problem and ask for the best solution or tool to use. Structure your index to help with that by including action-oriented keywords. For example, index phrases like “detecting stealth processes – (tool X)” or “removing rootkit – (steps)” if the material shows how to do that. Another example: “restore MBR after rootkit – p.123 tool usage”. These are effectively micro use-cases that could match a question. If you think of a question like “What tool can identify hidden processes on a Windows system?”, you’d want to have an index entry under “Hidden processes” pointing to something like “Sysinternals PsTools – p.220” or “RAM analysis techniques”.
· Examples of Keyword Groups: To ensure you cover the breadth, it’s useful to think in terms of categories of things to index. Here are some high-yield groups:
· Attack Techniques: e.g., Brute-force (passwords), Credential stuffing, SQL Injection, Cross-Site Scripting, Pass-the-Hash, Lateral Movement, Ransomware, DNS Tunneling.
· Tools & Commands: e.g., Nmap, Metasploit, John the Ripper, Responder (LLMNR/NBT-NS poisoning tool), tcpdump (and common filters), PowerShell (and important cmdlets like Get-Process, Invoke-WebRequest if covered), Mimikatz.
· Malware/Exploits Names: e.g., if the course mentions specific malware or exploit kits like Mimikatz (for credential theft), Golden Ticket attack, EternalBlue, etc., index those names.
· File Paths / Registry Keys: e.g., Windows RUN key path (for persistence), Linux .ssh/authorized_keys (for backdoor access), /etc/shadow (password file location), $MFT (Master File Table in NTFS, if mentioned).
· Protocols/Ports: e.g., SMB – TCP 445, RDP – TCP 3389, DNS – UDP 53 (as well as DNS over HTTPS, etc.). Sometimes a question might just reference a port number with no service name; your index should let you quickly identify the service/protocol.
· Defensive Controls: e.g., EDR (Endpoint Detection & Response), SoC processes, Firewall rules, Group Policy, patch management. If the material covers ways to mitigate attacks, include those terms too (the exam could ask “what would prevent this attack next time?” which maps to a defense concept).
By being deliberate about selecting high-yield keywords, you make your index efficient. Every entry is something you might realistically need to look up. This not only saves you time during the exam but also streamlines the indexing process itself (you’re not wasting effort indexing trivial facts). Remember, you can always use the course’s glossary or chapter summaries as a clue – if the instructors bothered to define or highlight a term, it’s probably important enough for your index.
Building the Index: Pass-by-Pass
Now let’s dive deeper into how to actually build your index in practice, following the pass-by-pass approach we outlined. Constructing a GCIH index is a bit like painting a wall: you do it in layers rather than all at once, allowing you to refine with each layer. Here’s what you should do in each pass:
· Pass 1 – Scaffold the Major Topics: As mentioned, after your first read-through of the material, create the framework of your index. Go through the table of contents of each book and the section headings, and make initial entries for those big topics. You’re basically mapping the territory. For example, Book 1 might have a section “Incident Handling Overview” – make an index entry “Incident Handling Overview – B1 p.10” (even if you don’t fill in details yet). Book 2 might have “Network Scanning with Nmap” – index that as a broad entry. At this stage, you might also mark important figures or tables in the books that you suspect could be handy (like a table of common ports, or a flowchart of an attack sequence). Jot them in the index with a reference, e.g. “Common Ports Table – B2 p.30”. The scaffold pass ensures that when you later fill in details, you have a skeleton to hang them on and you won’t forget a whole section. It also gives you a high-level index that’s somewhat useful on its own for locating chapters quickly.
· Pass 2 – Detailed Extraction of Keywords: This is where your index grows from a skeleton into a fully-fleshed directory of knowledge. Set aside distraction-free time and go through each section carefully. For each paragraph or slide, ask yourself, “If there were a question on this, what keywords would I search for?” Those are your index entries. Suppose you’re reading about Rainbow Tables (a password cracking optimization) – likely an exam question could be “what technique allows precomputed hashes to speed up cracking?” So you’d index “Rainbow Tables – B1 p.55 – precomputed hashes for password cracking”. If an important command is shown, like a firewall rule example or a Linux find command to locate malware, include it (e.g., “Linux find command – find suid files example – B3 p.77”). Strive for about 3–6 entries per subsection as a rule of thumb. Some dense sections may yield more, a lighter section fewer. Pay special attention to diagrams and screenshots in the books – if a diagram illustrates an attack sequence, add an index entry for that attack name pointing to the diagram’s page. If a screenshot shows a tool’s output (say, Snort alert or Wireshark capture), index something like “Snort alert format – B2 p.88”. These visual elements are often sources of questions. By the end of Pass 2, your index should have captured virtually all the terms, tools, and concepts you think are fair game for exam questions. Don’t worry if it’s long – thorough is good (some indexes for GIAC exams run 30-50 pages or more). You can always trim later, but it’s hard to add what you didn’t record.
· Pass 2.5 – Labs and Hands-On Exercises: (This might be considered part of Pass 2, but worth calling out.) SANS courses usually include lab exercises or case studies. Do not skip indexing the labs! Labs often mirror real-world scenarios and by extension, exam scenarios. Go through each lab step and make index entries for what you did or observed. For instance, if a lab had you use metasploit to exploit a target and then find a flag on the system, index the exploit name or the Metasploit module used. If a lab walked through analyzing malicious traffic in Wireshark, index the filter used or the indicator found (e.g., “Wireshark filter http.request.method==POST – B5 p.22”). Labs might show unique command combinations or investigative techniques that aren’t in the main text – you want those in your index in case the exam expects you to know how to approach a similar task. Essentially, treat labs as high-yield content. A question like “Which tool would you use to gather volatile memory from a live system?” might not be answered explicitly in lecture slides but was something you did in a lab with Memoryze or FTK Imager. If it was in a lab, put it in the index.
· Pass 3 – Refinement and Cleanup: After you’ve populated your index with all these entries, take a short break, then come back and do a cleanup pass. Look for any obvious duplicates (maybe you have “AV (Antivirus)” in one place and “Antivirus (AV)” in another – consolidate or cross-reference them). Ensure formatting is consistent (all book references use the same style, etc.). It’s also a good time to alphabetize the entries now if you haven’t been doing that all along. Skim through alphabetically and see if anything looks out of place or if any important concept is missing. Put yourself in the examiner’s shoes: is there any buzzword or critical concept in the material that you don’t see in your index yet? If yes, find it in the book and add it. By the end of this refinement, you should have a polished index draft.
· Pass 3.5 – Practice Test Driven Edits: We’ve covered this, but it’s worth repeating as a final step in building the index. Once you start doing practice exams or quizzes, be vigilant about tweaking your index. For example, if a practice question asked about “SQLi” and you realized you only had “SQL Injection” indexed under S, you might add a new entry under “S” for “SQLi – (see SQL Injection) – B3 p.12”. Or perhaps you had the info but it took you too long to find because you had it under an unexpected keyword – fix that now by adding the keyword you looked for. Use your practice exams as a reality check: they simulate the exam experience and will reveal how well your index performs. It’s a bit like testing a software product and then debugging it. By the time you’ve done a couple of practice runs, your index will be a battle-hardened tool, ready for the real exam.
Throughout these passes, remember to maintain that conversational relationship with your index – it’s your personal guide, so it should make sense to you. The passes help ensure you’re progressively deepening your familiarity. By the time you’re done building it, you’ll have mentally covered the material multiple times (first read, indexing passes, practice tests), which means even without the index you’re going to know a lot – and with the index, you have a serious advantage.
Mining Labs, Tools, and CLI Examples
As you compile your index, pay special attention to labs, tool output, and command-line examples from the course – these often contain the nuggets that differentiate a mediocre index from a great one. GIAC exams, including GCIH, love to test practical knowledge: interpreting an output snippet, knowing which command achieves a goal, or which tool to use in a scenario. Here’s how to make sure your index captures these details:
· Leverage Lab Scenarios: Labs are basically guided real-world scenarios. If one of the labs had you investigate a breach on a Windows server, what artifacts did you check? If it was a web app attack lab, what steps did you follow to exploit or fix the issue? Index the key actions. For example, if a lab involved rooting a Linux box and then setting up persistence, you might index terms like “Cron job persistence (Linux) – B4 Lab p.5” or “Linux backdoor Bash alias – B4 Lab p.7”. If a lab has a unique scenario (like an insider threat case or a cloud breach), be sure to note the main points – they could easily be inspiration for exam questions.
· Index Tool Flags and Parameters: It’s not enough to just have “Nmap” or “Netcat” in your index. Include specific modes or flags of tools that are significant. For example, netcat (nc) can be used for many things – listening on a port, sending a file, making a reverse shell. If the course demonstrated “netcat -lvnp 4444” as a listener for a reverse shell, create an entry like “nc -lvnp – open listener (reverse shell) – B3 p.30”. Similarly, if a tool like nmap was used with the -O flag for OS fingerprinting, index “Nmap -O (OS detection)”. The idea is, if the exam mentions a tool being used in a specific way, your index should get you to the page that describes that usage. Some other examples: telnet for banner grabbing (e.g., “telnet <host> <port> – banner grab technique”), tcpdump with a filter (like “tcpdump port 80 -X – capture HTTP traffic in ASCII”), PowerShell cmdlets (like “Get-EventLog – retrieving Windows logs”).
· Use Action Phrases as Entries: This is a pro indexing tip: sometimes it makes sense to index by action rather than just noun. For instance, instead of only indexing “pass-the-hash”, add an entry under “Detect pass-the-hash” or “Mitigate pass-the-hash” pointing to wherever the book discusses detection or defenses for that technique. Why? Because an exam question might be phrased as, “What is the best way to detect a pass-the-hash attack on a network?” and in your stressed state, you might think “How do I detect PTH? Where did they mention it?” If you have an index entry starting with “Detect…” it will jump out. Some useful action-oriented entries could be:
· “Detect pass-the-hash – B2 p.77 – (Kerberos event anomalies)”
· “Reset NTFS permissions – B3 p.112 – (icacls command usage)”
· “Block USB malware spread – B5 p.30 – (Group Policy to disable autorun)”
· “Trace email header – B4 p.18 – (email header analysis steps)”
· “Snort rule to catch X – B2 p.90 – (example Snort signature for C2 traffic)”
Think of tasks an incident handler might have to do, which the course likely covered. By indexing those under a verb, you make it very easy to find the procedure. It’s like a mini how-to index within your index. - Index Error Messages or Log Snippets: If the course shows an example of an error message (say, what a brute force attempt looks like in a log, or a specific malware’s output), consider indexing a unique keyword from it. For example, if a Windows Event Log entry for a failed login contains “0xC000006A” as an error code (bad password), you might index that code “0xC000006A – B3 p.45 – (bad password attempt code in Windows log)”. It’s a detail, but GIAC exams have been known to include snippets of log or code and ask what it means. Having that in your index could save a lot of search time. - Cover Both Attack and Defense Tools: GCIH is about handling incidents, which implies both understanding attacks and knowing the tools to investigate and respond. So ensure you index offensive tools (Metasploit modules, exploit kits, privilege escalation scripts, etc.) and defensive tools (forensics suites, endpoint security tools, monitoring utilities). If you did a memory analysis lab with Volatility, index “Volatility – memory forensics tool” and key plugins you used. If the course talked about OSSEC or an EDR product screenshot, index that. On exam day, you may get a question like “Which tool would help analyze a memory dump of an infected machine?” – with a good index, you’d quickly find the section on Volatility or similar. - Real-World Reference in Notes: Sometimes adding a quick real-world reference in your notes can help cement an entry in your mind. For example, next to “Pass-the-Hash” you might write “(reused NTLM hash like in SMB hacks)”. Or next to a tool like “Responder” you add “(LLMNR poisoning)”. These are like mental joggers. They make the index a bit more conversational and easier for you to remember why you included that entry. Just keep these notes short to avoid clutter.
Mining the labs, tools, and CLI examples in your course material ensures your index is tuned to practical knowledge, not just theoretical definitions. The GCIH exam will test your ability to apply knowledge – by indexing the how-to details (not just the what), you’ll be ready to quickly retrieve those application nuggets. Plus, as you compile these, you’re essentially reviewing all the hands-on skills you learned, which is fantastic preparation in and of itself.
Making the Index GCIH-Specific
Every GIAC exam has its own flavor. An index built for GCIH will look a bit different than one for, say, GSEC or GCIA, because the subject matter emphasis differs. You want to tailor your index to reflect GCIH’s unique mix of offense, defense, and incident management. Let’s break down some subtopics specific to GCIH and ensure your index strategy covers each:
· Password Attacks & Authentication Weaknesses: GCIH puts a significant focus on password attack methods and authentication security. Your index should thoroughly cover terms like Brute Force, Dictionary Attack, Password Spraying, Rainbow Tables, Pass-the-Hash, Kerberoasting, and tools like John the Ripper, hashcat, Mimikatz (for extracting hashes). Also include defensive angles: account lockout policies, password complexity requirements, multi-factor authentication. If a question asks how to conduct or prevent a password attack, you’ll have the references ready.
· Persistence Mechanisms (Post-Exploitation): Once an attacker is in, how do they remain undetected? Index common persistence techniques. For Windows: Registry Run keys, Scheduled Tasks, Services, WMI Event Subscription, DLL injection, etc. For Linux: cron jobs, rc.local, SSH authorized_keys backdoor, etc. Also index terms related to evasion, like rootkit, DLL hijacking, Timestamping (file time stomping), packer (for malware). GCIH expects you to identify these tricks and how to uncover them, so have entries for “Persistence – (technique)” as well as detection methods (e.g., “Autoruns tool – B4 p.88 – find startup entries”).
· Command and Control (C2) & Exfiltration: Attackers communicating out from a compromised host is a critical area. Index things like C2 channels (HTTP C2, DNS tunneling, SSH tunnels, etc.), tools like Netcat, Cobalt Strike, DNSCat2, and concepts like Beaconing, Data Exfiltration techniques. For exfiltration, note methods such as data hidden in DNS queries, exfil via cloud storage, or using common ports (443) to blend in. Also include detection measures: IDS signatures for C2, DNS query volume analysis, DLP (Data Loss Prevention) tools. If GCIH covers specific malware or threat examples (like using legitimate services for C2, e.g., using Slack or Gmail as C2 channels), index those examples by name.
· Scanning & Enumeration: This is more straightforward – ensure scanning tools and techniques are well represented. Index Nmap (with different scans as separate entries), ping sweeps, port scanning techniques (TCP SYN vs Connect vs UDP), service enumeration (SNMP enumeration, LDAP queries, etc.). Also include concepts like banner grabbing, OS fingerprinting (active/passive), vulnerability scanning (maybe OpenVAS, Nessus if mentioned). If the blueprint mentions mapping networks and discovering misconfigurations, make sure things like null sessions on SMB, SNMP public community string, NetBIOS name service are in your index, as those are classic enumeration angles.
· Windows and Linux Artifacts (Forensics-lite): GCIH isn’t a full forensics cert, but as an incident handler you need to know important artifacts. Index Windows Event Log IDs (especially security logs around logon, account changes, etc.), Windows Registry locations for evidence (like Run keys, SAM for passwords, etc.), Windows file artifacts (prefetch files, $Recycle Bin, etc. if mentioned). For Linux, index things like /var/log/syslog, /auth.log, command history files (.history), and so on. Also, include any memory artifacts if covered (like LSASS process memory for credentials). If the course material touches on indicators of compromise (IoCs)*, like certain file hashes or strings commonly found in malware, those could be worth an entry too. Essentially, think: if a question asked “Where would you check for X evidence on a Windows system?”, your index should point you to the right page.
· Web/API Exploitation Techniques: GCIH includes web app attack basics, so index SQL Injection, Cross-Site Scripting (XSS), Command Injection, Directory Traversal, CSRF, and anything specific to APIs like API key leakage, JWT attacks if covered. Also include any tools demonstrated (like Burp Suite, sqlmap, OWASP ZAP). Don’t forget defensive aspects: input validation, WAF (Web Application Firewall), API rate limiting, etc., since the incident handler might be asked how to mitigate a web attack in progress or prevent it. If the course includes something on cloud APIs or OAuth, note those as well.
· Incident Response & Remediation: This is what truly makes GCIH distinct – it’s not just about the hacks, it’s about handling them. So your index should capture incident handling process concepts (PICERL as we discussed, plus things like evidence preservation, chain of custody, legal considerations, reporting requirements). Also index any specific remediation steps: for example, if the material lists “Steps to respond to a ransomware infection” or “How to remediate a compromised AWS account”, get those in there under relevant headings (e.g., “Ransomware response checklist” or “AWS incident response”). The exam could ask multi-step scenario questions where you need to choose the best next step in handling an incident – having those processes indexed can help you quickly confirm the correct order or recommended action from the books.
· Blending Domains in Scenarios: GCIH questions often blend multiple domains (e.g., an attack that starts with a phishing email (social engineering), leads to malware (malware analysis), which then does network scanning (network sec) and data exfiltration (cloud sec perhaps)). Ensure your index ties these together. If there’s a big example or case study in the course that ties multiple concepts, index that case by name or by its key elements. For instance, if the course had a running scenario (like the “Sea Eagles APT incident” as a fictional case study), index that name – it could come up in an exam question, or at least help you quickly find the part of the book where multiple domains intersect.
Making your index GCIH-specific means focusing on the content mix that this exam covers. By tailoring around these subtopics, you’ll have an index that feels like it was built for the test (because it is!). It ensures you’re not wasting time on areas GCIH barely touches, and you’re deeply covering those it hits hard. As you compile these entries, you’re also effectively revising the whole scope of GCIH – reinforcing how all these pieces connect from an incident handler’s perspective.
Incorporate Acronyms, Ports, and Artifacts
Cybersecurity is full of acronyms and numeric identifiers, and GCIH is no exception. Often, exam questions will use a term like “IOC” or throw a port number at you assuming you know what it refers to. Your index should serve as a quick decoder for these as well. Here are some special categories of information to deliberately include:
· Acronyms and Abbreviations: The GCIH course material will include tons of acronyms: IoC (Indicator of Compromise), TTP (Tactics, Techniques, Procedures), EDR (Endpoint Detection and Response), SIEM (Security Info/Event Management), SoC (Security Operations Center), and so on. Make an acronym index pass where you collect all these. It might be worth dedicating a section of your index or a separate tab just for acronyms. At minimum, index each important acronym in place alphabetically. For example, have “IOC – Indicator of Compromise – B1 p.XX” in the I’s, “EDR – Endpoint Detection & Response – B5 p.YY” in the E’s, etc. And vice versa: if the acronym is well-known, also index the spelled-out term. GIAC exams sometimes use one or the other. If a question says “IoC”, you should be able to find that if you only remember “Indicator of Compromise” and vice versa. Acronyms can be easy points if you’ve indexed them, or a time sink if you haven’t.
· Ports & Protocols: Port numbers are fair game for incident handling questions. You might get a question like “An attacker was communicating over TCP/443. What protocol is this likely and what could it be used for?” If you indexed “443 – HTTPS (SSL/TLS encrypted web traffic)” you’ll quickly recall that’s HTTPS. Similarly, ensure you have the common ones: 21 (FTP), 22 (SSH), 23 (Telnet), 25 (SMTP), 53 (DNS), 80 (HTTP), 110 (POP3), 139/445 (SMB/CIFS), 3389 (RDP), etc., plus any oddball ones mentioned (like 5985 WinRM, or 161 SNMP). It’s helpful to list them as “Port 3389 – RDP (Remote Desktop Protocol)”. Consider also indexing by service: e.g., “SMB – see port 445”. That way, whether the question gives you a port or a service name, you can cross-reference. If the course provides a table of ports and protocols, definitely mark that page in your index.
· Windows Event IDs and Log Codes: We’ve touched on this, but to reiterate: index any numeric event codes and their meaning. Windows Security Event IDs are critical (4624, 4625, 4728, 4732, etc.). Also things like Linux exit codes or specific error codes (0x status codes for Windows auth). If the course mentioned HTTP status codes (like 404, 500) or TCP flags (SYN, FIN, RST), consider including those if you think you might blank on them under pressure. An index entry like “Event ID 4688 – New process created (Windows Security Log)” can be a lifesaver when you’re trying to recall which ID corresponds to process creation versus process termination.
· Registry Keys and File Paths: Many attack and forensic artifacts are identified by specific registry keys or file system locations. For example, HKLM\Software\Microsoft\Windows\CurrentVersion\Run (a persistence autorun key) – index that under “Run key” or “HKLM...Run”. If malware uses a specific directory (like drops files in C:\Windows\Temp or /tmp on Linux), note that. If there are known malicious file paths or services (like the PrintNightmare vulnerability involving the Print Spooler service), include the service name and related file path. The idea is, if a question references a particular registry path or system folder, your index can direct you to the content that explains it.
· File Extensions and Types: Sometimes file types can be relevant – e.g., “.pcap” (packet capture file), “.ps1” (PowerShell script), or forensic images like “.E01”. If these were mentioned, toss them in. They might appear in questions where they describe evidence (“you found a .ps1 file in startup folder – what is it likely?” – and you remember .ps1 is a PowerShell script, which could be malicious).
· Network Packet Patterns: For the network-oriented parts, if the course pointed out particular patterns (like “SYN flood has tons of SYN packets without ACKs” or “DNS exfiltration often has a bunch of TXT queries with weird-looking subdomains”), include an entry summarizing that. Maybe something like “DNS exfil pattern – B2 p.60 – (many TXT queries with long random subdomains)”. If you practiced PCAP analysis, you might index “TCP handshake – (SYN, SYN/ACK, ACK flags) – B2 p.20” so you can quickly find where normal vs abnormal traffic patterns are described.
· Malware Indicators: If any known malware indicators were given (like “if you see a file named svch0st.exe, it’s likely malicious because of the 0”), put that in. GIAC might slip in a question where the answer hinges on noticing a tiny detail like a misspelled process name. An index entry could be “svch0st.exe (zero instead of o) – B5 p.50 – malicious process name example”.
· Cross-Reference Numbers to Names: The general rule is: if it’s a number or acronym that isn’t obvious, index it to its meaning. During the exam, you don’t want to sit there thinking “I know 5985 is important but what was it again?” Your index should answer that in seconds: “5985 – WinRM (Windows Remote Management Port)”. Likewise, if the question gives a name and expects a number (like “What port does Kerberos use?” – answer: 88 UDP/TCP), you could find either “Kerberos – port 88” or “Port 88 – Kerberos (authentication service)” in your index.
By incorporating these acronyms, ports, and artifact identifiers, you turn your index into a comprehensive cheat-sheet for quick lookup of those pesky details that are hard to memorize but easy to look up. It’s far faster to scan an index list of ports than to page through the textbook looking for where port 3389 was mentioned. And every time you index one of these, you’re also reinforcing it in your memory (you might find by exam time you hardly need to look up the common ones anymore, thanks to repetition – but you’ll have the index just in case).
Iterating with Practice Exams and Drills
Building the index is half the battle; mastering how to use it efficiently is the other half. This is where practice tests and drills come in. They not only gauge your knowledge, but also stress-test your index under exam-like conditions. Here’s how to iterate and improve with practice:
· Take Practice Exams Strategically: Once you’ve covered the material and have a solid index draft, schedule a practice exam (or a set of practice questions). Simulate exam conditions: set a timer, have your printed materials and index like you would in the real exam, and do the questions without interruption. Pay attention to every time you flip through your index or books: was the info easy to find? Did any question leave you stumped on where to look? Mark those moments. For example, if question 12 took you 3 minutes because you were searching the index for “SQL injection” and couldn’t find it because you listed it under “Injection, SQL” instead, note that issue.
· Refine the Index After Each Test: Right after you finish a practice test (while it’s fresh), go back and address any pain points:
· Add missing entries for anything you had to search for by scanning the book. If you found yourself manually looking through the book’s glossary or index because your index didn’t have it, that’s an entry to add.
· Add synonyms or cross-references for terms that you had trouble finding. Using the example above, you might add an entry at “SQL Injection” that points to “Injection, SQL – B3 p.12” if that’s how you originally phrased it. Or just have both versions with the same page.
· If an entry was hard to find because of formatting (maybe you had it buried in a note under another entry), consider giving it its own line. For instance, you might have had “Malware – persistence techniques: Run key… page X”. If in the exam you’re more likely to look under “Run key”, then give “Run key” its own entry as well.
· Highlight or flag the entries that you actually used to answer practice questions. This can serve two purposes: one, it reinforces that those topics are important (likely to appear again); two, on exam day, you might subconsciously recall “I used this entry before, it was important”. Some people put a little star or different color next to frequently used entries.
· Leverage any analytics from your practice test. For instance, if you’re using a platform like FlashGenius with a Smart Review feature, it might tell you which domains or question types you struggled with. Use that info to inspect your index in those areas. Maybe you scored low on “Web & API Attacks” – double-check that your web attack entries are robust (perhaps add that missing CSRF token detail, etc.).
· Conduct Timed Lookup Drills: Beyond full practice exams, do quick drills to train your index reflexes. One way is to have a friend or study partner call out a term from the material and you try to find it in your index as fast as possible. Or use flashcards in reverse: instead of a question, you have a term on the card and you time how quickly you can flip to the index entry and then to the book page. You can also simulate a “mixed practice” by jumbling topics: e.g., randomly pick one term from network attacks, one from incident response, one from malware, etc., so you practice jumping between different sections of your index. The goal is to make sure you’re comfortable with the overall layout — you know, for example, that terms starting with “M” start on index page 10, or that Book 4 topics are mostly in the latter half of your index, etc. If you find any lookup taking more than, say, 30 seconds, ask why. Is the term hard to find? Could you make it stand out more or add a cross-ref? This is the time to tweak that.
· Use Mixed Practice to Simulate Switching Gears: In the GCIH exam, questions won’t be ordered by topic; you might get a Windows question, then a network question, then cloud, then back to Windows. Practice that mental context-switching with a Mixed Practice question set (a random mix of all domains). This is where having an alphabetical index shines, but you need to get used to jumping around. After a mixed set, reflect: did any question catch you off guard in terms of “I wasn’t sure which book to even look in”? If so, maybe your index entries need to indicate the domain or book more clearly. For instance, you might append “(Linux)” or “(Windows)” in notes to remind you if something is OS-specific.
· Iterate Until It’s Smooth: You might go through multiple cycles of practice and index updates. That’s normal – in fact, it’s great because each cycle makes you more prepared. By the second or third practice test, you should notice that you rarely need to add new entries and you’re finding things faster. If possible, try to get to the point where on a practice exam you finish with time to spare. That’s a good indicator you can confidently rely on your index under real exam timing.
· Don’t Neglect Memory: Ironically, by iterating so much with the index, you’ll find you start memorizing some info – that’s good! The index is a support, but if you can answer something outright, even better. Use tools like Flashcards for things that simply must be memorized (like the six steps of PICERL, or the exact syntax of a command you find yourself using often). Being less reliant on your notes for the easy stuff means more time for the hard lookups. A balanced strategy is to memorize what you reasonably can (with the help of flashcards and repetition) and index what you might forget or what is too time-consuming to memorize (like big IP ranges, long lists of steps, etc.).
· Listen to Your Gut During Practice: If during a practice question you had a gut feeling like “I think I know this, but I’m checking the book to be safe” – take note after. Maybe that’s something to commit to memory and mark in the index as something you usually know. Conversely, if you got something wrong because you assumed without checking, maybe highlight that entry in the index as “verify this next time”.
The iteration phase is about more than just fixing the index; it’s about building your confidence and speed in using it. By exam day, you want the process of searching your index to be second nature. The practice and drills you put in will pay off by making you quick on the draw. Think of it like training for a sports event: you’re not only devising the playbook (index), but also scrimmaging with it until you and the playbook are in sync.
Physical Prep: Printing and Binding
Because GIAC exams like GCIH only allow printed materials (no digital copies during the test), you’ll need to prepare physical versions of your index and any notes. How you organize these physical materials can make a difference in how quickly you navigate them on exam day. Here are some tips for the physical prep:
· Follow GIAC’s Rules: First and foremost, know the rules: you’re allowed printed books, your handwritten or printed notes/index, but no electronic devices. If you took the course digitally, that means you need to print out the slide PDFs or course books as well – don’t assume you can use a tablet or laptop (you cannot). Plan ahead to have everything printed well before the exam date. Also, remove any materials that are not allowed (for instance, you can’t have any papers with actual practice exam questions & answers written on them, as that’s against policy).
· Print the Index in a User-Friendly Way: When printing your index spreadsheet, format it for readability. Use a readable font (nothing too tiny – remember you might be tired during the exam and good lighting isn’t guaranteed). Many people print their index double-sided to cut down on the number of pages, which is fine as long as the paper isn’t so thin that text shows through too much. You might choose to print on heavier paper or in grayscale vs. color depending on resources; color is nice if you did color-code entries, but not strictly necessary if you have other cues. Ensure page numbers (if your index spans multiple pages) are present or you have some way to quickly jump within the index.
· Bind or Use a Binder: Decide how to physically compile the index pages. A 3-ring binder is common: it lets you easily flip through and even rearrange pages if needed (also easy to insert updated pages if you reprint just a portion after some changes). Get a binder that’s a comfortable size – too big and it’s cumbersome, too small and pages don’t turn easily. Something that can stay open flat on a table is ideal. Alternatively, some folks prefer to get the index spiral bound or comb bound at a copy shop. This can make it feel like a book and pages turn nicely. Spiral binding the index has the advantage of not accidentally losing a page or misordering them. It’s personal preference; just make sure whatever you choose, you practice with that format (for example, if you spiral bind, you can’t reshuffle pages on the fly, so double-check the order is correct).
· Use Tabs and Dividers: Physical tabs are a lifesaver for navigation. For your index, consider using A–Z thumb index tabs (those little sticky tabs or preprinted dividers with letters). If you have a binder, you can insert alphabet tabs and split the index into sections. If your index isn’t super long, you could maybe tab every few letters (A-C, D-F, etc.). If it’s long, do every letter. This way, when you need to find something that starts with “S”, you can directly flip to the S section rather than flipping through all pages. Additionally, use tabs for your course books themselves. Mark each book with a big tab (so you can quickly grab Book 1 vs Book 2), and within books mark major sections or frequently referenced charts/figures. For example, put a tab on the page where “Incident Response process summary” is, or the page with the “Common Ports List”. Use meaningful labels on the tabs if possible (or color code them by book).
· Color-Coding Sections: We talked about color-coding entries in the index, but you can also color-code your physical setup. Maybe use a blue tab for Book 1, red tab for Book 2, etc., so you can visually grab the right book quickly. Some people put a colored stripe or sticker on the spine of each course book matching their index key. Another idea is using colored sticky flags to mark where certain content is in the books – e.g., green flags for “attack tools pages”, yellow for “incident handling steps pages”, etc. Just be careful not to overdo it; too many tabs and colors can get confusing. Keep it to a coherent system that you understand.
· Highlight “Frequent Flyer” Pages: Within the books and notes, identify the pages you suspect you’ll refer to most often (based on practice exams and the content). These might be summary pages, tables, or reference charts. Use a highlighter or a bold bookmark on those pages. For instance, if page 250 of Book 3 has the master list of Linux commands or an important diagram of an attack kill chain, make that stand out. You can jot a quick reference on a tab sticking out: “Kill Chain diagram” or “Linux commands”. This way, even if a question is broad, you might recall “let me review the kill chain diagram to answer this” and you’ll instantly flip to it.
· Minimize Bulk: You will likely be carrying several books plus your index into the exam. Organize them in a tidy way. If using binders, you could combine some materials into one binder if it makes sense (just ensure it’s not overstuffed and hard to handle). During the exam, you want to be able to arrange your materials on the desk in a logical way – perhaps index front and center, books arrayed by number. Practice this setup at home: open your index, simulate flipping to a book, and see if anything gets awkward (like pages not staying open – maybe have a small paperweight or binder clips to hold books open if needed).
· Backup Plan: Print an extra copy of your index or at least have the digital file ready to print if disaster strikes (like coffee spill on the index the night before – it happens!). Also, bring spare writing tools (pencils, highlighters) to the exam in case you want to mark something on the fly. While you can’t bring electronics, you can usually annotate your paper during the exam if needed (like check off questions you answered or note time).
· Simulate Using Printed Material: When doing your practice exams, use the printed index and books, not a digital version. This is important – flipping physical pages is different than scrolling PDFs. You need to get a feel for it. It might sound silly, but building muscle memory in flipping to a particular book or section can shave off seconds. Know the layout of each book cold: e.g., Book 1 is primarily text and theory, Book 2 starts the technical stuff on page 100, etc. When you print, maintain the original page numbering (don’t let the printer re-number things if printing slide decks; often SANS slides are two per page – try to keep a one-to-one page mapping if possible, or note how the printouts map to original page numbers so you don’t confuse yourself when your index says p.50 but in printout it’s on the 25th physical page if two slides per page).
· Check Your Print for Legibility: After printing your index, skim through it fully. Check that nothing got cut off (sometimes spreadsheet printouts cut columns), and that every page is clear. If you see any issues, fix them and reprint that part. The day of the exam is not when you want to realize your index’s last column (the notes) got truncated in print, for example.
Good physical preparation might seem like overkill, but on exam day it contributes to a sense of calm and control. You don’t want to be wrestling with loose papers or trying to remember which book had that table. With everything neatly printed, bound, and tabbed, you’ll navigate your resources smoothly – giving you more mental energy to focus on answering questions correctly.
Common Indexing Mistakes to Avoid
As you craft your GCIH index, learn from others’ experiences and avoid these common pitfalls. Many of these “gotchas” can hinder your index’s effectiveness or even your overall exam prep:
· Indexing Everything (Information Overload): Perhaps the most common mistake is being too thorough. If you try to index every term, name, or minor detail from the books, you’ll end up with a phonebook-sized index that’s unwieldy. Remember, the index is a tool for quick lookup of key information – it’s not meant to be an encyclopedia of the course. Indexing trivial or obvious things (like “TCP – definition of TCP”) wastes time both in creation and in the exam (where it adds noise to sift through). Focus on the high-yield items as discussed. A lean, mean index will serve you better than a bloated one. Quality over quantity.
· Starting Too Late / Last-Minute Indexing: Some students make the mistake of leaving indexing until the final week before the exam, then rushing through it. This is a problem because you won’t have time to internalize the index or refine it. A rushed index might have errors (like wrong page numbers or typos) that you won’t catch until it’s too late. Plus, you miss out on the learning benefits of indexing if you cram it in. Avoid cramming your index – start early and update it gradually. It’s fine if your index is still a work in progress as you study, but have a stable version done at least a few days before the test so you can practice using it.
· Relying on Someone Else’s Index: It can be tempting to find a premade GCIH index online or from a friend. While it’s okay to reference others’ indexes for ideas, don’t rely on them in place of making your own. Using someone else’s index is like wearing someone else’s prescription glasses – it might sorta work, but it’s not tailored to your vision. You won’t know the nuances of where things are, and the act of creating the index is where a lot of the learning happens. In fact, GIAC instructors themselves emphasize that making the index is the most valuable part. If you skip that, you’re doing yourself a disservice. By all means, get inspiration or check if you missed a major topic, but build your own.
· Inconsistent Terminology: This mistake happens when multiple people or multiple sources contribute to an index, or when you’re not mindful of consistency. For example, you might have “IPv6” in one entry and “IPV6” (different case) in another, or “DoS attack” vs “Denial of Service”. Inconsistencies can scatter related entries and confuse you. Always standardize terms. Decide “I’ll use DoS (with one ‘o’) everywhere” and stick to it, but maybe also have an entry for “Denial of Service” pointing to DoS. The index should not look like it was patched together from different sources using different language. A consistent voice and terminology will make it feel intuitive.
· Missing Page Numbers or Incorrect References: This is a fatal error in an index. If an entry doesn’t have a page number, or has the wrong page, it’s effectively useless and will just waste your time in the exam. Double-check your references. It can help to validate by actually turning to that page to confirm the content, especially for critical entries. If you reorganize or sort your index a lot in Excel, watch out that the page numbers stay with their terms correctly (sometimes cells can slip around if you’re not careful). One technique is to do a quick quiz with yourself: pick 5 random entries in your index and go to those pages in the book, verify the info is right and that you can find it quickly on the page. If something’s off, fix it and consider if other similar entries might have an issue.
· Lack of Iteration (Not Updating): Treating the index as “done” on first draft is a mistake. You need to iterate, as we covered, especially after doing practice questions. If you never test your index until the real exam, you might discover too late that some terms are hard to find or missing. Always refine it with practice feedback. A living document approach ensures the final index is battle-tested.
· Poor Organization (Difficult to Navigate): An index that isn’t alphabetized or is split oddly will slow you down. Some people attempt to organize their index by book or by topic group only, without a unified alphabetical list. This can backfire when a question asks about something and you’re not sure which domain it falls under. Alphabetical with clear sections is usually safest. Also, avoid over-cluttering each entry – if an entry line has like 10 sub-entries or too long notes, break it up. You should be able to scan down a column of keywords without your eyes getting lost in a paragraph.
· Ignoring Physical Format: We just covered how to print and bind – ignoring those considerations is a mistake. If your index isn’t comfortably usable in physical form, it doesn’t matter how great the content is. For example, printing in font size 6 to fit more per page might seem smart to reduce pages, but you’ll pay for it in the exam when you’re squinting to read tiny text under stress. Balance density with readability. And definitely use those tabs/dividers; not using them is like refusing to use bookmarks in a web browser – technically you can still find stuff, but it’ll take longer every time.
· Overconfidence in Open-Book: Finally, a psychological mistake: thinking that because the exam is open-book and you have an index, you don’t need to deeply learn the material. This can lead to unpleasant surprises. The index is a support tool, not a magic answer sheet. You still need to understand concepts because sometimes you have to apply knowledge that isn’t word-for-word in the books. Also, time is limited – if you had to look up every single question, you would probably run out of time. So, don’t skip studying hard just because you’re building an index. In fact, building the index should be part of studying hard. Use tools like Flashcards for core definitions or lists (like “the six steps of incident response”) so that you know them cold and don’t even need to look them up. Use Domain Practice to ensure you grasp each domain’s concepts without immediately reaching for notes. In short, be prepared to answer maybe half or more of the questions from memory/understanding and rely on the index for those specific details you might otherwise forget or mix up.
· Buying an Index (Pitfall): Some third parties or individuals sell SANS indexes. It might seem like a time-saver, but it’s risky. Aside from the earlier point that you won’t know it deeply, you also can’t be sure of its accuracy. There’s no guarantee it matches the exact version of the course you took. Instead of spending money on someone else’s index, invest the time in yours – it will pay dividends on exam day, and frankly, that process might be what pushes you over the passing score.
By avoiding these common mistakes, you’ll ensure your index remains a reliable ally, not a source of frustration. Every entry should justify its place and be primed for rapid retrieval. When you catch yourself making one of these mistakes (we all do at some point), just correct course – it’s all part of honing your indexing skill.
Exam-Day Index Usage Strategy
Congratulations – if you’ve made it this far, you’ve likely built a comprehensive GCIH index and are almost ready for the exam. Now, let’s talk about how to use your index (and other materials) effectively during the actual test. Having a great index is one thing; deploying it under exam conditions is another skill to master. Here are strategies for exam day:
· Do a Pre-Exam Materials Scan: Before the exam clock starts (for instance, during the check-in process or the few minutes of instructions reading time), quickly scan through your index and remind yourself where things are. Flip through the tabs, look at how you organized it, and get in the mindset that “my answers are in here if I need them.” This brief review can build confidence and refresh your memory of less obvious entries. If you’re testing at a center, you’ll have your books and index with you – organize them neatly on the desk. If remote, have them within easy reach. Tip: Some people put their index in front of them and stack the course books by number on the side. Others lay out books open to key sections preemptively (if the proctor allows setting up materials beforehand). Do what works but be mindful of the rules and time.
· Plan When to Use the Index vs. When Not To: Time management is critical. Not every question warrants flipping through the index. Use the index for questions that involve specific details, unfamiliar wording, or when you’re unsure. For example, if a question asks, “Which tool uses the RC4 cipher for malware command-and-control communications?” and you think “Hmm I recall something about Poison Ivy RAT using RC4, but not positive” – that’s a good time to quickly check your index for “Poison Ivy” or “RC4” to confirm. On the other hand, if a question asks, “What does SQL injection target?” and you know it’s about injecting into queries to affect a database, don’t waste time looking that up – that’s general knowledge you likely have. A good rule of thumb: if you can eliminate obviously wrong answers and have a reasonably confident guess, you might not need to lookup. If you’re totally unsure or the question is a multi-step scenario, the index is your safety net.
· Use Bookmarks for Anchor Entries: If your index has some anchor entries (major topics that span many pages or multiple sub-entries), consider marking those with additional tabs or bookmarks. For instance, say “Incident Response process” is something that could come up in different ways. You might have multiple entries: one for each phase, one for the overall process. It might help to have a single summary page in the book or a one-page note that lists all IR phases, which you tabbed out. That serves as an anchor – one place you can quickly go to recall the whole process. Similarly, if “Nmap” is a huge topic with many flags scattered, maybe have a cheat sheet of common Nmap flags tabbed. Essentially, for broad topics that might require looking at several entries, create a quick pivot. Your index can point to that anchor (e.g., “Incident Response – see cheat sheet in notes page 5”).
· Handle Multi-Domain Scenario Questions: Some GCIH questions present a scenario that touches multiple areas. For example: “After a phishing email led to a malware infection on a client, the attacker established a DNS tunnel to exfiltrate data. What two security controls could have detected this and in which incident handling phase should this be addressed?” That’s a mouthful – it involves phishing (social engineering, maybe policy), malware (maybe EDR detection), DNS tunneling (network monitoring), and incident response phase (e.g. detection phase or eradication). To tackle these:
· Break the question into parts: phishing/malware, DNS tunnel, IR phase, controls.
· Identify keywords for each part and check your index for those: e.g., look up “DNS tunnel” in index, “phishing” or “email security” in index, maybe “incident handling phases” in index.
· It may help to jot quick notes on your scratch paper (if allowed) for each sub-question before searching, so you stay organized.
· Tackle one sub-part at a time, verify with materials, then combine your answers.
This is where having a broad and well-structured index truly helps – you might bounce from one section to another, but since it’s alphabetical, you go to D for DNS, P for Phishing, I for Incident response phases relatively quickly. The key strategy is don’t panic when a scenario is complex; systematically use your index to navigate each element. - Skip and Return Tactics: If you come across a question that seems time-consuming to look up (maybe it’s a very niche detail and you’re not immediately finding it in the index), consider marking it for review and moving on. GIAC exams typically allow you to flag questions and return to them. It’s better to get through all easier questions first (ensuring you collect those points) than to burn 10 minutes on one stubborn question mid-exam. When you skip, make a quick note of what you plan to look up if time permits (“Q35 – check tool X flags in book3”). Often, working through other questions jogs your memory or you might stumble on info in the book while looking for something else that answers the skipped question. - Trust Your Index, But Also Your Gut: By exam day, you’ve spent hours with your index. Trust it to guide you – if it says the answer is on page 100 of Book 2, go there confidently. At the same time, trust your knowledge. Sometimes an answer might be on the tip of your tongue but you feel compelled to double-check in the book. Manage this impulse; if you know it, just answer and move on. Use the index for confirmation only when needed. Over-reliance can slow you down. There’s a balance: the index is best used for those things you genuinely don’t know or are unsure about. If you’ve practiced enough, you’ll have a sense for when you should flip open a book versus when you can answer from understanding. - Keep an Eye on the Clock: Open-book exams can give a false sense of security time-wise. You might think “I have four hours, plenty of time to look things up.” But 106 questions in 4 hours means you have roughly 2.25 minutes per question. If you spend 5 minutes flipping through books for one question, that time has to be made up elsewhere. Use the index to speed up lookups, but also set personal checkpoints (like aim to complete at least 25 questions per hour). If you find you’re behind, you may need to rely more on educated guesses for some and save lookup time for others. This is not so much about the index content but how you deploy it – efficiently and selectively. - Stay Calm and Composed: Lastly, have confidence in the work you’ve put in. When you encounter a tough question, remember that you have resources at your disposal: your index, your books, and your own brain. Take a breath, and approach it methodically. Panic is the enemy of open-book exams; it can cause you to overlook what’s right in front of you. Often, just knowing “I have that term in my index” provides a psychological relief that prevents panic. If you feel anxiety rising, pause for a sip of water (if allowed) or a quick deep breath. A clear mind uses an index far better than a frantic one.
By following a thoughtful exam-day strategy, you’ll make the most of your index and your preparation. The index is your safety net, but you’re the one doing the tightrope walk – stay focused, use your tools wisely, and you’ll cross the finish line successfully.
Conclusion: Building a GCIH index is a journey that transforms how you engage with the material. You started by understanding the blueprint, meticulously cataloged key information, practiced under real conditions, and refined your approach. Come exam day, you’ll have in front of you not just an index, but a personal guide crafted through hours of hard work and insight. Use it with confidence. Remember, the process of creating and iterating on your index has already made you a more knowledgeable incident handler. By preparing early and refining intelligently – using every practice test, flashcard review, and drill to hone your index – you’ve set yourself up for success. When you sit down for that 4-hour test, you won’t be flipping pages in desperation; you’ll be executing a well-rehearsed game plan. Good luck on your GCIH exam, and here’s to achieving that certification with speed and certainty!
Explore Detailed GIAC Certification Guides
GIAC Certified Forensic Analyst (GCFA)
Dive deep into digital forensics and threat hunting. Learn how to uncover sophisticated breaches, perform memory and file system analysis, and master advanced investigation techniques.
Read GCFA Guide →GIAC Certified Incident Handler (GCIH)
Strengthen your incident response and defense skills. Understand attacker methodologies, manage live incidents, and gain the confidence to protect and recover systems effectively.
Read GCIH Guide →