My Journey with the Blue Team Level 1

I decided to take the exam for the first time at the end of 2024, and it was a bit overwhelming. After the bootcamp at Ironhack, I thought I was more than ready and had my second try at it. I failed once more, by one answer.

This was my third attempt at the exam. I studied where I went wrong and realized that I was overcomplicating everything. As I was doing the exam, it clicked: “Wait, the answers are pretty straightforward. I don’t need to dig deeper, the answer is right here!”

So, I finally passed.


Before answering anything, I went through all the tools. First, I used Autopsy and just had a deep look at everything. I was basically doing reconnaissance and looking at some answers without knowing they were actually the answers. I was filled with curiosity, just looking around for interesting stuff, and eventually, I found IoCs (Indicators of Compromise) and was able to correlate all the events and their order. Everything was finally making sense. It felt close to a cathartic experience. I wasn’t able to ace the exam, but I got 90%, which made me very happy!

This is the type of exam that requires persistence and critical thinking. Correlating everything is a must.


It wasn’t as hard as I had made it out to be, though.

I was feeling pretty comfortable with the tools, but I wasn’t accustomed to this kind of real-world problem solving. So now I guess I understand it much better.

This exam made it feel like an actual investigation.

It’s not an easy exam if you’re just starting in cybersecurity. TryHackMe’s Splunk labs did help me a lot, but this isn’t a super technical exam where you have to know everything about each tool. You just need to think like an analyst. Understanding the scenario and correlating events is the main part of the exam.

One tip that I would give for anyone doing this exam? Know your Windows Event Logs.
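To make the two points above concrete, knowing your Windows Event Logs and correlating events into one story, here is an added example that is not code from the original post. The event records are constructed for illustration (the host WS01, user jdoe, the Logon IDs, the IP address and the service name are all invented); the Event IDs and logon types are the standard Windows ones (4624 logon, 4672 special privileges, 4688 process creation, 4720 account creation in the Security log, 7045 service install in the System log). The script orders everything by time, pulls together the Security events that share a Logon ID, and then joins System-log events, which carry no Logon ID, on host and time window.

```python
"""Correlate a handful of Windows event records into an investigation timeline.

Added example for illustration; not from the original post. All records in
SAMPLE_EVENTS are constructed (host, user, Logon IDs, IP and service name are
made up). Real data would come from an evtx export or a SIEM query.
"""
from datetime import datetime, timedelta

# Standard Windows Event IDs used below (Security log unless noted).
EVENT_NAMES = {
    4624: "Logon",
    4672: "Special privileges assigned to new logon",
    4688: "New process created",
    4720: "User account created",
    7045: "Service installed (System log)",
}
LOGON_TYPES = {2: "Interactive", 3: "Network", 10: "RemoteInteractive (RDP)"}

# Constructed sample records. 'SQBFAFgA' is base64 of UTF-16LE "IEX".
SAMPLE_EVENTS = [
    {"time": "2024-11-02T08:58:00", "channel": "Security", "id": 4624, "host": "WS01",
     "user": "jdoe", "logon_type": 2, "logon_id": "0x2a110"},
    {"time": "2024-11-02T09:14:03", "channel": "Security", "id": 4624, "host": "WS01",
     "user": "jdoe", "logon_type": 10, "logon_id": "0x3e7a1", "src_ip": "10.0.5.23"},
    {"time": "2024-11-02T09:14:05", "channel": "Security", "id": 4672, "host": "WS01",
     "user": "jdoe", "logon_id": "0x3e7a1"},
    {"time": "2024-11-02T09:15:40", "channel": "Security", "id": 4688, "host": "WS01",
     "user": "jdoe", "logon_id": "0x3e7a1",
     "process": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -enc SQBFAFgA"},
    {"time": "2024-11-02T09:16:12", "channel": "System", "id": 7045, "host": "WS01",
     "service": "UpdaterSvc", "image": r"C:\ProgramData\upd.exe"},
    {"time": "2024-11-02T09:16:30", "channel": "Security", "id": 4720, "host": "WS01",
     "user": "jdoe", "logon_id": "0x3e7a1", "new_account": "svc_backup"},
]


def parse_time(stamp):
    return datetime.fromisoformat(stamp)


def build_timeline(events):
    """Order raw records by timestamp: the first step with any log export."""
    return sorted(events, key=lambda e: parse_time(e["time"]))


def session_events(events, logon_id):
    """Security events that share one Logon ID, i.e. one logon session."""
    return build_timeline([e for e in events if e.get("logon_id") == logon_id])


def nearby_events(events, host, start, end):
    """Records on the same host inside [start, end] that carry no Logon ID.

    System-log entries such as 7045 cannot be joined on Logon ID, so the
    join key is host plus time window.
    """
    return build_timeline([
        e for e in events
        if e["host"] == host and "logon_id" not in e
        and start <= parse_time(e["time"]) <= end
    ])


def describe(e):
    """One human-readable timeline line per record."""
    detail = {4624: lambda: LOGON_TYPES.get(e.get("logon_type"), "?") + " from " + e.get("src_ip", "local"),
              4688: lambda: e.get("cmdline", ""),
              7045: lambda: f"{e.get('service')} -> {e.get('image')}",
              4720: lambda: e.get("new_account", "")}.get(e["id"], lambda: "")()
    return f"{e['time']} {e['host']} {e['id']} {EVENT_NAMES.get(e['id'], 'Unknown')} {detail}".rstrip()


def investigate(events, logon_id, slack_minutes=5):
    """Correlate one session into a timeline plus analyst findings.

    Returns None when the Logon ID is unknown. Findings are simple, explicit
    checks of the kind an analyst applies by hand; they are not a detection rule.
    """
    sess = session_events(events, logon_id)
    if not sess:
        return None
    host = sess[0]["host"]
    start = parse_time(sess[0]["time"])
    end = parse_time(sess[-1]["time"]) + timedelta(minutes=slack_minutes)
    chain = build_timeline(sess + nearby_events(events, host, start, end))

    findings = []
    logon = next((e for e in sess if e["id"] == 4624), None)
    if logon and logon.get("logon_type") == 10:
        findings.append(f"RDP logon from {logon.get('src_ip')}")
    if any(e["id"] == 4688 and "-enc" in e.get("cmdline", "").lower() for e in sess):
        findings.append("encoded PowerShell command launched")
    if any(e["id"] == 7045 for e in chain):
        findings.append("new service installed during session")
    for e in sess:
        if e["id"] == 4720:
            findings.append(f"new account created: {e.get('new_account')}")

    return {"host": host, "user": sess[0].get("user"), "event_ids": [e["id"] for e in chain],
            "findings": findings, "timeline": [describe(e) for e in chain]}


if __name__ == "__main__":
    result = investigate(SAMPLE_EVENTS, "0x3e7a1")
    print("\n".join(result["timeline"]))
    print("Findings:", "; ".join(result["findings"]))
```

The point of the example is the order of work the post describes: sort first, then pivot on a shared field (here the Logon ID), then widen to records that lack that field by joining on host and time. Each finding is one simple check; the value comes from seeing them in sequence on one host rather than from any single event.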


Getting to know the tools is only one small part of it. The hardest part is using the tools to investigate. It’s like a cop at a crime scene. You get an alert and after securing the scene, you assess what happened. Then comes the evidence gathering, correlating the clues until you can connect the events and identify the suspects (threat actors).

I couldn’t really rest until I had done this exam. BTL1 was definitely a challenge, and I’m proud to say that I beat it. Now, I can focus on my next certification: eJPT from INE.