Took my GCIH for the second time last Thursday and passed with a 79. Honestly didn't think I'd make it after failing at 68 the first go-round, so I want to share what made the difference this time around for anyone grinding through the same material.
The biggest change was how I approached incident handling scenarios. First attempt I memorized definitions and thought that'd be enough. It wasn't. GIAC wants you to think through the process — containment before eradication, documentation at every stage, that kind of thing. I found a solid GCIH practice test that actually simulated the scenario-based questions, which was way more useful than flashcards. Combined that with the SANS SEC504 GCIH study guide materials and started making sense of topics like buffer overflows and lateral movement that seemed abstract before.
Spent about 6 weeks studying the second time, probably 90 minutes a day on weekdays and 3-4 hours on weekends. If you're just starting out, my biggest exam tips: don't skip the network forensics section, and practice reading packet captures until it feels automatic.