u/AdFederal497

▲ 26 r/GIAC

I just passed the exam a few hours ago, so here is my initial reaction while it is fresh in my mind, as well as what my prep was like:

-I found the exam to be very comparable to the two practice exams. Those were my guide/measuring stick for cleaning up my index and putting together my notes for the CyberLive portion of the exam.
-I did better on the actual exam than the practice exams! SEC504 was my first SANS course, so I was new to SANS and GIAC material and exams, but my approach was to watch all the videos, read the books, and do all the labs at least once, THEN index the books as a way of basically re-reading everything. At that point, I was about a month out from my exam, so I took the first practice exam without completed notes from the labs and I got a 62%! I only got half the CyberLive correct, so I had a lot to do to clean that up!
-I had a coworker who has several GIACs tell me not to worry, and that they had never passed the first practice exam, and they never failed an actual exam. So I kept on...
-I then spent significant time putting together careful notes and commands from ALL of the labs (not Hayabusa... I took my chances with that...), and then I made some adjustments to my index based on notes I took during the first practice exam (terms I had difficulty finding or wasn't able to find at all).
-I took the 2nd practice exam one week before the actual exam, and I had been sick so I hadn't studied AT ALL for at least 2 days beforehand, but I didn't want to wait any longer to take the second practice exam, so I had a little bit of brain fog. I ended up with a 79%, but I felt significantly more confident, having missed only 1 CyberLive question (which was more user error than my preparation, but whatever).
-After that, I reviewed my index to make a few more adjustments, which ended up being just over 300 entries.
-I went through my lab notes and re-did a few labs for what I thought would most likely be on the exam (I was pretty close), and for the sections I felt very confident with (Smbclient, Metasploit persistence, Nmap) I did not re-do the labs; I just reviewed my notes.
-I then put everything in a Word doc and sent it to Office Depot, who put everything in a nice spiral notebook for me (cost was around $30).
-I tabbed my notebook alphabetically for the index (which included a smaller Lightning Lab index) and I tabbed each tool/technique for the CyberLive notes. This made for an easy-to-carry option which was very easy to work with for the actual exam.
-As far as exam questions: I found them to be pretty easy to understand. There were a couple of curveballs in there where I had to spend a little time making sure I was actually understanding the question and identifying the RIGHT key word. There were several questions where I knew the answer without needing to reference my index. It took me right around 2 hours to get through the 95 MCQ.
-I had 11 CyberLive questions, and there were a couple that required me to play around a little bit, but I honestly made a couple of the questions more complicated than they actually were (good thing I got them all right!). But my main takeaway for these is DO THE LABS AND TAKE NOTES and they are VERY comparable to the practice exams. Just don't overthink it, and you will be fine.
-According to my results I completely missed every question about SMB Security, then went on to ace the SMB CyberLive question(s)... yeah, I don't know. I must have misread something.... I don't even remember getting any SMB security questions... maybe it will come to me eventually.

Finally, the course was awesome. I have several certifications, and honestly this is the first time I have walked out of a certification exam having felt like I really learned something. This was course 1 in the Graduate Certificate program for Incident Response, and next up is FOR500 + GCFE. But first, I am taking some time off and will take care of all the stuff my wife wanted me to do while I was studying lol.

u/AdFederal497 — 16 days ago