How to Prepare for the Applied Knowledge Exams

Applied Knowledge Exam Readiness

Test ReadinessDemo Set & ExtensionsTaking Your Exam

GIAC Applied Knowledge Test Readiness

Are your cybersecurity skills more advanced than your peers? When considering the Applied Knowledge Certification exams, it is important to recognize that the advanced hands-on difficulty in these exams is not for everyone. Applied knowledge exams are designed to test an individual's ability to apply what they have learned in real-world situations. These exams are very challenging and separate those that are truly the best from the rest of the crowd.

Study Guide Infographic

Be Prepared!

There are many components to preparing for an Applied Knowledge Certification exam. Hands on experience in addition to text book knowledge are both important.

View Graphic

Demo Question Set

The Demo Question Set provides a way to experience the intensity of the Applied Knowledge exam. If the question set is purchased multiple times for the same certification exam, some duplicate questions will be received. These questions are not meant to be a study tool or to determine if you are prepared for the exam.

470x382-sample-job-description-6.jpg

Exam Extensions

Get extra time to prepare for your GIAC Applied Knowledge Exam.

Purchase
470x382-sample-job-description-2.jpg

Exam Day Tips

Make sure to have your index, textbooks, and any other printed materials you might need with you whether you’re testing remotely or at an in-person center. Find out more about scheduling and exam day policies.

Scheduling Guide Day of Exam Information

FAQs GIAC Applied Knowledge Exam Preparation

  • Check out our preparation tips here.

  • Three. The same three questions are provided with each purchase.

  • You can purchase demo questions here. Three questions are provided at a cost of $39. If more than 1 demo question set is purchased, some questions will be repetitive.

  • Once purchased, Demo Questions can be accessed in the Assessments section of your GIAC Certifications Portal.

  • Demo Questions are available in your account for 10 weeks after purchase.

  • Demo Question purchases are non-refundable and non-transferable.

  • The best path forward is to mentally review your exam. Spend more time preparing in areas where you struggled before you schedule a retake. Review the retake policy.

  • The available demo questions for the GX-CS exam are as follows:

    1) According to an organization's DLP log, an employee's Windows SAM file was exported from her computer to an external network. The IT department has provided you with the Windows Defender Windows Event Log from her computer. The file is here: C:\Users\Candidate\Desktop\saddle-399340\felicia.txt. What time did Windows Defender first detect the tool that was most likely used to collect the SAM file?

    2) For your reference, the information below is in C:\Users\Candidate\Desktop\freeman-401700. What is the user name for the account whose SID is S-1-5-21-3427320942-3493994598-3580344411-1003?

    3) The directory /home/giac/PasswordCracking/Addnumbers has a Linux passwd file, shadow file, and a wordlist, sqlmap.txt. Use hashcat with the wordlist to crack the passwords in the shadow file. What is the number resulting from of adding the last digit of each of the eleven crackable passwords together?Use pw-inspector to reduce the wordlist to only passwords with 12 characters that use numbers, lowercase, and uppercase letters. The passwords do not contain characters from the special or printable character sets.

    4) The file ~/capture.pcap was captured from a corporate network environment. What version of python is supporting the second web server running on 192.168.26.146?

    5) Examine the processes created by the open applications on the workstation. A pirated DLL injector was run on the the machine that employed signed dlls renamed to words beginning with the letter "b". Be sure to open Process Hacker 2 as admin using username: giac and password: giac. What is the original filename of the dll injected into mspaint.exe from the attacker's file folder?Note: You are performing an initial examination of the workstation as is - try not to disrupt any processes as you perform your investigation.

    During the demo exam you will be provided with the VMs to interact with and answer options to help you verify if you can fully do the work needed to solve the questions.

  • The available demo questions for the GX-IA exam are as follows:

    1) The file named top-secret.png was uploaded to the site http://tinypic.com and the traffic was captured in the PCAP file GSE-HTTP-topsecret.pcap. The web server changed only the name of the file when returning the file to the host during the data transmission. What is the new name of the file provided in the URL download link returned by the web server after the file was uploaded to the web site?

    2) Which packet number in /home/giac/artifacts/elves.pcap is evidence that the attempted shellshock exploit was successful?

    3) Navigate to ~/artifacts/ and use the .log file to decrypt TLS in encryptedStuff.pcapng. How many streams (tcp.stream udp.stream) were decrypted using the provided keys?

    4) Using the file, /home/giac/monterey/email.silk, which is the daily byte count on 10/11/2018 for email activity on the 192.168.2.0/24 network?

    5) Using the files located in the /home/giac/springdale/zeeklogs and /home/giac/springdale/zeeklogs/extract_files directories, what data is being displayed in the mindclone.php upload?

    114.165.143.153 48991 10.10.10.5 80 POST /upload.php

    114.165.143.153 48992 10.10.10.5 80 GET /uploads/team10.jpg

    114.165.143.153 48993 10.10.10.5 80 POST /upload.php

    114.165.143.153 48994 10.10.10.5 80 GET /uploads/inoshikacho.txt

    114.165.143.153 48995 10.10.10.5 80 POST /upload.php

    114.165.143.153 48996 10.10.10.5 80 GET /uploads/expansion.php

    114.165.143.153 48997 10.10.10.5 80 GET /upload.htm

    114.165.143.153 48998 10.10.10.5 80 POST /upload.php

    114.165.143.153 48999 10.10.10.5 80 GET /uploads/mindclone.ph

    114.165.143.153 49000 10.10.10.5 80 POST /upload.php

    During the demo exam you will be provided with the VMs to interact with and answer options to help you verify if you can fully do the work needed to solve the questions.

  • 1) An attacker has compressed and encoded a picture in a file called "secret".

    Inspect the contents of the file /root/offbeat-398660/secret to determine how the attacker encoded it, and extract the image. The tool used to compress the image can also extract the image.

    What letter is shown in the image?

    Note: To view the image once you have extracted it, open it with xdg-open or a browser.

    2) For your reference, the URL and schema below are in /giac/cold-402215. A PHP webpage that is vulnerable to SQL injection and is located at http://GSE-SQLTarget/badphp2.php?id=10001. A partial map of the schema for the database is below. How many records in the database have the first name Elliott?

    3) The server at 192.168.1.12 hosts the website http://thejeffs.org and has recently been scanned for vulnerabilities. A list of several findings is provided in the file C:\Users\Candidate\Desktop\thejeffs_scan_2.txt. The Windows host has a variety of tools installed for scanning and the WSL bash subsystem to help with identification confirmation tasks. Which of the following findings still exists on the server?

    4) Access 192.168.1.101. Another attacker previously compromised it and tried to establish persistence. What site did they use? Hint: The wordlist on the Desktop may be helpful.

    5) Log on to the Debian host with username "root" and password "root". Edit the iptables firewall rule script /root/giac/ip_fw.sh to block inbound FTP, TCP port 21, on the local host (192.168.101.100).Once the rule has been written, run the ip_fw.sh script then launch netcat to connect to the host 192.168.101.200 on TCP port 8081. Which color is returned in the netcat session? Enter the color name in the text box.

More FAQs