How to Prepare for the Applied Knowledge Exams

Applied Knowledge Exam Readiness

GIAC Applied Knowledge Test Readiness

Are your cybersecurity skills more advanced than your peers? When considering the Applied Knowledge Certification exams, it is important to recognize that the advanced hands-on difficulty in these exams is not for everyone. Applied knowledge exams are designed to test an individual's ability to apply what they have learned in real-world situations. These exams are very challenging and separate those that are truly the best from the rest of the crowd.

Study Guide Infographic

Be Prepared!

There are many components to preparing for an Applied Knowledge Certification exam. Hands on experience in addition to text book knowledge are both important.

Demo Question Set

The Demo Question Set provides a way to experience the intensity of the Applied Knowledge exam. If the question set is purchased multiple times for the same certification exam, some duplicate questions will be received. These questions are not meant to be a study tool or to determine if you are prepared for the exam.


Exam Extensions

Get extra time to prepare for your GIAC Applied Knowledge Exam.


Exam Day Tips

Make sure to have your index, textbooks, and any other printed materials you might need with you whether you’re testing remotely or at an in-person center. Find out more about scheduling and exam day policies.

FAQs GIAC Applied Knowledge Exam Preparation

  • When purchasing a demo question set, three questions are included. Retaking the same demo will result in repeat questions being seen.

    When purchasing an Applied Knowledge Certification attempt, no demo questions are included.

  • You can purchase demo questions here. Three questions are provided at a cost of $39. If more than 1 demo question set is purchased, some questions will be repetitive.

  • Once purchased, Demo Questions can be accessed in the Assessments section of your GIAC Certifications Portal.

  • Demo Questions are available in your account for 10 weeks after purchase.

  • Demo Question purchases are non-refundable and non-transferable.

  • The best path forward is to mentally review your exam. Spend more time preparing in areas where you struggled before you schedule a retake. Review the retake policy.

  • The available demo questions for the GX-CS exam are as follows:

    1) According to an organization's DLP log, an employee's Windows SAM file was exported from her computer to an external network. The IT department has provided you with the Windows Defender Windows Event Log from her computer. The file is here: C:\Users\Candidate\Desktop\saddle-399340\felicia.txt. What time did Windows Defender first detect the tool that was most likely used to collect the SAM file?

    2) For your reference, the information below is in C:\Users\Candidate\Desktop\freeman-401700. What is the user name for the account whose SID is S-1-5-21-3427320942-3493994598-3580344411-1003?

    3) The directory /home/giac/PasswordCracking/Addnumbers has a Linux passwd file, shadow file, and a wordlist, sqlmap.txt. Use hashcat with the wordlist to crack the passwords in the shadow file. What is the number resulting from of adding the last digit of each of the eleven crackable passwords together?Use pw-inspector to reduce the wordlist to only passwords with 12 characters that use numbers, lowercase, and uppercase letters. The passwords do not contain characters from the special or printable character sets.

    4) The file ~/capture.pcap was captured from a corporate network environment. What version of python is supporting the second web server running on

    5) Examine the processes created by the open applications on the workstation. A pirated DLL injector was run on the the machine that employed signed dlls renamed to words beginning with the letter "b". Be sure to open Process Hacker 2 as admin using username: giac and password: giac. What is the original filename of the dll injected into mspaint.exe from the attacker's file folder?Note: You are performing an initial examination of the workstation as is - try not to disrupt any processes as you perform your investigation.

    During the demo exam you will be provided with the VMs to interact with and answer options to help you verify if you can fully do the work needed to solve the questions.

  • The available demo questions for the GX-IA exam are as follows:

    1) The file named top-secret.png was uploaded to the site and the traffic was captured in the PCAP file GSE-HTTP-topsecret.pcap. The web server changed only the name of the file when returning the file to the host during the data transmission. What is the new name of the file provided in the URL download link returned by the web server after the file was uploaded to the web site?

    2) Which packet number in /home/giac/artifacts/elves.pcap is evidence that the attempted shellshock exploit was successful?

    3) Navigate to ~/artifacts/ and use the .log file to decrypt TLS in encryptedStuff.pcapng. How many streams ( were decrypted using the provided keys?

    4) Using the file, /home/giac/monterey/, which is the daily byte count on 10/11/2018 for email activity on the network?

    5) Using the files located in the /home/giac/springdale/zeeklogs and /home/giac/springdale/zeeklogs/extract_files directories, what data is being displayed in the mindclone.php upload? 48991 80 POST /upload.php 48992 80 GET /uploads/team10.jpg 48993 80 POST /upload.php 48994 80 GET /uploads/inoshikacho.txt 48995 80 POST /upload.php 48996 80 GET /uploads/expansion.php 48997 80 GET /upload.htm 48998 80 POST /upload.php 48999 80 GET /uploads/ 49000 80 POST /upload.php

    During the demo exam you will be provided with the VMs to interact with and answer options to help you verify if you can fully do the work needed to solve the questions.

  • 1) An attacker has compressed and encoded a picture in a file called "secret".

    Inspect the contents of the file /root/offbeat-398660/secret to determine how the attacker encoded it, and extract the image. The tool used to compress the image can also extract the image.

    What letter is shown in the image?

    Note: To view the image once you have extracted it, open it with xdg-open or a browser.

    2) For your reference, the URL and schema below are in /giac/cold-402215. A PHP webpage that is vulnerable to SQL injection and is located at http://GSE-SQLTarget/badphp2.php?id=10001. A partial map of the schema for the database is below. How many records in the database have the first name Elliott?

    3) The server at hosts the website and has recently been scanned for vulnerabilities. A list of several findings is provided in the file C:\Users\Candidate\Desktop\thejeffs_scan_2.txt. The Windows host has a variety of tools installed for scanning and the WSL bash subsystem to help with identification confirmation tasks. Which of the following findings still exists on the server?

    4) Access Another attacker previously compromised it and tried to establish persistence. What site did they use? Hint: The wordlist on the Desktop may be helpful.

    5) Log on to the Debian host with username "root" and password "root". Edit the iptables firewall rule script /root/giac/ to block inbound FTP, TCP port 21, on the local host ( the rule has been written, run the script then launch netcat to connect to the host on TCP port 8081. Which color is returned in the netcat session? Enter the color name in the text box.

  • 1) According to the evidence located in the E:\Sunflower directory, an executable with the same name as a legitimate Windows binary was run, but it was not in its expected path. What is the file size in bytes of the executable?

    2) Which method was used by the attacker to gain access to the j3Games Win10_1 host on 2023-03-01 at approximately 11:10AM PST (UTC -8)? Folders containing the disk image files, KAPE triage collection, timeline and memory files are located in E:\j3Games and can be accessed using the WSL bash shell in the /mnt/e/j3Games.

    3) What drive letter was assigned to the successful remote network share connection established between Win10_1 and Win10_2?
    Windows file location: E:\j3Games
    Windows WSL bash file location: /mnt/e/j3Games

    4) A Meterpreter session was running on the Win10_3 host during time the memory was collected. What is the destination port for the connection?
    Provide the answer in numerical format only, for example 12345.
    The artifacts are in the folder E:\Win10_3.
    Volatility 2 (  and Volatility 3 ( can be executed directly from the Windows command line.

    5) Examine the data collected from the J3Games Win10_2 host. A program was run by cfinch at 18:25:24 on 2023-03-01. Which DLL was referenced by this program at runtime?
    Folders containing the disk image files, KAPE triage collection, timeline and memory files are located in E:\j3Games and can be accessed using the WSL bash shell in the /mnt/e/j3Games.