AboutDFIR.com – The Definitive Compendium Project
Digital Forensics & Incident Response

Preparing for a GIAC Test….This is not the CISSP

I’m late for the day! Largely because my city’s “summer festival” was last night and I was out with friends, so blame them…not me 🙂

This is a topic that has been touched on by others, such as my good friend Lesley in her article on making a good index for a GIAC exam. Lesley’s template is still something I use; over the course of my cert attempts I’ve just tweaked it ever so slightly to fit my own study habits. So don’t get me wrong! I find her advice to be very fitting, I’m just giving you Tony’s template. Also, I get that certs like CEH or CISSP are still highly sought after within the field and by employers. But I am also an advocate of the view that brain-dumping for a test typically doesn’t help a person later in their career once they have the cert. Knowing how to keep doing something is much more meaningful to me. Hence why I am a strong advocate for GIAC certs over some of the others. People think these tests are easy…but I can promise you (especially if you’re a manager or employer reading this and doubt them) they are not easy tests once you factor in the constraints placed on them!

At the time of writing this, I have 7 GIAC certs (GCFA, GCIH, GPEN, GLEG, GMOB, GASF, GAWN), with hopefully another 3 or 4 coming this year. The GI Bill is something that is amazing! I’ve TA’ed the mobile courses (SEC575 and, shortly, FOR585) and the Legal course, and I’ve sat through multiple instances of many of the other courses as well.

Disclaimer: Don’t ask me for my Indexes or what material is covered in the exams. I should not have to explain why.

So what about the tests? If you have not taken a GIAC test yet, I’ll give you a quick rundown. They are open book, open note, open textbook. You cannot bring electronics into the testing facility and you cannot bring copies of the test or any renditions of the test. This means that if you violated GIAC’s notice while taking a practice test and took screenshots or anything of the test materials, you ain’t bringing that stuff with ya!

The tests range in length and time. I think GSEC is still the longest at 5 hours, and the shortest are 2 hours for an assortment of specialty ones. The standard for the most popular certs is usually in the 3 hour, 115 question range. You can always go to the GIAC website and see exactly how many questions there are, how much time you get and, most importantly, what percentage you need to pass. The passing score changes based on how many people are passing and failing, so keep an eye on it if you’re waiting to take the cert! It may change for better or for worse.

First, the books themselves: 

So you took a SANS course, whether live or distance learning, and you’re sitting here staring at your probably 5-6 books…now what?

This feels like a daunting task after you’ve just listened to an instructor talk for probably 46 hours about this material! And you’re still trying to remember that info too!! Take a deep breath, it is going to be okay. Yes, within your books you probably have 1000+ slides of material. The worst part is that while you were listening to the instructor, you probably didn’t notice or read the notes portion under each slide in the books.

Let’s talk about that for a minute. If you are attending in person, I would almost urge you to only open the books if you fully intend to take notes while the instructor is talking. Otherwise, honestly, you are probably not going to spend a lot of time staring into them while the instructor is talking. You will be more engrossed in what is on the projector, or in their own stories of how running Metasploit against a customer ended up taking the whole web server down. But again, that is just me. To me the most important book while taking the class is the Workbook, the one with the exercises in it. Don’t forget that one!

Now the course is over and you’re at home. You need to get three things before you start looking at the material:

These three things are going to be your best friend for about the next 2 weeks or so. Now you are going to read the notes section of every single one of those slides. You are going to highlight any area within the slide that defines things like what a tool does, what an exploit does, what a concept or artifact is, etc. You are going to use the post-it flags to annotate things like Tools, Exploits, Artifacts, etc. Yes, this is tedious. Yes, it will make your eyes hurt. But this is probably the most important thing that you can do, even more than the index we will talk about shortly. Remember that the test is timed. In most cases you’ll average about 90 seconds per question. If you are looking this stuff up feverishly, you will not have enough time. Period. Being able to work from memory is going to help out more than you know.

A single read-and-mark pass through 5 books will probably take you about 14 days if you are fully absorbing the information and annotating properly. Take. Your. Time. It will be super important here shortly…

Do I need to know the Labs??

YES! You had better know the ins and outs of the labs you are presented with in class. And no, I’m not just talking about looking at the answer portion of the labs and running through it quickly. Know what the tools are. Know what you are looking at and what it means. For example, if I were to give you a tcpdump output, could you determine what was going on just by looking at it? If not…you had better go back to that portion of your class or do external research until you understand it. This will also come into play when we start talking about the index.

So what about this Index you keep talking about? I thought SANS provided one now? 

Yes, in almost every class you’ll get an index that SANS created. However, there are three reasons the instructors and others push so hard for you to make your own.

Reason 1: It gets you into the material so YOU know where it is
Reason 2: Do you really want to trust something that someone else made with how often the materials change for these courses?
Reason 3: SANS does not make the GIAC tests

So yes, make sure you do take theirs with you to the cert attempt, but do not rely on it to be your “end all, be all” index. It won’t be in your words, and there is a good chance it isn’t 100% accurate on page numbers.

The Index:

Time to make the index. Here is the thing before you start: you need to have a plan for this, because it is going to be more than just which book and page something is on. For the best way to do that, I would strongly urge you to use Lesley’s method of building it in Excel and then importing it into MS Word, and layer the rest of my suggestions on top. Her way is just the best way to do it, so I’m not going to try to reinvent the wheel! You are going to break this thing down into sections, just like a research paper. Remember what I said at the beginning of this post: the tests are open note. You have free rein with what you wish to put into this thing so long as it doesn’t violate the testing center’s or GIAC’s rules and code of conduct.

That is an example of my Table of Contents from one of the courses. And no, that was not all the pages for that one either; it actually went to 60. Now, there is a method to the madness for this thing. For starters, I barely even need to use an index when using this methodology, because I’ve been so deep into the material I just KNOW where the subject is within the books. At this point you should have already 1) taken the course, 2) read through it once, 3) done the labs 2 or 3 more times and 4) gone through the books again to start making this index.

Again, remember this is in your words and this is open note! So, with my example of tcpdump, if you are having a hard time remembering what the flags are within the output from the tool, take a screenshot of an example, mark it up and put it in your index! You’ll always be able to refer to it this way. In fact, for classes that are command line heavy, I would say take a screenshot of the output of all those tools and have them in your index. You’ll find it MUCH quicker in this index than you will in the books. Remember, most of these SANS books are between 150 and 250 pages. Your index is going to be between 30 and 60 pages. Which one is quicker to go through when you’re on the clock?

Also consider putting things like definitions and specific artifact locations in one area of the index so they can be quickly referenced. Those cheat sheets they give ya (don’t forget those!) are typically online via the SANS portal, and you can just import them into MS Word and include them in your index! Easy peasy, and you don’t have to worry about forgetting them by accident. Additionally, if you’re having trouble remembering what a tool does, go find the man page online and just add it to the index! I needed this for things like nmap, where there are about 100 different options that can be used to get results. And yes, it came in handy!
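Lesley’s Excel-then-Word method sorts your entries for you; what a plain spreadsheet sort does not do is merge the same term when you typed it with different capitalization on different days, or when it shows up in several books. The script below is an added example, not part of this post or of Lesley’s template: it takes entries in the shape term, book, page, note (a column layout assumed here; the sample rows are constructed for the demonstration) and emits one alphabetized line per term with its page references grouped by book, ready to paste into the Word document.

```python
"""Merge GIAC index entries (term, book, page, note) into one alphabetised index.

Added example, not part of the original post or of Lesley's template.
The CSV column names and the sample rows below are assumptions made for
this demonstration; export your own spreadsheet in the same shape.
"""
import csv
import io
from collections import defaultdict

# Constructed sample input: the kind of rows you type during the read-and-mark pass.
SAMPLE_CSV = """term,book,page,note
tcpdump,2,45,output flags
Nmap,3,12,scan types
nmap,3,14,-sS vs -sT
tcpdump,2,47,read pcap with -r
SQLi,4,88,UNION-based
sqli,4,91,blind
Nmap,5,7,scripting engine
"""


def load_entries(text):
    """Parse CSV text into (term, book, page, note) tuples with int book/page."""
    reader = csv.DictReader(io.StringIO(text))
    return [
        (row["term"].strip(), int(row["book"]), int(row["page"]), row.get("note", "").strip())
        for row in reader
    ]


def build_index(rows):
    """Group entries by term (case-insensitive) and then by book.

    Returns {canonical_term: {book: [(page, note), ...]}} with pages sorted.
    The canonical spelling of a term is the first spelling seen in the input.
    """
    canonical = {}                                   # lowercase -> first spelling seen
    index = defaultdict(lambda: defaultdict(list))   # term -> book -> [(page, note)]
    for term, book, page, note in rows:
        key = term.lower()
        canonical.setdefault(key, term)
        index[canonical[key]][book].append((page, note))
    for books in index.values():
        for pages in books.values():
            pages.sort()
    return index


def format_index(index):
    """Render one line per term, e.g. 'tcpdump | B2: 45 (output flags), 47 (...)'.

    Terms are sorted case-insensitively so 'Nmap' and 'tcpdump' interleave correctly.
    """
    lines = []
    for term in sorted(index, key=str.lower):
        refs = []
        for book in sorted(index[term]):
            pages = ", ".join(f"{page} ({note})" if note else str(page)
                              for page, note in index[term][book])
            refs.append(f"B{book}: {pages}")
        lines.append(f"{term} | " + "; ".join(refs))
    return lines


if __name__ == "__main__":
    for line in format_index(build_index(load_entries(SAMPLE_CSV))):
        print(line)
```

Export the spreadsheet as CSV, feed it to load_entries, and paste the output of format_index into the index document. Because the merge is case-insensitive, “Nmap” and “nmap” land on one line even if they were flagged in different books, which is exactly the lookup you want when the clock is running.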

Okay so you have Index Beta version completed, now what?

Now is when you take the first practice test that GIAC provides to you. And here is where my ideology differs from many….don’t use your books at all. The point of this first practice test is to see what you actually know from the course and the material. You may fail it. But it is a practice test; don’t stress out about this. Make sure you click to see the answer regardless of whether you answered it right or wrong. If you end up guessing on a question, make sure you understand why you got it “lucky right” too. For whatever you get wrong, make sure you write a note about things to study. If you are seeing that your SQLi questions are always wrong, make a note that you may need to dig a little deeper into the material to understand it better. This will also help you get used to working under the timed test parameters.

Once you’ve completed the test, screenshot the results that show you the stars indicating how well you did on each section of the syllabus, and close out your browser. Now it’s time to compare the syllabus from the GIAC site against your results to find the areas you struggled on. Go back into the materials and make sure you hit those sections even harder in your index. Index every dang word that looks to be important or that you can recall from the practice test. Put new sections in your index on that material if you were getting something wrong because you couldn’t recall what you were looking at.

Practice Test 2: 

At this point your index should be pretty much shored up. Your books are annotated and highlighted. Now it is time to see how prepared you really are going to be. Take this practice test with all your books and your index. Keep it turned on to show you the answer regardless of whether it is right or wrong, to help you understand why you got it wrong or why you got lucky right. Make notes on what you were deficient on. What you need to do after the test depends on your score. If you’re scoring around 80 percent on the test, you are probably okay to relax a bit and just brush up on some areas. If you’re below that, you’ll probably want to go back through the material and labs on those sections in much more depth to really shore yourself up. If you want to buy another practice test, you can for something like $150 in your SANS portal. But I caution against that practice, as these are typically retired questions, so the odds you’ll see them on your test are going to be pretty darn rare. Don’t memorize answers to these because it’ll only hurt you when you take the real thing.

So you’ve taken both Tests and the Index is ready! Now what?

Do yourself a favor and don’t just print this thing out at home and bring it loose leaf to the testing center. If you’re in the States, go to UPS/FedEx/Kinkos or somewhere and have them actually bind it. I use UPS and it is usually about $20 for a colored copy of the index. The reasoning for this is that it’ll make it easier to carry and you won’t have to worry about losing pages….and most importantly….you will always have a “quick reference” book at your workplace that doesn’t require you to dig through your 6 SANS books every time you are looking for an answer to a real world situation.

And that is it, folks! None of this is absolutely revolutionary, but it is something that I feel prepares you much better for these tests than just building an index and going in with that. In my experience you’ll understand the material so much better, and it will make you so much stronger in your day job because of it. I wish you all the best of luck!
