Archive for December, 2015

Starting study plan for GSE 2-day lab

I’ve slacked off the past two weeks after the written test. Between the end of the semester and taking the GSE written, I felt like I had earned some time off. I may not get started this weekend, but I do want to formulate my plan of attack for the lab in March.

I have Kali 1.0, but needed Fedora 20 (torrent link HERE:

I’ve started trawling through the giac-study Google group e-mails I’ve collected for GSE lab tips and tricks – there is some good (dated, but good) stuff in there. A notable quote: “If you don’t do IR as a day job, then continuous hands-on practice is the only way to pass the two day exam. Practice all the hands-on labs until you can do them without the books”. Another suggests making sure you are especially familiar with Wireshark (including extended features, analysis and extraction abilities), Metasploit (including the tasks performed in the lab sessions of GCIH), and command line tools. Suggestions for practice from various sources; the list below is mostly packet analysis/network forensics based, the topic I feel weakest on:

A big list of pcap files to look at/analyze from CTF events, honeypots, etc:

Cheat sheets:

Additional education training/videos:

Additional challenges, including walkthroughs (not free, don’t know much about this other than they run a contest at DefCon):

My first order of business is to improve my packet analysis skills. I can do some generic BPF filtering, but I’m still fuzzy on the additional features of Wireshark and tshark… I also need to get SiLK and Bro better in my head – specifically when, where, and how to use them.

Passed SANS GSE written!

Just got back from taking the test. Scored a 94.6% with 20 min left. The test was 150 questions with a 3-ish hour time limit (I forget if it was 3 or 3.5 hr). The study plan was to get a 91%, so I’m pleasantly surprised. The minimum passing score is somewhere in the mid-70s, but I wanted plenty of wiggle room for the lab portion of the exam, and what GSE would want to pass with the bare minimum? The first half hour of the test was the most stressful. After that, I hit my stride and methodically worked through it, checking my time remaining at every checkpoint to make sure I wasn’t taking too long looking up items to verify my answers. If you have ever taken a GIAC test, you know that you get checkpoint scores every so often…

At any rate, you now know the materials I used to study, what I brought with me and how I created my index for the written portion of the SANS GSE. Good luck to you!

Now the real preparation begins – for the GSE lab, hopefully in March 🙂
