Introduction
After passing the GIAC Experienced Forensics Analyst (GX-FA) exam back in September 2023, I was officially on the path to become GIAC Security Professional (GSP) certified and needed just one more GIAC Applied Knowledge certification to achieve this milestone. It was because of this that I opted to take a shot at the newly available GIAC Experienced Forensics Examiner (GX-FE) exam which was released to the public on September 13, 2024. After the rewarding experience I had taking the GX-FA exam, I knew I would revisit another GIAC Applied Knowledge certification exam in the near future and so this was the perfect exam for me to attempt to conquer.
GIAC Applied Knowledge Certification Recap
Before diving into the prep I took to pass this exam, let’s do a quick recap of the GIAC Applied Knowledge Certifications that GIAC introduced in 2023 for folks that still aren’t familiar with them. GIAC now has a total of six Applied Knowledge Certifications listed below:
- GIAC Experienced Forensics Examiner (GX-FE)
- GIAC Experienced Cybersecurity Specialist (GX-CS)
- GIAC Experienced Forensics Analyst (GX-FA)
- GIAC Experienced Intrusion Analyst (GX-IA)
- GIAC Experienced Incident Handler (GX-IH)
- GIAC Experienced Penetration Tester (GX-PT)
These certifications were designed for folks looking for a new challenge and to take their skills to the next level. Each of these certifications has a previous counterpart; these counterparts are referred to as GIAC Practitioner Certifications and are listed below:
- GIAC Certified Forensic Examiner (GCFE)
- GIAC Security Essentials (GSEC)
- GIAC Certified Forensic Analyst (GCFA)
- GIAC Certified Intrusion Analyst (GCIA)
- GIAC Certified Incident Handler (GCIH)
- GIAC Penetration Tester (GPEN)
These are the certifications that folks are most familiar with and are highly recommended to take before considering taking any of the previously listed GIAC Applied Knowledge Certifications.
The prices are also different for the Applied Knowledge exams. Each exam is priced at $1299 USD and discounted to $499 USD if you have an active primary fit GIAC Practitioner Certification (i.e. you pay $499 USD for the GX-FA exam if you hold an active GCFA certification.) This differs from the GIAC Practitioner exams where each exam is typically priced at $979 USD. You can find the full list of the GIAC exam price breakdown that I have curated here.
GX-FE Exam Overview
As for the GX-FE exam itself, the exam is structured similarly to the GX-FA exam, which consists of 25 CyberLive Questions (Lab Hands-On) with 4 hours to complete. As listed on the GIAC GX-FE page, the areas covered for the exam are as follows: Identifying Evidence of Application Execution, Proving Existence of Files and Recovering Deleted Artifacts, Cloud Storage Artifact Analysis, Profiling System Configurations, Investigating Network Activity and Tracking Physical Device Locations, Investigating File and Folder Interactions, Investigating Browser Activity, Profiling Account Usage, and Investigating External Device and USB Activity. As with any GIAC exam that you have taken before, this exam is no different in that you are allowed to bring SANS books, posters, indexes, notes, etc. to the exam. You are also provided with a VM that has all of the tools you will need to successfully answer each question.
GX-FE Recommended Prerequisites
I previously covered in depth the big changes from the typical GIAC Practitioner Certification exams compared to the GIAC Applied Knowledge Certification exams in my blog GX-FA Exam: My Experience for those that want a refresher. Before taking this exam, it is highly recommended to take what SANS considers its “primary fit course”, which is FOR500: Windows Forensic Analysis, and aim to earn the GIAC Certified Forensic Examiner (GCFE) certification. This will provide you with the foundational knowledge you will need to realistically have a good chance of passing this exam, as the GCFE exam includes CyberLive questions that cover similar topics in the GX-FE exam.
In addition to taking FOR500, it is highly recommended to purchase Demo Questions to help you prepare for the GX-FE exam. These are somewhat similar to the Practice Questions that GIAC offers for the Practitioner Certification exams, albeit a lot more affordable and with a lot fewer questions. Keep in mind, these Demo Questions are not included with a purchase of the GX-FE exam. For the GX-FE Demo Questions, they consist of 3 CyberLive questions at a price of $39 USD. I purchased 2 sets of these demo questions which I feel gives you a better sample size of what questions to expect on the GX-FE exam, at an affordable price.
GX-FE Preparation
As for the preparation, outside of having previously taken FOR500 in August 2020, passing the GCFE exam in January 2021, and purchasing 2 sets of the demo questions for the GX-FE, I also took 13Cubed’s Investigating Windows Endpoints course back in 2023 and strongly recommend taking this course as this has a lot of key topics that are covered in the GX-FE exam. This course also provides a hands-on exercise so you can practice with a Windows forensic image. If you want to practice with additional Windows forensic images, I have curated a list of CTFs and Labs for your benefit here.
I took the first set of 3 Demo Questions on October 29, 2024. For that sitting, I had brought with me my FOR500 index, my FOR500 books (Books 1-3 and 2 workbooks), the SANS Windows Forensic Analysis poster, the 13Cubed Windows Event Log Cheat Sheet, the 13Cubed Windows Registry Cheat Sheet, and the 13Cubed Windows Browser Artifacts Cheat Sheet. I came out with a perfect 5 star rating on this attempt. Do note that the demo assessments do not provide a score and instead just provide the star rating.
I took my second set of 3 Demo Questions the next day on October 30, 2024 and once again produced a 5 star rating. My preparation heading into this attempt did not change and I brought the same materials to this sitting.
By scoring a 5 star rating on both demo question attempts, I felt very confident going into the day of the exam which I had scheduled for the next day on October 31, 2024. Nothing like taking an exam on Halloween! The day of the exam, I had brought the same materials with me that I brought to both demo assessments. I scheduled the exam once again with ProctorU online as this has been the only method I have used to take any GIAC exam as opposed to taking it in person at a testing center. During the exam, keep in mind time will be your biggest hurdle so aim to skip any question you do not have an immediate solution for. Because the exam consists of 25 CyberLive questions for 4 hours, you have an average of about 9.5 minutes to spend on each question. For this exam, I skipped 3 questions towards the beginning and did not take a break as I hit a very solid groove after skipping the 3 questions. By the time I had reached the skipped questions, I had about 45 minutes left to answer them, leaving me with 15 minutes to spend on each question which was more than enough time. I strongly recommend folks skip any question you can’t answer within 9.5 minutes to save more time at the end of the exam for the more difficult questions.
When the exam was over I was excited to see that I had passed and finally obtained the GSP certification moments after.
Conclusion
By taking the courses I have mentioned, purchasing the Demo Questions, practicing with Windows forensic images, and with relevant DFIR work experience, folks will be able to pass this exam without issue. I hope this was a helpful breakdown for those looking to attempt the GX-FE exam and I wish best of luck to anyone who is looking to attempt it. If anyone has any additional questions on how to prepare for this exam please do not hesitate to reach out to me on LinkedIn or Twitter!