The GIAC Linux Incident Responder (GLIR) is currently available for presale and can only be purchased in conjunction with an affiliated course purchase. The certification will be available for general purchase on May 17, 2025.
Areas Covered
- Linux Incident Response, Threat Hunting, and Intrusion Analysis
- Linux File Systems, System Triage, and Evidence Collection
- Linux User Data, Application, and Timeline Analysis
Who is GLIR for?
- Incident Response Team Members
- Threat Hunters
- SOC Analysts
- Experienced Digital Forensic Analysts
- Federal Agents and Law Enforcement
- Red Team Members, Penetration Testers, and Exploit Developers
GLIR With CyberLive
GIAC knows that cyber security professionals need:
- Discipline-specific certifications
- Practical testing that validates their knowledge and hands-on skills
In response to this industry-wide need, GIAC developed CyberLive - hands-on, real-world practical testing.
CyberLive testing creates a lab environment where cyber practitioners prove their knowledge, understanding, and skill using:
- Actual programs
- Actual code
- Virtual machines
Candidates are asked practical questions that require performance of real-world-like tasks that mimic specialized job roles.
Exam Format
- 1 proctored exam
- 82 questions
- 3 hours
Delivery
NOTE: All GIAC Certification exams are web-based and required to be proctored. There are two proctoring options: remote proctoring through ProctorU, and onsite proctoring through PearsonVUE. Click here for more information.
GIAC certification attempts will be activated in your GIAC account after your application has been approved and according to the terms of your purchase. Details on delivery will be provided along with your registration confirmation upon payment. You will receive an email notification when your certification attempt has been activated in your account. You will have 120 days from the date of activation to complete your certification attempt.
Exam Certification Objectives & Outcome Statements
- Analyzing Anti-Forensics Techniques The candidate will demonstrate an understanding of how to analyze common tactics employed by attackers to hide their track including recovering deleted files, and timestamp manipulation.
- Analyzing Linux Application Events The candidate will demonstrate an understanding of how to analyze common Linux application logs including webserver, database server, file sharing, and host firewall logs.
- Analyzing Linux Events The candidate will demonstrate an understanding of how to analyze common Linux events found in the audit log including offline audit logs as well as events found in the journal, through offline analysis, using journalctl, and manual analysis.
- Evidence Collection and Mounting The candidate will demonstrate an understanding of Linux memory management, kernel architecture, evidence collection including physical, virtual and volatile collection techniques. The candidate will also have an understanding of the tools used for collecting and mounting the evidence.
- Incident Response Triage The candidate will demonstrate an understanding of triage concepts to include triage workflows, collecting triage data, and triage collection scripts.
- Linux File System Artifacts The candidate will demonstrate an understanding of Linux threat hunting including recognizing common persistence mechanisms, file modification and within the password file structure.
- Linux File System Fundamentals and Analysis The candidate will demonstrate an understanding of using The Sleuth Kit to analyze a Linux file system artifacts including concepts, terminology, and file system layers.
- Linux Memory and Device Profiling Analysis The candidate will demonstrate an understanding of how to perform live memory analysis as well as performing device profiling including profiling priorities, network profiling and current running binaries.
- Linux OS Event Log Introduction The candidate will demonstrate an understanding of how Linux logs are gathered, analyzed, and managed, to include system, boot, authentication and authorization logs.
- Linux OS File System Structure The candidate will demonstrate an understanding of the Linux file system structure including boot files, libraries, binary files, devices and drivers.
- Linux OS Fundamentals The candidate will demonstrate an understanding of the Linux operating system structure, common distributions, command line basics, and regular expressions.
- Linux Threat Hunting and Incident Response The candidate will demonstrate an understanding of threat intelligence concepts and how to utilize that knowledge to perform threat hunting within a Linux environment. Additionally the candidate will demonstrate an understanding of the incident response process, creating and implementing playbooks, and response workflows.
- Linux Timeline Analysis The candidate will demonstrate an understanding of timeline concepts, types of timelines used, timeline analysis and potential issues specific to Linux operating systems.
Other Resources
- Training is available in a variety of modalities including live training and OnDemand
- Practical work experience can help ensure that you have mastered the skills necessary for certification
- College level courses or self paced study through another program or materials may meet the needs for mastery.
- Get information about the procedure to contest exam results.
Practice Tests
- These tests are a simulation of the real exam allowing you to become familiar with the test engine and style of questions.
- Practice exams are a gauge to determine if your preparation methods are sufficient.
- The practice bank questions are limited so you may encounter the same question on practice tests when multiple practice tests are purchased.
- Practice exams never include actual exam questions.
- GIAC recommends leveraging additional study methods for test preparation.
