Do you have any technique advice for the practical exams?
This is quite a subjective question, but certain pieces of advice have been repeated by CREST members many times:
- Know how your tools work. You will not have time during the examination to learn how a tool works or debug it, so ensure that you are familiar with the operation and nuances of tooling that you use. It is useful to be familiar with multiple methods of performing the same task so that, in the event of an unexpected problem with one tool suite, there is an immediate alternative available.
- Keep your tools up to date, but do not do your first major update the day before the exam. The exams are designed to ensure currency of knowledge, so new techniques and technologies will likely be included. However, performing a major operating system upgrade the day before your exam may cause problems with dependencies and broken tooling.
- Do not depend on the internet. Most CREST practical examinations are open book, in that any reference material (including from the internet) can be used. However, it is faster to have local copies of notes available so that you can quickly refer to them. Having organised notes helps too.
- Ensure you are familiar with your laptop build. A surprising number of candidates have had issues with their operating system; regular examples include manually setting IP addresses or correctly configuring the networking between virtual machines and the base operating system. The exams are built on the assumption that all candidates will be confident in administering their own laptop, and any time spent debugging laptop problems will be at the expense of completing the questions or performing tasks during the exam. Some candidates attempt practical examinations on unfamiliar laptops or platforms, which is hugely disadvantageous to them. This is also unrepresentative of the real world. Candidates who are employed in the security industry would not usually deliver client work on a platform that they are completely unfamiliar with.
- Time management. The exams are designed to assess efficiency and experience in addition to technical capability; spending half an hour on a five-mark question will more than likely result in you running out of time. Unless the exam paper tells you otherwise, aim for roughly one minute per mark and avoid getting fixated on one question at the expense of others.
- Read the full question. A number of candidates answer a question which is slightly different to the one being asked. For example, no marks will be awarded if a candidate writes an IP address down when the question asks for a hostname. All practical exams include a period of time for candidates to familiarise themselves with the examination paper; this should be used wisely. Some candidates use a highlighter to draw their attention to the key elements of the more complex questions.