GCIH Practice Questions: Memory and Malware Investigation Domain
Master the Memory and Malware Investigation Domain
Test your knowledge in the Memory and Malware Investigation domain with these 10 practice questions. Each question is designed to help you prepare for the GCIH certification exam with detailed explanations to reinforce your learning.
Question 1
An incident responder needs to quickly determine if a running process on a Windows machine is malicious. What is the best first step?
Correct Answer: B
Explanation: Looking up the process name and path in an online threat intelligence database is the best first step. It provides quick insights into whether the process is known to be associated with malware. Terminating the process may be premature and could destroy evidence. Memory analysis and full system scans are more time-consuming and should follow initial triage steps.
Question 2
An incident handler needs to triage a suspected ransomware attack. What is the first step they should take to preserve evidence and understand the impact?
Correct Answer: B
Explanation: Capturing a memory image is the first step to preserve volatile data, which can include ransomware processes and encryption keys. Shutting down the system (option A) can result in loss of volatile evidence. Running a decryption tool (option C) is premature and not part of initial triage. Notifying management (option D) is important but should not delay immediate evidence preservation actions.
Question 3
While investigating a suspicious process on a Linux server, you need to determine if it has any hidden modules loaded. Which command should you use first?
Correct Answer: A
Explanation: The 'lsmod' command lists all currently loaded kernel modules, which is useful for identifying hidden or suspicious modules. 'netstat' is for network connections, 'strace' is for tracing system calls, and 'lsof' lists open files, none of which directly identify loaded kernel modules.
Question 4
During an incident response, you suspect a rootkit is hiding processes on a Windows system. What is the best initial tool to use for detecting hidden processes?
Correct Answer: C
Explanation: The Volatility framework is the best initial tool for detecting hidden processes, as it can analyze memory dumps to uncover processes that are not visible through standard tools. Option A, Windows Task Manager, is not effective against rootkits. Option B, RootkitRevealer, is useful for detecting discrepancies but not specifically for hidden processes. Option D, Event Viewer, does not help in identifying hidden processes.
Question 5
An incident handler is tasked with identifying malicious processes on a system. What is the most effective initial action?
Correct Answer: B
Explanation: Using Process Explorer to review running processes is the most effective initial action for identifying malicious activity. It provides detailed information about each process, helping to distinguish legitimate from suspicious ones. Terminating processes (option A) could alert the attacker or cause system instability. Disconnecting from the network (option C) is a containment step but doesn't help with initial identification. System restore (option D) might remove evidence and is not an investigation step.
Question 6
An analyst is responding to a malware incident and needs to determine the parent process of a suspicious executable on a Linux system. What is the most direct command to achieve this?
Correct Answer: B
Explanation: The 'pstree -p | grep
Question 7
You are investigating a potential malware infection on a workstation. The user reported suspicious activity, and you suspect a malicious executable might be running. Using memory forensics, you want to identify any injected code within running processes. Which Volatility command should you use to detect code injection?
Correct Answer: A
Explanation: The 'malfind' plugin in Volatility is specifically designed to identify injected code in process memory, which is a common technique used by malware. The 'psxview' plugin (option B) is used for detecting hidden processes. 'Hivelist' (option C) is used for registry hive enumeration, and 'connscan' (option D) is used for scanning for network connections, neither of which directly detects code injection.
Question 8
You need to quickly identify suspicious network connections on a compromised machine. Which tool would be most effective for this task?
Correct Answer: C
Explanation: Netstat is the most effective tool for quickly identifying active network connections on a machine. It provides immediate visibility into open ports and established connections. Wireshark (option A) is powerful but can be overwhelming and requires capturing packets, which is more time-consuming. Nmap (option B) is used for scanning networks and hosts, not for viewing active connections on a local machine. Exiftool (option D) is irrelevant as it's used for examining metadata in files.
Question 9
An analyst needs to identify if a suspicious file on a Windows machine is currently in use by any processes. What is the most efficient initial step?
Correct Answer: B
Explanation: Utilizing Process Explorer to check handles is the most efficient initial step. Process Explorer provides a detailed view of which processes have handles open to the file, allowing the analyst to determine if it is in use. The 'lsof' command is not applicable on Windows. A full antivirus scan and registry search are more time-consuming and less direct for this specific inquiry.
Question 10
You are investigating a potential malware infection and need to quickly identify any suspicious autorun entries. What is the best tool to use first?
Correct Answer: B
Explanation: Sysinternals' Autoruns is the best tool to use first for quickly identifying suspicious autorun entries. It provides a comprehensive view of all programs configured to run at startup. Option A, Volatility with the autoruns plugin, is not as commonly used for this specific purpose. Option C, Task Scheduler, only shows scheduled tasks, not all autorun entries. Option D, Registry Editor, requires manual searching and is more time-consuming.
About GCIH Certification
The GCIH certification validates your expertise in memory and malware investigation and other critical domains. Our comprehensive practice questions are carefully crafted to mirror the actual exam experience and help you identify knowledge gaps before test day.