
GCIH Practice Questions: Network and Log Investigations Domain

Test your GCIH knowledge with 10 practice questions from the Network and Log Investigations domain. Includes detailed explanations and answers.

Master the Network and Log Investigations Domain

Test your knowledge in the Network and Log Investigations domain with these 10 practice questions. Each question is designed to help you prepare for the GCIH certification exam with detailed explanations to reinforce your learning.

Question 1

An organization suspects a malware infection spreading through its network. What is the best first step for an incident handler to take?

A) Use Wireshark to capture packets and identify the malware signature.

B) Run a network-wide antivirus scan to detect and quarantine the malware.

C) Analyze DNS logs to identify unusual domain queries.

D) Conduct a full system restore from backups.

Correct Answer: C

Explanation: Analyzing DNS logs to identify unusual domain queries is the best first step, as it can quickly reveal if the malware is communicating with external command and control servers. Using Wireshark (A) is more appropriate for detailed analysis after initial identification. A network-wide antivirus scan (B) might not catch all malware types and is time-consuming. Conducting a full system restore (D) is premature without understanding the infection scope.

Question 2

An analyst needs to determine if a specific server has been communicating with any blacklisted IP addresses. What is the best first step?

A) Check the server's DNS cache for any blacklisted domains.

B) Review the server's firewall logs for connections to blacklisted IPs.

C) Perform a reverse DNS lookup on all recent connections from the server.

D) Conduct a port scan to identify open connections on the server.

Correct Answer: B

Explanation: Reviewing the server's firewall logs for connections to blacklisted IPs is the best first step. Firewall logs provide a clear record of outgoing connections, making it easier to spot communications with blacklisted IPs. Checking the DNS cache (option A) may not directly indicate communication with blacklisted IPs. Reverse DNS lookups (option C) and port scans (option D) do not directly address the issue of identifying communications with blacklisted IPs.

Question 3

An incident handler receives an alert about potential data exfiltration. What should be the first step in the investigation process?

A) Conduct a full forensic disk analysis on all potentially affected systems.

B) Review outbound traffic logs for unusual data transfers.

C) Isolate the suspected systems from the network immediately.

D) Run an antivirus scan on the affected systems.

Correct Answer: B

Explanation: The first step should be to review outbound traffic logs for unusual data transfers to quickly confirm whether data exfiltration is occurring. Conducting a full forensic disk analysis (A) is too time-consuming for an initial step. Isolating systems (C) might be necessary later but is disruptive if done prematurely. Running antivirus (D) is not directly related to confirming data exfiltration.

Question 4

While investigating a suspected breach, you receive a list of suspicious domains. What is the best first step to determine if these domains are involved in malicious activities?

A) Conduct a WHOIS lookup for each domain.

B) Perform a DNS query to see if the domains resolve.

C) Check the domains against threat intelligence feeds.

D) Ping each domain to test connectivity.

Correct Answer: C

Explanation: The best first step is to check the domains against threat intelligence feeds. This can quickly identify if the domains are known for malicious activities. Option A, conducting a WHOIS lookup, provides ownership information but not threat status. Option B, performing a DNS query, only checks if the domains resolve, not their threat level. Option D, pinging the domains, tests connectivity but does not provide information on malicious activity.

Question 5

What TCP flag combination indicates a SYN flood attack in network traffic analysis?

A) Multiple SYN packets with ACK responses

B) Multiple SYN packets without corresponding ACK responses

C) Multiple RST packets from the same source

D) Multiple FIN packets without prior connections

Correct Answer: B

Explanation: A SYN flood attack is characterized by multiple SYN packets sent to a target without the attacker responding to the SYN-ACK replies. This exhausts the target's connection table by leaving many half-open connections.

Question 6

During an incident response, you suspect that a particular device on your network is communicating with a known malicious IP address. What is the most effective initial action you should take to confirm this suspicion?

A) Use Wireshark to capture and analyze live network traffic from the suspected device.

B) Run a full Nmap scan on the suspected device to identify open ports.

C) Check the firewall logs for any entries related to the known malicious IP address.

D) Immediately isolate the suspected device from the network.

Correct Answer: C

Explanation: Checking the firewall logs for entries related to the known malicious IP address is the most effective initial action. This provides quick visibility into any past or ongoing communications between the device and the malicious IP without disrupting the network. Using Wireshark (option A) is more time-consuming and may not be feasible immediately. Running a full Nmap scan (option B) does not directly address the suspicion of communication with a specific IP. Isolating the device (option D) is premature without confirmation of malicious activity.

Question 7

An incident handler is tasked with identifying lateral movement within the network. Which log file should be prioritized for analysis?

A) Web server access logs

B) Active Directory event logs

C) Email server logs

D) DHCP server logs

Correct Answer: B

Explanation: Active Directory event logs should be prioritized for analysis to identify lateral movement. These logs can reveal authentication attempts and access patterns across network resources. Web server, email server, and DHCP server logs are less likely to provide direct insights into lateral movement within a network.

Question 8

You are investigating a potential breach and need to quickly determine if any unauthorized access attempts were made to a critical server. Which log should you check first?

A) Web server access logs

B) Application logs

C) System event logs

D) Authentication logs

Correct Answer: D

Explanation: Authentication logs should be checked first to quickly determine if there have been any unauthorized access attempts. These logs typically contain records of successful and failed login attempts, which are crucial for identifying unauthorized access. Web server access logs (option A) and application logs (option B) may not provide direct information about login attempts. System event logs (option C) could be useful but are broader and less focused on authentication.

Question 9

During a network forensic investigation, you are tasked with analyzing traffic logs to identify potential covert communications. You suspect that an attacker is using Netcat to establish a reverse shell on port 443, masquerading as HTTPS traffic. Which of the following techniques would best help you confirm the presence of this covert channel?

A) Use Wireshark to filter and analyze traffic on port 443 for unusual patterns or non-SSL/TLS payloads.

B) Deploy a honeypot on the network to capture and analyze all incoming traffic on port 443.

C) Perform a DNS query log analysis to detect any suspicious domain resolutions.

D) Use a SIEM tool to correlate firewall logs with DNS logs for potential data exfiltration events.

Correct Answer: A

Explanation: Wireshark can be used to capture and analyze network traffic. By filtering traffic on port 443, you can examine whether the payloads are consistent with SSL/TLS or if they contain unusual patterns indicative of a Netcat reverse shell. Options B, C, and D are less effective for directly identifying covert channels on a specific port.

Question 10

An alert indicates possible malware communication with a Command and Control (C2) server. What is the best initial tool to use to verify this communication?

A) Wireshark

B) Nmap

C) Exiftool

D) Metasploit

Correct Answer: A

Explanation: Wireshark is the best initial tool to verify communication with a C2 server as it allows you to capture and analyze network traffic in real-time. Nmap is used for network scanning, Exiftool is for metadata analysis, and Metasploit is a penetration testing framework, none of which are directly suitable for initial verification of network communications.

About GCIH Certification

The GCIH certification validates your expertise in network and log investigations and other critical domains. Our comprehensive practice questions are carefully crafted to mirror the actual exam experience and help you identify knowledge gaps before test day.