GCIH Practice Questions: Scanning and Mapping Domain

Published: August 7, 2025 | 10 min read

Test your GCIH knowledge with 5 practice questions from the Scanning and Mapping domain. Includes detailed explanations and answers.

GCIH Practice Questions

Master the Scanning and Mapping Domain

Test your knowledge in the Scanning and Mapping domain with these 5 practice questions. Each question is designed to help you prepare for the GCIH certification exam with detailed explanations to reinforce your learning.

Question 1

An incident handler is tasked with mapping the network topology of a compromised environment. What is the most effective initial tool to use?

A) Wireshark

B) Nmap

C) Exiftool

D) Metasploit

Show Answer & Explanation

Correct Answer: B

Explanation: Nmap is the most effective initial tool for mapping the network topology. It can scan for hosts and services, providing a clear picture of the network layout. Wireshark is for analyzing traffic, Exiftool is for file metadata, and Metasploit is for exploitation.

Question 2

After receiving an alert about suspicious activity, you need to determine if there are any unauthorized open ports on a critical server. What is the most effective initial action?

A) Perform a SYN scan using Nmap to detect open ports quickly.

B) Initiate a deep packet inspection using Wireshark to analyze all traffic.

C) Run an Exiftool analysis on server logs to find metadata anomalies.

D) Conduct a full TCP connect scan using Nmap for comprehensive results.

Show Answer & Explanation

Correct Answer: A

Explanation: The most effective initial action is to perform a SYN scan using Nmap (Option A) to quickly detect open ports on the server. This method is fast and provides a good balance between stealth and information gathering. Option B, deep packet inspection with Wireshark, is too detailed and time-consuming for an initial port check. Option C, using Exiftool, is not applicable to port scanning. Option D, a full TCP connect scan, is more intrusive and slower than a SYN scan.

Question 3

An incident handler is tasked with identifying unauthorized devices on the network. Which tool and approach would be the most effective first step?

A) Use Nmap to perform a ping sweep across the network.

B) Deploy Metasploit to exploit potential vulnerabilities.

C) Analyze network traffic with Wireshark for unknown MAC addresses.

D) Run a full vulnerability scan with Nessus.

Show Answer & Explanation

Correct Answer: A

Explanation: Using Nmap to perform a ping sweep is the most effective first step to identify unauthorized devices. It quickly provides a list of active devices on the network by sending ICMP echo requests. While Wireshark can identify unknown MAC addresses, it is more suited for detailed traffic analysis rather than initial device discovery. Metasploit is not appropriate for this task, and a full vulnerability scan with Nessus is too time-consuming for an initial response.

Question 4

During an incident response, you suspect an unauthorized device has been connected to your network. What is the best first step to identify this device using scanning and mapping techniques?

A) Perform a full network scan using Nmap to identify all devices and their open ports.

B) Use Wireshark to capture and analyze all network traffic to find the unauthorized device.

C) Run a quick ARP scan to identify new devices on the local subnet.

D) Deploy Exiftool to analyze metadata of files shared across the network.

Show Answer & Explanation

Correct Answer: C

Explanation: The best first step is to run a quick ARP scan (Option C) to identify new devices on the local subnet. This provides immediate visibility into any unauthorized devices that have recently connected to the network without the need for more time-consuming analysis. Option A, a full network scan with Nmap, would take longer and is more intrusive. Option B, using Wireshark, is too detailed and not focused on device identification. Option D, using Exiftool, is not relevant to identifying network devices.

Question 5

During an incident response, you suspect that unauthorized scanning is occurring on your network. What is the FIRST step you should take to identify the source of the scanning activity?

A) Run a full network scan using Nmap to identify all active devices.

B) Use Wireshark to capture and analyze network traffic for suspicious activity.

C) Check recent firewall logs for unusual connection attempts.

D) Deploy Exiftool to analyze metadata of files on the network.

Show Answer & Explanation

Correct Answer: C

Explanation: The correct answer is C. Checking recent firewall logs for unusual connection attempts is the most effective initial action because it allows you to quickly identify any unauthorized access patterns or anomalies. This step is practical and provides immediate insights into the source of the scanning. Option A, running a full network scan, could be intrusive and might not directly pinpoint the source of the scanning. Option B, using Wireshark, is technically valid but may take longer to analyze and isn't the most immediate step for identifying the source. Option D, deploying Exiftool, is unrelated to network scanning and focuses on file metadata, making it irrelevant in this context.

Ready to Accelerate Your GCIH Preparation?

Join thousands of professionals who are advancing their careers through expert certification preparation with FlashGenius.

✅ Unlimited practice questions across all GCIH domains
✅ Full-length exam simulations with real-time scoring
✅ AI-powered performance tracking and weak area identification
✅ Personalized study plans with adaptive learning
✅ Mobile-friendly platform for studying anywhere, anytime
✅ Expert explanations and study resources

Start Free Practice Now

Already have an account? Sign in here

About GCIH Certification

The GCIH certification validates your expertise in scanning and mapping and other critical domains. Our comprehensive practice questions are carefully crafted to mirror the actual exam experience and help you identify knowledge gaps before test day.