Free GCIH Practice Test 2026 — GIAC Certified Incident Handler Exam Questions
Master the GIAC Certified Incident Handler (GCIH) exam — aligned with SANS SEC504 — with 590+ free practice questions across all 14 GIAC exam domains. Each question includes a detailed explanation grounded in real-world incident response and offensive techniques. No signup required.
GCIH Exam Overview
- Questions: 106 multiple choice (proctored)
- Time: 4 hours
- Passing score: 70%
- Format: Open book (printed/handwritten only)
- Cost: $999 (GIAC certification attempt)
- Validity: 4 years (renew with 36 CPEs)
- DoD 8570/8140: Approved for IAT Level III, IAM Level I, CSSP Incident Responder
Practice by GIAC Exam Domain (14 domains)
- Incident Response & Cyber Investigation: IR Lifecycle (PICERL) · Evidence Handling & Chain of Custody · Containment Strategies
- Detecting Covert Communications: DNS Tunneling · ICMP Tunneling · HTTPS C2 Channels
- Detecting Evasive Techniques: AV / EDR Evasion · Code Obfuscation · Fileless Malware
- Detecting Exploitation Tools: Metasploit Indicators · Cobalt Strike Artifacts · Empire / PowerShell Empire
- Drive-By Attacks: Malicious Websites · Browser Exploits · Watering Hole Attacks
- Endpoint Attack & Pivoting: Lateral Movement (RDP/WMI/PsExec) · Pass-the-Hash · Pass-the-Ticket
- Memory & Malware Investigation: Volatility Framework · Memory Acquisition · Process Tree Analysis
- Network & Log Investigations: Wireshark / tcpdump · Zeek (Bro) Logs · NetFlow Analysis
- Networked Environment Attack: ARP Spoofing · Man-in-the-Middle (MITM) · DHCP Attacks
- Password Attacks: Brute Force Attacks · Dictionary Attacks · Rainbow Tables
- Post-Exploitation Attacks: Privilege Escalation · Persistence Mechanisms · Credential Dumping (Mimikatz)
- SMB Security: SMB Enumeration · EternalBlue (MS17-010) · NTLM Relay Attacks
- Scanning & Mapping: Nmap Scan Types · Masscan · Service / Version Detection
- Web App Attacks: SQL Injection · Cross-Site Scripting (XSS) · CSRF
10 Free GCIH Sample Questions with Answers
Each question below includes 4 answer options, the correct answer, and a detailed explanation.
Sample Question 1 — Detecting Covert Communications
You are investigating a suspected covert communication channel on a compromised server. You notice an unusual amount of traffic on port 443, but the traffic pattern does not match typical HTTPS traffic. You suspect the use of a tool like Netcat for tunneling. Which of the following command outputs would confirm that Netcat is being used for covert communications over port 443?
- A. The output shows a continuous stream of encrypted data packets with a valid SSL handshake.
- B. The output shows a series of SYN and ACK packets with no payload data, indicating a port scan.
- C. The output displays repeated 'GET' and 'POST' HTTP requests with malformed headers.
- D. The output shows a steady stream of unencrypted data with no SSL handshake, indicating a raw data transfer. (Correct answer)
Correct answer: D
Explanation: Option D is correct because Netcat transfers raw data over a port without encryption and without the SSL/TLS handshake that normally precedes legitimate HTTPS traffic on port 443. Option A is incorrect because it describes legitimate HTTPS traffic. Option B is incorrect because it indicates a port scan, not a data transfer. Option C is incorrect because malformed HTTP requests suggest a different type of attack, such as a web application attack, not covert communication using Netcat.
Sample Question 2 — Detecting Evasive Techniques
During an incident investigation, you suspect that an attacker has used a rootkit to hide their presence on a compromised server. Which of the following tools would be most effective in detecting a rootkit that manipulates kernel-level processes?
- A. Wireshark
- B. Volatility (Correct answer)
- C. Metasploit
- D. Nmap
Correct answer: B
Explanation: Volatility is a memory forensics tool that can be used to analyze memory dumps and detect rootkits that operate at the kernel level by examining the memory structures that these rootkits manipulate. Wireshark is used for network traffic analysis, Metasploit is a penetration testing framework, and Nmap is used for network scanning, none of which are specifically designed for detecting rootkits in memory.
Sample Question 3 — Detecting Exploitation Tools
During an incident response investigation, you suspect that an attacker has used the Metasploit Framework to exploit a known vulnerability on a server. Which Metasploit command would you use to search for available exploits related to a specific CVE identifier?
- A. search cve:2021-1234 (Correct answer)
- B. exploit -c CVE-2021-1234
- C. find CVE-2021-1234
- D. lookup CVE-2021-1234
Correct answer: A
Explanation: The 'search cve:2021-1234' command in Metasploit Framework is used to search for modules related to a specific CVE identifier. This allows incident handlers to quickly identify potential exploits that may have been used by attackers. The other options are incorrect because they do not represent valid Metasploit commands for searching exploits by CVE.
Sample Question 4 — Drive-By Attacks
During an incident response investigation, you discover that several users within your organization were compromised through a drive-by attack. The attack leveraged a known vulnerability in a popular web browser, which was exploited using an exploit kit. What is the most effective immediate action to prevent further exploitation of this vulnerability?
- A. Instruct users to avoid using the affected browser until a patch is released.
- B. Deploy a firewall rule to block traffic to the exploit kit's known IP addresses.
- C. Apply the latest security patches to all instances of the affected web browser across the organization. (Correct answer)
- D. Implement network segmentation to isolate compromised systems.
Correct answer: C
Explanation: Applying the latest security patches to the affected web browser is the most effective immediate action to prevent further exploitation. This directly addresses the root cause by fixing the vulnerability that the exploit kit targets. While instructing users to avoid the browser (A) or blocking known IPs (B) can help, they are not comprehensive solutions. Network segmentation (D) is useful for containment but does not address the vulnerability itself.
Sample Question 5 — Endpoint Attack and Pivoting
During an incident response, you discover that an attacker has gained access to a workstation within your network and is attempting to move laterally to other systems. Which of the following PowerShell commands could the attacker use to gather information about other computers in the network to facilitate lateral movement?
- A. Get-NetIPAddress
- B. Get-Process
- C. Get-NetNeighbor
- D. Get-ADComputer -Filter * (Correct answer)
Correct answer: D
Explanation: The 'Get-ADComputer -Filter *' PowerShell command is used to query Active Directory for a list of computers. This can provide attackers with information about other systems in the network, which is useful for lateral movement. 'Get-NetIPAddress' retrieves IP configuration information for the local machine, 'Get-Process' lists processes on the local machine, and 'Get-NetNeighbor' displays information about neighboring network devices, but does not provide the same level of detail about other computers in the domain as 'Get-ADComputer' does.
Sample Question 6 — Incident Response and Cyber Investigation
During an incident response, what is the correct order of steps in the PICERL methodology?
- A. Preparation, Identification, Containment, Eradication, Recovery, Lessons Learned (Correct answer)
- B. Identification, Preparation, Containment, Eradication, Recovery, Lessons Learned
- C. Preparation, Containment, Identification, Eradication, Recovery, Lessons Learned
- D. Identification, Containment, Preparation, Eradication, Recovery, Lessons Learned
Correct answer: A
Explanation: PICERL stands for Preparation, Identification, Containment, Eradication, Recovery, and Lessons Learned. This is the standard incident response methodology used by security teams to systematically handle cybersecurity incidents.
Sample Question 7 — Memory and Malware Investigation
Which Volatility plugin would you use to identify running processes in a Windows memory dump?
- A. psxview
- B. pslist (Correct answer)
- C. psscan
- D. psverify
Correct answer: B
Explanation: The pslist plugin displays a list of running processes by following the doubly-linked list pointed to by PsActiveProcessHead. While psscan and psxview provide additional verification capabilities, pslist is the primary plugin for viewing running processes.
Sample Question 8 — Network and Log Investigations
What TCP flag combination indicates a SYN flood attack in network traffic analysis?
- A. Multiple SYN packets with ACK responses
- B. Multiple SYN packets without corresponding ACK responses (Correct answer)
- C. Multiple RST packets from the same source
- D. Multiple FIN packets without prior connections
Correct answer: B
Explanation: A SYN flood attack is characterized by multiple SYN packets sent to a target without the attacker responding to the SYN-ACK replies. This exhausts the target's connection table by leaving many half-open connections.
Sample Question 9 — Networked Environment Attack
During an incident response, you suspect that an attacker is performing a Man-in-the-Middle (MitM) attack on your network. You decide to use Wireshark to analyze the network traffic. Which of the following indicators in the packet capture would most likely confirm the presence of a MitM attack?
- A. Numerous ARP requests and replies with conflicting IP and MAC addresses. (Correct answer)
- B. A high number of HTTP 404 errors in web traffic.
- C. Unusually large DNS query responses.
- D. Consistent TCP retransmissions and out-of-order packets.
Correct answer: A
Explanation: Option A is correct because ARP spoofing is a common technique used in MitM attacks, which can be detected by observing conflicting IP and MAC addresses in ARP requests and replies. Option B (HTTP 404 errors) can indicate broken links or misconfigurations but is not specific to MitM attacks. Option C (large DNS responses) might suggest DNS amplification attacks, not MitM. Option D (TCP retransmissions) could indicate network congestion or packet loss, not necessarily a MitM attack.
Sample Question 10 — Password Attacks
When using John the Ripper for password cracking, what does the "--incremental" mode do?
- A. Performs dictionary attacks only
- B. Generates passwords using character combinations (Correct answer)
- C. Uses rainbow tables for hash lookups
- D. Performs brute-force attacks with patterns
Correct answer: B
Explanation: The --incremental mode in John the Ripper generates passwords by trying different character combinations based on character frequency analysis. This is more efficient than pure brute-force as it tries more likely combinations first.
Quick 10-Question GCIH Practice Test
Take a free 10-question GCIH quick-start practice test mixing all 14 GIAC exam domains. Get instant scoring with detailed explanations.