Free GCIH Network & Log Investigations Practice Test 2026 — GIAC Incident Handler Questions
This free GCIH Network & Log Investigations practice test covers network and log investigations — Wireshark, Zeek, NetFlow, SIEM correlation, Windows event logs, and Sysmon analysis. Each question includes a detailed explanation — perfect for GIAC Certified Incident Handler / SANS SEC504 exam prep.
Key Topics in GCIH Network & Log Investigations
- Wireshark / tcpdump
- Zeek (Bro) Logs
- NetFlow Analysis
- SIEM Correlation
- Windows Event Logs
- Sysmon
6 Free GCIH Network & Log Investigations Practice Questions with Answers
Sample Question 1 — Network and Log Investigations
What TCP flag combination indicates a SYN flood attack in network traffic analysis?
- A. Multiple SYN packets with ACK responses
- B. Multiple SYN packets without corresponding ACK responses (Correct answer)
- C. Multiple RST packets from the same source
- D. Multiple FIN packets without prior connections
Correct answer: B
Explanation: A SYN flood attack is characterized by multiple SYN packets sent to a target without the attacker responding to the SYN-ACK replies. This exhausts the target's connection table by leaving many half-open connections.
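The half-open pattern described above can be spotted directly in Zeek conn.log records. The following is an added example, not part of the practice test or of Zeek itself; it assumes Zeek's conn.log `history` field, where `S` is the originator's SYN, `h` the responder's SYN-ACK, and `A` the originator's ACK, so a handshake the client never completes has no `A`. The log rows are constructed.

```python
# Added example (not from the practice test): flag SYN-flood-style bursts of
# half-open connections in Zeek conn.log records. Assumes Zeek's "history"
# letters: 'S' = originator SYN, 'h' = responder SYN-ACK, 'A' = originator ACK.
from collections import defaultdict

# Constructed sample conn.log rows (tab-separated subset: ts, id.orig_h,
# id.resp_h, id.resp_p, conn_state, history). Not real capture data.
SAMPLE_CONN_LOG = """\
1700000000.10\t203.0.113.5\t192.0.2.10\t443\tS0\tS
1700000000.11\t203.0.113.6\t192.0.2.10\t443\tS1\tSh
1700000000.12\t203.0.113.7\t192.0.2.10\t443\tS1\tSh
1700000000.13\t203.0.113.8\t192.0.2.10\t443\tS1\tSh
1700000000.14\t198.51.100.2\t192.0.2.10\t443\tSF\tShADadFf
1700000000.15\t198.51.100.3\t192.0.2.20\t80\tSF\tShADadFf
1700000000.16\t203.0.113.9\t192.0.2.10\t443\tS1\tSh
"""

def parse_conn_log(text):
    """Yield one dict per non-empty, non-comment row of the conn.log subset."""
    fields = ("ts", "orig_h", "resp_h", "resp_p", "conn_state", "history")
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        yield dict(zip(fields, line.split("\t")))

def is_half_open(history):
    """True when the originator sent a SYN but never ACKed the handshake
    (covers both 'S' with no reply and 'Sh' with no completing ACK)."""
    return "S" in history and "A" not in history

def find_syn_flood_targets(text, threshold=4):
    """Return {(resp_h, resp_p): count} for every target that accumulated at
    least `threshold` half-open connections, the signature of a SYN flood."""
    counts = defaultdict(int)
    for row in parse_conn_log(text):
        if is_half_open(row["history"]):
            counts[(row["resp_h"], row["resp_p"])] += 1
    return {key: n for key, n in counts.items() if n >= threshold}

if __name__ == "__main__":
    for (host, port), n in find_syn_flood_targets(SAMPLE_CONN_LOG).items():
        print(f"possible SYN flood: {n} half-open connections to {host}:{port}")
```

On real logs the threshold should be set from a baseline of normal half-open counts per target, since a busy server will always show a few.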
Sample Question 2 — Network and Log Investigations
During a network forensic investigation, you are tasked with analyzing traffic logs to identify potential covert communications. You suspect that an attacker is using Netcat to establish a reverse shell on port 443, masquerading as HTTPS traffic. Which of the following techniques would best help you confirm the presence of this covert channel?
- A. Use Wireshark to filter and analyze traffic on port 443 for unusual patterns or non-SSL/TLS payloads. (Correct answer)
- B. Deploy a honeypot on the network to capture and analyze all incoming traffic on port 443.
- C. Perform a DNS query log analysis to detect any suspicious domain resolutions.
- D. Use a SIEM tool to correlate firewall logs with DNS logs for potential data exfiltration events.
Correct answer: A
Explanation: Wireshark can be used to capture and analyze network traffic. By filtering traffic on port 443, you can examine whether the payloads are consistent with SSL/TLS or if they contain unusual patterns indicative of a Netcat reverse shell. Options B, C, and D are less effective for directly identifying covert channels on a specific port.
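What "non-SSL/TLS payloads" on port 443 look like in practice is a first-bytes check: a TLS session opens with a handshake record (content type 0x16, a 0x03xx version, a two-byte length) carrying a ClientHello (handshake type 0x01). The following is an added example, not part of the practice test; the flow samples are constructed, and the check is the same one a Wireshark analyst applies by eye to the first packet of each stream.

```python
# Added example (not from the practice test): classify the first client bytes
# of a port-443 TCP stream as a TLS ClientHello or as cleartext. A TLS record
# starts with content type 0x16 (handshake), version 0x03 0x0X, a 2-byte
# length, then handshake type 0x01 (ClientHello). Anything else on 443 is worth
# a closer look.

TLS_HANDSHAKE = 0x16
CLIENT_HELLO = 0x01
MAX_RECORD_LEN = 16384  # TLS plaintext record ceiling (2^14)

def looks_like_tls_client_hello(payload: bytes) -> bool:
    """Return True if payload begins with a plausible TLS ClientHello record."""
    if len(payload) < 6:
        return False
    content_type, ver_major, ver_minor = payload[0], payload[1], payload[2]
    record_len = int.from_bytes(payload[3:5], "big")
    return (content_type == TLS_HANDSHAKE
            and ver_major == 0x03 and ver_minor <= 0x04
            and 0 < record_len <= MAX_RECORD_LEN
            and payload[5] == CLIENT_HELLO)

def classify_port443_streams(streams):
    """streams: iterable of (src, dst, first_client_payload) for port-443 flows.
    Returns the (src, dst) pairs whose first client bytes are not TLS."""
    return [(src, dst) for src, dst, data in streams
            if not looks_like_tls_client_hello(data)]

# Constructed first-client-bytes for three flows (not real captures).
SAMPLE_STREAMS = [
    # Genuine-looking TLS ClientHello: record header + handshake type 0x01.
    ("10.0.0.5", "93.184.216.34", bytes.fromhex("16030100c5010000c10303")),
    # Cleartext shell command traffic on 443: the Netcat pattern in question.
    ("10.0.0.7", "203.0.113.9", b"whoami\nid\nuname -a\n"),
    # Plain HTTP on 443, also not TLS and also worth investigating.
    ("10.0.0.8", "203.0.113.10", b"GET / HTTP/1.1\r\nHost: x\r\n\r\n"),
]

if __name__ == "__main__":
    for src, dst in classify_port443_streams(SAMPLE_STREAMS):
        print(f"non-TLS payload on port 443: {src} -> {dst}")
```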
Sample Question 3 — Network and Log Investigations
While investigating a potential security breach, you find that log files from a critical server have been altered, and some entries are missing. Which of the following steps should you take to ensure the integrity of your investigation and gather evidence of log manipulation?
- A. Immediately restore the server from the last known good backup to recover the logs.
- B. Use a file integrity monitoring tool to check for unauthorized changes to the log files.
- C. Correlate the altered logs with network traffic logs and other system logs to identify discrepancies. (Correct answer)
- D. Shut down the server to prevent further log manipulation and preserve the current state of the system.
Correct answer: C
Explanation: Correlating the altered logs with network traffic logs and other system logs can help identify discrepancies and provide evidence of log manipulation. This approach allows you to piece together missing information and verify the timeline of events. Options A and D could result in loss of volatile data, and option B is useful for prevention but not for investigating already altered logs.
Sample Question 4 — Network and Log Investigations
During an incident response, you receive an alert indicating unusual outbound traffic from a server within your network. As the first responder, what is the most effective initial action to take?
- A. Perform a full packet capture on the network segment.
- B. Analyze the server's outbound traffic using Wireshark.
- C. Isolate the server from the network to prevent further data exfiltration. (Correct answer)
- D. Review the server's firewall logs for any anomalies.
Correct answer: C
Explanation: In the context of incident response, the most effective initial action is to contain the threat and prevent further damage. Isolating the server from the network (Option C) achieves this by stopping any ongoing data exfiltration. While analyzing traffic with Wireshark (Option B) or reviewing firewall logs (Option D) are important steps in understanding the incident, they do not prevent further data loss. Performing a full packet capture (Option A) is a time-consuming process and not the immediate priority when containment is necessary.
Sample Question 5 — Network and Log Investigations
During a network incident involving suspicious outbound traffic, what is the most effective initial action an incident handler should take to identify the source of the traffic?
- A. Immediately block the IP address at the firewall.
- B. Capture a packet trace using Wireshark for detailed analysis.
- C. Review recent changes in firewall rules.
- D. Check network logs to identify the device responsible for the traffic. (Correct answer)
Correct answer: D
Explanation: The most effective initial action is to check network logs to quickly identify the device responsible for the suspicious traffic. This allows for a targeted response. Blocking the IP (A) is premature without understanding the context. Capturing a packet trace (B) is useful but time-consuming as a first step. Reviewing firewall changes (C) might not directly reveal the source of traffic.
Sample Question 6 — Network and Log Investigations
An incident handler receives an alert about potential data exfiltration. What should be the first step in the investigation process?
- A. Conduct a full forensic disk analysis on all potentially affected systems.
- B. Review outbound traffic logs for unusual data transfers. (Correct answer)
- C. Isolate the suspected systems from the network immediately.
- D. Run an antivirus scan on the affected systems.
Correct answer: B
Explanation: The first step should be to review outbound traffic logs for unusual data transfers to quickly confirm whether data exfiltration is occurring. Conducting a full forensic disk analysis (A) is too time-consuming for an initial step. Isolating systems (C) might be necessary later but is disruptive if done prematurely. Running antivirus (D) is not directly related to confirming data exfiltration.
About the GCIH Exam
- Questions: 106 multiple choice
- Time: 4 hours
- Passing score: 70%
- Provider: GIAC (SANS Institute)
- Aligned with: SANS SEC504
- Total domains: 14