
200+ Free GCIH Practice Questions

Pass your GIAC GCIH Certified Incident Handler exam on the first try — instant access, no signup required.

✓ No registration ✓ No credit card ✓ No hidden fees ✓ Start practicing immediately
~70% Pass Rate
200+ Questions
100% Free
2026 Statistics

Key Facts: GCIH Exam

  • Pass rate: ~70% (with SEC504 training)
  • Passing score: 69% (source: GIAC)
  • Questions: 106 (source: GIAC)
  • Duration: 4 hours (source: GIAC)
  • Exam fee: $999 (source: GIAC)
  • DoD 8570: CSSP-IR (DoD approved)

GIAC GCIH (Certified Incident Handler) validates practical incident response skills including attack detection, forensic analysis, malware analysis, and recovery procedures. The exam has 106 questions in 4 hours with a 69% passing score. GCIH covers incident handling frameworks (PICERL/DAIR), hacker tools and techniques, web attacks, password attacks, and covert communications. It includes CyberLive practical testing and is an approved baseline certification under DoD 8570 for IAT Level III and CSSP Incident Responder (CSSP-IR) positions. GIAC certifications require renewal every 4 years.

Sample GCIH Practice Questions

Try these sample questions to test your GCIH exam readiness. Each question includes a detailed explanation of why the correct answer is correct and why the distractors are not.

1. Which phase of the PICERL incident response framework involves determining whether an event constitutes a security incident?
A. Preparation
B. Identification
C. Containment
D. Recovery
Explanation: The Identification phase of PICERL (Preparation, Identification, Containment, Eradication, Recovery, Lessons Learned) is where analysts assess events to determine whether they represent actual security incidents. This phase involves analyzing alerts, logs, and other indicators to confirm whether an incident has occurred. Preparation involves setting up tools and procedures beforehand. Containment follows identification to limit damage. Recovery is about restoring systems to normal operation.

2. What does DAIR, the incident response model taught alongside PICERL in SANS SEC504, stand for?
A. Defend, Analyze, Respond, Evolve
B. Dynamic Approach to Incident Response
C. Detect, Assess, Isolate, Recover
D. Document, Analyze, Investigate, Report
Explanation: DAIR is the Dynamic Approach to Incident Response. Unlike PICERL, it is not a list of phases spelled out by its letters. It keeps the familiar activities (prepare, detect and verify, scope, contain, eradicate, recover, remediate) but arranges them as a loop: scoping, containment and eradication are revisited as analysis uncovers new footholds or affected systems, rather than being run once in sequence. The other options are not recognized incident response frameworks.

3. During an incident response, which action should be taken FIRST when an active malware infection is discovered on a critical production server?
A. Immediately disconnect the server from the network
B. Collect memory dump for forensic analysis
C. Document the incident in the ticketing system
D. Run a full antivirus scan on the system
Explanation: When facing an active malware infection, immediate network isolation (short-term containment) is the first priority to prevent lateral movement, data exfiltration, and further damage. Isolate by unplugging the network cable, disabling the switch port, or applying a host firewall block rather than powering the server off: running processes, network connection state, and memory contents survive isolation but not a shutdown, so the memory dump can still be collected once the system is off the network. Documentation and evidence collection are important, but stopping the immediate threat takes precedence. Antivirus scans can be run after containment is established; running one first risks altering or deleting artifacts before they are preserved. Be aware that some malware has persistence mechanisms that activate upon reconnection or may already have spread to other systems, so isolation must be followed by scoping.

4. What is the primary purpose of the chain of custody documentation in digital forensics?
A. To track the chronological history of evidence handling
B. To prove the evidence was obtained legally
C. To determine the severity of the security incident
D. To identify the attacker responsible for the breach
Explanation: Chain of custody documentation creates a chronological record of who collected, handled, analyzed, and stored digital evidence, and when. This ensures the evidence can be authenticated and admitted in legal proceedings. While legal acquisition is important (covered by search warrants and authorization), the chain of custody specifically tracks the evidence's handling history. It does not determine incident severity or identify attackers directly.

5. Which of the following is the MOST appropriate method for preserving evidence from a compromised Windows workstation?
A. Create a forensic disk image using a write blocker
B. Copy critical files to a USB drive for analysis
C. Perform a system restore to a known good state
D. Take screenshots of suspicious files and registry entries
Explanation: A forensic disk image created with a write blocker is the gold standard for evidence preservation. Write blockers prevent any modification of the original evidence, and disk images capture the entire system state including deleted files, slack space, and unallocated space. A cryptographic hash of the image taken at acquisition lets every later copy be verified against the original. Simply copying files misses metadata and deleted data. System restore modifies the system and destroys evidence. Screenshots capture only visual information and miss crucial forensic artifacts.

6. An organization has completed incident containment and eradication. What is the NEXT phase in the PICERL framework?
A. Lessons Learned
B. Recovery
C. Identification
D. Preparation
Explanation: In the PICERL framework, Recovery follows Eradication. The Recovery phase involves restoring systems to normal operation, which may include rebuilding from clean backups, applying patches, validating system integrity, and gradually reconnecting systems to the network. Lessons Learned comes after Recovery. Identification is the second phase (already completed), and Preparation is the first phase (done before incidents occur).

7. A security analyst is investigating a potential data breach. Which volatile data source should be collected FIRST before system shutdown?
A. System registry hives
B. Running processes and network connections
C. Browser history files
D. Event log files
Explanation: Volatile data including running processes, active network connections, memory contents, and logged-on users should be collected first because it is lost when the system is powered off. This data can reveal active malware, command and control connections, and attacker activity in real time. Non-volatile data like registry hives, browser history, and event logs persist after shutdown and can be collected later.

8. Which type of containment strategy involves disconnecting an affected system from the network while allowing it to continue running?
A. Short-term containment
B. Long-term containment
C. System isolation
D. Sandbox containment
Explanation: Short-term containment (also called isolation) involves disconnecting a system from the network while keeping it powered on. This prevents further spread of malware or exfiltration of data while preserving volatile evidence such as running processes and active connections in memory. Long-term containment involves more permanent measures. System isolation is a general term, and sandbox containment refers to running systems in isolated environments for analysis.

9. What is the primary goal of the Eradication phase in incident response?
A. Remove all traces of the incident and attacker artifacts
B. Document lessons learned from the incident
C. Restore systems to normal operation
D. Prevent future similar incidents
Explanation: Eradication focuses on completely removing the threat from the environment, including malware, backdoors, compromised accounts, and other attacker artifacts. This phase ensures the attacker no longer has access and cannot return. Documentation of lessons learned happens in the Lessons Learned phase. System restoration occurs during Recovery. Prevention of future incidents is the goal of implementing improvements based on lessons learned.

10. During the Lessons Learned phase, which activity is MOST important for improving future incident response capabilities?
A. Assigning blame to responsible parties
B. Documenting what worked well and areas for improvement
C. Calculating the financial cost of the incident
D. Notifying regulatory authorities of the breach
Explanation: The Lessons Learned phase focuses on identifying what worked well and what could be improved to enhance future incident response capabilities. This involves conducting post-incident reviews with all stakeholders, documenting findings, and implementing changes to processes, tools, and procedures. Assigning blame creates a negative culture. Financial calculation is important for reporting but not for improving response. Regulatory notification is a compliance requirement but separate from lessons learned.
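Questions 4 and 5 above describe chain of custody and hash-verified evidence preservation in prose. The following is an added example, not code from this page, showing how those two ideas fit together in practice: the item's SHA-256 is fixed at acquisition, every hand-off is logged from both sides, and every later holder re-hashes the item so a silent modification is caught. The evidence bytes, item identifier, and people named below are constructed for the demonstration.

```python
"""Chain-of-custody record with hash verification.

Added example for the chain-of-custody and evidence-preservation questions
above; it is not code from the page. The evidence bytes, identifiers and
people below are constructed for the demonstration.
"""
import hashlib
import json
from datetime import datetime, timezone


def sha256_hex(data):
    """SHA-256 of the evidence bytes; the value a later verifier recomputes."""
    return hashlib.sha256(data).hexdigest()


class CustodyRecord:
    """Chronological log of every hand-off for one evidence item.

    The item's SHA-256 is fixed at acquisition. Every later holder re-hashes
    the item and the comparison is logged, so a silent modification anywhere
    in the chain shows up as a mismatch instead of going unnoticed.
    """

    def __init__(self, item_id, description, data, collector, source):
        self.item_id = item_id
        self.description = description
        self.acquisition_hash = sha256_hex(data)
        self.events = []
        self._log("acquired", collector,
                  "from %s; sha256=%s" % (source, self.acquisition_hash))

    def _log(self, action, actor, note=""):
        self.events.append({
            "time": datetime.now(timezone.utc).isoformat(timespec="seconds"),
            "action": action,
            "actor": actor,
            "note": note,
        })

    def transfer(self, from_person, to_person, note=""):
        """Record both sides of a hand-off so the log has no unexplained gap."""
        self._log("transferred", from_person, ("to %s; %s" % (to_person, note)).rstrip("; "))
        self._log("received", to_person, "from %s" % from_person)

    def verify(self, data, verifier):
        """Re-hash the item and log the result; False means the evidence changed."""
        current = sha256_hex(data)
        ok = current == self.acquisition_hash
        self._log("verified" if ok else "HASH MISMATCH", verifier, "sha256=%s" % current)
        return ok

    def to_json(self):
        """Serialize the record for the case file."""
        return json.dumps({
            "item_id": self.item_id,
            "description": self.description,
            "acquisition_sha256": self.acquisition_hash,
            "events": self.events,
        }, indent=2)


# Constructed stand-in for a forensic disk image (a real image would be a
# file hashed in chunks); 512 bytes is enough to show the mechanism.
IMAGE = bytes(range(256)) * 2


def demo():
    """Acquire, verify, hand off, then detect a one-byte change in transit."""
    rec = CustodyRecord("EV-2024-001", "System disk image of workstation WS-42",
                        IMAGE, "A. Analyst", "write-blocked SATA bridge")
    intact = rec.verify(IMAGE, "A. Analyst")            # True: fresh copy matches
    rec.transfer("A. Analyst", "B. Examiner", "sealed bag #17")
    tampered = IMAGE[:-1] + b"\x00"                     # one byte changed
    still_intact = rec.verify(tampered, "B. Examiner")  # False: logged as mismatch
    return intact, still_intact, [e["action"] for e in rec.events]


if __name__ == "__main__":
    intact, still_intact, actions = demo()
    print(intact, still_intact, actions)
```

The mismatch is logged rather than raised because the record is the evidence of what happened; a failed verification is itself an event the examiner needs to see in the chain. In a real case the image is hashed in chunks from disk, the hash is also recorded on the physical evidence label, and the serialized record travels with the item.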

About the GCIH Exam

The GIAC GCIH validates hands-on incident handling skills including attack detection, forensic analysis, malware analysis, and response procedures. Based on the SANS SEC504 course, it emphasizes practical abilities through CyberLive hands-on testing.

  • Questions: 106 scored questions
  • Time limit: 4 hours
  • Passing score: 69%
  • Exam fee: $999 (source: GIAC, Global Information Assurance Certification)

GCIH Exam Content Outline

  • Incident Handling Process & Frameworks (15%): PICERL framework (Preparation, Identification, Containment, Eradication, Recovery, Lessons Learned), DAIR framework, incident response planning, evidence handling, chain of custody, and documentation
  • Scanning, Enumeration & Reconnaissance (12%): Network scanning techniques, port scanning with Nmap, OS fingerprinting, service enumeration, vulnerability scanning, and reconnaissance detection
  • Password Attacks & Authentication (12%): Brute force attacks, dictionary attacks, rainbow tables, credential stuffing, pass-the-hash, NTLM relay, Kerberos attacks, and password defenses
  • Web Application Attacks (12%): SQL injection, XSS (cross-site scripting), CSRF, command injection, directory traversal, web shells, drive-by downloads, and web app defenses
  • Exploitation & Post-Exploitation (12%): Metasploit framework, Meterpreter usage, pivoting, lateral movement, persistence mechanisms, privilege escalation, backdoors, and covering tracks
  • Malware Analysis & Memory Forensics (12%): Static and dynamic malware analysis, memory analysis with Volatility, process injection, rootkits, packers/obfuscation, and YARA rules
  • Covert Communications & C2 (10%): Command and control infrastructure, DNS tunneling, ICMP tunneling, protocol tunneling, beaconing detection, DGA techniques, and fast-flux networks
  • Defensive Strategies & Detection (10%): SIEM usage, log analysis, network traffic analysis, threat hunting, EDR systems, deception technology, and living-off-the-land detection
  • Advanced Persistent Threats (5%): APT characteristics, lifecycle, TTPs, supply chain attacks, and defense strategies including the assume-breach mindset
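The Covert Communications & C2 objective lists beaconing detection and DNS tunneling without saying what an analyst actually looks for. The following is an added example, not code from this page or from GIAC, that applies the two standard heuristics to constructed log lines: a C2 implant checking in on a fixed interval produces connection gaps with a very low coefficient of variation, and a DNS tunnel has to carry its data in the labels below the registered zone, which makes those labels long and high-entropy. The log format (ts src dst dport, plus a list of query names), the addresses, and the domain names are all constructed to resemble Zeek conn.log and dns.log fields; the thresholds are starting points, not tuned values.

```python
"""Beaconing and DNS-tunnel heuristics over constructed log lines.

Added example for the covert communications objective above; it is not code
from the page. The log format (ts src dst dport; qname) and every address and
name below are constructed to look like Zeek conn.log / dns.log fields.
"""
import math
import statistics
from collections import defaultdict

# Constructed conn log: 10.0.0.5 calls 203.0.113.9:443 every ~60 s with a few
# seconds of jitter (typical C2 check-in); 10.0.0.7 browses 198.51.100.20 in
# irregular bursts.
CONN_LOG = """\
1700000000 10.0.0.5 203.0.113.9 443
1700000061 10.0.0.5 203.0.113.9 443
1700000119 10.0.0.5 203.0.113.9 443
1700000180 10.0.0.5 203.0.113.9 443
1700000241 10.0.0.5 203.0.113.9 443
1700000299 10.0.0.5 203.0.113.9 443
1700000005 10.0.0.7 198.51.100.20 443
1700000017 10.0.0.7 198.51.100.20 443
1700000250 10.0.0.7 198.51.100.20 443
1700000257 10.0.0.7 198.51.100.20 443
1700000900 10.0.0.7 198.51.100.20 443
"""

# Constructed dns log: an ordinary name, a CDN-style name with a longish
# label, and a name whose lower labels carry encoded data.
DNS_QUERIES = [
    "www.example.com",
    "cdn-assets-12.static.example.com",
    "0123456789abcdef0123456789abcdef.0123456789abcdef.tunnel-example.net",
]


def parse_conn(text):
    """Group connection timestamps by (src, dst, dport)."""
    flows = defaultdict(list)
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, dst, dport = line.split()
        flows[(src, dst, int(dport))].append(float(ts))
    return flows


def interval_stats(timestamps):
    """Mean gap and coefficient of variation (stdev/mean) between connections.
    A near-constant gap (low CV) is the classic beacon signature; implant
    jitter raises the CV, but rarely past ~0.1 unless the jitter is large."""
    ts = sorted(timestamps)
    if len(ts) < 4:
        return None
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    mean = statistics.mean(gaps)
    cv = statistics.pstdev(gaps) / mean if mean > 0 else float("inf")
    return mean, cv


def find_beacons(flows, max_cv=0.1, min_events=4):
    """Return (flow, mean_interval, cv) for flows that check in on a schedule."""
    hits = []
    for key, ts in flows.items():
        stats = interval_stats(ts)
        if stats is None or len(ts) < min_events:
            continue
        mean, cv = stats
        if cv <= max_cv:
            hits.append((key, round(mean, 1), round(cv, 3)))
    return hits


def shannon_entropy(s):
    """Bits per character; hex/base32/base64 payloads score roughly 3.5 to 6."""
    if not s:
        return 0.0
    n = len(s)
    counts = {}
    for c in s:
        counts[c] = counts.get(c, 0) + 1
    return -sum(k / n * math.log2(k / n) for k in counts.values())


def tunnel_score(qname, zone_labels=2):
    """Length and entropy of the labels below the registered zone, where a
    DNS tunnel must put its data. zone_labels=2 assumes a two-label zone
    (example.com); public-suffix handling is left out of this example."""
    labels = qname.rstrip(".").split(".")
    payload = "".join(labels[:-zone_labels])
    return len(payload), shannon_entropy(payload)


def find_dns_tunnels(qnames, min_len=30, min_entropy=3.5):
    """Flag names whose data portion is both long and high-entropy."""
    flagged = []
    for q in qnames:
        length, ent = tunnel_score(q)
        if length >= min_len and ent >= min_entropy:
            flagged.append((q, length, round(ent, 2)))
    return flagged


if __name__ == "__main__":
    for hit in find_beacons(parse_conn(CONN_LOG)):
        print("beacon:", hit)
    for hit in find_dns_tunnels(DNS_QUERIES):
        print("tunnel:", hit)
```

On the sample data only the 10.0.0.5 flow is reported (mean gap 59.8 s, CV about 0.025) and only the third query name is flagged (48 data characters at 4.0 bits each). In production both heuristics need an allow-list: software update checks and monitoring agents beacon just as regularly as implants, and CDN and anti-spam services legitimately emit long hashed labels, so the score is a hunting lead to pivot on (destination reputation, process on the endpoint, byte counts), not a verdict.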

How to Pass the GCIH Exam

What You Need to Know

  • Passing score: 69%
  • Exam length: 106 questions
  • Time limit: 4 hours
  • Exam fee: $999

Keys to Passing

  • Complete 500+ practice questions
  • Score 80%+ consistently before scheduling
  • Focus on highest-weighted sections
  • Use our AI tutor for tough concepts

GCIH Study Tips from Top Performers

1. Master the PICERL and DAIR frameworks; understand each phase thoroughly
2. Practice hands-on with Nmap, Metasploit, and other attack tools to understand attacker techniques
3. Study password attacks including brute force, rainbow tables, and Kerberos attacks
4. Understand web application vulnerabilities including SQL injection, XSS, and CSRF
5. Learn malware analysis techniques including static analysis, dynamic analysis, and memory forensics
6. Practice network traffic analysis with Wireshark to identify malicious activity
7. Study covert channels and C2 techniques including DNS tunneling and beaconing
8. Understand Windows forensics including registry analysis, event logs, and prefetch files
9. Review incident response procedures and evidence handling requirements
10. Take all 200 practice questions and review explanations thoroughly, especially for incorrect answers

Frequently Asked Questions

What is the GIAC GCIH exam format?

The GCIH exam consists of 106 questions with a 4-hour time limit. The exam includes multiple-choice questions and CyberLive hands-on practical components that require performing real-world incident handling tasks. The passing score is 69%. Exams are proctored via ProctorU (remote) or Pearson VUE (onsite).

What is CyberLive testing in GCIH?

CyberLive is GIAC's hands-on testing technology used in GCIH exams. Candidates perform real-world incident handling tasks using actual tools, code, and virtual machines. This validates practical skills in detection, analysis, and response. CyberLive questions may include analyzing memory dumps, examining malware, reviewing logs, or investigating network traffic.

How does GCIH compare to other incident response certifications?

GCIH is highly practical and focuses specifically on incident handling skills. Compared to CompTIA CySA+, GCIH goes deeper into hands-on response and forensics. Compared to GCFA (GIAC), GCIH is broader while GCFA focuses more on advanced forensics. GCIH is unique in its comprehensive coverage of attack techniques and defensive countermeasures.

What are the GCIH renewal requirements?

GIAC certifications are valid for 4 years. Renewal requires earning 36 Continuing Professional Education (CPE) credits or retaking the current exam. A renewal fee of $429 is also required. CPEs can be earned through SANS training, incident response exercises, publishing security articles, or other approved activities.

Is GCIH DoD 8570 approved?

Yes. GIAC GCIH is an approved baseline certification under DoD 8570.01-M (carried forward under DoD 8140) for IAT Level III and for the CSSP Incident Responder role. This makes it a qualifying credential for many government and defense contractor incident response positions. GIAC certifications are widely recognized in government, defense, and enterprise security environments.

How long should I study for GCIH?

Plan for 80-120 hours of study over 6-10 weeks. The SANS SEC504 course (6 days or OnDemand) is the official training and highly recommended. Focus on hands-on practice with incident handling tools, forensic analysis, malware investigation, and attack techniques. Complete all 200 practice questions and review explanations thoroughly. Candidates without incident response experience may need additional preparation time.

What jobs can I get with GCIH certification?

GCIH qualifies you for incident response and security operations roles: Incident Response Analyst ($80,000-120,000), SOC Analyst Tier 2/3 ($85,000-125,000), Cybersecurity Analyst ($80,000-115,000), Threat Hunter ($90,000-135,000), Forensic Analyst ($85,000-130,000), and Security Consultant ($95,000-140,000). GCIH demonstrates practical incident handling competency to employers.