GIAC CERTIFIED INCIDENT HANDLER (GCIH) –QUESTIONS AND CORRECT
ANSWERS (VERIFIED ANSWERS) PLUS RATIONALES 2026 Q&A | INSTANT
DOWNLOAD PDF.
Core Domains:
- Incident Handling and Digital Forensics Foundations
- Cyber Defence and Intelligence Analysis
- Computer Crime and Digital Investigations
- Memory Forensics and Malware Analysis
- Network Protocols and Traffic Analysis
- Host-Based Creative Security and Logging
- Cloud Incident Response and Security Architecture
- Covering Legal, Regulatory, and Ethical Standards
Introduction:
The GIAC Certified Incident Handler certification assessment validates a practitioner's
ability to detect, respond to, and resolve computer security incidents utilizing a structured
and comprehensive framework. This examination evaluates critical competencies across
the incident handling lifecycle, including preparation, identification, containment,
eradication, recovery, and lessons learned. Through a combination of foundational
conceptual problems and complex, scenario-based questions, candidates must
demonstrate an advanced understanding of exploit mechanics, defensive engineering,
and digital forensics. This guide emphasizes real-world application, technical decision-
,making, regulatory compliance, and strict ethical standards required to protect enterprise
infrastructure from modern threat actors.
Section One: Questions 1–100
Question 1
An incident responder discovers an ongoing exfiltration attempt via Domain Name
System (DNS) tunneling. The attacker is mapping data into subdomains of a malicious
authoritative domain. Which of the following containment actions stops the exfiltration
immediately while preserving the most forensic data on the local infrastructure?
A. Clear the local DNS resolver cache on all corporate workstations.
B. Implement a temporary block on outbound UDP and TCP port 53 at the perimeter
firewall for all internal hosts.
C. Configure the internal DNS forwarders to sinkhole queries resolving to the malicious
domain.
D. Shut down the authoritative active directory domain controllers serving the internal
network.
🟢 C. Configure the internal DNS forwarders to sinkhole queries resolving to the
malicious domain.
🔴 RATIONALE: Sinkholing the specific malicious domain at the internal DNS forwarder
level drops or redirects the traffic without disrupting the entire organization's internet
access, which would happen if port 53 were blocked globally. It preserves local host logs,
,endpoint artifacts, and prevents active alert flags from tipping off the attacker, unlike
broad network shutdowns.
Question 2
During an active investigation, an incident response analyst discovers that a system
administrator shared access credentials over an unencrypted chat channel, violating
internal security policies and industry best practices. Which component of the incident
handling process governs how this discovery should be addressed?
A. Identification
B. Eradication
C. Containment
D. Lessons Learned
🟢 D. Lessons Learned
🔴 RATIONALE: Discovering policy violations, systemic gaps, or procedural errors
during or after an incident is addressed within the Lessons Learned phase. This phase
focuses on developing remediation strategies, updating security controls, and training
staff to prevent future occurrences, rather than the active technical containment or
eradication of the current threat.
Question 3
Under the General Data Protection Regulation (GDPR), what is the maximum
, permissible timeframe for an organization to notify the relevant supervisory authority after
becoming aware of a personal data breach?
A. 24 hours
B. 48 hours
C. 72 hours
D. 96 hours
🟢 C. 72 hours
🔴 RATIONALE: Article 33 of the GDPR dictates that in the case of a personal data
breach, the data controller shall without undue delay and, where feasible, not later than
72 hours after having become aware of it, notify the personal data breach to the
supervisory authority competent in accordance with Article 55.
Question 4
A security analyst runs a netstat -anob command on a suspected Windows server and
observes an unknown process listening on TCP port 4444. This port is highly
characteristic of which default framework component?
A. PsExec remote execution utility
B. Metasploit Framework default Reverse TCP payload
C. Windows Remote Management service
D. Netcat basic listener mode
ANSWERS (VERIFIED ANSWERS) PLUS RATIONALES 2026 Q&A | INSTANT
DOWNLOAD PDF.
Core Domains:
- Incident Handling and Digital Forensics Foundations
- Cyber Defence and Intelligence Analysis
- Computer Crime and Digital Investigations
- Memory Forensics and Malware Analysis
- Network Protocols and Traffic Analysis
- Host-Based Creative Security and Logging
- Cloud Incident Response and Security Architecture
- Covering Legal, Regulatory, and Ethical Standards
Introduction:
The GIAC Certified Incident Handler certification assessment validates a practitioner's
ability to detect, respond to, and resolve computer security incidents utilizing a structured
and comprehensive framework. This examination evaluates critical competencies across
the incident handling lifecycle, including preparation, identification, containment,
eradication, recovery, and lessons learned. Through a combination of foundational
conceptual problems and complex, scenario-based questions, candidates must
demonstrate an advanced understanding of exploit mechanics, defensive engineering,
and digital forensics. This guide emphasizes real-world application, technical decision-
,making, regulatory compliance, and strict ethical standards required to protect enterprise
infrastructure from modern threat actors.
Section One: Questions 1–100
Question 1
An incident responder discovers an ongoing exfiltration attempt via Domain Name
System (DNS) tunneling. The attacker is mapping data into subdomains of a malicious
authoritative domain. Which of the following containment actions stops the exfiltration
immediately while preserving the most forensic data on the local infrastructure?
A. Clear the local DNS resolver cache on all corporate workstations.
B. Implement a temporary block on outbound UDP and TCP port 53 at the perimeter
firewall for all internal hosts.
C. Configure the internal DNS forwarders to sinkhole queries resolving to the malicious
domain.
D. Shut down the authoritative active directory domain controllers serving the internal
network.
🟢 C. Configure the internal DNS forwarders to sinkhole queries resolving to the
malicious domain.
🔴 RATIONALE: Sinkholing the specific malicious domain at the internal DNS forwarder
level drops or redirects the traffic without disrupting the entire organization's internet
access, which would happen if port 53 were blocked globally. It preserves local host logs,
,endpoint artifacts, and prevents active alert flags from tipping off the attacker, unlike
broad network shutdowns.
Question 2
During an active investigation, an incident response analyst discovers that a system
administrator shared access credentials over an unencrypted chat channel, violating
internal security policies and industry best practices. Which component of the incident
handling process governs how this discovery should be addressed?
A. Identification
B. Eradication
C. Containment
D. Lessons Learned
🟢 D. Lessons Learned
🔴 RATIONALE: Discovering policy violations, systemic gaps, or procedural errors
during or after an incident is addressed within the Lessons Learned phase. This phase
focuses on developing remediation strategies, updating security controls, and training
staff to prevent future occurrences, rather than the active technical containment or
eradication of the current threat.
Question 3
Under the General Data Protection Regulation (GDPR), what is the maximum
, permissible timeframe for an organization to notify the relevant supervisory authority after
becoming aware of a personal data breach?
A. 24 hours
B. 48 hours
C. 72 hours
D. 96 hours
🟢 C. 72 hours
🔴 RATIONALE: Article 33 of the GDPR dictates that in the case of a personal data
breach, the data controller shall without undue delay and, where feasible, not later than
72 hours after having become aware of it, notify the personal data breach to the
supervisory authority competent in accordance with Article 55.
Question 4
A security analyst runs a netstat -anob command on a suspected Windows server and
observes an unknown process listening on TCP port 4444. This port is highly
characteristic of which default framework component?
A. PsExec remote execution utility
B. Metasploit Framework default Reverse TCP payload
C. Windows Remote Management service
D. Netcat basic listener mode