Introduction – GCIH GIAC Certified Incident Handler All-in-One Exam Guide


Everyone has a different mindset about taking exams. Some need the related certifications to progress in their careers or because their employers demand it. Others just want to attend associated courses to accumulate knowledge and don’t necessarily mind the exams or the certifications that come with them. Before you start reading this book, you need to decide what exactly you want to do. Do you want to just get some basic knowledge around incident response, or do you want to fully prepare for the GIAC Certified Incident Handler (GCIH) exam? Hopefully, you will be satisfied either way, but if you are aiming to take the exam, a more methodic approach will be warranted. If that’s the case, keep on reading.

The Exam Format

Before you read this section, a clarification needs to be provided. This book is not here to give you a shortcut to the exam or to provide any details that give unlawful insight into the exam itself. Everything mentioned here is public information that Global Information Assurance Certification (GIAC) has published to aid exam takers in preparing for the exam.

First of all, the good news: The exam is open book. Oh yes, that’s right. Now for some bad news: The exam is open book. This can easily make you have a false sense of confidence because you think you can answer all questions, since the answers are in this book or any other resources you bring in the room. However, if you don’t study hard, spending time understanding the material and practicing everything in the lab, you will undoubtedly find out the hard way how difficult an open-book exam can be. You really don’t want to go into that room underprepared.

All the information regarding the GCIH exam can be found in GIAC’s website: The number of questions is in the range of 100 to 150, while the duration is four hours, which should be plenty of time for you to go through all the questions. The passing mark is set at 73 percent.

GIAC also mentions some details about its CyberLive feature (, which is also incorporated in the exam. As of this writing, according to GIAC’s website, five exams use this feature, and GCIH is one of them. In plain English, this means that to answer some questions, you need to access a virtual environment and perform some practical activities to get the desired output. A lot of people dread this possibility, while others simply adore it. You don’t need to love it, but you do need to be prepared for it. One thing is for sure. You can’t try to answer a practical question just by searching around the virtualized environment and its tools for answers. To that end, you can review Chapter 1 and create your own virtual (or physical) lab to practice all the tools and techniques mentioned throughout the book. If that’s not enough, enrich that lab with more tools and machines. If that is still not enough to feel comfortable, you can always join an online “capture the flag” competition to get the necessary exposure and upskill before attempting the exam. Another option is a subscription to an online lab like HackTheBox (, which offers numerous machines you can attack using various methods and tools. In my humble opinion, CyberLive is a great feature because it helps the exam maintain its quality and respect among other exams in the industry, plus it ensures only people who possess a certain skill level are granted the incident handler certification. These people are going to be responsible for large-scale incidents and will need to provide a way to respond to them. This sometimes involves life-critical systems, so that responsibility and this exam shouldn’t be taken lightly. With regard to specific exam objectives, this is the list that GIAC provides on their website:

•   Incident Handling: Identification

•   Incident Handling: Overview and Preparation

•   Client Attacks

•   Covering Tracks: Networks

•   Covering Tracks: Systems

•   Denial of Service Attacks

•   Incident Handling: Containment

•   Incident Handling: Eradication, Recovery, and Lessons Learned

•   Network Attacks

•   Overflow Attacks

•   Password Attacks

•   Reconnaissance

•   Scanning: Discovery and Mapping

•   Scanning: Techniques and Defense

•   Session Hijacking and Cache Poisoning

•   Techniques for Maintaining Access

•   Web Application Attacks

•   Worms, Bots, and Bot Nets

Note that in order to take the exam, you need to register through a Pearson VUE test center. Although most centers are quite up-to-date with each exam, do ensure you print out a copy of the confirmation e-mail, which clearly states this is an open-book exam. The last thing you want is to not be allowed to carry a book or other materials in the room because the invigilator thought no such materials were allowed. This is not something that I just made up, as it has happened to some students of mine, although it’s very rare.

Preparing for the Exam

The best thing you can do to prepare for the exam is to study hard. Period. There are no shortcuts and no easy ways. Now, when I say this to students the first question I get is “How much time is required to prepare?” The answer really is “As long as it takes.” I am not trying to be cynical, but the required time actually depends on your skill level. If you are a beginner in security, then substantially more time will be required. If you are a seasoned individual with in-depth knowledge of the area, especially with experience in incident handling, this may be easier, but you will still need to study. Another question I get is “Do I have to attend a course or can I self-study for the exam?” That depends on your budget and desire, in addition to how you tend to learn better. Some people need an instructor to give lectures about how things work and want to be able to ask questions and interact throughout the learning process. In those cases, a course is really useful. GIAC recommends SANS courses for all its exams. In fact, although you may ask GIAC what resources you can use to self-study, they will directly tell you they only recommend SANS trainings for any of their exams. The course corresponding to this exam is SANS SEC 504: Hacker Tools, Techniques, Exploits, and Incident Handling ( GIAC’s preparation guidelines can be found at

As a side note, I wholeheartedly believe that SANS courses and instructors are the best the security industry has to offer. The people teaching those are constantly in the trenches, facing real incidents day in and day out. They create courses for SANS and teach those courses because they just love passing on their knowledge and giving back to the security community. I feel honored to have had the privilege of attending numerous SANS conferences throughout the years and can tell you it’s a valuable experience that I highly recommend. The only consideration is usually cost, especially if you need to travel to the event’s location and pay subsistence for a multiday course. Having said that, there are also options for you to attend courses remotely and on demand, which can be much more affordable.

If you aim to self-study for the exam, this book is a great resource. I have made every effort to provide you with enough details to cover the official objectives set out by GIAC. However, if you need to drill down more in some additional areas that closely relate to what is referenced in the book, then you should take the time to do just that. Don’t rush and definitely don’t skip things. To that purpose, I have added numerous references and resources at the end of each chapter. However, you need to be aware that this book needs to stay aligned with the exam’s objectives and discuss those in depth. That means there may be some other areas that are covered in less detail to account for that fact. For example, Linux and networking are not in the exam objectives. As such, if you lack Linux or networking skills, you might need to study a bit more before you start feeling at ease. However, the book offers enough insight to get you started and be able to keep up with the content, but it really isn’t about Linux or networking. In those cases where you need extensive information for a specific area, please feel free to supplement accordingly. The same principle applies to everything else in the book. This is also a crucial part of the learning process. One of the best professors I had in my undergraduate course once said, “You are not here to be taught everything. You are here to be taught how to research and then go away and conquer knowledge.” It took me several years to understand what he meant. But gradually, especially being in IT for long enough, I realized that whenever I don’t know or remember something, I just go and research it. That’s exactly the approach that is expected with these types of exams, which is another reason why it helps that the exam format is open book, since you aren’t limited in what you use.

Another crucial part of the preparation process is having a really good exam index that helps you speed things up. Appendix C has a short index template, which shows what structure can be very helpful during the exam. You can add various items from this book and any other books or sources you are using, in addition to commands (like the ones present in Appendix A) and tools (listed in Appendix B).

I have made every effort to include all tools and commands present in the book in Appendixes A and B. The command index includes the OS that the command works in, along with a short description of its use. The tools index has the tool names, a short description of their use, and a URL where you can download them from. Just keep in mind that URLs tend to change very frequently, and this book has almost 300 of them. I can assure you that at the time of writing all were functional, but some of them are bound to be moved or not working when you try them out. In those cases, use your favorite search engine, and you will easily identify a working download page. However, when you do that, take special care of where you are downloading tools from because not every source can be trusted. The same applies for any webpages that are mentioned in Appendix B and might be hosting malware in the future. Any resources like these are not owned or maintained by McGraw Hill, so there’s no way to ensure they remain secure. Please ensure you only access webpages when you feel comfortable doing so.

Appendix C provides an indicative index template that can be used to prepare your exam index. Think of it like a combination of Appendix A and Appendix B in addition to having a new section for the terms you encounter as you read this book or any other recourses you intend to use for the exam. You can use Excel to create different sheets (corresponding to parts 1, 2, and 3 of Appendix C) and then print them in sequence and bind them together. If you are using more resources than this book (which, of course, you are more than able to), you can always create a small entry at the end of your index and represent each resource with a number—for example, this book could be number 1 and another book you are using could be number 2, and so on. That will make navigating through your index really easy because in the “book” column you just specify 1 or 2 instead of long titles. The important thing to understand is that each index is personal, so tailor it to your needs. That means put the key terms you need in the index, along with what book and page they are in, and always add a short description. That saves you a lot of time because even if you don’t actually remember the term you mentioned in your index, you can use that description to refresh your memory without having to go back to each particular page that term is in. The goal is to save you the hassle of going back to the actual resources more times than you need to.

Cheat sheets can also help save you time, but you have to find a balance so you don’t have too many resources that may be confusing for you. Practice makes perfect. Which conveniently brings me to my next point: practice tests. This book has a collection of 300 online tester questions in addition to all the questions at the end of each chapter. Also note that when you register for the GCIH exam, GIAC provides you with two free practice tests. That’s really great because CyberLive questions are included, and that can go a long way in making you feel at ease with the exam environment.

Exam Preparation Hints

I have compiled the following list of hints that you need to consider as you’re answering the questions in this book, as well as when taking the actual exam:

•   Be aware of absolute statements. For example, if a question states, “Which of the following commands is never used in Windows” then you have to be absolutely sure that this command is really never used. However, the easiest way to tackle this is to identify a scenario that would make this statement false. So, if you manage to identify a situation where the command is actually used, then you automatically invalidate that statement and you know it’s not a correct answer.

•   When answering questions consider what you don’t know. It’s not enough to identify a question’s correct answer, and you really shouldn’t guess when preparing for the exam. Identifying why all the other options are wrong is equally important because an exam question might relate to those. In addition, always know the background of the answers. Don’t just identify the correct option and think you kind of know why the others are wrong. When studying, time is on your side. When taking an exam, it isn’t. If you invest more time preparing, you will need less time to answer questions when taking the exam.

•   Think of examples as much as you can, especially from practical experience. If a question mentions forensic imaging, think about what types of forensic software you have in your company in order to make associations about what you are being asked. There’s really no substitute for experience.

•   Try to identify distractors. Sometimes, a few answers seem really wrong or flat out unsuitable for the context of the question. Those are usually distractors placed there to confuse you. Read all theory carefully and try the tools and commands before attempting to answer any questions. That will instill the concepts in your mind and you will have less chance of getting confused by such distractors.

•   Review all possible answers as carefully as the questions. This is especially important when the questions contain statements like “least possible,” “most probable,” “best answer,” “least effective,” “less likely,” and similar ones. That means you need to evaluate all possible options carefully so the appropriate answer can be identified.

•   Some questions will seem vague or may contain things you have never heard of before. An effort has been made to include such questions in the book in order to simulate the conditions of the exam. Don’t be afraid of these questions. Try to read both the question and all answers as carefully as possible and rule out what you think is not suitable.

•   Scenario- or command output–related questions. Any questions relating to a short scenario or command output would require you to review that closely. Usually, the answer, or some really good hints about it, are included in the scenario or command output. Review those carefully before answering.

•   Sometimes more than one answer may seem fitting. Read the question and all possible answers again in order to distinguish the one that is truly correct.

•   opkmlck;fq y md,.9 d2;qjD,. qjkd.;.....dklwd8u Don’t dwell on what you don’t know or can’t remember. There’s no point in stressing about something you don’t remember or might not even know when taking the exam. Again, preparation is key. Try to review any theory in advance so you are familiar with all related concepts.

How to Use This Book

Each chapter consists of the following elements:

•   Short chapter introduction and learning topics

•   In-depth discussion about all learning objectives

•   End-of-chapter review

•   Questions and answers

It’s really crucial to take your time when reading questions, because sometimes you will get them wrong just by not paying enough attention. Use the hints provided in the previous section, and don’t be afraid to read chapters many times and review questions and only answer them after careful reflection. Use the book’s online content (detailed in Appendix D) to make the best out of it, since it allows you to create custom test sets that you can use to practice. Don’t neglect to practice the tools and the commands presented throughout the book. The only way to solidify the concepts and actually use them in real-life incidents afterwards is by testing everything out. Don’t be afraid if something doesn’t work. Troubleshooting is part of the process. Every effort has been made to carefully provide accurate command outputs and up-to-date tools and content, but sometimes things do break.

Various tips have been placed throughout the book to focus your attention on particular items that may prove valuable, and caution markers have been placed to highlight activities that may have impact, especially when performed in production systems. Also, a lot of care has been spent in creating various figures and illustrations to provide you with the best experience possible. By my count, no fewer than 160 figures and illustrations have been used in the book, which will hopefully help you get a deep understanding of the associated concepts.

Take particular note of command outputs. Test the tools and commands on your lab. Experiment as much as you can, change the parameters and targets, and use various operating systems, if possible, to get a full understanding of how all of them are used. Note that most command outputs are either trimmed or split across various lines in order to account for page constraints.

Lastly, let me wish you all the best in your exam journey, and I do hope all the knowledge accumulated in the book helps you pass the exam, but more than that, provides you with enough recourses to be able to respond to live incidents. If you have any feedback, please don’t hesitate to provide it. We always try to account for any suggestions and improve the content as we go along.