Free GCIH Exam Braindumps

Adam works as an Incident Handler for Umbrella Inc. He has been sent to the California unit to train the members of the incident response team. As a demo project he asked members of the incident response team to perform the following actions:

Remove the network cable wires.
Isolate the system on a separate VLAN.
Use a firewall or access lists to prevent communication into or out of the system.
Change DNS entries to direct traffic away from the compromised system.

Which of the following steps of the incident handling process includes the above actions?

  A. Identification
  B. Containment
  C. Eradication
  D. Recovery

Answer(s): B



An administrator needs to repeatedly scan a very large network with thousands of hosts. What is the best way of accomplishing this very quickly?

  A. Nessus
  B. Nmap
  C. Masscan
  D. Hping3

Answer(s): C



You are a member of your organization’s IT Security Team. The following were found in the hosts file on a Windows workstation that is on your network. The system administrator thought these were “interesting” snippets from the hosts file. Which of the entries listed below are cause for further investigation?

  A. 4
  B. 3
  C. 1
  D. 2

Answer(s): C

Explanation:

Entries in the hosts file that map domain names to the local loopback address (127.0.0.1) are often entered by malware to prevent users from accessing well known anti-virus web sites after the computer has been infected.
#102.54.94.97 is a sample entry in a Windows 7 hosts file, while 127.0.0.1, 0.0.0.0, and ::1 are default entries in a Windows 7 hosts file.



An attacker issues the command shown below. Which of the following best describes what the attacker is attempting to do?

C:\> nc.exe -L -p 43567 -e cmd.exe

  A. Start a netcat listener on port 43567 that when connected to will provide access to the Windows Command Prompt
  B. Connect to a netcat listener with a process id of 43567 and subsequently receive access to the Windows Command Prompt
  C. Connect to a netcat listener on port 43567 and subsequently receive access to the Windows Command Prompt
  D. Start a netcat listener with a process id of 43567 that when connected to will provide access to the Windows Command Prompt

Answer(s): A

Explanation:

This command, when executed, will activate Netcat so that it listens persistently (-L) on TCP port 43567. When someone connects, the Netcat listener will run cmd.exe.



How can you minimize your chances of a mistake, such as not notifying a required party, being made during an incident response?

  A. Have management support
  B. Have administrative access to all systems
  C. Have proper procedures in place
  D. Fill out chain of custody forms promptly

Answer(s): C