GCIA Cheat Sheet 2026
The 30 highest-yield GCIA facts, distilled from real exam questions. Print it, save it as a PDF, or study it here — free, no sign-up.
106 questions
240 min time limit
67.00% to pass
- What does the Snort 'flowbits' keyword allow analysts to do? → Track state across multiple packets in a session
- What does the Window Size field in a TCP header control? → Amount of data the sender can transmit before receiving an acknowledgment
- Which artifact is MOST useful for determining whether a file was executed on a Windows system even if the file has since been deleted? → Windows Prefetch files (.pf)
- Which protocol uses port 179 and is critical to inter-domain routing on the Internet? → BGP
- Which protocol is most commonly used by modern SIEM systems to receive syslog messages over an encrypted, reliable transport? → TLS-wrapped TCP 6514 (syslog over TLS)
- An analyst observes a malware sample creating a Windows service with 'sc.exe create' and setting the start type to 'auto'. What is the malware doing? → Creating a persistence mechanism via auto-start service
- What information does the HTTP 'X-Forwarded-For' header provide that is valuable during intrusion analysis? → The originating client IP address when traffic passes through proxies or load balancers
- Which log source would provide information about user login attempts and authentication events? → Authentication logs
- Which SIEM query approach would BEST detect Pass-the-Hash attacks in Windows event logs? → Event ID 4624 with Logon Type 3 and NTLM authentication from unexpected sources
- Which network protocol uses a three-message exchange (DISCOVER, OFFER, REQUEST, ACK) and operates on UDP ports 67/68? → DHCP
- Which behavioral indicator would most strongly suggest a rootkit is active on a Linux system during live forensics? → Discrepancies between /proc entries and kernel-level process lists
- Which log source would best reveal a brute force attack against a web application login page? → Web server access logs
- An analyst observes many UDP packets to port 53 with the QR bit set to 1 and large response sizes targeting a victim IP. What attack is this? → DNS amplification / reflection attack
- In a packet capture, you see ICMP Type 5 messages being sent to a host. What is occurring? → The host is being informed of a better route via ICMP Redirect
- Which Ethernet frame type should an analyst flag as suspicious when seen on a corporate LAN without a configured VLAN environment? → Frames with EtherType 0x8100 (802.1Q VLAN tag)
- What is the most important foundational concept in Packet Analysis? → Understanding core principles and their practical application in Packet Analysis
- Which tool creates pattern-matching rules to identify and classify malware samples? → YARA
- A NIDS deployed on a switched network receives only traffic destined for its own MAC address. What is the most likely misconfiguration? → The switch port mirroring (SPAN) session is not configured
- What does the '5-tuple' refer to when uniquely identifying a network flow? → Source IP, destination IP, source port, destination port, and protocol
- Which Snort rule option would cause the rule to fire only when a specific byte sequence appears at a fixed offset within the payload? → content with depth and offset keywords
- In network traffic analysis, what does a 'Fragmentation Overlap' pattern in IP packets indicate? → A potential evasion technique or Teardrop attack targeting reassembly code
- Which type of analysis involves comparing current network traffic patterns to established baselines to detect anomalies? → Statistical analysis
- What quality metrics are most important in Packet Analysis? → Measurable outcomes, process compliance, and stakeholder satisfaction
- What is a 'watering hole' attack? → Compromising websites frequently visited by the target group
- Which of the following tools is commonly used to analyze the behavior of malware? → Dynamic analysis tool
- During dynamic analysis of a suspicious binary, you observe it calling CreateRemoteThread targeting explorer.exe. What technique is most likely being used? → Remote thread injection
- Which step in the incident response process involves gathering evidence and documenting the incident? → Detection and Analysis
- A malware sample communicates with its C2 server using HTTPS with a self-signed certificate. Why might this complicate network-based detection? → Traffic is encrypted, hiding the payload from signature-based IDS inspection
- What does a firewall 'implicit deny' rule do? → Denies all traffic not explicitly allowed
- What model analyzes intrusion events using adversary, capability, infrastructure, and victim as its four core features? → Diamond Model
Turn these facts into recall: