GCIA Cheat Sheet 2026

The 30 highest-yield GCIA facts, distilled from real exam questions. Print it, save it as a PDF, or study it here — free, no sign-up.

106 questions
240 min time limit
67.00% to pass
  1. What does the Snort 'flowbits' keyword allow analysts to do? Track state across multiple packets in a session
  2. What does the Window Size field in a TCP header control? Amount of data the sender can transmit before receiving an acknowledgment
  3. Which artifact is MOST useful for determining whether a file was executed on a Windows system even if the file has since been deleted? Windows Prefetch files (.pf)
  4. Which protocol uses port 179 and is critical to inter-domain routing on the Internet? BGP
  5. Which protocol is most commonly used by modern SIEM systems to receive syslog messages over an encrypted, reliable transport? TLS-wrapped TCP 6514 (syslog over TLS)
  6. An analyst observes a malware sample creating a Windows service with 'sc.exe create' and setting the start type to 'auto'. What is the malware doing? Creating a persistence mechanism via auto-start service
  7. What information does the HTTP 'X-Forwarded-For' header provide that is valuable during intrusion analysis? The originating client IP address when traffic passes through proxies or load balancers
  8. Which log source would provide information about user login attempts and authentication events? Authentication logs
  9. Which SIEM query approach would BEST detect Pass-the-Hash attacks in Windows event logs? Event ID 4624 with Logon Type 3 and NTLM authentication from unexpected sources
  10. Which network protocol uses a three-message exchange (DISCOVER, OFFER, REQUEST, ACK) and operates on UDP ports 67/68? DHCP
  11. Which behavioral indicator would most strongly suggest a rootkit is active on a Linux system during live forensics? Discrepancies between /proc entries and kernel-level process lists
  12. Which log source would best reveal a brute force attack against a web application login page? Web server access logs
  13. An analyst observes many UDP packets to port 53 with the QR bit set to 1 and large response sizes targeting a victim IP. What attack is this? DNS amplification / reflection attack
  14. In a packet capture, you see ICMP Type 5 messages being sent to a host. What is occurring? The host is being informed of a better route via ICMP Redirect
  15. Which Ethernet frame type should an analyst flag as suspicious when seen on a corporate LAN without a configured VLAN environment? Frames with EtherType 0x8100 (802.1Q VLAN tag)
  16. What is the most important foundational concept in Packet Analysis? Understanding core principles and their practical application in Packet Analysis
  17. Which tool creates pattern-matching rules to identify and classify malware samples? YARA
  18. A NIDS deployed on a switched network receives only traffic destined for its own MAC address. What is the most likely misconfiguration? The switch port mirroring (SPAN) session is not configured
  19. What does the '5-tuple' refer to when uniquely identifying a network flow? Source IP, destination IP, source port, destination port, and protocol
  20. Which Snort rule option would cause the rule to fire only when a specific byte sequence appears at a fixed offset within the payload? content with depth and offset keywords
  21. In network traffic analysis, what does a 'Fragmentation Overlap' pattern in IP packets indicate? A potential evasion technique or Teardrop attack targeting reassembly code
  22. Which type of analysis involves comparing current network traffic patterns to established baselines to detect anomalies? Statistical analysis
  23. What quality metrics are most important in Packet Analysis? Measurable outcomes, process compliance, and stakeholder satisfaction
  24. What is a 'watering hole' attack? Compromising websites frequently visited by the target group
  25. Which of the following tools is commonly used to analyze the behavior of malware? Dynamic analysis tool
  26. During dynamic analysis of a suspicious binary, you observe it calling CreateRemoteThread targeting explorer.exe. What technique is most likely being used? Remote thread injection
  27. Which step in the incident response process involves gathering evidence and documenting the incident? Detection and Analysis
  28. A malware sample communicates with its C2 server using HTTPS with a self-signed certificate. Why might this complicate network-based detection? Traffic is encrypted, hiding the payload from signature-based IDS inspection
  29. What does a firewall 'implicit deny' rule do? Denies all traffic not explicitly allowed
  30. What model analyzes intrusion events using adversary, capability, infrastructure, and victim as its four core features? Diamond Model
Turn these facts into recall: