GIAC Certified Enterprise Defender

Here you have the best GIAC GCED practice exam questions

You have 56 total questions to study from
Each page has 5 questions, making a total of 12 pages
You can navigate through the pages using the buttons at the bottom
This questions were last updated on October 17, 2025
This site is not affiliated with or endorsed by GIAC.

Question 1 of 56

Which type of media should the IR team be handling as they seek to understand the root cause of an incident?

Restored media from full backup of the infected host

Media from the infected host, copied to the dedicated IR host

Original media from the infected host

Bit-for-bit image from the infected host

Correct Answer: A

Question 2 of 56

An incident response team is handling a worm infection among their user workstations. They created an IPS signature to detect and block worm activity on the border IPS, then removed the worms artifacts or workstations triggering the rule. Despite this action, worm activity continued for days after. Where did the incident response team fail?

The team did not adequately apply lessons learned from the incident

The custom rule did not detect all infected workstations

They did not receive timely notification of the security event

The team did not understand the worm’s propagation method

Correct Answer: B

Question 3 of 56

Of the following pieces of digital evidence, which would be collected FIRST from a live system involved in an incident?

Event logs from a central repository

Directory listing of system files

Media in the CDrom drive

Swap space and page files

Correct Answer: D

Question 4 of 56

Which of the following attacks would use ".." notation as part of a web request to access restricted files and directories, and possibly execute code on the web server?

URL directory

HTTP header attack

SQL injection

IDS evasion

Cross site scripting

Correct Answer: A

Question 5 of 56

At the start of an investigation on a Windows system, the lead handler executes the following commands after inserting a USB drive. What is the purpose of this command? C:\ >dir / s / a dhsra d: \ > a: \ IRCD.txt

To create a file on the USB drive that contains a listing of the C: drive

To show hidden and archived files on the C: drive and copy them to the USB drive

To copy a forensic image of the local C: drive onto the USB drive

To compare a list of known good hashes on the USB drive to files on the local C: drive

Correct Answer: C