GIAC Certified Incident Handler (GCIH) Training

Commitment 5 Days, 7-8 hours a day.
Language English
User Ratings Average User Rating 4.8
Delivery Options Instructor-Led Onsite, Online, and Classroom Live


Get the skills you need to detect, respond to, and resolve computer security incidents in just 5 days. On this accelerated GIAC Certified Incident Handler (GCIH) Training course, you’ll develop the skills and knowledge needed to manage sensitive security incidents.

As organizations strive to improve their cyber security, Incident Handlers are increasingly in demand, and the GCIH certification qualifies you for this critical role. Our GCIH training prepares you for the GIAC Certified Incident Handler (GCIH) exam and provides knowledge equivalent to the SANS SEC504: Hacker Tools, Techniques, Exploits, and Incident Handling.


The GIAC Certified Incident Handler (GCIH) Training Workshop focuses on the five key incident response stages:

  • Planning – Preparing the right process, people, and technology enables organizations to effectively respond to security incidents
  • Identification – Scoping the extent of the incident and determining which networks and systems have been compromised and to what degree
  • Containment – Preventing the incident from further escalation using information gathered in the identification stage
  • Eradication – Removing intruder access to internal and external company resources
  • Recovery and lessons learned – Restoring fully operational system capability and closing out the incident by proper reporting and lessons learned meetings

  • 1 proctored exam
  • 106 questions
  • 4 hours
  • A minimum passing score of 70%

Note: GIAC reserves the right to change the specifications for each certification without notice. Based on a scientific passing point study, the passing point for the GCIH exam has been determined to be 70% for all candidates receiving access to their certification attempts on or after October 10th, 2020. To verify the format and passing point of your specific certification attempt, read the Certification Information found in your account at

  • Five days of the best hands-on GIAC Certified Incident Handler (GCIH) Training in the industry
  • GCIH Courseware and Study Guide
  • GCIH Sample Exam Questions
  • Certificate of Completion
  • 100% Satisfaction Guarantee



After attending our GIAC Certified Incident Handler (GCIH) Training Workshop, you will have the ability to:

  • Firmly understand the provisions of IT law
  • Successfully define evidence-handling procedures
  • Comprehend the general rules of evidence
  • Apply fundamental computer and mobile forensics concepts to forensic investigations
  • Identify key technologies relevant to computer forensics
  • Acquire forensic evidence
  • Locate forensic artifacts in various operating systems
  • Analyze extracted evidence and properly report findings

  • We can adapt this GIAC Certified Incident Handler (GCIH) Training course to your group’s background and work requirements at little to no added cost.
  • If you are familiar with some aspects of this GIAC Certified Incident Handler (GCIH) course, we can omit or shorten their discussion.
  • We can adjust the emphasis placed on the various topics or build the GIAC Certified Incident Handler (GCIH) course around the mix of technologies of interest to you (including technologies other than those included in this outline).
  • If your background is nontechnical, we can exclude the more technical topics, include the topics that may be of special interest to you (e.g., as a manager or policy-maker), and present the GIAC Certified Incident Handler (GCIH) course in a manner understandable to lay audiences.

The target audience for this GIAC Certified Incident Handler (GCIH) Training Workshop course:

  • Incident Handlers
  • Legal professionals
  • Systems Administrators
  • Security Practitioners and Managers
  • Threat Hunters
  • Incident Response Team Members
  • Digital Forensics Engineers
  • Law enforcement professionals looking to expand into computer crime investigations
  • IT pros being tasked with corporate forensics and incident handling

The knowledge and skills that a learner must have before attending this GIAC Certified Incident Handler (GCIH) Training are:

  • Basic understanding of computer networking and fundamental security concepts
  • General knowledge of networking protocols
  • Working knowledge of the Windows OS and command line
  • Basic exposure to Linux


Day 1: Incident response overview
  • Course Introduction
  • Responding to incidents
    • Incident response today
    • Incident response needs
    • The current cyber threat landscape
  • IR definitions
  • The stages of incident response
    • Planning/preparation
    • Identification
    • Containment
    • Eradication
    • Recovery
    • Post-incident activity (lessons learned)
  • Incident response team members
  • Incident evidence
    • Chain of custody
    • Evidence types
    • Incident evidence
    • Evidence handling
  • Incident response tools
    • File system navigation tools
    • Hashing tools
    • Binary search tools
    • Imaging tools for bit-stream image copies
    • Deep retrieval tools
    • File chain and directory navigation tools
    • IR case management tools
Day 2: Common attacks, anatomy, and coordination
  • Commonly used attacks
    • Precursors and indicators
    • Types of attacks
      • Network attacks
      • Botnets
      • Denial-of-service (DDoS) attacks
      • Email attacks
      • Malicious code (malware)
      • Overflow attacks
      • Ransomware
      • Client attacks
      • Compromise of privileged accounts
      • Insider attacks
      • Web application attacks
    • Anatomy of an attack
      • Reconnaissance
      • Scanning
      • Exploit
      • Maintaining access
      • Covering tracks on networks and systems
  • Incident response coordination
    • IR coordination benefits
    • Trusted communication paths
    • Information sharing techniques
Day 3: Network forensics, tools, and analysis
  • Network forensics
    • Internet and networking basics
    • IP addressing
    • Understanding protocols (TCP, UDP, ICMP, DHCP)
    • Approach to network forensics
    • Network logs
  • Network security tools
    • Network devices and appliances
    • Port scanners
    • Packet sniffers and traffic analyzers
    • Network scanners
    • Firewalls
    • IDS/IPS
    • Remote access technologies
    • File integrity tools
    • Anti-malware
  • Log analysis
    • Importance of logs
    • Top 10 logging practices
    • Log management and control
    • SIEM
    • Main sources of data
    • Log analysis tools
    • Normal traffic signatures
    • Abnormal traffic signatures
  • Protocol analysis
    • TCP/IP concepts
    • TCP deep dive
    • Ports and sockets
    • Understanding headers
  • Wireless analysis
    • Wireless networking fundamentals
    • Wireless security solutions
    • Wireless attacks
    • Wireless PKI
  • Live analysis
    • Live forensics overview
    • Order of volatility
    • Live forensics tools
  • Web traffic analysis
    • Web signatures
    • DNS record types
    • Browser data locations
  • Email analysis
    • Email structure
    • Email protocols
    • Message analysis techniques
    • Outlook files
    • Email analysis tools
Day 4: CFE role, disk forensics, passwords, and more
  • Role of the computer forensics examiner
    • Scope of authority
    • 4 steps to success
    • SWGDE
    • Legal aspects
  • Disk forensics
    • Image copy of disks
    • Imaging process and tools
    • Image analysis
    • Deleted files and other recovery areas
    • Slack
    • Data hiding techniques
  • Passwords and encryption
    • Protected storage
    • Password protected vs. password encrypted
    • Password recovery tools
    • Windows passwords
    • Password cracking
  • Memory forensics
    • Memory forensics definition and objectives
    • Memory artifacts
    • Dumping memory
    • Memory forensics tools
  • Windows swap file
    • Pagefile.sys
    • Policy and registry setting
    • Recovering the swap file
Day 5: Other forensics areas and exam review
  • Cell phone forensics
    • Cell phone technologies and operating systems
    • Cell phone communications
    • Android forensics challenges
    • Common tools
    • iOS forensics challenges
    • Common tools
  • Reverse engineering
    • Reverse engineering definition and objectives
    • Assembly language and machine code
    • Disassemblers
    • Hardcoded data
  • Exploit kits
    • Malware development kits
    • Evasion techniques
  • GCIH exam review
GIAC Certified Incident Handler (GCIH) Training Course Recap, Q/A, and Evaluations

