GCFA Practice Questions: Analyzing Volatile Windows Event Artifacts Domain

Master the Analyzing Volatile Windows Event Artifacts Domain

Test your knowledge in the Analyzing Volatile Windows Event Artifacts domain with these 10 practice questions. Each question is designed to help you prepare for the GCFA certification exam with detailed explanations to reinforce your learning.

Question 1

You find multiple Event ID 4688 entries with suspicious command-line arguments. What is your next step?

A) Disable the affected accounts

B) Capture memory for analysis

C) Block network access

D) Review process creation details

Correct Answer: D

Explanation: Event ID 4688 logs process creation details, including command-line arguments. Reviewing these details can provide context for the suspicious activity. Disabling accounts, capturing memory, or blocking network access are containment steps that require more evidence.

Question 2

While reviewing the SRUM database, you find an entry showing high network usage by 'process.exe'. What should be your next step in incident response?

A) Immediately terminate 'process.exe'.

B) Correlate with firewall and network logs.

C) Reboot the system to stop the process.

D) Ignore, as SRUM data is unreliable.

Correct Answer: B

Explanation: Correlating with firewall and network logs helps confirm suspicious activity and determine the scope of the incident. Immediate termination or rebooting can disrupt evidence collection.

Question 3

You find Event ID 4624 with LogonType=3 and Authentication Package NTLM, followed by a 4776 event on the domain controller. What does this sequence indicate?

A) A local service account logon

B) A Kerberos-based logon attempt

C) A successful NTLM network logon

D) An RDP session establishment

Correct Answer: C

Explanation: The pairing of 4776 (NTLM validation at the DC) with 4624 LogonType=3 confirms a successful NTLM-based network logon.

Question 4

Which event ID would you prioritize to confirm a user-initiated shutdown?

A) Event ID 1074

B) Event ID 6006

C) Event ID 4625

D) Event ID 1102

Correct Answer: A

Explanation: Event ID 1074 logs user-initiated shutdowns or restarts. Event ID 6006 indicates the event log service stopped, Event ID 4625 logs failed logon attempts, and Event ID 1102 logs event log clearing.

Question 5

Prioritize the following actions after identifying suspicious Event ID 4648 entries: Logon Type: 9, Account Name: 'admin'.

A) Isolate the affected host

B) Reset the admin password

C) Conduct a full malware scan

D) Review recent software installations

Correct Answer: A

Explanation: Event ID 4648 with Logon Type 9 indicates a suspicious use of explicit credentials, suggesting potential credential theft. The priority is to isolate the host to prevent further unauthorized access. Option B is secondary because isolation is more immediate. Options C and D are not immediate responses to credential misuse.

Question 6

You find a Prefetch file named 'notepad.exe-3F2A1B2C.pf'. What can you infer about 'notepad.exe' from this artifact?

A) It was executed recently.

B) It is a malicious executable.

C) It is a system service.

D) It was never executed.

Correct Answer: A

Explanation: Prefetch files are created when an application is executed, to improve startup performance. The presence of a Prefetch file for 'notepad.exe' indicates recent execution.

Question 7

Correlate the following artifacts to determine the initial access vector: Event ID 1102, Event ID 4625, Logon Type 3.

A) Phishing email

B) Brute force attack

C) Malicious USB

D) Drive-by download

Correct Answer: B

Explanation: Event ID 4625 with Logon Type 3 indicates a failed network logon attempt, which is characteristic of a brute force attack. Event ID 1102 indicates the security log was cleared, possibly to hide such attempts. Option A is incorrect as it does not match the logon type. Options C and D are incorrect as they do not involve network logons.

Question 8

An analyst finds a series of failed logons followed by a successful logon in the Security Event Log. Which Event ID indicates the successful logon?

A) 4625

B) 4624

C) 4768

D) 4771

Correct Answer: B

Explanation: Event ID 4624 indicates a successful logon. Event ID 4625 is for failed logons. Event ID 4768 is for Kerberos authentication ticket requests, and 4771 is for failed Kerberos pre-authentication.

Question 9

During an incident response, you need to identify the process that launched a suspicious executable. Which artifact is most useful?

A) Windows Event Log

B) Prefetch file

C) ShimCache

D) AmCache

Correct Answer: A

Explanation: Windows Event Logs, specifically Event ID 4688, provide information about process creation, including the parent process. Prefetch files show execution but not the parent process. ShimCache and AmCache provide execution evidence but lack parent process details.

Question 10

You find Event ID 1102 in the Security log. What does this event indicate?

A) The event log was cleared.

B) A user account was locked out.

C) A policy change was made.

D) A new audit policy was applied.

Correct Answer: A

Explanation: Event ID 1102 is logged when the security event log is cleared, which can be a sign of malicious activity. Option B is incorrect because account lockouts are logged with Event ID 4740. Option C is incorrect as policy changes are logged with Event ID 4719. Option D is incorrect as audit policy changes are logged with Event ID 4719.

About GCFA Certification

The GCFA certification validates your expertise in the Analyzing Volatile Windows Event Artifacts domain and other critical domains. Our comprehensive practice questions are carefully crafted to mirror the actual exam experience and help you identify knowledge gaps before test day.
