GCFA Practice Questions: Enterprise Environment Incident Response Domain

Master the Enterprise Environment Incident Response Domain

Test your knowledge in the Enterprise Environment Incident Response domain with these 10 practice questions. Each question is designed to help you prepare for the GCFA certification exam with detailed explanations to reinforce your learning.

Question 1

You need to prioritize containment actions after detecting a suspicious process. Which artifact is most critical to examine first?

A) ShimCache

B) AmCache

C) Memory dump

D) SRUM database

Correct Answer: C

Explanation: Memory is the most volatile source and the only one that shows the process as it is running: its parent, command line, loaded modules, injected code, open handles and live network connections. Capture it before isolating or rebooting the host, because containment destroys it. ShimCache, AmCache and the SRUM database are persistent artifacts that survive containment and belong to the later scoping phase (what ran, when, and how much network traffic it generated).

Question 2

In a volatile memory analysis, you find multiple instances of svchost.exe with unusual network connections. What should be your primary focus?

A) Determine the parent process for each svchost.exe.

B) Check the command line arguments used.

C) Identify the services linked to each instance.

D) Analyze the memory dump for malware signatures.

Correct Answer: C

Explanation: A legitimate svchost.exe is started by services.exe with a -k <group> argument and hosts a known set of services, so mapping each instance's PID to the services it hosts (for example with Volatility's svcscan, or tasklist /svc on a live host) tells you whether the network activity belongs to a service that should be talking on the network at all. Parent process and command line are part of the same check: an svchost.exe whose parent is not services.exe, or that has no -k argument, is suspect regardless of which service it claims to host. Signature scanning (D) is useful later but does not explain the connections you already see.

Question 3

Given the following Windows Event Log snippet, what is the most likely activity indicated, and what should be prioritized for investigation?

Event ID: 4624
Logon Type: 10
Subject:
  Security ID: S-1-5-18
  Account Name: SYSTEM

A remote logon was performed.

A) Check for unauthorized RDP access.

B) Investigate local console logon.

C) Examine scheduled task execution.

D) Review recent software installations.

Correct Answer: A

Explanation: Logon Type 10 is RemoteInteractive: a logon through Terminal Services, Remote Desktop or Remote Assistance, so unauthorized RDP access is the first thing to rule out. Read the event carefully: the Subject section (here S-1-5-18, SYSTEM) is the account that requested the logon, which is normal for RDP because winlogon performs it; the account that actually logged on is in the New Logon section (Security ID, Account Name, Logon ID), and the Network Information section gives the source workstation name and IP address. Correlate with TerminalServices-RemoteConnectionManager event 1149 and LocalSessionManager events 21 and 25, and with Security events 4778/4779 for session reconnects and disconnects. A local console logon is Logon Type 2, a scheduled task runs as Logon Type 4, and software installations are not tied to a logon type at all.
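As an added example (not part of the original page), the following Python reads constructed 4624 records in the XML shape Windows writes to the Security log and pulls out the RemoteInteractive logons with the fields that matter for triage: the New Logon account, the source IP and workstation, and the Subject that requested the logon. All user names, hostnames and addresses are made up.

```python
"""Triage Security-log 4624 events for RemoteInteractive (LogonType 10) logons.

Added example, not from the original page. The three events below are
constructed XML in the shape Windows writes to the Security channel; the user
names, hosts and IP addresses are made up.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Logon type codes as documented for event 4624.
LOGON_TYPES = {
    "2": "Interactive (console)",
    "3": "Network",
    "4": "Batch (scheduled task)",
    "5": "Service",
    "7": "Unlock",
    "8": "NetworkCleartext",
    "9": "NewCredentials",
    "10": "RemoteInteractive (RDP / Terminal Services / Remote Assistance)",
    "11": "CachedInteractive",
}


def make_4624(time, subject_sid, subject_name, target, domain, logon_type, ip, wks):
    """Build a constructed 4624 event (test data only)."""
    return f"""<Event xmlns="{NS['e']}">
  <System><EventID>4624</EventID><TimeCreated SystemTime="{time}"/></System>
  <EventData>
    <Data Name="SubjectUserSid">{subject_sid}</Data>
    <Data Name="SubjectUserName">{subject_name}</Data>
    <Data Name="TargetUserName">{target}</Data>
    <Data Name="TargetDomainName">{domain}</Data>
    <Data Name="LogonType">{logon_type}</Data>
    <Data Name="WorkstationName">{wks}</Data>
    <Data Name="IpAddress">{ip}</Data>
  </EventData>
</Event>"""


# Constructed sample: one RDP logon from an external address, one console logon,
# one RDP logon from an internal jump host.
SAMPLE_EVENTS = [
    make_4624("2024-03-01T02:14:09Z", "S-1-5-18", "SYSTEM", "jdoe", "CORP", 10, "203.0.113.7", "KALI"),
    make_4624("2024-03-01T08:30:00Z", "S-1-5-18", "SYSTEM", "jdoe", "CORP", 2, "-", "WS-042"),
    make_4624("2024-03-01T03:02:41Z", "S-1-5-18", "SYSTEM", "svc_backup", "CORP", 10, "10.0.5.21", "JUMP01"),
]


def parse_event(xml_text: str) -> Dict[str, str]:
    """Flatten one event into a dict keyed by EventData field name."""
    root = ET.fromstring(xml_text)
    fields = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}
    fields["EventID"] = root.findtext("e:System/e:EventID", namespaces=NS)
    fields["TimeCreated"] = root.find("e:System/e:TimeCreated", NS).get("SystemTime")
    return fields


def remote_interactive_logons(events: List[str]) -> List[Dict[str, str]]:
    """Return one triage row per 4624 with LogonType 10, sorted by time."""
    rows = []
    for ev in map(parse_event, events):
        if ev.get("EventID") != "4624" or ev.get("LogonType") != "10":
            continue
        rows.append({
            "time": ev["TimeCreated"],
            # New Logon section: the account that actually logged on.
            "user": f"{ev.get('TargetDomainName', '')}\\{ev.get('TargetUserName', '')}",
            # Network Information section: where the session came from.
            "source_ip": ev.get("IpAddress", "-"),
            "workstation": ev.get("WorkstationName", "-"),
            "logon_type": LOGON_TYPES["10"],
            # Subject is the account that *requested* the logon; SYSTEM here is
            # normal (winlogon does it) and must not be mistaken for the attacker.
            "requested_by": ev.get("SubjectUserName", ""),
        })
    return sorted(rows, key=lambda r: r["time"])
```

On a live host the same records come from `Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624}` with `.ToXml()`; the filter and field extraction are unchanged.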

Question 4

An analyst correlates multiple artifacts and suspects data exfiltration. Which artifact should be prioritized to confirm this activity?

A) ShimCache

B) MFT entries

C) Network traffic logs

D) Prefetch files

Correct Answer: C

Explanation: Network evidence is the only artifact in the list that shows data actually leaving the host. Firewall, proxy, NetFlow and DNS logs (or a full packet capture, if one exists) reveal unusual destinations, large or sustained outbound transfers, off-hours activity and unusual upload-to-download ratios; encrypted traffic still exposes volume, timing and destination even when the content is hidden. ShimCache, MFT entries and Prefetch can show that an archiving or transfer tool was staged and run, which supports the hypothesis but does not confirm that data left the network.

Question 5

During an incident response, you find an entry in the MFT with a recent timestamp but no corresponding file in the directory. What might this suggest?

A) The file has been securely deleted.

B) The file was moved to another directory.

C) The file was renamed.

D) The file was created but not yet written to.

Correct Answer: A

Explanation: When NTFS deletes a file it clears the in-use flag on the MFT record and removes the name from the parent directory's $I30 index; the record itself, with its timestamps and data runs, stays until it is reused. A recent record with no matching directory entry therefore indicates deletion, which makes A the best fit among the options, but the MFT alone cannot tell you whether the deletion was secure: a wiping tool typically overwrites the data and often renames the file before deleting it, so check whether the clusters named in the data runs still hold recoverable content and look in the USN journal for DATA_OVERWRITE and RENAME records preceding the FILE_DELETE. A move (B) or rename (C) updates the record and the directory index rather than orphaning the record, and a newly created file (D) already has a directory entry.

Question 6

You are tasked with determining if a system was compromised via a phishing attack. Which artifact would provide the most direct evidence?

A) Email server logs

B) Windows Event Logs

C) Browser history

D) AmCache entries

Correct Answer: A

Explanation: Mail server or gateway logs (message trace, anti-spam and attachment-scanning logs) are the most direct evidence that a phishing message reached the user: sender, envelope and header details, subject, attachment names and delivery time. They generally show delivery, not that the message was opened; to prove the click or the payload, pivot to the endpoint: browser history for the lure URL, the Outlook attachment cache and LNK/recent files, and Windows Event ID 4688 showing an Office process spawning a script interpreter. AmCache and other execution artifacts then show what ran, but say nothing about how it arrived.

Question 7

While analyzing a compromised system, you find an entry in the USN journal indicating a file modification. What is the primary purpose of the USN journal?

A) To log user login events.

B) To track changes to files and directories.

C) To record network activity.

D) To store application crash dumps.

Correct Answer: B

Explanation: The USN change journal ($Extend\$UsnJrnl, with the records in its $J data stream) is an NTFS feature that records every change to files and directories on the volume: creation, deletion, rename (old and new name), data overwrite, extend and truncation, attribute and security changes, each with a timestamp, the MFT reference of the file and of its parent directory, and a reason bitmask. Because it keeps the old name of a renamed file and the name a deleted file carried at deletion, it reconstructs activity that the MFT alone has lost. It is a circular log, so on a busy volume it may cover only days or hours; collect it early. Logins are in the Security event log, network activity is not recorded by NTFS at all, and crash dumps are written by Windows Error Reporting.
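The deletion scenario in Question 5 and the journal in this question can be tied together with a parser. The following Python is an added example, not code from the original page: it builds a constructed $J fragment in the USN_RECORD_V2 layout (the names, MFT numbers and times are made up), mimicking a wiper that overwrites, renames and then deletes a file, parses it back, and recovers the file's name history from the MFT entry number, which is exactly what the post-deletion MFT record alone cannot give you.

```python
"""Parse NTFS $UsnJrnl:$J records (USN_RECORD_V2) and rebuild a file's history.

Added example, not from the original page. The journal bytes below are
constructed with build_usn_v2() to mimic a secure-delete tool that overwrites,
renames and then deletes a file; names, record numbers and times are made up.
"""
import struct
from datetime import datetime, timedelta, timezone
from typing import Dict, List

# USN_RECORD_V2 header (60 bytes): RecordLength, MajorVersion, MinorVersion,
# FileReferenceNumber, ParentFileReferenceNumber, Usn, TimeStamp, Reason,
# SourceInfo, SecurityId, FileAttributes, FileNameLength, FileNameOffset.
_HDR = struct.Struct("<IHHQQqqIIIIHH")

USN_REASONS = {
    0x00000001: "DATA_OVERWRITE", 0x00000002: "DATA_EXTEND",
    0x00000004: "DATA_TRUNCATION", 0x00000100: "FILE_CREATE",
    0x00000200: "FILE_DELETE", 0x00000800: "SECURITY_CHANGE",
    0x00001000: "RENAME_OLD_NAME", 0x00002000: "RENAME_NEW_NAME",
    0x00008000: "BASIC_INFO_CHANGE", 0x80000000: "CLOSE",
}
_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_dt(ft: int) -> datetime:
    return _EPOCH + timedelta(microseconds=ft // 10)


def dt_to_filetime(dt: datetime) -> int:
    d = dt - _EPOCH
    return ((d.days * 86400 + d.seconds) * 1_000_000 + d.microseconds) * 10


def mft_record_number(frn: int) -> int:
    """Low 48 bits of a file reference = MFT entry number; high 16 = sequence."""
    return frn & 0xFFFFFFFFFFFF


def reason_names(flags: int) -> List[str]:
    return [name for bit, name in sorted(USN_REASONS.items()) if flags & bit]


def build_usn_v2(frn, parent_frn, usn, when, reason, name, attrs=0x20) -> bytes:
    """Serialize one record (test data only); real $J is written by NTFS."""
    name_b = name.encode("utf-16-le")
    length = _HDR.size + len(name_b)
    padded = (length + 7) & ~7                      # records are 8-byte aligned
    hdr = _HDR.pack(padded, 2, 0, frn, parent_frn, usn, dt_to_filetime(when),
                    reason, 0, 0, attrs, len(name_b), _HDR.size)
    return hdr + name_b + b"\x00" * (padded - length)


def parse_usn_v2(buf: bytes) -> List[Dict]:
    records, off = [], 0
    while off + _HDR.size <= len(buf):
        (rl, major, _minor, frn, pfrn, usn, ts, reason, _src, _sid, attrs,
         nlen, noff) = _HDR.unpack_from(buf, off)
        if rl == 0:            # zero-filled (sparse) region at the front of $J
            off += 8
            continue
        if major != 2 or rl < _HDR.size:
            raise ValueError(f"unsupported record at offset {off}")
        name = buf[off + noff: off + noff + nlen].decode("utf-16-le")
        records.append({"usn": usn, "time": filetime_to_dt(ts), "frn": frn,
                        "parent_frn": pfrn, "reason": reason, "attrs": attrs,
                        "name": name})
        off += rl
    return records


def name_history(records: List[Dict], mft_entry: int) -> List[str]:
    """Names an MFT entry carried over time, in journal order, without repeats."""
    out: List[str] = []
    for r in records:
        if mft_record_number(r["frn"]) == mft_entry and (not out or out[-1] != r["name"]):
            out.append(r["name"])
    return out


def deleted_files(records: List[Dict]) -> List[Dict]:
    return [r for r in records if r["reason"] & 0x200]


# Constructed journal: create, overwrite, rename, delete of one file
# (MFT entry 1234, sequence 5) in directory entry 77, preceded by sparse zeros.
_FRN = (5 << 48) | 1234
_DIR = (3 << 48) | 77
_T = datetime(2024, 3, 1, 2, 20, tzinfo=timezone.utc)
SAMPLE_J = b"\x00" * 16 + b"".join([
    build_usn_v2(_FRN, _DIR, 1000, _T, 0x100 | 0x80000000, "secret.docx"),
    build_usn_v2(_FRN, _DIR, 1096, _T + timedelta(seconds=40), 0x1 | 0x80000000, "secret.docx"),
    build_usn_v2(_FRN, _DIR, 1192, _T + timedelta(seconds=41), 0x1000, "secret.docx"),
    build_usn_v2(_FRN, _DIR, 1288, _T + timedelta(seconds=41), 0x2000, "AAAAAAAAAAA.AAA"),
    build_usn_v2(_FRN, _DIR, 1384, _T + timedelta(seconds=42), 0x200 | 0x80000000, "AAAAAAAAAAA.AAA"),
])
```

Against a real image, feed `parse_usn_v2` the extracted `$Extend\$UsnJrnl:$J` stream; the DATA_OVERWRITE followed by RENAME_OLD_NAME/RENAME_NEW_NAME and then FILE_DELETE on the same MFT entry is the pattern that turns "deleted" into "wiped", and `name_history` gives back the original name that the MFT record no longer shows.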

Question 8

During an incident response, you identify a suspicious process running on a server. Which artifact would best help determine if this process was executed from a malicious executable?

A) Windows Event ID 4688

B) ShimCache

C) Prefetch

D) USN Journal

Correct Answer: C

Explanation: Prefetch is the strongest single artifact here because it names the executable, hashes its path, stores the last run time (the last eight on Windows 8 and later) and a run count, and lists the files and directories loaded in the first seconds of execution, which often exposes a side-loaded DLL or dropped payload; the .pf file's own creation timestamp approximates the first execution. Two caveats: the Prefetcher is disabled by default on Windows Server editions, so on a server you may have to fall back to the other artifacts, and Event ID 4688 exists only if process-creation auditing is enabled (command-line logging is a separate setting). ShimCache (AppCompatCache) stores the file path and the file's last-modified time, not an execution time, and on Windows 10 an entry proves only that the file was present, not that it ran. The USN journal tracks file changes, not execution.

Question 9

During a Linux incident response, you discover a process has been started via systemd. Which log file would contain the most detailed execution information?

A) /var/log/syslog

B) /var/log/messages

C) journalctl output

D) /var/log/auth.log

Correct Answer: C

Explanation: The systemd journal, read with journalctl, is the authoritative record for anything started by systemd: it stores the unit's stdout and stderr and stamps every entry with trusted fields that journald fills in from the kernel rather than from the process itself (_PID, _UID, _COMM, _EXE, _CMDLINE, _SYSTEMD_UNIT, _SYSTEMD_CGROUP), so `journalctl -u <unit> -o json-pretty` or `-o verbose` shows which binary and command line ran, as which user, and with what exit status. /var/log/syslog and /var/log/messages contain only what rsyslog was configured to forward from the journal and drop those fields, and /var/log/auth.log covers authentication and sudo, not service execution. Caveat: if Storage=volatile is set or /var/log/journal does not exist, the journal lives in /run/log/journal and is lost on reboot, so export it (`journalctl -o export`) or image it before the host is restarted.

Question 10

During an incident response, you find the following Prefetch file: 'WINWORD.EXE-3A4B2C3D.pf'. What is the primary purpose of examining this artifact?

A) Identify the last user who executed the application.

B) Determine the application's execution frequency.

C) Establish the first execution time of the application.

D) Verify the application's digital signature.

Correct Answer: B

Explanation: Prefetch files exist to speed up application loading, and the metadata stored for that purpose is what makes them forensically useful: the executable name, a hash of its path (the 3A4B2C3D in the filename), a run count, the last run time (the last eight on Windows 8 and later) and the files and directories touched during startup. The run count and run times answer "how often and when was Word run", so B is correct. The first execution time is not stored inside the file; the .pf file's creation timestamp on disk is the usual approximation, with the caveat that the file can be deleted and recreated. The user is not recorded either, although paths under C:\Users\<name>\ in the loaded-files list can hint at one, and nothing in Prefetch verifies a digital signature.
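The header fields that Questions 8 and 10 rely on can be read directly. The Python below is an added example, not code from the original page: it constructs minimal version 23 (Windows 7) and version 26 (Windows 8.x) prefetch headers using the documented uncompressed layout, parses back the executable name, path hash, last run times and run count, and checks that the embedded hash matches the on-disk filename (a mismatch means the .pf was renamed or fabricated). Windows 10/11 files (version 30) are MAM-compressed and need decompression first, which is left out; the sample names, times and counts are made up, and the loaded-files and volume sections of a real file are not built.

```python
"""Read the header of a Windows Prefetch (.pf) file: executable, path hash,
last run time(s) and run count.

Added example, not from the original page. The bytes below are constructed
with build_pf() for format versions 17, 23 and 26 using the documented
uncompressed layout; Windows 10/11 files (version 30) are MAM-compressed and
are rejected rather than decompressed here. Names, times and counts are made up.
"""
import struct
from datetime import datetime, timedelta, timezone
from typing import Dict, List

_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Per-version file offsets: (first last-run-time slot, number of slots, run count).
# The 84-byte file header is followed by the file-information block.
_LAYOUT = {
    17: (120, 1, 144),   # Windows XP / 2003
    23: (128, 1, 152),   # Windows Vista / 7
    26: (128, 8, 208),   # Windows 8 / 8.1
}
_FILE_INFO_SIZE = {17: 68, 23: 156, 26: 224}


def filetime_to_dt(ft: int) -> datetime:
    return _EPOCH + timedelta(microseconds=ft // 10)


def dt_to_filetime(dt: datetime) -> int:
    d = dt - _EPOCH
    return ((d.days * 86400 + d.seconds) * 1_000_000 + d.microseconds) * 10


def build_pf(version: int, exe: str, path_hash: int,
             run_times: List[datetime], run_count: int) -> bytes:
    """Constructed header + file-information block (test data only)."""
    last_off, slots, count_off = _LAYOUT[version]
    size = 84 + _FILE_INFO_SIZE[version]
    buf = bytearray(size)
    # version, "SCCA" signature, unknown, file size
    struct.pack_into("<I4sII", buf, 0, version, b"SCCA", 0x11, size)
    # executable name: 60 bytes of UTF-16LE, NUL padded
    buf[16:16 + 60] = exe.encode("utf-16-le").ljust(60, b"\x00")
    struct.pack_into("<I", buf, 76, path_hash)
    for i, t in enumerate(run_times[:slots]):
        struct.pack_into("<Q", buf, last_off + 8 * i, dt_to_filetime(t))
    struct.pack_into("<I", buf, count_off, run_count)
    return bytes(buf)


def parse_pf(buf: bytes) -> Dict:
    if buf[:3] == b"MAM":
        raise NotImplementedError("Windows 10/11 prefetch is MAM-compressed; decompress first")
    version, sig, _unknown, _size = struct.unpack_from("<I4sII", buf, 0)
    if sig != b"SCCA" or version not in _LAYOUT:
        raise ValueError(f"not a supported prefetch file (sig={sig!r}, version={version})")
    exe = buf[16:76].decode("utf-16-le").split("\x00", 1)[0]
    path_hash = struct.unpack_from("<I", buf, 76)[0]
    last_off, slots, count_off = _LAYOUT[version]
    raw_times = struct.unpack_from(f"<{slots}Q", buf, last_off)
    run_times = [filetime_to_dt(t) for t in raw_times if t]   # unused slots are zero
    run_count = struct.unpack_from("<I", buf, count_off)[0]
    return {"version": version, "executable": exe, "path_hash": path_hash,
            "last_run_times": run_times, "run_count": run_count}


def expected_pf_name(parsed: Dict) -> str:
    """Name Windows gives the file; compare with the on-disk name to spot tampering."""
    return f"{parsed['executable']}-{parsed['path_hash']:08X}.pf"


# Constructed samples: Word run 17 times on Windows 8 (three run times kept),
# and 4 times on Windows 7 (only the most recent run time is stored).
_T = datetime(2024, 3, 1, 9, 15, tzinfo=timezone.utc)
SAMPLE_WIN8 = build_pf(26, "WINWORD.EXE", 0x3A4B2C3D,
                       [_T, _T - timedelta(days=1), _T - timedelta(days=3)], 17)
SAMPLE_WIN7 = build_pf(23, "WINWORD.EXE", 0x3A4B2C3D, [_T], 4)
```

For a real file, pair `parse_pf` with the creation timestamp of the .pf itself from the file system to approximate first execution, and read the filename-strings section (not built here) for the DLLs and documents loaded alongside the executable.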
