
GCFA Practice Questions: Identification of Malicious System & User Activity Domain

Master the Identification of Malicious System & User Activity Domain

Test your knowledge in the Identification of Malicious System & User Activity domain with these 10 practice questions. Each question is designed to help you prepare for the GCFA certification exam with detailed explanations to reinforce your learning.

Question 1

Correlate the following artifacts to determine the initial infection vector: - ShimCache Entry: MALWARE.EXE - Registry Run Key: MALWARE.EXE - Event ID 4720: New user account created

A) Malicious email attachment

B) Drive-by download

C) USB device infection

D) Remote desktop compromise

Show Answer & Explanation

Correct Answer: A

Explanation: The three artifacts establish that MALWARE.EXE was present on the host and most likely executed (ShimCache records the file path and its last-modified time; on Windows 10 an entry alone is not proof of execution), that it was given persistence through a Run key, and that an account was created afterwards (Event ID 4720). Together they show execution, persistence and post-compromise activity, but none of them records how the executable arrived, so the expected answer, A, rests on the premise that the file was delivered as an email attachment. To confirm the vector you would correlate with artifacts specific to each option: the mail client's attachment cache and a Zone.Identifier alternate data stream on the file for an attachment (A), browser history and download records for a drive-by (B), USBSTOR and SetupAPI entries for removable media (C), and 4624 events with Logon Type 10 for a remote desktop compromise (D).

Question 2

While analyzing Prefetch files, you notice a program executed multiple times. What can this indicate?

A) The program is part of scheduled tasks

B) The program crashes frequently

C) The program is used regularly by a user

D) The program is malicious

Show Answer & Explanation

Correct Answer: C

Explanation: A Prefetch file stores a run counter and the last execution time (the last eight execution times from Windows 8 onward), so a high run count shows the program was launched repeatedly, which in the absence of other evidence points to regular use. Prefetch does not record which user or which parent started the program, so distinguish the alternatives with other artifacts: scheduled launches appear in the Task Scheduler operational log and in Event IDs 4698/4702, repeated crashes appear in the Application log (Event ID 1000) and Windows Error Reporting, and maliciousness requires examining the binary itself (hash, signature, code), not its run count.

Question 3

Prioritize the following steps upon detecting a suspicious process in memory: 1. Isolate the system 2. Capture memory 3. Analyze process behavior 4. Notify stakeholders

A) 1, 2, 3, 4

B) 2, 3, 1, 4

C) 3, 1, 2, 4

D) 4, 1, 2, 3

Show Answer & Explanation

Correct Answer: A

Explanation: Isolating the system prevents further compromise or lateral movement, capturing memory preserves volatile evidence, analysis identifies what the process is doing, and notification informs stakeholders. Isolate at the network layer (disable the interface, shut the switch port, or use EDR containment) rather than powering the host off, because a shutdown destroys the memory you want to capture in step 2; then image memory with a trusted tool before any other action that could alter it.

Question 4

Given the following Windows Event Log entry, which activity is most likely indicated? Event ID: 4624 Logon Type: 3 Account Name: jdoe Workstation Name: WS01 A network logon was recorded.

A) Interactive logon from WS01

B) Remote desktop session initiated

C) Network logon to access shared resources

D) Scheduled task execution

Show Answer & Explanation

Correct Answer: C

Explanation: Event ID 4624 with Logon Type 3 is a network logon: the account authenticated to this host over the network without an interactive session, which is how SMB share access, ADMIN$ connections (PsExec-style lateral movement) and WinRM appear. In a type 3 event the Workstation Name field is the source, so jdoe connected from WS01 to the host that logged the event. Option A is incorrect because Logon Type 2 indicates an interactive (console) logon. Option B is incorrect because a remote desktop session is Logon Type 10 (RDP with Network Level Authentication first records a type 3 logon for credential validation, then a type 10 for the session, so look for both). Option D is unrelated, since scheduled tasks run under Logon Type 4 (batch).

Question 5

Analyzing the USN Journal, you find frequent changes to files in a specific directory. What action should you prioritize?

A) Investigate potential data exfiltration

B) Restore files from backup

C) Disable write access to the directory

D) Delete the USN Journal entries

Show Answer & Explanation

Correct Answer: A

Explanation: The USN Journal ($Extend\$UsnJrnl:$J) records every file creation, modification, rename and deletion with a reason code and timestamp, so a burst of changes in one directory can indicate staging for exfiltration (files copied, renamed or archived before being sent out), ransomware encryption, or an attacker's tooling being unpacked. Investigating first establishes which process made the changes (correlate with 4688 process creation and Prefetch) and what the files were. Restoring from backup or disabling write access changes the system before you understand it, and deleting journal entries destroys evidence.

Question 6

In a network capture, you observe DNS queries with suspiciously long subdomain names. This pattern most likely indicates which type of attack?

A) DNS amplification attack

B) DNS tunneling for data exfiltration

C) Domain generation algorithm (DGA)

D) DNS cache poisoning

Show Answer & Explanation

Correct Answer: B

Explanation: Long, high-entropy subdomain labels, usually many of them under a single registered domain and often carried in TXT, NULL or CNAME queries, are the signature of DNS tunneling: the client encodes outbound data in the query name and the attacker's authoritative server decodes it and can return data in the response. A DGA is recognised differently: the bot queries many distinct, randomly generated registered domains and most of them come back NXDOMAIN until one the operator has registered resolves, so the tell is the NXDOMAIN rate and domain churn, not label length. DNS amplification abuses open resolvers to reflect large responses at a victim, and cache poisoning targets resolver answers rather than query names.
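The distinction the explanation draws (tunneling is long high-entropy labels under one domain; a DGA is many different registered domains answered NXDOMAIN) can be turned into a small triage script. The following is an added example, not code from the original page or from FlashGenius. It runs over a constructed list of (query name, type, response code) tuples standing in for a parsed capture; the registered-domain helper is a deliberate simplification that takes the last two labels, where a real tool would consult the Public Suffix List, and the thresholds are assumptions to tune per environment.

```python
import math
from collections import defaultdict

# Constructed sample of (qname, qtype, rcode) tuples. These are made-up
# values standing in for a parsed packet capture, not data from the page.
SAMPLE_QUERIES = [
    ("www.example.com", "A", "NOERROR"),
    ("mail.example.com", "A", "NOERROR"),
    ("cdn.static-assets.example.org", "A", "NOERROR"),
    # Tunnel-style: long hex labels under one attacker-controlled domain
    ("a3f9c2b7e1d04c8a9b5e6f7d8c9a0b1c2d3e4f5a6b7c8d9e0f1a2b3c4d5e6f7a8.t.exfil-example.net", "TXT", "NOERROR"),
    ("9c8b7a6f5e4d3c2b1a0f9e8d7c6b5a4f3e2d1c0b9a8f7e6d5c4b3a2f1e0d9c8b.t.exfil-example.net", "TXT", "NOERROR"),
    ("0f1e2d3c4b5a69788796a5b4c3d2e1f00f1e2d3c4b5a69788796a5b4c3d2e1f0.t.exfil-example.net", "NULL", "NOERROR"),
    # DGA-style: many distinct random registered domains, mostly NXDOMAIN
    ("xkqzvbplmwtr.com", "A", "NXDOMAIN"),
    ("qwpfjzlmvbxk.net", "A", "NXDOMAIN"),
    ("hzvtqmxplkwb.org", "A", "NXDOMAIN"),
]

def shannon_entropy(text: str) -> float:
    """Bits per character; encoded data (hex, base32) sits well above hostnames."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def registered_domain(qname: str) -> str:
    """Assumption: eTLD+1 is the last two labels. Use the Public Suffix List in
    real tooling so that names such as example.co.uk are handled correctly."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])

def subdomain_part(qname: str) -> str:
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[:-2])

def classify(queries, min_sub_len=40, min_entropy=3.5, min_nxdomain=3):
    """Return (tunnel_domains, dga_suspects).

    Tunneling: two or more long, high-entropy subdomains under ONE registered
    domain (data-carrying qtypes such as TXT/NULL/CNAME are counted as well).
    DGA: MANY distinct registered domains answered NXDOMAIN. Thresholds are
    assumptions for this constructed sample."""
    per_domain = defaultdict(lambda: {"long": 0, "total": 0, "data_qtype": 0})
    nxdomain_domains = set()
    for qname, qtype, rcode in queries:
        reg = registered_domain(qname)
        sub = subdomain_part(qname)
        stats = per_domain[reg]
        stats["total"] += 1
        if len(sub) >= min_sub_len and shannon_entropy(sub) >= min_entropy:
            stats["long"] += 1
        if qtype in ("TXT", "NULL", "CNAME"):
            stats["data_qtype"] += 1
        if rcode == "NXDOMAIN":
            nxdomain_domains.add(reg)
    tunnel = sorted(d for d, s in per_domain.items() if s["long"] >= 2)
    dga = sorted(nxdomain_domains) if len(nxdomain_domains) >= min_nxdomain else []
    return tunnel, dga

if __name__ == "__main__":
    tunnel, dga = classify(SAMPLE_QUERIES)
    print("DNS tunneling suspects:", tunnel)
    print("DGA suspects (NXDOMAIN churn):", dga)
```

On the constructed sample the tunnel check flags only exfil-example.net, while the three random .com/.net/.org names are reported as DGA candidates because of their NXDOMAIN answers, not their length.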

Question 7

An analyst reviews the following Windows Event Log entry: Event ID 4624, Logon Type 2, Account Name: 'jdoe'. What does this indicate?

A) A successful network logon.

B) A successful interactive logon.

C) A failed remote logon attempt.

D) A service logon event.

Show Answer & Explanation

Correct Answer: B

Explanation: Event ID 4624 with Logon Type 2 indicates a successful interactive logon: the user authenticated at the console (or through RunAs with a different account). Option A is incorrect because a network logon is Logon Type 3. Option C is incorrect because 4624 only records successful logons; failures are logged as Event ID 4625. Option D is incorrect because service logons are Logon Type 5.

Question 8

During an incident response, which Windows Event ID is crucial for identifying a user account creation?

A) 4624

B) 4720

C) 4688

D) 4648

Show Answer & Explanation

Correct Answer: B

Explanation: Event ID 4720 is logged when a new user account is created; its Subject fields identify the account that performed the creation and its Target fields the new account, which makes it the primary indicator of unauthorized account creation during an incident. The distractors mark other stages of activity: 4624 is a successful logon, 4688 is process creation (including the command line when that auditing is enabled), and 4648 is a logon using explicit credentials such as RunAs. Follow the new account's lifecycle with 4722 (enabled), 4728/4732 (added to a domain/local group) and 4726 (deleted).

Question 9

Prioritize the following actions when containing a suspected malware infection based on these artifacts: Event ID: 1102 Description: The audit log was cleared. File Path: C:\Windows\Temp\suspicious.exe

A) Notify IT security team

B) Delete suspicious.exe

C) Isolate the affected system

D) Clear the audit log again for investigation

Show Answer & Explanation

Correct Answer: C

Explanation: Isolating the affected system comes first (network containment rather than shutdown, so memory and the running process stay available) because it stops the malware spreading and the intruder cleaning up further. Notifying the IT security team is important but secondary to containment. Deleting suspicious.exe destroys the primary evidence; hash and preserve a copy instead. Clearing the log again would compound the damage: Event ID 1102 records in its Subject fields which account cleared the log and is itself the first entry written to the fresh log, so it is evidence of anti-forensic activity in its own right.
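Questions 4, 7, 8 and 9 all turn on reading Security log events by ID and Logon Type and relating them in time. The following is an added example, not code from the original page or from FlashGenius: it walks a constructed list of flattened events (shaped like an EVTX-to-JSON export, with made-up timestamps, names and the path from Question 9), names the logon type, flags 4720 and 1102, and applies one correlation rule, an account creation shortly after a Logon Type 3 session by the same user, which means nobody was at the console. The Temp/Public path heuristic and the ten-minute window are assumptions to tune per environment.

```python
from datetime import datetime, timedelta, timezone

# Logon Type values carried in a 4624 event; the questions above rely on 2, 3 and 10.
LOGON_TYPES = {
    2: "Interactive (console, or RunAs)",
    3: "Network (SMB shares, WinRM, ADMIN$ via PsExec, RDP pre-auth under NLA)",
    4: "Batch (scheduled task)",
    5: "Service",
    7: "Unlock",
    8: "NetworkCleartext",
    9: "NewCredentials (runas /netonly)",
    10: "RemoteInteractive (RDP / Terminal Services)",
    11: "CachedInteractive",
}

# Constructed events shaped like a flattened EVTX-to-JSON export.
# Made-up records for this example, not data from the original page.
SAMPLE_EVENTS = [
    {"time": "2023-03-15T14:29:50Z", "id": 4624, "logon_type": 3,
     "account": "jdoe", "workstation": "WS01", "src_ip": "10.0.0.25"},
    {"time": "2023-03-15T14:30:02Z", "id": 4688, "account": "jdoe",
     "process": "C:\\Windows\\Temp\\suspicious.exe"},
    {"time": "2023-03-15T14:31:10Z", "id": 4720, "account": "jdoe",
     "target": "svc_backup"},
    {"time": "2023-03-15T14:35:00Z", "id": 1102, "account": "jdoe"},
    {"time": "2023-03-15T15:00:00Z", "id": 4624, "logon_type": 2,
     "account": "asmith", "workstation": "WS02"},
]

def parse_time(ts: str) -> datetime:
    """Event timestamps in the export are UTC ISO-8601 with a trailing Z."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def logon_type_name(code: int) -> str:
    return LOGON_TYPES.get(code, f"unknown({code})")

def triage(events, window=timedelta(minutes=10)):
    """Walk events in time order and return findings as {"rule", "time", "detail"}.

    The last rule (4720 within `window` of a type-3 logon by the same account)
    is a heuristic for 'account created over a network session'."""
    findings = []
    last_network_logon = {}  # account -> time of most recent 4624 Logon Type 3
    for ev in sorted(events, key=lambda e: parse_time(e["time"])):
        t, eid, who = parse_time(ev["time"]), ev["id"], ev.get("account", "?")
        if eid == 4624:
            lt = ev["logon_type"]
            if lt == 3:
                last_network_logon[who] = t
            elif lt == 10:
                findings.append({"rule": "rdp_session", "time": t,
                                 "detail": f"{who} RDP from {ev.get('src_ip', '?')}"})
        elif eid == 4688:
            path = ev.get("process", "").lower()
            # Assumption: Temp and Users\Public are treated as staging directories.
            if "\\temp\\" in path or "\\users\\public\\" in path:
                findings.append({"rule": "suspicious_process_path", "time": t,
                                 "detail": f"{who} ran {ev['process']}"})
        elif eid == 4720:
            findings.append({"rule": "account_created", "time": t,
                             "detail": f"{who} created {ev.get('target', '?')}"})
            prev = last_network_logon.get(who)
            if prev is not None and t - prev <= window:
                gap = int((t - prev).total_seconds())
                findings.append({"rule": "account_created_after_network_logon", "time": t,
                                 "detail": f"{who}: 4720 {gap}s after a {logon_type_name(3)} logon"})
        elif eid == 1102:
            findings.append({"rule": "audit_log_cleared", "time": t,
                             "detail": f"Security log cleared by {who}"})
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f["time"].isoformat(), f["rule"], f["detail"])
```

Run against the constructed events it reports the process launched from C:\Windows\Temp, the creation of svc_backup, that creation happening 80 seconds into jdoe's network session, and the log clearing; the later console logon by asmith produces no finding.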

Question 10

An analyst reviews a Prefetch file for 'malware.exe'. The file shows a last run time of 03/15/2023 14:30. What does this timestamp indicate?

A) The file creation date

B) The last execution time of the program

C) The first execution time of the program

D) The file modification date

Show Answer & Explanation

Correct Answer: B

Explanation: Prefetch files store the last execution time of the application (and, from Windows 8 onward, the last eight execution times) so that Windows can pre-load the files the program needs. The value is a 64-bit FILETIME in UTC, written roughly ten seconds after the program started, so convert it to the local time zone before lining it up with other artifacts. Option A is incorrect: the file creation time that matters is the .pf file's own filesystem creation timestamp, which approximates the first execution, not a field inside the file. Option C is incorrect because no first-run field is stored inside the Prefetch data. Option D is unrelated to the Prefetch format, although the .pf file's last-modified time will roughly track the most recent run.
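Questions 2 and 10 both read fields out of a Prefetch file: the run counter and the last-run FILETIME. The following is an added example, not code from the original page or from FlashGenius. It builds a minimal Windows 7 (format version 23) .pf image in memory as constructed test data, then parses the executable name, run times and run count back out and converts the FILETIME to a timezone-aware UTC datetime. The offsets for versions 17, 23 and 26 follow the published Prefetch layout; Windows 10 and 11 files (version 30) are MAM-compressed and are rejected here rather than parsed, and the hash value written into the sample is a placeholder.

```python
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_datetime(ft: int) -> datetime:
    """FILETIME = 100-nanosecond ticks since 1601-01-01, always UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def datetime_to_filetime(dt: datetime) -> int:
    return (dt - FILETIME_EPOCH) // timedelta(microseconds=1) * 10

# (offset of first last-run FILETIME, offset of run counter, number of run-time slots)
# 17 = Windows XP/2003, 23 = Windows 7, 26 = Windows 8.1 (eight run times).
# Version 30 (Windows 10/11) is MAM-compressed and must be decompressed first.
LAYOUT = {17: (120, 144, 1), 23: (128, 152, 1), 26: (128, 208, 8)}

def build_sample_prefetch(exe_name: str, last_run: datetime, run_count: int) -> bytes:
    """Construct a minimal version-23 .pf image. Only the fields parsed below are
    populated; this is constructed test data, not a real capture."""
    buf = bytearray(160)
    struct.pack_into("<I", buf, 0, 23)            # format version
    buf[4:8] = b"SCCA"                              # signature
    struct.pack_into("<I", buf, 12, len(buf))      # file size
    name = exe_name.encode("utf-16-le")
    buf[16:16 + len(name)] = name                   # executable name, 60-byte UTF-16LE field
    struct.pack_into("<I", buf, 76, 0x1A2B3C4D)    # prefetch hash (placeholder value)
    struct.pack_into("<Q", buf, 128, datetime_to_filetime(last_run))
    struct.pack_into("<I", buf, 152, run_count)
    return bytes(buf)

def parse_prefetch(data: bytes) -> dict:
    if data[:3] == b"MAM":
        raise ValueError("Windows 10+ prefetch is MAM-compressed; decompress before parsing")
    version, sig = struct.unpack_from("<I4s", data, 0)
    if sig != b"SCCA":
        raise ValueError("missing SCCA signature: not a prefetch file")
    if version not in LAYOUT:
        raise ValueError(f"unsupported prefetch version {version}")
    time_off, count_off, n_times = LAYOUT[version]
    name = data[16:76].decode("utf-16-le").split("\x00", 1)[0]
    run_times = [filetime_to_datetime(struct.unpack_from("<Q", data, time_off + 8 * i)[0])
                 for i in range(n_times)]
    run_times = [t for t in run_times if t != FILETIME_EPOCH]  # unused slots are zero
    run_count = struct.unpack_from("<I", data, count_off)[0]
    return {"name": name, "version": version, "run_count": run_count,
            "run_times": run_times, "last_run": max(run_times) if run_times else None}

# Values from Question 10, interpreted as UTC (constructed sample).
SAMPLE_LAST_RUN = datetime(2023, 3, 15, 14, 30, tzinfo=timezone.utc)

def sample_info() -> dict:
    return parse_prefetch(build_sample_prefetch("MALWARE.EXE", SAMPLE_LAST_RUN, 7))

if __name__ == "__main__":
    info = sample_info()
    print(info["name"], "v%d" % info["version"], "runs:", info["run_count"],
          "last run (UTC):", info["last_run"].isoformat())
```

The parser returns the last run as an aware UTC datetime; the exam-style "03/15/2023 14:30" is only meaningful once you know whether the tool that displayed it converted to local time.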


About GCFA Certification

The GCFA certification validates your expertise in identification of malicious system & user activity and other critical domains. Our comprehensive practice questions are carefully crafted to mirror the actual exam experience and help you identify knowledge gaps before test day.

Practice GCFA Exam Domains

Strengthen your GIAC Certified Forensic Analyst (GCFA) prep with domain-specific practice tests. Each set includes realistic multiple-choice questions with detailed explanations to sharpen your forensic analysis skills.

GCFA Cheat Sheet – Quick Forensic Reference

Prepare for the GIAC Certified Forensic Analyst (GCFA) exam with our concise cheat sheet. Covers memory forensics, Windows & NTFS artifacts, timeline analysis, and key incident response techniques in one quick reference guide.