GCFA Practice Questions: Introduction to File System Timeline Forensics Domain
Test your GCFA knowledge with 10 practice questions from the Introduction to File System Timeline Forensics domain. Includes detailed explanations and answers.
Master the Introduction to File System Timeline Forensics Domain
Test your knowledge in the Introduction to File System Timeline Forensics domain with these 10 practice questions. Each question is designed to help you prepare for the GCFA certification exam with detailed explanations to reinforce your learning.
Question 1
While analyzing a timeline, you notice a gap in event logs between 02:00 and 03:00. What is the most plausible explanation?
Correct Answer: C
Explanation: A gap in logging most often means the system was powered off or asleep, so nothing was recorded. Confirm that before moving on: look for shutdown and startup markers around the gap (System log Event IDs 6006 and 6005 from EventLog, 1074 for a requested shutdown or restart, 12 and 13 from Kernel-General, 42 from Kernel-Power for entering sleep and 1 from Power-Troubleshooter for resuming) and check whether the USN Journal and file system timestamps are equally silent in that hour. If the logs simply stop and restart with no such markers, treat the gap as suspicious rather than benign: clearing the Security log leaves Event ID 1102, clearing the System or Application log leaves Event ID 104, and a system clock change leaves Event ID 4616.
Question 2
Given the following timeline entry: '2023-10-15 10:15:32, C:\Users\Admin\Documents\report.docx, M, 0x00000003', what action does the 'M' indicate?
Correct Answer: B
Explanation: The 'M' indicates that the file's content was modified. In mactime-style timelines the MACB column shows which of a file's four NTFS timestamps fired at that moment: M for content modified, A for last accessed, C for MFT entry (metadata) changed and B for born (created), with a dot in place of any letter that does not apply. A row with only M set means 10:15:32 is when report.docx was last written, not when it was created or opened; the same file appears on other rows for its A, C and B times.
Question 3
While analyzing an NTFS file system, you find a file with a last modified timestamp that is earlier than its creation timestamp. What is the most plausible explanation for this anomaly?
Correct Answer: A
Explanation: A copy creates a new file, so Windows sets its creation (B) timestamp to the time of the copy while carrying over the source file's last modified (M) timestamp. The result is a creation time later than the modification time, which is normal for copied or extracted files. A move within the same volume keeps the original creation time, so it does not produce this pattern. Timestamp manipulation (timestomping) can produce the same ordering, so before calling it benign compare the $STANDARD_INFORMATION timestamps with the $FILE_NAME timestamps in the MFT record, which are set when the file is created, renamed or moved and are much harder to alter, and look for sub-second fractions that are exactly zero, a common side effect of timestomping tools.
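A worked example, added for this page and not part of the original question set: the Python below reads Sleuth Kit bodyfile lines (the format fls -m produces and mactime consumes), expands each file into the MACB rows that the 'M' column in Question 2 comes from, and flags files whose M time is older than their B time, the pattern Question 3 describes. The two bodyfile lines are constructed sample data; the paths, inode numbers and epoch values are illustrative only.

```python
"""Added example: turn TSK bodyfile lines into a mactime-style MACB timeline
and flag files whose modified (M) time precedes their created (B) time."""
from collections import defaultdict
from datetime import datetime, timezone
from typing import NamedTuple

# Constructed sample in TSK 3.x bodyfile format (not from a real image):
# MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime  (epoch seconds, UTC)
# report.docx was copied at 2023-10-15 10:15:32, so its M time is older than its B time.
SAMPLE_BODYFILE = """\
0|C:/Users/Admin/Documents/report.docx|1234-128-3|r/rrwxrwxrwx|0|0|52341|1697364932|1697100000|1697364932|1697364932
0|C:/Users/Admin/Documents/notes.txt|1250-128-1|r/rrwxrwxrwx|0|0|812|1697364000|1697363000|1697363000|1697360000
"""


class Row(NamedTuple):
    epoch: int
    flags: str   # MACB letters for the timestamps that fired, '.' for the rest
    size: int
    inode: str
    name: str


def parse_bodyfile(text):
    """Parse bodyfile lines into dicts keyed by the four NTFS timestamps."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split("|")
        if len(fields) != 11:
            raise ValueError(f"expected 11 fields, got {len(fields)}: {line!r}")
        _md5, name, inode, _mode, _uid, _gid, size, atime, mtime, ctime, crtime = fields
        entries.append({"name": name, "inode": inode, "size": int(size),
                        "M": int(mtime), "A": int(atime), "C": int(ctime), "B": int(crtime)})
    return entries


def build_timeline(entries):
    """One row per distinct timestamp per file, sorted oldest first, as mactime does."""
    rows = []
    for e in entries:
        by_time = defaultdict(set)
        for letter in "MACB":
            if e[letter] > 0:           # TSK writes 0 for a timestamp it could not read
                by_time[e[letter]].add(letter)
        for epoch, letters in by_time.items():
            flags = "".join(c if c in letters else "." for c in "MACB")
            rows.append(Row(epoch, flags, e["size"], e["inode"], e["name"]))
    return sorted(rows, key=lambda r: (r.epoch, r.name))


def find_modified_before_created(entries):
    """Files whose M precedes B: copied from elsewhere, or timestamps altered."""
    return [e["name"] for e in entries if 0 < e["M"] < e["B"]]


def fmt(epoch):
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")


if __name__ == "__main__":
    entries = parse_bodyfile(SAMPLE_BODYFILE)
    for r in build_timeline(entries):
        print(f"{fmt(r.epoch)}  {r.flags}  {r.size:>8}  {r.inode:<12}  {r.name}")
    for name in find_modified_before_created(entries):
        print(f"anomaly: {name} has M earlier than B (copied, or timestamps altered)")
```

Running it prints report.docx twice: once with M... on 2023-10-12 (the carried-over modification time) and once with .ACB at 2023-10-15 10:15:32 (the copy), followed by the anomaly line. Point parse_bodyfile at real fls -m output to get the same view of an evidence volume.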
Question 4
You observe a USN Journal entry with the following details. What can you infer from this entry?
File Name: secret.txt
Reason: FILE_CREATE, DATA_OVERWRITE
Timestamp: 2023-03-05 09:30:00
Correct Answer: B
Explanation: The Reason field of a USN record is a bitmask that accumulates for as long as a handle to the file stays open, so FILE_CREATE together with DATA_OVERWRITE tells you that secret.txt was created and had data written into it under the same handle; the last record written for that handle also carries USN_REASON_CLOSE. The timestamp is when the record was written, not necessarily when a user acted. The record also holds the file's reference number (MFT entry number plus sequence number), which ties it to the MFT record and lets you follow later renames or a FILE_DELETE for the same file. It does not say which user or process made the change; correlate with Security log logons and process execution artifacts for that.
Question 5
During a timeline analysis, you find a file with a recently updated $MFT timestamp but no changes in $SI. What action likely occurred?
Correct Answer: C
Explanation: All four of a file's timestamps (M, A, C and B) live in the $STANDARD_INFORMATION ($SI) attribute of its MFT record, with a second copy in $FILE_NAME that changes less often. A read does not touch the content modified (M) or entry modified (C) timestamps; it only updates the last accessed (A) timestamp, and only if last access updating is enabled for the volume (the NtfsDisableLastAccessUpdate setting), which has been disabled by default on most volumes since Windows Vista. If the entry modified (C) time is recent while M is unchanged, the record's metadata changed without a content write, for example a rename, a permissions change, or an added attribute or data stream. The USN Journal records the reason for each such change, so use it to confirm which operation moved the timestamp.
Question 6
When analyzing a file system timeline, which artifact is most useful for determining the last access time of a file on an NTFS volume?
Correct Answer: A
Explanation: The file's MFT record holds its last accessed time in the $STANDARD_INFORMATION attribute (with a copy in $FILE_NAME), so the MFT is where to read it. Check the NtfsDisableLastAccessUpdate setting before trusting the value: when last access updates are disabled, the default on most volumes since Windows Vista, the A timestamp stops changing, and even when enabled NTFS may delay writing it by up to an hour. Prefetch files record when an executable was run, ShimCache records an executable's $STANDARD_INFORMATION modification time rather than when it was accessed, and a registry key's LastWrite time describes the key rather than any file, so none of them answers the question for an arbitrary file.
Question 7
While analyzing a file system timeline, you observe multiple entries with sequential timestamps within seconds. What might this indicate?
Correct Answer: B
Explanation: Many entries within a few seconds, often in alphabetical or directory order, are the signature of an automated process such as a script, installer, scheduled task, backup job or malware dropping its components. A person working interactively produces irregular, slower activity spread across a session. Check what the files are and where they landed, whether a new process or scheduled task started just before the run, and whether the same pattern repeats at fixed intervals.
Question 8
During a forensic investigation, a timeline analysis reveals a spike in file creation activity at 3 AM. Which artifact would best help determine if this activity was user-initiated?
Correct Answer: A
Explanation: The Windows Security event log shows whether anyone was logged on at 3 AM. Event ID 4624 gives the account name, the Logon Type (2 interactive at the console, 10 Remote Desktop, 3 network, 4 batch for scheduled tasks, 5 service) and, for remote logons, the source address; 4634 and 4647 mark the end of the session, and 4672 flags logons holding administrative privileges. An interactive or RDP logon shortly before the spike points to a person (or an attacker using stolen credentials); a type 4 or 5 logon, or a Task Scheduler operational log entry around the same time (Event ID 106 for a task being registered, 200 for a task action starting), points to an automated job. If there is no logon at all, consider an already running service as the source, and check for a cleared log (Event ID 1102).
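A worked example, added here and not part of the original question set, covering Questions 1, 7 and 8 together: the Python below takes a list of file-creation events, reports gaps where nothing was recorded for a set minimum period, clusters events that arrive within seconds of each other into bursts, and lists the Security 4624 logons that occurred shortly before each burst. All timestamps, paths, account names and the 203.0.113.7 address are constructed sample data, and the thresholds (30-minute gap, 2-second spacing, 5 events, 15-minute lookback) are illustrative defaults to tune per case.

```python
"""Added example: find silent gaps and automated bursts in a file-creation
timeline, then pull the Security 4624 logons that preceded each burst."""
from datetime import datetime, timedelta

# Constructed sample data (not from a real case): a quiet early morning,
# then six DLLs written one second apart at 03:00.
FILE_EVENTS = [
    "2023-10-15 01:30:12 C:/Users/Admin/Desktop/budget.xlsx",
    "2023-10-15 01:44:51 C:/Users/Admin/AppData/Local/Temp/~tmp1.tmp",
    "2023-10-15 03:00:01 C:/ProgramData/svc/a.dll",
    "2023-10-15 03:00:02 C:/ProgramData/svc/b.dll",
    "2023-10-15 03:00:03 C:/ProgramData/svc/c.dll",
    "2023-10-15 03:00:04 C:/ProgramData/svc/d.dll",
    "2023-10-15 03:00:05 C:/ProgramData/svc/e.dll",
    "2023-10-15 03:00:06 C:/ProgramData/svc/f.dll",
    "2023-10-15 03:25:07 C:/Users/Admin/Documents/report.docx",
]
# Constructed Security log extract: (time, event id, account, logon type, source address).
LOGON_EVENTS = [
    ("2023-10-15 00:00:04", 4624, "SYSTEM", 5, "-"),
    ("2023-10-15 02:58:40", 4624, "Admin", 10, "203.0.113.7"),
    ("2023-10-15 03:02:15", 4634, "Admin", 10, "-"),
]
LOGON_TYPES = {2: "Interactive", 3: "Network", 4: "Batch", 5: "Service", 7: "Unlock",
               10: "RemoteInteractive (RDP)", 11: "CachedInteractive"}


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def find_gaps(times, min_gap):
    """Consecutive events at least min_gap apart: check for shutdown, sleep or cleared logs."""
    times = sorted(times)
    return [(a, b) for a, b in zip(times, times[1:]) if b - a >= min_gap]


def find_bursts(times, max_interval, min_events):
    """Runs of at least min_events with no more than max_interval between neighbours."""
    clusters, current = [], []
    for t in sorted(times):
        if current and t - current[-1] > max_interval:
            clusters.append(current)
            current = []
        current.append(t)
    if current:
        clusters.append(current)
    return [(c[0], c[-1], len(c)) for c in clusters if len(c) >= min_events]


def logons_before(moment, logon_events, lookback):
    """4624 logons within lookback before moment, with the logon type spelled out."""
    hits = []
    for ts, event_id, account, logon_type, source in logon_events:
        t = parse_ts(ts)
        if event_id == 4624 and moment - lookback <= t <= moment:
            hits.append((t, account, LOGON_TYPES.get(logon_type, f"type {logon_type}"), source))
    return hits


def analyze(file_events, logon_events, min_gap=timedelta(minutes=30),
            max_interval=timedelta(seconds=2), min_events=5, lookback=timedelta(minutes=15)):
    times = [parse_ts(line[:19]) for line in file_events]   # first 19 chars are the timestamp
    bursts = find_bursts(times, max_interval, min_events)
    return {
        "gaps": find_gaps(times, min_gap),
        "bursts": bursts,
        "burst_logons": {start: logons_before(start, logon_events, lookback) for start, _, _ in bursts},
    }


if __name__ == "__main__":
    result = analyze(FILE_EVENTS, LOGON_EVENTS)
    for a, b in result["gaps"]:
        print(f"gap: no file activity from {a} to {b} ({b - a})")
    for start, end, n in result["bursts"]:
        print(f"burst: {n} files created between {start} and {end}")
        for t, account, kind, source in result["burst_logons"][start]:
            print(f"  preceded by 4624 at {t}: {account}, {kind}, from {source}")
```

On the sample data this reports one gap (01:44:51 to 03:00:01), one six-file burst at 03:00, and an RDP logon by Admin from 203.0.113.7 at 02:58:40 just before it, which is the correlation Question 8 is after. A real run would feed it the file-creation rows of a super timeline and 4624/4634 records exported from the Security log.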
Question 9
You are reviewing an MFT entry and notice the sequence number has increased. What does this change suggest about the file?
Correct Answer: C
Explanation: Each MFT record carries a 16-bit sequence number that NTFS increments when the record is freed and reused, so a higher sequence number means the original file was deleted and a different file now occupies the same MFT entry. Renaming, modifying or moving a file changes names and timestamps but leaves the sequence number alone. The sequence number forms the high 16 bits of the 64-bit file reference number (the low 48 bits are the entry number), and that full reference is stored in directory index entries, in the parent pointer of each $FILE_NAME attribute and in USN Journal records. A stored reference whose sequence number is lower than the live record's therefore points at the earlier, deleted occupant of the entry, which is how tools tell a recovered directory entry or journal record from the file that currently holds the record.
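A worked example, added here and not part of the original question set: the Python below parses USN_RECORD_V2 structures as they appear in the $UsnJrnl:$J stream, decodes the Reason bitmask from Question 4, and splits each file reference number into the MFT entry number and sequence number discussed in Question 9 so that reuse of an entry can be detected. The sample journal is constructed in the code itself; the file names, entry numbers, USN values and timestamps are illustrative, while the header layout and reason constants follow the Windows SDK definitions.

```python
"""Added example: parse USN_RECORD_V2 structures from a $UsnJrnl:$J stream, decode the
Reason bitmask, and split file reference numbers into MFT entry and sequence number."""
import struct
from datetime import datetime, timedelta, timezone
from functools import reduce

# Reason bits from the Windows SDK (winioctl.h); a subset, other bits are reported as UNKNOWN.
USN_REASONS = {
    0x00000001: "DATA_OVERWRITE", 0x00000002: "DATA_EXTEND", 0x00000004: "DATA_TRUNCATION",
    0x00000010: "NAMED_DATA_OVERWRITE", 0x00000020: "NAMED_DATA_EXTEND",
    0x00000040: "NAMED_DATA_TRUNCATION", 0x00000100: "FILE_CREATE", 0x00000200: "FILE_DELETE",
    0x00000800: "SECURITY_CHANGE", 0x00001000: "RENAME_OLD_NAME", 0x00002000: "RENAME_NEW_NAME",
    0x00008000: "BASIC_INFO_CHANGE", 0x00200000: "STREAM_CHANGE", 0x80000000: "CLOSE",
}
KNOWN_REASON_MASK = reduce(lambda a, b: a | b, USN_REASONS)

# USN_RECORD_V2 fixed part: 60 bytes, little-endian; the UTF-16LE name sits at FileNameOffset.
HEADER = struct.Struct("<IHHQQqqIIIIHH")
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)   # FILETIME is 100 ns units

def datetime_to_filetime(dt):
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10

def split_file_reference(frn):
    """NTFS file reference: low 48 bits = MFT entry number, high 16 bits = sequence number."""
    return frn & 0xFFFFFFFFFFFF, frn >> 48

def decode_reason(reason):
    names = [name for bit, name in sorted(USN_REASONS.items()) if reason & bit]
    if reason & ~KNOWN_REASON_MASK:
        names.append(f"UNKNOWN(0x{reason & ~KNOWN_REASON_MASK:08x})")
    return names

def parse_usn_record_v2(buf, offset=0):
    """Parse one record at offset; returns (record dict, offset of the next record)."""
    (length, major, minor, frn, parent_frn, usn, ts, reason, _source, _sec_id,
     attrs, name_len, name_off) = HEADER.unpack_from(buf, offset)
    if major != 2:
        raise ValueError(f"unsupported USN_RECORD version {major}.{minor}")
    if length < HEADER.size or offset + length > len(buf):
        raise ValueError("record length runs past the end of the buffer")
    name = buf[offset + name_off:offset + name_off + name_len].decode("utf-16-le")
    entry, seq = split_file_reference(frn)
    return {"usn": usn, "timestamp": filetime_to_datetime(ts), "name": name,
            "mft_entry": entry, "sequence": seq, "parent_entry": split_file_reference(parent_frn)[0],
            "reasons": decode_reason(reason), "attributes": attrs}, offset + length

def parse_journal(buf):
    records, off = [], 0
    while off < len(buf):
        rec, off = parse_usn_record_v2(buf, off)
        records.append(rec)
    return records

def find_entry_reuse(records):
    """MFT entries whose sequence number rose between records: the entry was freed and reused."""
    last_seq, reused = {}, []
    for r in records:
        prev = last_seq.get(r["mft_entry"])
        if prev is not None and r["sequence"] > prev:
            reused.append((r["mft_entry"], prev, r["sequence"], r["name"]))
        last_seq[r["mft_entry"]] = r["sequence"]
    return reused

def build_usn_record_v2(usn, frn, parent_frn, when, reason, name, attrs=0x20):
    """Serialize a record as NTFS lays it out (8-byte aligned); used here only to build sample data."""
    name_bytes = name.encode("utf-16-le")
    length = HEADER.size + len(name_bytes)
    length += (-length) % 8
    header = HEADER.pack(length, 2, 0, frn, parent_frn, usn, datetime_to_filetime(when),
                         reason, 0, 0, attrs, len(name_bytes), HEADER.size)
    return header + name_bytes + bytes(length - HEADER.size - len(name_bytes))

# Constructed sample journal (not from a real volume): secret.txt is created and written in MFT
# entry 38 (sequence 5), then deleted, then entry 38 is reused for notes.txt (sequence 6).
T0 = datetime(2023, 3, 5, 9, 30, tzinfo=timezone.utc)
SAMPLE_JOURNAL = b"".join([
    build_usn_record_v2(0, (5 << 48) | 38, (1 << 48) | 5, T0, 0x80000101, "secret.txt"),
    build_usn_record_v2(80, (5 << 48) | 38, (1 << 48) | 5, T0 + timedelta(minutes=1), 0x80000200, "secret.txt"),
    build_usn_record_v2(160, (6 << 48) | 38, (1 << 48) | 5, T0 + timedelta(minutes=2), 0x80000100, "notes.txt"),
])

if __name__ == "__main__":
    records = parse_journal(SAMPLE_JOURNAL)
    for r in records:
        print(f"USN {r['usn']:>4} {r['timestamp']:%Y-%m-%d %H:%M:%S} entry {r['mft_entry']} "
              f"seq {r['sequence']} {r['name']:<11} {'|'.join(r['reasons'])}")
    for entry, old, new, name in find_entry_reuse(records):
        print(f"MFT entry {entry} reused: sequence {old} -> {new}, now holds {name}")
```

The first record decodes to DATA_OVERWRITE|FILE_CREATE|CLOSE on entry 38 sequence 5, which is the Question 4 scenario; the third record shows the same entry at sequence 6 under a new name, which is the Question 9 scenario. To run it against evidence, extract $UsnJrnl:$J from the volume and pass its bytes to parse_journal, skipping the sparse zero region at the start of the stream.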
Question 10
Given the following MFT entry snippet, what can you infer about the file's status?
Filename: report.docx
Creation Time: 2023-09-15 10:23:45
Modification Time: 2023-09-15 10:25:00
Access Time: 2023-09-15 10:24:00
Entry Modified Time: 2023-09-15 10:25:00
Correct Answer: D
Explanation: The modified (M) and entry modified (C) times are both 10:25:00, later than creation (10:23:45) and last access (10:24:00). That is the pattern a save leaves: writing the content updates M, and the resulting change to the MFT record updates C in the same operation. The access time between creation and save shows the file was opened in that interval, provided last access updates were enabled. The timestamps say nothing about whether the file has since been deleted: deleting a file marks its MFT record as not in use and does not rewrite the $STANDARD_INFORMATION timestamps, so read the record's in-use flag or look for a FILE_DELETE in the USN Journal rather than inferring deletion from the times shown.
Ready to Accelerate Your GCFA Preparation?
Join thousands of professionals who are advancing their careers through expert certification preparation with FlashGenius.
- ✅ Unlimited practice questions across all GCFA domains
- ✅ Full-length exam simulations with real-time scoring
- ✅ AI-powered performance tracking and weak area identification
- ✅ Personalized study plans with adaptive learning
- ✅ Mobile-friendly platform for studying anywhere, anytime
- ✅ Expert explanations and study resources
About GCFA Certification
The GCFA certification validates your expertise in file system timeline forensics and the other GCFA domains. Our practice questions are written to mirror the exam experience and to help you find knowledge gaps before test day.
Keep Practicing: GCFA Topic-Focused Question Sets
Sharpen your incident response & forensics skills with these targeted FlashGenius practice pages:
- Identification of Normal System/User Activity
- Identification of Malicious System/User Activity
- File System Timeline Artifact Analysis
- Analyzing Volatile Windows/Event Artifacts
- Introduction to File System Timeline Forensics
- Introduction to Memory Forensics
- Windows Artifact Analysis
- NTFS Artifact Analysis
- Enterprise Environment Incident Response
Need a Complete GCFA Roadmap?
Go beyond practice questions — explore the Ultimate GCFA Certification Guide covering exam domains, eligibility, costs, study plan, and preparation strategy.
📘 Read the Ultimate GCFA Guide →