GCFA Practice Questions: NTFS Artifact Analysis Domain
Test your GCFA knowledge with 10 practice questions from the NTFS Artifact Analysis domain. Includes detailed explanations and answers.
Master the NTFS Artifact Analysis Domain
Test your knowledge in the NTFS Artifact Analysis domain with these 10 practice questions. Each question is designed to help you prepare for the GCFA certification exam with detailed explanations to reinforce your learning.
Question 1
A USN Journal entry shows a file with a Reason Code of '0x00000002'. What does this code primarily indicate?
Correct Answer: C
Explanation: Reason code 0x00000002 is USN_REASON_DATA_EXTEND: data was appended to the file's unnamed data stream, which is one form of content modification (0x00000001 is DATA_OVERWRITE and 0x00000004 is DATA_TRUNCATION). Reason values are bit flags that accumulate across a single open/close cycle, so one record's Reason field may carry several of them at once. The other options correspond to different flags.
Question 2
You are analyzing an MFT entry with the following timestamps: Created: 2023-01-15 10:15:30, Modified: 2023-01-15 10:16:00, Accessed: 2023-01-15 10:17:00, Record Changed: 2023-01-15 10:18:00. Which timestamp would most reliably indicate the file's creation time?
Correct Answer: A
Explanation: The Created timestamp records when the file was created on this volume. Modified is the last write to the file's data, Accessed the last read (only where last-access updates are enabled), and Record Changed the last change to the MFT entry's own metadata. All four are $STANDARD_INFORMATION values, which applications can rewrite through the SetFileTime API; when timestomping is suspected, compare them with the $FILE_NAME creation time, which that API does not expose.
Question 3
You are reviewing the USN Journal and notice multiple entries for the same file. Which action is most likely indicated by these entries?
Correct Answer: C
Explanation: A move or rename within the same volume produces a pair of entries for the same file reference number: USN_REASON_RENAME_OLD_NAME with the old name, followed by USN_REASON_RENAME_NEW_NAME with the new one. Copying creates a new file with its own file reference number, an open that writes nothing produces no record at all, and deleting then re-creating shows FILE_DELETE followed by FILE_CREATE under a new sequence number. Bear in mind that several entries for one file are also normal for an ordinary edit: each change within an open/close cycle adds a record carrying the accumulated reason flags, and the last one also carries USN_REASON_CLOSE.
Question 4
You find a Prefetch file with the last run time of '2023-09-15 14:22:11'. What does this tell you about the associated application?
Correct Answer: B
Explanation: The last run time embedded in a Prefetch file is when the application was last executed; the .pf file is rewritten about ten seconds after the process starts, so the embedded value (and the file's own Modified timestamp) lags the true launch slightly. Windows 8 and later store the eight most recent run times plus a run count, so a single Prefetch file gives a short execution history. Prefetch is a Windows artifact rather than an NTFS structure, and it is absent where the Prefetcher is disabled, as it is by default on Windows Server.
Question 5
When analyzing the USN journal, which field would you prioritize to determine the last modification timestamp of a file?
Correct Answer: B
Explanation: Each USN record carries a TimeStamp field, a 64-bit FILETIME in UTC, recording when that journal entry was written. Read it together with the Reason field: only records carrying data-change flags (DATA_OVERWRITE, DATA_EXTEND, DATA_TRUNCATION, or the NAMED_DATA_* variants for alternate data streams) reflect a modification, and the record that also carries USN_REASON_CLOSE marks the end of that edit. The Usn field is a byte offset within $UsnJrnl:$J that orders records but is not a time.
Question 6
Which NTFS artifact would you correlate with the USN Journal to confirm file creation events?
Correct Answer: A
Explanation: The $MFT. Each USN record's FileReferenceNumber is the file's MFT record number (low 48 bits) plus its sequence number (high 16 bits), so a USN_REASON_FILE_CREATE entry can be matched to the exact MFT entry, whose $STANDARD_INFORMATION and $FILE_NAME creation timestamps should agree with the journal timestamp. The $LogFile, which records the same transaction at a lower level but over a much shorter window, is a second source of corroboration.
Question 7
When reviewing the USN Journal, you find an entry with the reason code 'USN_REASON_FILE_CREATE'. What action does this code most likely represent?
Correct Answer: C
Explanation: USN_REASON_FILE_CREATE (0x00000100) is set when a file or directory is created. A rename or move within the volume produces RENAME_OLD_NAME (0x00001000) and RENAME_NEW_NAME (0x00002000), and deletion produces FILE_DELETE (0x00000200). Because reason flags accumulate until the handle is closed, a file created and written in one session ends with a record such as FILE_CREATE | DATA_EXTEND | CLOSE.
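The reason codes in Questions 1, 3, 5 and 7 and the file reference numbers in Question 6 are fields of the USN_RECORD_V2 structure stored in $Extend\$UsnJrnl:$J. The parser below is an added example written for this page, not code from the original page or from any forensic tool: it walks a buffer of USN_RECORD_V2 records, expands the Reason bitmask into USN_REASON_* names, splits each file reference into MFT record and sequence numbers, converts the FILETIME stamp, and pairs RENAME_OLD_NAME/RENAME_NEW_NAME entries for the same record. The journal bytes are constructed inline from the scenarios in the questions (file reference 12345, the 2023-09-15 14:22:11 timestamp) and are not real evidence; the function and variable names are the example's own.

```python
import struct
from datetime import datetime, timedelta, timezone

# USN_REASON_* bit flags from the Windows SDK (winioctl.h); a record's Reason
# field is the OR of every flag set since the file was opened.
USN_REASONS = {
    0x00000001: "DATA_OVERWRITE", 0x00000002: "DATA_EXTEND",
    0x00000004: "DATA_TRUNCATION", 0x00000010: "NAMED_DATA_OVERWRITE",
    0x00000020: "NAMED_DATA_EXTEND", 0x00000040: "NAMED_DATA_TRUNCATION",
    0x00000100: "FILE_CREATE", 0x00000200: "FILE_DELETE",
    0x00000400: "EA_CHANGE", 0x00000800: "SECURITY_CHANGE",
    0x00001000: "RENAME_OLD_NAME", 0x00002000: "RENAME_NEW_NAME",
    0x00004000: "INDEXABLE_CHANGE", 0x00008000: "BASIC_INFO_CHANGE",
    0x00010000: "HARD_LINK_CHANGE", 0x00020000: "COMPRESSION_CHANGE",
    0x00040000: "ENCRYPTION_CHANGE", 0x00080000: "OBJECT_ID_CHANGE",
    0x00100000: "REPARSE_POINT_CHANGE", 0x00200000: "STREAM_CHANGE",
    0x00400000: "TRANSACTED_CHANGE", 0x00800000: "INTEGRITY_CHANGE",
    0x80000000: "CLOSE",
}
KNOWN_REASON_BITS = 0
for _bit in USN_REASONS:
    KNOWN_REASON_BITS |= _bit

# USN_RECORD_V2 fixed part (60 bytes): RecordLength, MajorVersion, MinorVersion,
# FileReferenceNumber, ParentFileReferenceNumber, Usn, TimeStamp, Reason,
# SourceInfo, SecurityId, FileAttributes, FileNameLength, FileNameOffset.
USN_V2_HEADER = struct.Struct("<IHHQQqqIIIIHH")
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_datetime(ft):
    """FILETIME is a count of 100 ns ticks since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def datetime_to_filetime(dt):
    return (dt - FILETIME_EPOCH) // timedelta(microseconds=1) * 10

def decode_reason(reason):
    """Expand a Reason bitmask into the USN_REASON_* names it contains."""
    names = [name for bit, name in USN_REASONS.items() if reason & bit]
    unknown = reason & ~KNOWN_REASON_BITS & 0xFFFFFFFF
    if unknown:
        names.append("UNKNOWN_0x%08X" % unknown)
    return names

def split_file_reference(ref):
    """NTFS file reference = 48-bit MFT record number + 16-bit sequence number."""
    return ref & 0xFFFFFFFFFFFF, ref >> 48

def parse_usn_v2(buf):
    """Walk a buffer of USN_RECORD_V2 structures and return one dict per record."""
    records, off = [], 0
    while off + USN_V2_HEADER.size <= len(buf):
        (length, major, minor, fref, pref, usn, ts, reason, _src, _sid,
         attrs, name_len, name_off) = USN_V2_HEADER.unpack_from(buf, off)
        if length == 0:                      # zero fill at the end of a journal page
            break
        if (major, minor) != (2, 0):
            raise ValueError("unsupported USN record version %d.%d" % (major, minor))
        name = buf[off + name_off:off + name_off + name_len].decode("utf-16-le")
        rec_no, seq = split_file_reference(fref)
        records.append({"usn": usn, "mft_record": rec_no, "mft_sequence": seq,
                        "parent_record": split_file_reference(pref)[0],
                        "timestamp": filetime_to_datetime(ts), "attributes": attrs,
                        "reasons": decode_reason(reason), "name": name})
        off += length                        # RecordLength is already 8-byte aligned
    return records

def find_renames(records):
    """Pair RENAME_OLD_NAME / RENAME_NEW_NAME entries for the same MFT record."""
    pending, pairs = {}, []
    for r in records:
        key = (r["mft_record"], r["mft_sequence"])
        if "RENAME_OLD_NAME" in r["reasons"]:
            pending[key] = r["name"]
        elif "RENAME_NEW_NAME" in r["reasons"] and key in pending:
            pairs.append((pending.pop(key), r["name"]))
    return pairs

def build_record_v2(usn, fref, pref, when, reason, name):
    """Constructed test data: serialise one USN_RECORD_V2, padded to 8 bytes."""
    raw = name.encode("utf-16-le")
    length = (USN_V2_HEADER.size + len(raw) + 7) & ~7
    header = USN_V2_HEADER.pack(length, 2, 0, fref, pref, usn, datetime_to_filetime(when),
                                reason, 0, 0, 0x20, len(raw), USN_V2_HEADER.size)
    return header + raw + bytes(length - USN_V2_HEADER.size - len(raw))

def sample_journal():
    """Constructed $J data, not real evidence: create + append + close of MFT record
    12345 (sequence 5) under the root directory, then a rename of the same file."""
    fref, root = 0x0005000000003039, 0x0005000000000005
    t0 = datetime(2023, 9, 15, 14, 22, 11, tzinfo=timezone.utc)
    t1, t2 = t0 + timedelta(seconds=1), t0 + timedelta(seconds=60)
    return b"".join([
        build_record_v2(0, fref, root, t0, 0x00000100, "notes.txt"),     # FILE_CREATE
        build_record_v2(80, fref, root, t1, 0x00000102, "notes.txt"),    # + DATA_EXTEND
        build_record_v2(160, fref, root, t1, 0x80000102, "notes.txt"),   # + CLOSE
        build_record_v2(240, fref, root, t2, 0x00001000, "notes.txt"),   # RENAME_OLD_NAME
        build_record_v2(320, fref, root, t2, 0x00002000, "report.txt"),  # RENAME_NEW_NAME
    ])
```

Feed parse_usn_v2 the raw $J bytes extracted from a volume (the stream is sparse, so skip the leading zero-filled region before the first live record). Pairing old and new names by MFT record and sequence number is what turns the "multiple entries for the same file" pattern of Question 3 into a concrete rename or move, and the accumulated flags on the CLOSE record show why a single edit yields several records.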
Question 8
You are tasked with determining the last access time of a file on an NTFS system. Which artifact would provide the most reliable information?
Correct Answer: A
Explanation: The MFT entry's $STANDARD_INFORMATION attribute holds the last-access timestamp, but treat it with care. NTFS last-access updates have been disabled by default since Windows Vista (HKLM\SYSTEM\CurrentControlSet\Control\FileSystem\NtfsDisableLastAccessUpdate = 1); Windows 10 1803 and later use a system-managed mode that enables them only when the system volume is 128 GB or smaller; and even when enabled, the update is deferred and only written if the stored value is more than an hour old. Check that registry value in the SYSTEM hive before relying on the timestamp. The USN Journal records changes rather than reads, Prefetch tracks program execution, and the Security event log records file access (event ID 4663) only if object-access auditing has been configured on the file.
Question 9
Given the following MFT entry, what is the significance of the '$SI' attribute timestamp?
File Reference: 12345
$STANDARD_INFORMATION:
  Created: 2023-08-01 12:34:56
  Modified: 2023-08-02 14:23:45
  Accessed: 2023-08-03 16:12:34
  Changed: 2023-08-04 18:01:23
Correct Answer: D
Explanation: $STANDARD_INFORMATION ($SI) holds the four timestamps Windows exposes to users and applications: Created (file creation), Modified (last data write), Accessed (last read, subject to the last-access-update setting), and Changed (last change to the MFT record itself). These are the values timestomping tools rewrite through SetFileTime, so compare them with the $FILE_NAME copies, which are set when the file name is written and are not exposed through that API. $SI timestamps earlier than their $FN counterparts, or with a zero sub-second component, warrant a closer look.
Question 10
In an NTFS file system, which artifact would you examine to determine the last time a file was opened?
Correct Answer: A
Explanation: The MFT entry's $STANDARD_INFORMATION Accessed timestamp is updated when the file is opened or read, but only on volumes where last-access updates are enabled; on most modern Windows systems they are disabled by default, so the value will often still reflect the file's creation or copy time. When the volume's NtfsDisableLastAccessUpdate setting shows updates were off, turn to Windows artifacts that record opens independently, such as LNK files, Jump Lists and ShellBags.
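Questions 2, 8, 9 and 10 all turn on the four timestamps in $STANDARD_INFORMATION and on how they differ from the copies in $FILE_NAME. The following code is an added example for this page, not code from the original page or from any tool: it parses the two attribute bodies from raw bytes and then applies two common timestomping heuristics, $SI times earlier than the $FN times and $SI times that fall exactly on a second boundary. The attribute bytes are constructed inline for the File Reference 12345 scenario of Question 9 (one backdated variant and one clean one) and are not real evidence; all function names are the example's own.

```python
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000          # FILETIME ticks are 100 ns

def filetime_to_datetime(ft):
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def datetime_to_filetime(dt):
    return (dt - FILETIME_EPOCH) // timedelta(microseconds=1) * 10

def parse_standard_information(data):
    """$STANDARD_INFORMATION (type 0x10): four FILETIMEs at offset 0,
    in created / modified / MFT-changed / accessed order."""
    c, m, mft, a = struct.unpack_from("<4Q", data, 0)
    return {"created": c, "modified": m, "mft_changed": mft, "accessed": a}

def parse_file_name(data):
    """$FILE_NAME (type 0x30): parent reference, the same four FILETIMEs,
    sizes and flags, then name length (0x40), namespace (0x41) and name (0x42)."""
    parent, c, m, mft, a = struct.unpack_from("<5Q", data, 0)
    name_len, namespace = struct.unpack_from("<BB", data, 0x40)
    name = data[0x42:0x42 + 2 * name_len].decode("utf-16-le")
    return {"created": c, "modified": m, "mft_changed": mft, "accessed": a,
            "parent_record": parent & 0xFFFFFFFFFFFF, "namespace": namespace, "name": name}

def timestomp_indicators(si, fn):
    """Heuristics, not proof: each can also be produced by legitimate software
    (archive extractors, backup restores) that sets file times explicitly."""
    findings = []
    # $FN times are written when the name is created and are not touched by
    # ordinary writes, so $SI created/modified should never be older than $FN.
    for key in ("created", "modified"):
        if si[key] < fn[key]:
            findings.append("$SI %s precedes $FN %s" % (key, key))
    # Tools that set second-granularity times leave the 100 ns part at zero;
    # genuine file operations almost never land exactly on a second boundary.
    for key in ("created", "modified", "mft_changed", "accessed"):
        if si[key] % TICKS_PER_SECOND == 0 and fn[key] % TICKS_PER_SECOND != 0:
            findings.append("$SI %s is on a whole-second boundary" % key)
    return findings

def build_standard_information(times):
    """Constructed test data: a 72-byte $STANDARD_INFORMATION body, flags zeroed."""
    return struct.pack("<4Q", *times) + bytes(40)

def build_file_name(parent_ref, times, name):
    """Constructed test data: a $FILE_NAME body; namespace 3 = Win32 & DOS."""
    raw = name.encode("utf-16-le")
    return struct.pack("<5QQQIIBB", parent_ref, *times, 0, 0, 0x20, 0, len(name), 3) + raw

def sample_entry(stomped):
    """Constructed attributes for the File Reference 12345 scenario, not real evidence.
    stomped=True backdates $SI created/modified to whole-second values two weeks
    before the name was written; the kernel-maintained MFT-changed time stays real."""
    real = datetime(2023, 8, 15, 9, 10, 11, 123456, tzinfo=timezone.utc)
    fn_times = [datetime_to_filetime(real)] * 4
    if stomped:
        fake = datetime_to_filetime(datetime(2023, 8, 1, 12, 34, 56, tzinfo=timezone.utc))
        si_times = [fake, fake, fn_times[2], fn_times[3]]
    else:
        si_times = fn_times
    return (build_standard_information(si_times),
            build_file_name(0x0005000000000005, fn_times, "report.txt"))
```

Both checks are indicators rather than proof: archive extractors, backup restores and robocopy (which preserves source timestamps by default) legitimately write earlier $SI times, and a tool that calls SetFileTime with full 100 ns precision defeats the sub-second test, so corroborate a hit with the USN Journal and $LogFile. The accessed timestamp takes part only in the sub-second check, because whether it holds anything meaningful depends on the volume's last-access-update setting.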
Ready to Accelerate Your GCFA Preparation?
Join thousands of professionals who are advancing their careers through expert certification preparation with FlashGenius.
- ✅ Unlimited practice questions across all GCFA domains
- ✅ Full-length exam simulations with real-time scoring
- ✅ AI-powered performance tracking and weak area identification
- ✅ Personalized study plans with adaptive learning
- ✅ Mobile-friendly platform for studying anywhere, anytime
- ✅ Expert explanations and study resources
About GCFA Certification
The GCFA certification validates your expertise in NTFS Artifact Analysis and other critical domains. Our comprehensive practice questions are carefully crafted to mirror the actual exam experience and help you identify knowledge gaps before test day.
Keep Practicing: GCFA Topic-Focused Question Sets
Sharpen your incident response & forensics skills with these targeted FlashGenius practice pages:
- Identification of Normal System/User Activity
- Identification of Malicious System/User Activity
- File System Timeline Artifact Analysis
- Analyzing Volatile Windows/Event Artifacts
- Introduction to File System Timeline Forensics
- Introduction to Memory Forensics
- Windows Artifact Analysis
- NTFS Artifact Analysis
- Enterprise Environment Incident Response
Need a Complete GCFA Roadmap?
Go beyond practice questions — explore the Ultimate GCFA Certification Guide covering exam domains, eligibility, costs, study plan, and preparation strategy.
📘 Read the Ultimate GCFA Guide →