FlashGenius Logo FlashGenius
Login Sign Up

GCFA Practice Questions: Timeline / File System Timeline Artifact Analysis Domain

Published: September 13, 2025 | 20 min read

Test your GCFA knowledge with 10 practice questions from the Timeline / File System Timeline Artifact Analysis domain. Includes detailed explanations and answers.

GCFA Practice Questions

Master the Timeline / File System Timeline Artifact Analysis Domain

Test your knowledge in the Timeline / File System Timeline Artifact Analysis domain with these 10 practice questions. Each question is designed to help you prepare for the GCFA certification exam with detailed explanations to reinforce your learning.

Question 1

Given the following MFT entry, what can you deduce about the file's activity? File Name: example.txt Creation Time: 2023-10-01 10:15:30 Modified Time: 2023-10-01 10:20:00 Accessed Time: 2023-10-01 10:25:00 MFT Modified Time: 2023-10-01 10:18:00

A) The file was deleted after access.

B) The file was modified but not accessed.

C) The file was accessed but not modified.

D) The file was modified after creation.

Show Answer & Explanation

Correct Answer: D

Explanation: The MFT entry shows the file was modified at 10:20:00, which is after the creation time of 10:15:30, indicating it was modified after creation.

Question 2

What does the presence of a Prefetch file with a last run timestamp indicate?

A) The application is currently running.

B) The application was uninstalled.

C) The application was run at the last timestamp.

D) The application has never been run.

Show Answer & Explanation

Correct Answer: C

Explanation: A Prefetch file with a last run timestamp indicates that the application was executed at that specific time.

Question 3

Given the following MFT entry, what can you infer about the file's activity? File Name: report.docx Created: 2023-05-01 10:15:00 Modified: 2023-05-02 14:30:00 Accessed: 2023-05-02 14:30:00 Record Changed: 2023-05-02 14:30:00

A) The file was accessed but not modified.

B) The file was deleted on 2023-05-02.

C) The file was modified on 2023-05-02.

D) The file was copied to another location.

Show Answer & Explanation

Correct Answer: C

Explanation: The Modified, Accessed, and Record Changed timestamps are all updated to 2023-05-02 14:30:00, indicating the file was modified at that time.

Question 4

Given the following MFT entry snippet, identify the file creation date: - File Name: report.docx - Created: 2023-10-01 14:23:45 UTC - Modified: 2023-10-02 09:12:30 UTC - Accessed: 2023-10-02 08:00:00 UTC What is the file creation date?

A) 2023-10-01 14:23:45 UTC

B) 2023-10-02 09:12:30 UTC

C) 2023-10-02 08:00:00 UTC

D) 2023-10-01 09:12:30 UTC

Show Answer & Explanation

Correct Answer: A

Explanation: The file creation date is explicitly listed as 2023-10-01 14:23:45 UTC in the MFT entry snippet.

Question 5

Examine this timeline of events: 2023-10-05 09:00:00 - File 'data.txt' created 2023-10-05 09:05:00 - File 'data.txt' modified 2023-10-05 09:10:00 - File 'data.txt' deleted What is the most likely reason for the deletion?

A) User error during file operation.

B) Automated script cleanup.

C) Malicious activity to cover tracks.

D) File renamed to another name.

Show Answer & Explanation

Correct Answer: C

Explanation: The sequence of creation, modification, and deletion in quick succession suggests potential malicious activity to cover tracks.

Question 6

A timeline analysis shows a file creation event at 2023-06-01 10:00:00 and a Windows Event 4624 at 2023-06-01 09:59:50. What does this suggest?

A) The file was created by a user login.

B) The file was created before the login.

C) The file creation and login are unrelated.

D) The file was created by a scheduled task.

Show Answer & Explanation

Correct Answer: A

Explanation: Event 4624 indicates a successful logon. Since the file creation follows the logon event closely, it suggests the file was created by the user who logged in. Option B is incorrect as the file was created after the login. Option C ignores the timeline correlation. Option D lacks evidence of a scheduled task.

Question 7

In a Linux ext4 filesystem investigation, which artifact provides the most accurate file access timestamps when noatime mount option is disabled?

A) ext4 journal

B) inode metadata

C) .bash_history

D) /var/log/auth.log

Show Answer & Explanation

Correct Answer: B

Explanation: Inode metadata in ext4 filesystems stores access, modify, and change timestamps. When noatime is disabled, access times are updated and provide accurate file access information. The journal records metadata changes but not access times.

Question 8

Network logs show HTTP POST requests with Base64-encoded data. Which forensic approach would best decode and analyze the potential data exfiltration?

A) Extract and decode all Base64 content sequentially

B) Correlate POST timing with file access events

C) Analyze payload entropy and size distributions

D) Combine temporal correlation with content analysis

Show Answer & Explanation

Correct Answer: D

Explanation: Effective analysis requires correlating network activity timing with file system events, analyzing payload characteristics, and systematically decoding content to identify exfiltrated data patterns.

Question 9

Given the following MFT entry snippet, what can you infer about the file's status? File Reference: 12345 Created: 2023-05-01 12:34:56 Modified: 2023-05-02 14:20:10 Accessed: 2023-05-02 14:20:10 What is the most likely status of this file?

A) The file was deleted after last access.

B) The file is currently open and in use.

C) The file was modified but not accessed afterwards.

D) The file has not been accessed since creation.

Show Answer & Explanation

Correct Answer: B

Explanation: The accessed and modified timestamps are the same, indicating the file was likely in use at that time. Option A is incorrect as it doesn't provide evidence of deletion. Option C is false as access and modification are the same. Option D is incorrect since access time matches modification.

Question 10

Interpret the following Registry key modification timestamp: Key: HKCU\Software\ExampleApp, Last Write Time: 2023-05-05 17:45:00

A) ExampleApp was installed.

B) ExampleApp was executed.

C) ExampleApp settings were changed.

D) ExampleApp was uninstalled.

Show Answer & Explanation

Correct Answer: C

Explanation: The 'Last Write Time' indicates a modification to the Registry key, suggesting a change in settings, not installation, execution, or uninstallation.

Ready to Accelerate Your GCFA Preparation?

Join thousands of professionals who are advancing their careers through expert certification preparation with FlashGenius.

  • ✅ Unlimited practice questions across all GCFA domains
  • ✅ Full-length exam simulations with real-time scoring
  • ✅ AI-powered performance tracking and weak area identification
  • ✅ Personalized study plans with adaptive learning
  • ✅ Mobile-friendly platform for studying anywhere, anytime
  • ✅ Expert explanations and study resources
Start Free Practice Now

Already have an account? Sign in here

About GCFA Certification

The GCFA certification validates your expertise in timeline / file system timeline artifact analysis and other critical domains. Our comprehensive practice questions are carefully crafted to mirror the actual exam experience and help you identify knowledge gaps before test day.

Practice GCFA Exam Domains

Strengthen your GIAC Certified Forensic Analyst (GCFA) prep with domain-specific practice tests. Each set includes realistic multiple-choice questions with detailed explanations to sharpen your forensic analysis skills.

Start Practicing →

GCFA Cheat Sheet – Quick Forensic Reference

Prepare for the GIAC Certified Forensic Analyst (GCFA) exam with our concise cheat sheet. Covers memory forensics, Windows & NTFS artifacts, timeline analysis, and key incident response techniques in one quick reference guide.

Open GCFA Cheat Sheet →