
Free GCFA Practice Questions: Timeline / File System Timeline Artifact Analysis Domain

Test your GCFA knowledge with 10 free practice questions from the Timeline / File System Timeline Artifact Analysis domain. Includes detailed explanations and answers.


Free GCFA Practice Questions

Master the Timeline / File System Timeline Artifact Analysis Domain

Test your knowledge in the Timeline / File System Timeline Artifact Analysis domain with these 10 practice questions. Click an answer to see if you’re correct and reveal the explanation.

Question 1

Given the following MFT entry, what can you deduce about the file's activity?

File Name: example.txt
Creation Time: 2023-10-01 10:15:30
Modified Time: 2023-10-01 10:20:00
Accessed Time: 2023-10-01 10:25:00
MFT Modified Time: 2023-10-01 10:18:00

Incorrect.
Nothing in these four $STANDARD_INFORMATION timestamps indicates deletion. Whether a file is deleted is shown by the in-use flag in the MFT record header, which this snippet does not include.
Incorrect.
The file was both modified (10:20:00) and accessed (10:25:00) after it was created.
Incorrect.
The modified time is later than the creation time, so the content was changed after the file was created.
Correct – Answer D.
Modified (10:20:00) is about five minutes after Created (10:15:30), so the file was modified after creation. One caveat for the full analysis: the MFT-record-modified value (10:18:00) is earlier than the content-modified value. Under normal NTFS operation a content write updates the $STANDARD_INFORMATION record-changed time as well, so a record-changed time that lags Modified deserves a second look (compare against the $FILE_NAME timestamps) before the entry is trusted.

Question 2

What does the presence of a Prefetch file with a last run timestamp indicate?

Incorrect.
A Prefetch file records past executions; it says nothing about whether the program is running now (for that, use the process list or a memory image).
Incorrect.
Uninstallation does not remove or rewrite Prefetch files, so nothing here points to removal.
Correct – Answer C.
A Prefetch file with a last run timestamp indicates the application was executed at that time. The file's existence shows the executable ran at least once on this system, and the last-run value inside it records when. Windows 8 and later keep the last eight run times and a run counter. The Prefetch file itself is written roughly ten seconds after the launch, so its own file-system timestamps trail the execution slightly. Prefetching is disabled by default on Windows Server, so the absence of a Prefetch file there is not evidence that a program never ran.
Incorrect.
The presence of a Prefetch file contradicts the idea that the application has never been run.

Question 3

Given the following MFT entry, what can you infer about the file's activity?

File Name: report.docx
Created: 2023-05-01 10:15:00
Modified: 2023-05-02 14:30:00
Accessed: 2023-05-02 14:30:00
Record Changed: 2023-05-02 14:30:00

Incorrect.
The MFT entry shows both modification and access on 2023-05-02, not access alone.
Incorrect.
There is no explicit evidence of deletion in these fields.
Correct – Answer C.
Modified, Accessed, and Record Changed all carry the same value, 2023-05-02 14:30:00. That is the footprint of a single write: NTFS updates these $STANDARD_INFORMATION timestamps together when the content is changed, so the file was modified at that time.
Incorrect.
A copy is not shown by these timestamps. A copied file typically keeps the source's Modified time while receiving a new Created time, which is not the pattern here.

Question 4

Given the following MFT entry snippet, identify the file creation date:

File Name: report.docx
Created: 2023-10-01 14:23:45 UTC
Modified: 2023-10-02 09:12:30 UTC
Accessed: 2023-10-02 08:00:00 UTC

What is the file creation date?

Correct – Answer A.
The file creation date is explicitly listed as 2023-10-01 14:23:45 UTC.
Incorrect.
This is the file's modified timestamp, not creation.
Incorrect.
This reflects the access time.
Incorrect.
This timestamp is not present in the snippet.

Question 5

Examine this timeline of events:

2023-10-05 09:00:00 - File 'data.txt' created
2023-10-05 09:05:00 - File 'data.txt' modified
2023-10-05 09:10:00 - File 'data.txt' deleted

What is the most likely reason for the deletion?

Incorrect.
Possible, but the rapid create/modify/delete pattern is more suspicious.
Incorrect.
There is no explicit indication that an automated script is responsible.
Correct – Answer C.
The quick sequence of creation, modification, and deletion suggests potential malicious activity to cover tracks.
Incorrect.
A rename would typically show a different pattern rather than a clear delete.

Question 6

A timeline analysis shows a file creation event at 2023-06-01 10:00:00 and a Windows Event 4624 at 2023-06-01 09:59:50. What does this suggest?

Correct – Answer A.
Event ID 4624 records a successful logon. A file created ten seconds later is consistent with the logged-on user creating it. Before reporting that, corroborate it: the 4624 Logon Type (2 interactive, 10 RemoteInteractive, 3 network) tells you what kind of session it was, and the account and Logon ID in the event should match the file's owner and any process-tracking (4688) or Sysmon evidence from the same session. Type 3 network logons on a busy server occur constantly and will coincide with file activity by chance.
Incorrect.
The file was created after the logon, not before.
Incorrect.
The ten-second gap is a strong timing correlation between the logon and the file creation, not a coincidence to be dismissed.
Incorrect.
There is no evidence here of a scheduled task (that would be Event ID 4698 or a Task Scheduler operational log entry).

Question 7

In a Linux ext4 filesystem investigation, which artifact provides the most accurate file access timestamps when the noatime mount option is disabled?

Incorrect.
The ext4 journal records metadata (and, depending on the data= mode, data) blocks in transit; it is not a record of read accesses.
Correct – Answer B.
The inode stores atime, mtime, and ctime (and, with the 256-byte inodes that are the ext4 default, crtime as well). When noatime is not set, the kernel updates atime on read, so the inode is the primary source for access times. Caveat: when neither noatime nor strictatime is given, the default since Linux 2.6.30 is relatime, under which atime is written only if it is older than mtime or ctime or more than 24 hours old. A file read repeatedly within a day therefore keeps the time of the first read. Check the mount options (/proc/mounts on a live system, /etc/fstab on an image) before treating atime as a complete access record.
Incorrect.
.bash_history records interactive shell commands for one user and one shell, and only what that shell chose to write; it is not file-access coverage.
Incorrect.
/var/log/auth.log records authentication and sudo events, not file access times.
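The mount-option check described in the answer, as an added Python example that is not part of the original page: it looks up the mount point governing a path in a constructed /proc/mounts excerpt, classifies the atime policy, implements the kernel's relatime update rule, and states what an observed atime can prove under that policy. The /proc/mounts text, the sample paths and the timestamps are invented for the example.

```python
from datetime import datetime, timedelta

# Constructed /proc/mounts excerpt (not taken from a real system).
PROC_MOUNTS = """\
/dev/sda1 / ext4 rw,relatime,errors=remount-ro 0 0
/dev/sdb1 /data ext4 rw,noatime 0 0
/dev/sdc1 /srv/audit ext4 rw,strictatime 0 0
"""


def mount_options_for(path, proc_mounts=PROC_MOUNTS):
    """Return the option string of the longest mount point that contains path."""
    best = None
    for line in proc_mounts.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        mnt, opts = fields[1], fields[3]
        if path == mnt or path.startswith(mnt.rstrip("/") + "/"):
            if best is None or len(mnt) > len(best[0]):
                best = (mnt, opts)
    return best[1] if best else None


def atime_policy(mount_opts):
    """noatime, strictatime, or relatime (the kernel default since 2.6.30)."""
    opts = set(mount_opts.split(","))
    if "noatime" in opts:
        return "noatime"
    if "strictatime" in opts:
        return "strictatime"
    return "relatime"


def relatime_would_update(atime, mtime, ctime, now):
    """The kernel's relatime test: atime is written on access only when it is
    not newer than mtime or ctime, or is at least 24 hours old."""
    return atime <= mtime or atime <= ctime or now - atime >= timedelta(days=1)


def interpret_atime(mount_opts, atime, mtime, ctime):
    """What an observed atime can be said to prove under the mount's policy."""
    policy = atime_policy(mount_opts)
    if policy == "noatime":
        return "never-updated-on-read"
    if policy == "strictatime":
        return "last-read-exact"
    if atime > max(mtime, ctime):
        # First read after the last write; later reads within 24 h were not recorded.
        return "first-read-after-last-write"
    return "no-read-recorded-after-write"


if __name__ == "__main__":
    opts = mount_options_for("/home/alice/notes.txt")
    t = datetime(2023, 6, 1, 10, 0, 0)
    print(opts, atime_policy(opts),
          interpret_atime(opts, t + timedelta(minutes=30), t, t))
```

On a live system read /proc/mounts directly; on an image, /etc/fstab shows the configured options but not what was actually mounted at the time.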

Question 8

Network logs show HTTP POST requests with Base64-encoded data. Which forensic approach would best decode and analyze the potential data exfiltration?

Incorrect.
Decoding everything blindly can be noisy without context.
Incorrect.
Correlating timing is helpful, but insufficient alone to fully understand exfiltration content.
Incorrect.
Entropy and size analysis are useful indicators but still need content review.
Correct – Answer D.
Effective analysis requires correlating network timing with file system activity, decoding Base64 payloads, and examining content and patterns together.
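The combined approach the answer describes, as an added Python example that is not part of the original page: it decodes base64 POST bodies from a constructed proxy log with strict validation, scores the decoded content by Shannon entropy and printable ratio, and joins each request to file-system timeline events within a five-minute window, the same time-window correlation Question 6 applies to the 4624 logon. All sample data is invented; the two log formats, the window size and the 0.9 printable threshold are assumptions for the example.

```python
import base64
import binascii
import math
from collections import Counter
from datetime import datetime, timedelta

TS_FMT = "%Y-%m-%d %H:%M:%S"


def b64(raw):
    return base64.b64encode(raw).decode("ascii")


# Constructed payloads and logs (invented for this example, not real traffic).
PAYLOAD_TEXT = b"payroll export acct-001 12000.00"
PAYLOAD_BIN = bytes(range(64))          # 64 distinct byte values: 6 bits/byte
PAYLOAD_LOGIN = b"user=alice"
PROXY_LOG = "\n".join([
    "2023-10-05 09:04:40 POST http://203.0.113.10/upload body=" + b64(PAYLOAD_TEXT),
    "2023-10-05 09:04:55 POST http://203.0.113.10/upload body=" + b64(PAYLOAD_BIN),
    "2023-10-05 11:30:00 POST http://intranet.example/login body=" + b64(PAYLOAD_LOGIN),
])
FS_TIMELINE = """\
2023-10-05 09:00:00 B data.txt
2023-10-05 09:05:00 M data.txt
2023-10-05 09:10:00 D data.txt
2023-10-05 11:00:00 B notes.txt
"""


def parse_ts(s):
    return datetime.strptime(s, TS_FMT)


def parse_proxy(text):
    """Assumed format: date time METHOD url body=<base64>."""
    posts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, time, method, url, body = line.split(maxsplit=4)
        posts.append({"ts": parse_ts(f"{date} {time}"), "method": method,
                      "url": url, "body": body[len("body="):]})
    return posts


def parse_timeline(text):
    """Assumed format: date time MACB-flag path (B created, M modified, D deleted)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, time, flag, path = line.split(maxsplit=3)
        events.append({"ts": parse_ts(f"{date} {time}"), "flag": flag, "path": path})
    return events


def decode_b64(s):
    """Strict decode; None when the string is not well-formed base64."""
    try:
        return base64.b64decode(s, validate=True)
    except (binascii.Error, ValueError):
        return None


def shannon_entropy(data):
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def printable_ratio(data):
    if not data:
        return 0.0
    return sum(1 for b in data if 32 <= b < 127 or b in (9, 10, 13)) / len(data)


def correlate(posts, fs_events, window=timedelta(minutes=5)):
    """Decode each POST body and attach file-system events within +/- window."""
    findings = []
    for p in posts:
        raw = decode_b64(p["body"])
        nearby = sorted((e for e in fs_events if abs(e["ts"] - p["ts"]) <= window),
                        key=lambda e: abs(e["ts"] - p["ts"]))
        if raw is None:
            kind = "not-base64"
        elif printable_ratio(raw) >= 0.9:
            kind = "text"
        else:
            kind = "binary"          # high entropy here suggests compression/encryption
        findings.append({"ts": p["ts"], "url": p["url"], "kind": kind, "decoded": raw,
                         "entropy": shannon_entropy(raw or b""),
                         "nearby_files": [(e["flag"], e["path"], e["ts"]) for e in nearby]})
    return findings


def report(findings):
    for f in findings:
        preview = f["decoded"][:40] if f["kind"] == "text" else b""
        print(f"{f['ts']:%Y-%m-%d %H:%M:%S} {f['url']} kind={f['kind']} "
              f"entropy={f['entropy']:.2f} bits/byte preview={preview!r}")
        for flag, path, ts in f["nearby_files"]:
            print(f"    {ts:%H:%M:%S} {flag} {path}")


if __name__ == "__main__":
    report(correlate(parse_proxy(PROXY_LOG), parse_timeline(FS_TIMELINE)))
```

The strict decoder matters: a lenient base64 decode will happily turn ordinary form data or JSON into garbage and inflate the finding count, while the entropy score separates readable exfiltrated text from compressed or encrypted blobs that need further work before their content can be judged.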

Question 9

Given the following MFT entry snippet, what can you infer about the file's status?

File Reference: 12345
Created: 2023-05-01 12:34:56
Modified: 2023-05-02 14:20:10
Accessed: 2023-05-02 14:20:10

What is the most likely status of this file?

Incorrect.
Nothing in these timestamps shows deletion; that is decided by the in-use flag in the MFT record header, which the snippet does not include.
Correct – Answer B.
Accessed and Modified carry the same value, 2023-05-02 14:20:10, which is consistent with the file being open and written at that time, with the access time stamped by the same operation rather than by a separate read. Caveat: last-access updates have been disabled by default since Windows Vista (the NtfsDisableLastAccessUpdate registry value), and on such volumes the Accessed field commonly retains its creation-time value. Check the examined system's setting before drawing any conclusion from Accessed on its own.
Incorrect.
Access and modification times match, so access was recorded at the time of modification, not never.
Incorrect.
Accessed (2023-05-02) is a day after Created (2023-05-01), so access did occur after creation.
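The timestamp reasoning in Questions 1, 3 and 9 applied in code, as an added Python example that is not part of the original page: it flattens $STANDARD_INFORMATION entries into mactime-style MACB rows and tags each entry with the patterns a timeline analyst reads from it (modified after creation, modified before creation as seen with copied files, record-changed earlier than modified, accessed equal to or later than modified). The first two entries mirror the quiz snippets; the third is invented to show a copied file, and the tag names and interpretations are the example's own.

```python
from datetime import datetime

TS_FMT = "%Y-%m-%d %H:%M:%S"

# Constructed $STANDARD_INFORMATION-style entries (not real evidence).
# Keys: B = created, M = content modified, A = accessed, C = MFT record changed.
MFT_ENTRIES = [
    {"name": "example.txt", "B": "2023-10-01 10:15:30", "M": "2023-10-01 10:20:00",
     "A": "2023-10-01 10:25:00", "C": "2023-10-01 10:18:00"},
    {"name": "report.docx", "B": "2023-05-01 10:15:00", "M": "2023-05-02 14:30:00",
     "A": "2023-05-02 14:30:00", "C": "2023-05-02 14:30:00"},
    {"name": "copied.bin", "B": "2023-07-01 09:00:00", "M": "2023-06-01 12:00:00",
     "A": "2023-07-01 09:00:00", "C": "2023-07-01 09:00:00"},   # invented copy pattern
]

# Interpretation attached to each pattern tag.
MEANING = {
    "modified-after-creation": "content changed after the file was created",
    "modified-before-creation": "M older than B: timestamps carried over by a copy or "
                                "volume move, or altered; compare with $FILE_NAME",
    "record-changed-before-modified": "a content write normally updates the record-changed "
                                      "time too; entry deserves a second look",
    "accessed-equals-modified": "A stamped by the write itself, not by a separate read",
    "accessed-after-modified": "A later than M; meaningful only if last-access updates "
                               "were enabled on the volume",
}


def parse_entry(entry):
    """Convert the four timestamp strings of one entry into datetime objects."""
    return {k: datetime.strptime(entry[k], TS_FMT) for k in "MACB"}


def assess(ts):
    """Return pattern tags for one parsed entry, in a fixed order."""
    tags = []
    if ts["M"] > ts["B"]:
        tags.append("modified-after-creation")
    elif ts["M"] < ts["B"]:
        tags.append("modified-before-creation")
    if ts["C"] < ts["M"]:
        tags.append("record-changed-before-modified")
    if ts["A"] == ts["M"]:
        tags.append("accessed-equals-modified")
    elif ts["A"] > ts["M"]:
        tags.append("accessed-after-modified")
    return tags


def timeline(entries):
    """Flatten entries into mactime-style rows: (timestamp, MACB flags, name)."""
    rows = {}
    for e in entries:
        ts = parse_entry(e)
        for flag in "MACB":
            rows.setdefault((ts[flag], e["name"]), set()).add(flag)
    return [(when, "".join(f if f in flags else "." for f in "MACB"), name)
            for (when, name), flags in sorted(rows.items())]


def main():
    for when, flags, name in timeline(MFT_ENTRIES):
        print(f"{when:{TS_FMT}} {flags} {name}")
    for e in MFT_ENTRIES:
        print(f"\n{e['name']}:")
        for tag in assess(parse_entry(e)):
            print(f"  {tag}: {MEANING[tag]}")


if __name__ == "__main__":
    main()
```

The tags are heuristics over $STANDARD_INFORMATION alone; anything flagged as record-changed-before-modified or modified-before-creation should be checked against the $FILE_NAME timestamps and the USN journal before it goes into a report.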

Question 10

Interpret the following Registry key modification timestamp:

Key: HKCU\Software\ExampleApp, Last Write Time: 2023-05-05 17:45:00

Incorrect.
Installation touches many keys; a single LastWrite value does not establish the install time.
Incorrect.
Execution may update some keys, but this timestamp only tells you that this key was written.
Correct – Answer C.
The LastWrite time is the only timestamp a Registry key carries (values have none), and it is updated whenever the key itself or any value beneath it is created, changed, or deleted. It therefore shows that HKCU\Software\ExampleApp was written at 2023-05-05 17:45:00, suggesting a change to ExampleApp's settings. To learn which value changed, compare the hive against an earlier copy (for example from a Volume Shadow Copy) or examine its .LOG1/.LOG2 transaction logs.
Incorrect.
Uninstallation usually deletes keys or changes many locations; a single LastWrite on a surviving key indicates a settings change, not removal.


About GCFA Certification

The GCFA certification validates your expertise in timeline / file system timeline artifact analysis and other critical domains. Our comprehensive practice questions are carefully crafted to mirror the actual exam experience and help you identify knowledge gaps before test day.
