
GCFA Practice Questions: Windows Artifact Analysis Domain


Master the Windows Artifact Analysis Domain

Test your knowledge in the Windows Artifact Analysis domain with these 10 practice questions. Each question is designed to help you prepare for the GCFA certification exam with detailed explanations to reinforce your learning.

Question 1

You are examining the AmCache.hve file and find an entry for 'suspicious.exe' with a 'First Run' timestamp of '2023-10-01 14:00:00'. What does this timestamp indicate?

A) The executable was last run at this time.

B) The executable was first run at this time.

C) The executable was installed at this time.

D) The executable was deleted at this time.


Correct Answer: B

Explanation: The 'First Run' timestamp in the AmCache.hve file indicates when the executable was first executed. Option A describes a last run time, C is incorrect as installation time is not recorded, and D is unrelated to execution timestamps.

Question 2

While analyzing a Windows system, you find a Prefetch file for 'malware.exe'. The file has a last run time of '2023-09-15 10:30:00'. What does this indicate?

A) The malware executed on the system at this time.

B) The malware was installed on the system at this time.

C) The malware was deleted from the system at this time.

D) The malware was downloaded to the system at this time.


Correct Answer: A

Explanation: Prefetch files record the last time an executable was run. Therefore, 'malware.exe' was executed on the system at '2023-09-15 10:30:00'. Options B, C, and D do not accurately describe what the last run time in a Prefetch file represents.

Question 3

During an investigation, you find a Prefetch file named 'EXAMPLE.EXE-12345678.pf'. What can this file tell you?

A) The exact command line arguments used.

B) The program's execution history and last run time.

C) The network connections made by the program.

D) The registry keys modified by the program.


Correct Answer: B

Explanation: Prefetch files contain information about the programs executed, including the last run time and execution history. They do not contain command line arguments, network connections, or registry modifications.

Question 4

Which Windows Registry hive is most likely to contain information about user-specific application settings?

A) SYSTEM

B) SECURITY

C) SOFTWARE

D) NTUSER.DAT


Correct Answer: D

Explanation: The NTUSER.DAT hive contains user-specific settings, including application settings. Option A is for system settings, B is for security policies, and C is for installed software information.

Question 5

Which Windows artifact would you prioritize to determine the first execution time of an application?

A) Prefetch files

B) ShimCache

C) AmCache

D) Event Logs


Correct Answer: C

Explanation: AmCache records a first-execution timestamp for applications, which is why it is the artifact to prioritize when the question is when a program first ran.

Question 6

You notice a spike in network activity. Which Windows artifact should you check to correlate this with process execution?

A) Event Logs

B) Prefetch files

C) SRUM

D) Registry hives


Correct Answer: C

Explanation: SRUM (System Resource Usage Monitor) can be used to correlate network activity with process execution, providing insights into resource usage patterns.

Question 7

Windows Firewall logs show blocked outbound connections to multiple IP addresses. Which additional artifact would help determine if this indicates a compromised host or security tool activity?

A) Process creation events (Event ID 4688)

B) Network location awareness logs

C) Windows Defender scan logs

D) DNS resolution logs


Correct Answer: A

Explanation: Process creation events (Event ID 4688) identify which process initiated the blocked connections. A legitimate security tool can be recognized by its known process identity, whereas malware often exhibits suspicious process behavior patterns.

Question 8

During a forensic investigation, you find a Prefetch file named 'malware.exe-12345678.pf'. What does the presence of this file suggest?

A) The malware.exe was executed recently.

B) The malware.exe is scheduled to run.

C) The malware.exe is a deleted file.

D) The malware.exe is quarantined.


Correct Answer: A

Explanation: Prefetch files are created when applications are executed to improve loading times. The presence of 'malware.exe-12345678.pf' suggests that 'malware.exe' was executed recently.

Question 9

You find an entry in the ShimCache indicating 'suspicious.exe' with a timestamp of 2023-07-10 09:30:00. What does this tell you?

A) The file was executed at this time.

B) The file was created at this time.

C) The file was last modified at this time.

D) The file was present on the system at this time.


Correct Answer: D

Explanation: ShimCache records when a file was present on the system, not necessarily executed. Option A is incorrect as ShimCache does not confirm execution. Option B is incorrect because it does not track creation. Option C is incorrect as it does not indicate modification time.

Question 10

Given the following Windows Event Log snippet, what type of account activity does Event ID 4624 with Logon Type 10 indicate?

Event ID: 4624
Logon Type: 10
Account Name: user123
Source Network Address: 192.168.1.5

A) Interactive logon

B) Remote interactive logon

C) Network logon

D) Batch logon


Correct Answer: B

Explanation: Event ID 4624 with Logon Type 10 indicates a remote interactive logon, typically via RDP. Option A is incorrect as it corresponds to Logon Type 2, C is incorrect for Logon Type 3, and D is incorrect for Logon Type 4.

Ready to Accelerate Your GCFA Preparation?

Join thousands of professionals who are advancing their careers through expert certification preparation with FlashGenius.

  • ✅ Unlimited practice questions across all GCFA domains
  • ✅ Full-length exam simulations with real-time scoring
  • ✅ AI-powered performance tracking and weak area identification
  • ✅ Personalized study plans with adaptive learning
  • ✅ Mobile-friendly platform for studying anywhere, anytime
  • ✅ Expert explanations and study resources

About GCFA Certification

The GCFA certification validates your expertise in Windows Artifact Analysis and other critical domains. Our comprehensive practice questions are carefully crafted to mirror the actual exam experience and help you identify knowledge gaps before test day.
