All Practice Exams

200+ Free GCFA Practice Questions

Pass your GIAC Certified Forensic Analyst exam on the first try — instant access, no signup required.

2026 Statistics

Key Facts: GCFA Exam (source: GIAC)

  • Passing score: 71%
  • Questions: 82
  • Duration: 3 hours
  • Exam fee: $999
  • Certification validity: 4 years
  • DoD 8140: DFIR / Threat Hunt roles

GIAC GCFA validates practical digital forensics and incident response skills for investigators who need to scope intrusions, acquire and analyze volatile evidence, reconstruct attacker timelines, and hunt across enterprise endpoints. The public exam facts currently list 82 questions, a 3-hour time limit, a 71% passing score, and a $999 exam fee. GCFA includes CyberLive hands-on tasks, is valid for 4 years, and GIAC publicly maps it to current DoD 8140 digital forensics and threat-hunting work roles. GIAC does not publicly publish GCFA domain percentages, so the topic weights below are inferred from the current objectives and FOR508 section emphasis.

Sample GCFA Practice Questions

Try these sample questions to test your GCFA exam readiness. Each question includes a detailed explanation. Start the interactive quiz above for the full 200+ question experience with AI tutoring.

1. A responder has one chance to collect evidence from a still-running workstation before it is powered off. Which evidence source should be prioritized first?
  A. Browser history on disk
  B. Contents of RAM
  C. Installed application inventory
  D. Weekly backup logs
Explanation: RAM is the most volatile high-value evidence on a live system. It can contain running processes, injected code, decrypted credentials, and network connections that disappear when power is removed.

2. Which artifact is most likely to disappear immediately if a compromised endpoint loses power?
  A. Prefetch files
  B. Amcache entries
  C. Active network connections
  D. Security event logs
Explanation: Active connections exist only while the operating system and network stack are running. Prefetch, Amcache, and event logs are persisted to disk and usually remain available after shutdown.

3. A host is still beaconing to a known malicious server, but leadership wants evidence preserved. What is the best immediate action?
  A. Shut the host down by holding the power button
  B. Disconnect the host from the network while keeping it powered on
  C. Run a full antivirus scan before collecting anything
  D. Uninstall the suspicious application first
Explanation: Network isolation can stop further attacker activity while preserving volatile evidence on the live system. A hard shutdown or remediation steps taken too early destroy context that may be critical to the investigation.

4. You suspect a malicious PowerShell script is still running in memory. Which live collection choice is most useful before rebooting?
  A. Collect RAM and current process command lines
  B. Export only the browser bookmarks
  C. Defragment the disk
  D. Delete temporary files
Explanation: If the script is still active, RAM and live process data capture the best evidence of what it is doing right now. Rebooting or cleanup first can destroy the very indicators you are trying to prove.

5. An incident affects hundreds of laptops, and the team cannot image all of them immediately. Which approach is most appropriate first?
  A. Perform full forensic imaging on every device before asking any scoping questions
  B. Collect targeted triage artifacts from the highest-risk systems first
  C. Wait until all systems are offline before starting
  D. Rebuild every laptop and investigate later
Explanation: Enterprise-scale incidents require prioritization. A triage-first approach lets investigators scope impact and preserve the most valuable evidence quickly, then reserve full imaging for the systems that truly require deeper analysis.

6. What is the primary purpose of a chain-of-custody record?
  A. To store the evidence itself
  B. To document who handled evidence, when, and for what purpose
  C. To calculate a file hash automatically
  D. To replace investigator notes
Explanation: Chain of custody creates a defensible record of possession and handling. That record helps show the evidence remained controlled and was not altered or mishandled during the investigation.

7. Why do investigators hash a forensic image before and after transfer?
  A. To compress the image for storage
  B. To prove the copied evidence remained unchanged
  C. To make the image bootable
  D. To remove duplicate files
Explanation: Matching hash values demonstrate integrity across acquisition and transfer. If the hashes differ, the investigator must assume the evidence copy was altered or corrupted somewhere in the process.

8. During live response on a compromised server, why should an analyst avoid logging in with their personal administrator account if possible?
  A. It can overwrite the BIOS
  B. It can introduce new artifacts and contaminate the timeline
  C. It disables event logging automatically
  D. It prevents disk imaging later
Explanation: Using a new account changes state on the target and creates fresh authentication, profile, and registry activity. Good DFIR practice is to minimize responder-caused artifacts and document any actions that do occur.

9. Why is it important to record the host clock time and any observed drift during collection?
  A. It improves network throughput
  B. It makes the hash stronger
  C. It helps correlate artifacts accurately across systems
  D. It enables BitLocker recovery
Explanation: Timeline analysis depends on accurate time normalization. If a host clock is wrong and the offset is not recorded, cross-host correlations can be misleading or completely wrong.

10. Which live data source is most useful for identifying suspicious outbound connections that may not survive a reboot?
  A. Current connection information from the running host or memory
  B. Recycle Bin metadata
  C. Windows thumbnail cache
  D. Installed printer drivers
Explanation: Active connection evidence is time-sensitive and often lost when a system reboots. Capturing live network state or RAM preserves remote IPs, ports, and process associations that may explain command-and-control activity.
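Questions 7 and 9 above both come down to bookkeeping at collection time: an integrity hash taken before and after transfer, and a recorded clock offset per host so timestamps can be normalized before correlation. The script below is an added example, not part of the original page; every host name, offset and event is constructed to show how an uncorrected offset can reverse the apparent order of events across systems.

```python
"""Normalize artifact timestamps using recorded host clock offsets, and check an
evidence copy's hash before and after transfer. All values are constructed."""
import hashlib
from datetime import datetime, timedelta, timezone

# Offset observed at collection time for each host, defined as
# (host clock) - (trusted reference clock). Positive means the host runs fast,
# so the offset is subtracted to map host-local times onto reference time.
HOST_CLOCK_OFFSETS = {
    "WKSTN-01": timedelta(minutes=7, seconds=30),  # constructed: 7m30s fast
    "SRV-02": timedelta(minutes=-4),               # constructed: 4 min slow
    "DC-01": timedelta(0),                         # constructed: NTP-synced reference
}

def normalize(host: str, host_time_utc: str) -> datetime:
    """Convert a timestamp as written by `host` (ISO 8601, UTC, no offset)
    into reference time by removing that host's recorded clock offset."""
    recorded = datetime.fromisoformat(host_time_utc).replace(tzinfo=timezone.utc)
    return recorded - HOST_CLOCK_OFFSETS[host]

def build_timeline(events):
    """events: iterable of (host, host_timestamp, description).
    Returns (normalized_time, host, description) tuples sorted by normalized time,
    which can differ from the order the raw host clocks suggest."""
    return sorted((normalize(h, t), h, d) for h, t, d in events)

def verify_copy(original: bytes, copy: bytes) -> bool:
    """Hash the image before and after transfer. Any mismatch means the copy
    must be treated as altered or corrupted, not as evidence."""
    before = hashlib.sha256(original).hexdigest()
    after = hashlib.sha256(copy).hexdigest()
    return before == after

# Constructed events. On raw host clocks the server logon (14:05) precedes the
# workstation's PsExec execution (14:10), which makes no sense; once the
# recorded offsets are applied the workstation event comes first.
SAMPLE_EVENTS = [
    ("SRV-02", "2024-03-10T14:05:00", "EID 4624 logon from WKSTN-01 (Type 3)"),
    ("WKSTN-01", "2024-03-10T14:10:00", "Prefetch: PSEXEC.EXE executed"),
    ("DC-01", "2024-03-10T14:04:30", "EID 4768 TGT request for svc-backup"),
]

if __name__ == "__main__":
    for when, host, desc in build_timeline(SAMPLE_EVENTS):
        print(when.isoformat(), host, desc)
```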

About the GCFA Exam

The GIAC Certified Forensic Analyst validates advanced DFIR skills across live response, memory analysis, Windows artifact analysis, timeline reconstruction, malware and persistence triage, and threat hunting. The exam is aligned to the current public GCFA objectives and the SANS FOR508 syllabus, and it emphasizes practical investigation through CyberLive testing.

  • Assessment: Multiple choice plus CyberLive practical tasks
  • Time limit: 3 hours
  • Passing score: 71%
  • Exam fee: $999 (GIAC, Global Information Assurance Certification)

GCFA Exam Content Outline

  • Initial Response and Evidence Collection (15%): Scoping intrusions, order of volatility, live response priorities, evidence handling, containment-aware collection, and selecting the right host or user accounts for deeper analysis
  • Memory Acquisition and Memory Forensics (18%): Acquiring RAM safely, analyzing processes, injected code, network connections, credentials, registry data in memory, and identifying memory-resident attacker activity
  • Windows Artifact and User Activity Analysis (20%): Event logs, PowerShell logging, Prefetch, Amcache, Shimcache, Jump Lists, LNK files, Shellbags, UserAssist, browser data, and remote-access artifacts
  • Filesystem and Timeline Reconstruction (17%): Using $MFT, $UsnJrnl, $LogFile, timestamp analysis, deleted-data recovery, Volume Shadow Copies, and correlated timelines to reconstruct attacker actions
  • Enterprise Triage, Malware, and Persistence (15%): Endpoint triage at scale, stacking and hunting, YARA and Sigma use, malware launch points, scheduled tasks, services, WMI, run keys, and lateral movement evidence
  • Threat Hunting and Anti-Forensics (15%): Hypothesis-driven hunts, attacker TTPs, privilege escalation, credential access, anti-forensics techniques, log clearing, timestomping, and reporting findings clearly

How to Pass the GCFA Exam

What You Need to Know

  • Passing score: 71%
  • Assessment: Multiple choice plus CyberLive practical tasks
  • Time limit: 3 hours
  • Exam fee: $999

Keys to Passing

  • Complete 500+ practice questions
  • Score 80%+ consistently before scheduling
  • Focus on highest-weighted sections
  • Use our AI tutor for tough concepts

GCFA Study Tips from Top Performers

  1. Practice building a timeline from multiple artifacts instead of analyzing any single artifact in isolation
  2. Memorize what each common Windows artifact is good for and what it cannot prove on its own
  3. Get comfortable distinguishing live response, triage collection, and full forensic preservation use cases
  4. Spend real hands-on time with memory analysis workflows, not just tool names and plugin lists
  5. Correlate event logs, Prefetch, Amcache, Jump Lists, and registry artifacts to validate execution
  6. Study persistence and lateral-movement artifacts such as scheduled tasks, services, WMI, PsExec, RDP, and SMB activity
  7. Learn the difference between deleted-data recovery evidence and anti-forensics intended to hide activity
  8. Use hypothesis-driven hunting and stack uncommon values to find outliers at enterprise scale
  9. Review how attackers steal credentials and escalate privileges so you can recognize the residual evidence
  10. Complete all 200 practice questions and revisit every explanation for questions you miss or guess

Frequently Asked Questions

What is the GIAC GCFA exam format?

The public GIAC GCFA exam page currently lists 82 questions, a 3-hour time limit, a 71% passing score, and CyberLive hands-on content. GIAC describes its certification exams as web-based and proctored, with delivery handled through current GIAC testing workflows. Candidates should still confirm their exact attempt details inside their GIAC account before test day.

What does CyberLive mean on GCFA?

CyberLive is GIAC's practical testing layer. Instead of answering theory-only questions, you may need to analyze evidence, interpret forensic output, or perform investigative tasks in a controlled environment. For GCFA, that means you need to be comfortable with real DFIR workflows, not just definitions.

Does GIAC publish GCFA domain percentages?

Not on the public GCFA exam page. GIAC publishes the exam objectives and the FOR508 syllabus, but it does not publicly break GCFA into official percentage-weighted domains the way many certification vendors do. The practice-question distribution on this page is therefore inferred from the published objectives and current FOR508 section emphasis.

How long should I study for GCFA?

A reasonable target is 90-140 focused study hours over 8-12 weeks if you already work in incident response or digital forensics. If Windows internals, memory forensics, and artifact correlation are newer to you, expect to need more repetition and more hands-on lab time. The SANS FOR508 course is the official training path, but it is not a formal prerequisite.

How does GCFA compare with GCIH?

GCIH is broader and more incident-handling oriented, with a larger emphasis on attacker techniques and response workflows. GCFA goes deeper on forensic reconstruction: memory analysis, Windows artifacts, enterprise triage, timeline building, and proving what happened on a compromised system. Many practitioners earn GCIH first, then add GCFA when they move into DFIR-heavy roles.

What are the GCFA renewal requirements?

GIAC certifications are valid for 4 years. Renewal requires earning 36 CPE credits or retaking the current exam, plus paying the GIAC renewal fee listed on the GIAC renewal page. That keeps the certification current without requiring annual retesting.

What jobs line up well with GCFA?

GCFA is relevant to DFIR analyst, incident responder, cyber investigator, SOC investigator, threat hunter, and security consultant roles that need defensible host-level evidence. Employers value it when the work involves reconstructing attacker activity rather than just detecting alerts. It is especially relevant in enterprise, consulting, defense, and managed response environments.