
100+ Free GCFE Practice Questions

Pass your GIAC Certified Forensic Examiner (GCFE) exam on the first try — instant access, no signup required.

2026 Statistics

Key Facts: GCFE Exam

  • Questions: 82 (GIAC)
  • Passing Score: 71% (GIAC)
  • Duration: 180 min (GIAC)
  • Exam Fee: $979 (GIAC, retake)
  • Validity: 4 years (GIAC)
  • Format: Open Book (Index-based)

GCFE validates Windows forensic examination skills. The exam has 82 questions in 3 hours with a 71% passing score. Core topics include registry analysis (NTUSER.DAT, SYSTEM, SAM, UsrClass), browser forensics (Chrome, Firefox, Edge), $MFT and USN journal, prefetch, shellbags, jumplists, LNK files, Amcache/shimcache, SRUM, timeline analysis with Plaso/log2timeline, and Eric Zimmerman tools (KAPE, RECmd, EvtxECmd). Open book, delivered by ProctorU/Pearson VUE. Valid 4 years.

Sample GCFE Practice Questions

Try these sample questions to test your GCFE exam readiness. Each question includes a detailed explanation. Start the interactive quiz above for the full 100+ question experience with AI tutoring.

1. Which Windows registry hive contains per-user preferences, including UserAssist, RunMRU, and TypedPaths keys?
A. SYSTEM
B. SAM
C. NTUSER.DAT
D. SECURITY
Explanation: NTUSER.DAT is the per-user registry hive, loaded under HKEY_CURRENT_USER when the user logs on. It contains UserAssist (tracks GUI program execution), RunMRU (Run dialog history), TypedPaths (Explorer address bar history), RecentDocs, and application-specific settings. SYSTEM, SAM, and SECURITY are machine-wide hives located under C:\Windows\System32\config.

2. Which registry key stores a ROT-13 encoded list of GUI programs the user has executed, including run count and last execution time?
A. HKCU\Software\Microsoft\Windows\CurrentVersion\Run
B. HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist
C. HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs
D. HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList
Explanation: UserAssist under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist contains GUID-organized records of GUI program executions, ROT-13 encoded with run count, focus time, and last execution time. RECmd has a plugin that parses and decodes this. UserAssist is one of the strongest indicators of GUI execution by the user.
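To make the ROT-13 decoding and the run count / last-execution fields concrete, here is an added Python example; it is not code from the page or from RECmd. The two GUID subkey names and the 72-byte Windows 7+ value layout (run count at offset 4, focus count at 8, focus time at 12, last-run FILETIME at offset 60) are stated from general knowledge of the format, and the two entries fed to the parser are constructed sample data, not values from a real hive.

```python
import codecs
import struct
from datetime import datetime, timedelta, timezone

# Well-known GUID subkeys under
# HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist
GUID_EXE = "{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}"  # programs launched directly
GUID_LNK = "{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}"  # programs launched via shortcuts

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def decode_name(rot13_name: str) -> str:
    """Value names under <GUID>\\Count are ROT-13 encoded; ROT-13 is its own inverse."""
    return codecs.decode(rot13_name, "rot_13")


def filetime_to_datetime(ft: int):
    """FILETIME = 100-ns ticks since 1601-01-01 UTC; 0 means 'never recorded'."""
    if ft == 0:
        return None
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    delta = dt - EPOCH_1601
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def parse_count_value(raw: bytes) -> dict:
    """Parse the Windows 7+ UserAssist value layout (assumed here, not taken from the page):
    0: session id, 4: run count, 8: focus count, 12: focus time in ms,
    16..55: ten float32 launch-time bands, 60: last-run FILETIME, 68: padding."""
    if len(raw) < 68:
        raise ValueError("not a Windows 7+ UserAssist value: %d bytes" % len(raw))
    session, run_count, focus_count, focus_ms = struct.unpack_from("<IIII", raw, 0)
    (last_run_ft,) = struct.unpack_from("<Q", raw, 60)
    return {
        "session": session,
        "run_count": run_count,
        "focus_count": focus_count,
        "focus_time_ms": focus_ms,
        "last_run": filetime_to_datetime(last_run_ft),
    }


def parse_userassist(values: dict) -> list:
    """values maps GUID subkey -> {rot13_value_name: raw_bytes}.
    Returns decoded records, most recent execution first."""
    records = []
    for guid, count_values in values.items():
        for name, raw in count_values.items():
            fields = parse_count_value(raw)
            fields["guid"] = guid
            fields["program"] = decode_name(name)
            records.append(fields)
    records.sort(key=lambda r: r["last_run"] or EPOCH_1601, reverse=True)
    return records


def build_sample_value(run_count, focus_count, focus_ms, last_run):
    """Constructed sample value in the Windows 7+ layout (not real hive data)."""
    return (struct.pack("<IIII", 0, run_count, focus_count, focus_ms)
            + b"\x00" * 44                                   # offsets 16..59
            + struct.pack("<Q", datetime_to_filetime(last_run))
            + b"\x00" * 4)                                   # padding to 72 bytes


# Constructed sample: two entries as they could appear in NTUSER.DAT
SAMPLE_VALUES = {
    GUID_EXE: {
        codecs.encode("C:\\Windows\\System32\\mspaint.exe", "rot_13"):
            build_sample_value(7, 3, 125_000,
                               datetime(2024, 3, 1, 12, 0, 0, tzinfo=timezone.utc)),
    },
    GUID_LNK: {
        codecs.encode("Microsoft.Windows.Explorer", "rot_13"):
            build_sample_value(42, 10, 900_000,
                               datetime(2024, 3, 2, 8, 30, 0, tzinfo=timezone.utc)),
    },
}

if __name__ == "__main__":
    for rec in parse_userassist(SAMPLE_VALUES):
        print(rec["last_run"], rec["run_count"], rec["program"])
```

Sorting on the last-run FILETIME is what lets UserAssist be pivoted against prefetch and Amcache in a timeline; a last-run value of 0 is kept but sorted last rather than treated as an execution time.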
3. What do ShellBags record and where are they stored?
A. Deleted files in the recycle bin; in $Recycle.Bin
B. Folder view preferences (including folders browsed in Windows Explorer); in NTUSER.DAT and UsrClass.DAT
C. Network connections; in the registry's Network key
D. USB connection history; in SYSTEM hive only
Explanation: ShellBags record folder view preferences (view type, sort, position) for every folder the user has opened in Windows Explorer — including network shares, removable media, and cloud storage. They persist in NTUSER.DAT\Software\Microsoft\Windows\Shell\BagMRU/Bags and UsrClass.DAT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU/Bags. They provide evidence of folder access even if the folder has been deleted. Parse with ShellBags Explorer.

4. Which Eric Zimmerman tool parses the $MFT file and produces a CSV of file metadata?
A. RECmd
B. MFTECmd
C. JLECmd
D. EvtxECmd
Explanation: MFTECmd parses the $MFT (and $Boot, $J, $LogFile, $SDS) and outputs CSV suitable for Timeline Explorer. Each row represents an MFT entry with attributes (standard info, filename, data), timestamps ($STANDARD_INFORMATION and $FILE_NAME), size, and flags. It is the standard tool for file-level forensic analysis. RECmd parses registry, JLECmd parses jumplists, EvtxECmd parses event logs.

5. Where are Windows prefetch files stored, and what primary information do they contain?
A. C:\Windows\System32\winevt\Logs; event records
B. C:\Windows\Prefetch; records of program execution including run count, last 8 run times, and files/directories touched
C. C:\Users\<user>\AppData\Local\Temp; temporary data
D. C:\Program Files; application data
Explanation: Prefetch files (.pf) are stored in C:\Windows\Prefetch. On Windows 8 and later, each file records the last 8 run times, run count, executable path, and files/directories loaded during the first ~10 seconds. Prefetch is one of the strongest execution artifacts. WinPrefetchView and PECmd parse .pf files.

6. Which Chrome SQLite database contains browser history?
A. Cookies
B. History
C. Login Data
D. Web Data
Explanation: Chrome's History SQLite database (in %LOCALAPPDATA%\Google\Chrome\User Data\<Profile>\History) contains URL visits, visit timestamps, visit counts, downloads, and keyword search terms. Cookies contains HTTP cookies, Login Data contains saved passwords, and Web Data stores autofill information. Analysts query History with any SQLite client or use Hindsight / DB Browser for SQLite.

7. Which Firefox SQLite database contains history, bookmarks, and visit details?
A. cookies.sqlite
B. places.sqlite
C. downloads.sqlite
D. formhistory.sqlite
Explanation: Firefox stores history and bookmarks in places.sqlite within the user's Firefox profile directory. The moz_places and moz_historyvisits tables contain URL and visit records. cookies.sqlite holds cookies, downloads.sqlite historically held download metadata (later merged into places.sqlite), and formhistory.sqlite holds form input history.
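Questions 6 and 7 both come down to joining a visits table to a URL table and converting the browser's timestamp epoch. The following added Python example (not code from the page, Hindsight, or any browser project) does that for both Chrome's History database and Firefox's places.sqlite and merges the two into one timeline. The column names follow the real schemas (Chrome `urls`/`visits`, Firefox `moz_places`/`moz_historyvisits`), but the in-memory databases below are constructed with only the columns the queries need, and the visit rows are sample data.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)  # WebKit epoch (Chrome, Chromium Edge)
EPOCH_1970 = datetime(1970, 1, 1, tzinfo=timezone.utc)  # PRTime epoch (Firefox)


def webkit_to_datetime(us: int) -> datetime:
    """Chrome stores visit_time as microseconds since 1601-01-01 UTC."""
    return EPOCH_1601 + timedelta(microseconds=us)


def prtime_to_datetime(us: int) -> datetime:
    """Firefox stores visit_date as microseconds since 1970-01-01 UTC."""
    return EPOCH_1970 + timedelta(microseconds=us)


def datetime_to_webkit(dt: datetime) -> int:
    d = dt - EPOCH_1601
    return (d.days * 86400 + d.seconds) * 1_000_000 + d.microseconds


def datetime_to_prtime(dt: datetime) -> int:
    d = dt - EPOCH_1970
    return (d.days * 86400 + d.seconds) * 1_000_000 + d.microseconds


# Chrome History: each visit row points back to its URL via visits.url = urls.id
CHROME_SQL = """
SELECT urls.url, urls.title, visits.visit_time
FROM visits JOIN urls ON visits.url = urls.id
ORDER BY visits.visit_time
"""

# Firefox places.sqlite: moz_historyvisits.place_id = moz_places.id
FIREFOX_SQL = """
SELECT p.url, p.title, v.visit_date
FROM moz_historyvisits v JOIN moz_places p ON v.place_id = p.id
ORDER BY v.visit_date
"""


def chrome_visits(conn):
    return [("chrome", webkit_to_datetime(t), url, title)
            for url, title, t in conn.execute(CHROME_SQL)]


def firefox_visits(conn):
    return [("firefox", prtime_to_datetime(t), url, title)
            for url, title, t in conn.execute(FIREFOX_SQL)]


def merged_timeline(chrome_conn, firefox_conn):
    """Both browsers' visits on one UTC axis, oldest first."""
    return sorted(chrome_visits(chrome_conn) + firefox_visits(firefox_conn),
                  key=lambda r: r[1])


def build_sample_chrome():
    """Constructed minimal History schema; real files are opened with sqlite3.connect(path)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE urls (id INTEGER PRIMARY KEY, url TEXT, title TEXT,
                           visit_count INTEGER, last_visit_time INTEGER);
        CREATE TABLE visits (id INTEGER PRIMARY KEY, url INTEGER, visit_time INTEGER);
    """)
    t1 = datetime_to_webkit(datetime(2024, 3, 1, 12, 0, 0, tzinfo=timezone.utc))
    t2 = datetime_to_webkit(datetime(2024, 3, 1, 12, 5, 0, tzinfo=timezone.utc))
    conn.execute("INSERT INTO urls VALUES (1, 'https://example.com/', 'Example', 2, ?)", (t2,))
    conn.executemany("INSERT INTO visits VALUES (?, 1, ?)", [(1, t1), (2, t2)])
    return conn


def build_sample_firefox():
    """Constructed minimal places.sqlite schema with one sample visit."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE moz_places (id INTEGER PRIMARY KEY, url TEXT, title TEXT, visit_count INTEGER);
        CREATE TABLE moz_historyvisits (id INTEGER PRIMARY KEY, place_id INTEGER, visit_date INTEGER);
    """)
    t = datetime_to_prtime(datetime(2024, 3, 1, 12, 2, 30, tzinfo=timezone.utc))
    conn.execute("INSERT INTO moz_places VALUES (1, 'https://example.org/docs', 'Docs', 1)")
    conn.execute("INSERT INTO moz_historyvisits VALUES (1, 1, ?)", (t,))
    return conn


if __name__ == "__main__":
    for browser, when, url, title in merged_timeline(build_sample_chrome(), build_sample_firefox()):
        print(when.isoformat(), browser, url, title)
```

Work from a copy of the database files, never the live profile: Chrome keeps History locked while running, and a `History-journal` or `places.sqlite-wal` file beside the database can hold visits not yet written to the main file.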
8. Which Edge (Chromium-based) database primarily holds cached web content?
A. History
B. WebCache
C. Cookies
D. Favicons
Explanation: Modern Chromium-based Edge stores cached web content under %LOCALAPPDATA%\Microsoft\Edge\User Data\<Profile>\Cache and various data_N files. The legacy IE/Edge pre-Chromium used WebCacheV01.dat (an ESE database) to store history and cached content — 'WebCache' is a shorthand for that legacy store and remains relevant on legacy systems. ESEDatabaseView parses the ESE format.

9. Which artifact stores compatibility database cache entries that record executed binaries and is a key execution indicator?
A. Amcache.hve
B. NTUSER.DAT
C. UsrClass.DAT
D. SAM
Explanation: Amcache.hve (in C:\Windows\AppCompat\Programs\Amcache.hve) contains extensive metadata about executables run on the system: SHA-1 of the binary (first 31MB), file path, publisher, and timestamps. AmcacheParser by Eric Zimmerman produces CSVs for Timeline Explorer. On modern Windows, Amcache is one of the most important execution artifacts, complementing shimcache.

10. Which registry value contains AppCompatCache (shimcache) data?
A. HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache\AppCompatCache
B. HKCU\Software\Microsoft\Windows\CurrentVersion\Run
C. HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths
D. HKCU\Software\Microsoft\Office
Explanation: AppCompatCache (shimcache) is stored at HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache\AppCompatCache. It holds recent binary execution metadata — path, size, timestamps, and an 'Executed' flag on older Windows. Shimcache survives reboots and is a critical execution artifact, though presence in shimcache on modern Windows does not always guarantee actual execution. AppCompatCacheParser extracts it.

About the GCFE Exam

The GIAC Certified Forensic Examiner (GCFE) validates practical skills in Windows forensic examination. It covers registry analysis, browser artifacts, email forensics, cloud storage artifacts, timeline analysis, deleted file recovery, and interpretation of core Windows artifacts such as prefetch, shellbags, jumplists, LNK files, $MFT, USN journal, Amcache, shimcache, and VSS. Based on SANS FOR500.

  • Questions: 82 scored questions
  • Time Limit: 180 minutes
  • Passing Score: 71%
  • Exam Fee: $979 (GIAC (SANS) / ProctorU)

GCFE Exam Content Outline

  • Windows Registry Forensics (15%): SAM, SYSTEM, SOFTWARE, SECURITY, NTUSER.DAT, and UsrClass.DAT hives; RunMRU, TypedPaths, RecentDocs, UserAssist, MUICache; shellbags; interpreting timestamps; and tools like RECmd, Registry Explorer, and ShellBags Explorer
  • Core Windows Artifacts (15%): Prefetch and Superfetch, $MFT, $LogFile, $UsnJrnl, LNK files, jumplists, Amcache.hve, AppCompatCache (shimcache), SRUM, Windows Search index, Windows Event Log (EVTX), and ETW traces
  • Browser and Email Forensics (12%): Chrome History/Cookies/Cache/LocalStorage, Firefox places.sqlite, Edge WebCache, InPrivate/Incognito remnants, MSG/EML parsing, PST/OST (Outlook), MIME headers, and webmail artifacts
  • Cloud Storage and Synchronization Artifacts (10%): OneDrive (SyncDiagnostics, CentralTable.accdb, DriveItem cache), Google Drive (snapshot.db, cloud_graph.db), Dropbox (dbx-files), Box, iCloud, and user action reconstruction from sync logs
  • Deleted File Recovery and File System Analysis (10%): NTFS internals, $MFT entry structure, resident vs non-resident attributes, file slack, carving with PhotoRec and Scalpel, and recovering deleted files and directories
  • Timeline and Super-Timeline Analysis (12%): Plaso/log2timeline, psort, pinfo, super-timeline creation, CyberChef, EvtxECmd, Timeline Explorer, anti-forensics detection, and pivoting across artifacts
  • Triage and Collection (10%): KAPE targets/modules, Velociraptor, FTK Imager, dc3dd, write blockers, chain of custody, Volume Shadow Copies (VSS), and live response vs dead-box acquisition
  • Eric Zimmerman Tool Suite (10%): RECmd, Registry Explorer, JLECmd, LECmd, AmcacheParser, AppCompatCacheParser, EvtxECmd, MFTECmd, ShellBags Explorer, SrumECmd, and Timeline Explorer usage and output
  • Legal, Chain of Custody and Reporting (6%): Hash verification (MD5/SHA-1/SHA-256), chain of custody, evidence handling, report writing, expert testimony basics, and defensible examination procedures

How to Pass the GCFE Exam

What You Need to Know

  • Passing score: 71%
  • Exam length: 82 questions
  • Time limit: 180 minutes
  • Exam fee: $979

Keys to Passing

  • Complete 500+ practice questions
  • Score 80%+ consistently before scheduling
  • Focus on highest-weighted sections
  • Use our AI tutor for tough concepts

GCFE Study Tips from Top Performers

1. Master registry hive locations and what each hive stores (SAM, SYSTEM, SOFTWARE, SECURITY, NTUSER.DAT, UsrClass.DAT)
2. Know the UserAssist, RunMRU, TypedPaths, RecentDocs, ShellBags, and MUICache keys by heart
3. Understand NTFS internals: $MFT entry structure, resident vs non-resident, $UsnJrnl, $LogFile
4. Memorize prefetch, Amcache, and shimcache purposes and differences (execution evidence)
5. Practice with every Eric Zimmerman tool — RECmd, MFTECmd, EvtxECmd, JLECmd, LECmd, ShellBags Explorer, Timeline Explorer
6. Learn how to build a super-timeline with log2timeline/plaso and analyze it in Timeline Explorer
7. Know OneDrive, Google Drive, and Dropbox artifact locations for cloud sync reconstruction
8. Understand browser artifact paths and schemas for Chrome, Firefox, and Edge
9. Practice hash verification (MD5/SHA-1/SHA-256) and chain of custody documentation
10. Build a printed, tabbed, indexed reference book — GIAC exams are open book and the index is your speed advantage
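For tip 9, hash verification is the step that makes everything downstream defensible: the examiner recomputes MD5, SHA-1 and SHA-256 over the working copy and compares them with the digests recorded at acquisition. The following added Python example (not code from the page or from any imaging tool) computes all three in a single pass over the evidence so a large image is read only once, compares the result against an acquisition record, and emits a custody entry. The "acquisition record" below is constructed from the standard test-vector digests of the string "abc", not from a real case.

```python
import hashlib
import io
from datetime import datetime, timezone

CHUNK = 1024 * 1024                     # read 1 MiB at a time; images do not fit in memory
ALGORITHMS = ("md5", "sha1", "sha256")  # the three digests GCFE expects you to verify


def hash_stream(fileobj) -> dict:
    """One pass over the evidence; every digest is updated from the same chunk."""
    hashers = {name: hashlib.new(name) for name in ALGORITHMS}
    while True:
        chunk = fileobj.read(CHUNK)
        if not chunk:
            break
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def hash_bytes(data: bytes) -> dict:
    return hash_stream(io.BytesIO(data))


def hash_file(path: str) -> dict:
    with open(path, "rb") as f:
        return hash_stream(f)


def verify(actual: dict, expected: dict):
    """Compare computed digests with the acquisition record.
    Returns (ok, mismatches); algorithms absent from the record are not checked,
    so a record carrying only an MD5 still verifies but offers weaker assurance."""
    mismatches = [name for name in ALGORITHMS
                  if name in expected and expected[name].lower() != actual[name]]
    return (not mismatches), mismatches


def custody_record(item_id: str, description: str, actual: dict,
                   expected: dict, examiner: str) -> dict:
    """Chain-of-custody entry: who verified what, when, and whether it matched."""
    ok, bad = verify(actual, expected)
    return {
        "item": item_id,
        "description": description,
        "examiner": examiner,
        "verified_at": datetime.now(timezone.utc).isoformat(),
        "hashes": actual,
        "matches_acquisition": ok,
        "mismatched": bad,
    }


# Constructed acquisition record: these are the published digests of b"abc",
# standing in for the hashes an imaging tool would have written at collection time.
SAMPLE_EVIDENCE = b"abc"
SAMPLE_ACQUISITION_RECORD = {
    "md5": "900150983cd24fb0d6963f7d28e17f72",
    "sha1": "a9993e364706816aba3e25717850c26c9cd0d89d",
    "sha256": "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad",
}

if __name__ == "__main__":
    digests = hash_bytes(SAMPLE_EVIDENCE)
    entry = custody_record("ITEM-0001 (constructed)", "sample evidence bytes",
                           digests, SAMPLE_ACQUISITION_RECORD, "examiner (placeholder)")
    print(entry)
```

For a real image, call `hash_file()` on the working copy and keep the returned record with the case notes; a mismatch on any single algorithm means the copy is not the acquired evidence, regardless of the others matching.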

Frequently Asked Questions

What is the GIAC GCFE exam format?

The GCFE exam consists of 82 questions with a 180-minute (3-hour) time limit. The passing score is 71%. It includes multiple choice and may include CyberLive hands-on practical items. Like other GIAC exams, GCFE is open book — printed notes and indexes are permitted. It is delivered via ProctorU remotely or Pearson VUE onsite.

How does GCFE compare to GCFA?

GCFE focuses on Windows forensic examination and e-discovery-style artifact analysis — it is ideal for examiners supporting investigations, HR matters, and incident triage. GCFA goes deeper into advanced incident response, memory forensics, and APT hunting. Many candidates take GCFE first and then GCFA as their skills advance.

What tools are emphasized in GCFE?

Core tools include the Eric Zimmerman suite (RECmd, Registry Explorer, KAPE, EvtxECmd, MFTECmd, JLECmd, LECmd, AmcacheParser, AppCompatCacheParser, SrumECmd, ShellBags Explorer, Timeline Explorer), Plaso/log2timeline, Autopsy, FTK Imager, PhotoRec/Scalpel, and CyberChef. Candidates should also understand Volatility for context with memory-touching questions.

Is GCFE open book?

Yes — GCFE is open book. Candidates are permitted to bring printed notes and reference binders. Building a tabbed and indexed reference is a critical part of preparation. No electronic devices are allowed during the exam.

What are the GCFE renewal requirements?

GCFE is valid for 4 years. Renewal requires 36 CPE credits or retesting, plus a renewal fee ($479 as of 2026). CPEs can be earned through SANS training, publishing research, conference attendance, and relevant forensic work experience.

How long should I study for GCFE?

Plan for 100-150 hours of study over 6-10 weeks. Most candidates complete SANS FOR500 (6 days). Heavy hands-on practice with the Eric Zimmerman tools and a sample Windows disk image is essential. Build a printed, tabbed reference with registry keys, artifact locations, and tool command-line syntax.

What jobs can I get with GCFE certification?

GCFE qualifies you for forensic examiner and DFIR roles: Digital Forensic Examiner ($85,000-130,000), Incident Response Analyst ($85,000-125,000), eDiscovery Analyst ($80,000-115,000), Cyber Crime Investigator ($85,000-130,000), and Forensic Consultant ($95,000-145,000). GCFE is DoD 8570/8140 approved for CSSP Analyst roles.