- GCFA Exam Domain Overview
- Exam Format and Question Mechanics
- Domain 1: Analyzing Volatile Malicious Event Artifacts
- Domain 2: Analyzing Volatile Windows Event Artifacts
- Domain 3: Enterprise Environment Incident Response
- Domain 4: File System Timeline Artifact Analysis
- Domain 5: Identification of Malicious System and User Activity
- Domain 6: Identification of Normal System and User Activity
- Domain 7: Introduction to File System Timeline Forensics
- Domain 8: Introduction to Memory Forensics
- Domain 9: NTFS Artifact Analysis
- Domain 10: Windows Artifact Analysis
- How to Prioritize Study Time Across Domains
- Registration, Fees, and Retake Mechanics
- FAQ
- GCFA covers 10 domains spanning memory, NTFS, timeline, and enterprise IR forensics.
- The exam has 82 questions in 3 hours, mixing knowledge items with CyberLive hands-on tasks.
- Passing score is 71% for versions released on or after March 18, 2023.
- Certification attempts must finish within 120 days of activation, so plan study before you register.
GCFA Exam Domain Overview
The GIAC Certified Forensic Analyst credential is built around ten distinct content areas, and understanding how they fit together is the single biggest factor separating candidates who pass comfortably from those who scrape by or fail. Unlike certifications that test a shallow layer of terminology, GCFA domains require you to interpret real artifacts: memory dumps, NTFS metadata, Windows event logs, and file system timelines that mirror what you'd encounter during an actual enterprise incident.
This guide breaks down all ten domains in the order GIAC presents them, explains what each one actually tests, and shows how they interlock during a real investigation. If you're earlier in your research, our companion piece on what GCFA certification actually is covers the credential's purpose and audience in more depth. This article assumes you already know the basics and want the domain-level detail needed to build a study plan.
Exam Format and Question Mechanics
Before diving into content, it helps to understand how the domains are actually tested. The GCFA exam consists of 82 questions delivered over 3 hours, and it is open-book and open-notes - you're allowed reference material, but the exam is timed tightly enough that disorganized notes will cost you minutes you don't have. The exam includes CyberLive hands-on lab tasks in addition to standard knowledge questions, meaning some items require you to actually manipulate forensic tools or interpret live artifact output rather than just select a multiple-choice answer.
You can sit for the exam via remote proctoring or onsite through Pearson VUE. The passing score is 71% for exam versions released on or after March 18, 2023. For a deeper breakdown of what makes the exam difficult in practice - time pressure, artifact ambiguity, and CyberLive tasks specifically - see our full analysis of how hard the GCFA exam really is.
Domain 1: Analyzing Volatile Malicious Event Artifacts
This domain builds directly on memory forensics fundamentals and asks you to identify indicators of compromise within volatile data - process injection, hidden processes, malicious network connections, and code injection techniques captured in a memory image.
- Recognizing process hollowing and DLL injection signatures in memory
- Identifying rogue or masquerading processes by comparing parent-child relationships
- Correlating network artifacts in memory with known malicious behavior patterns
Candidates often underestimate how much interpretation this domain demands. It's not enough to recognize a tool's output; you need to explain why a given process tree or memory structure indicates malicious activity rather than benign system behavior. Our dedicated breakdown of this content area, Domain 1: Analyzing Volatile Malicious Event Artifacts, walks through specific tool workflows and common exam traps.
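The parent-child check in the second bullet is the kind of interpretation this domain expects, and it only works against a baseline of what normal Windows process ancestry looks like (the Domain 6 skill). The following is an added example, not code from the original page or from GIAC course material: it encodes a small table of expected parents and image paths for core Windows processes and runs it over a constructed process listing shaped like what a memory-forensics process list reports (PID, PPID, name, image path). The baseline values are assumptions for a modern 64-bit Windows client; the listing is constructed, not taken from a real image.

```python
import difflib
from dataclasses import dataclass


@dataclass(frozen=True)
class Proc:
    """One row of a process listing recovered from memory (constructed shape)."""
    pid: int
    ppid: int
    name: str
    path: str


# Assumed baseline: expected parent (by name) for core Windows processes.
EXPECTED_PARENT = {
    "smss.exe": "system",
    "csrss.exe": "smss.exe",
    "wininit.exe": "smss.exe",
    "winlogon.exe": "smss.exe",
    "services.exe": "wininit.exe",
    "lsass.exe": "wininit.exe",
    "svchost.exe": "services.exe",
    "explorer.exe": "userinit.exe",
}
# Assumed baseline: expected on-disk image path for the same processes.
EXPECTED_PATH = {
    "smss.exe": r"c:\windows\system32\smss.exe",
    "csrss.exe": r"c:\windows\system32\csrss.exe",
    "wininit.exe": r"c:\windows\system32\wininit.exe",
    "winlogon.exe": r"c:\windows\system32\winlogon.exe",
    "services.exe": r"c:\windows\system32\services.exe",
    "lsass.exe": r"c:\windows\system32\lsass.exe",
    "svchost.exe": r"c:\windows\system32\svchost.exe",
    "explorer.exe": r"c:\windows\explorer.exe",
}
# Normal case: the session-level smss.exe and userinit.exe exit after spawning
# these, so their PPID points at a process that is no longer in the listing.
PARENT_MAY_BE_GONE = {"csrss.exe", "wininit.exe", "winlogon.exe", "explorer.exe"}


def check_process_tree(procs):
    """Return (pid, reason) findings for processes that deviate from the baseline."""
    by_pid = {p.pid: p for p in procs}
    findings = []
    for p in procs:
        name = p.name.lower()
        if name in EXPECTED_PARENT:
            parent = by_pid.get(p.ppid)
            if parent is None:
                if name not in PARENT_MAY_BE_GONE:
                    findings.append((p.pid, f"{p.name}: parent PID {p.ppid} not in listing"))
            elif parent.name.lower() != EXPECTED_PARENT[name]:
                findings.append((p.pid, f"{p.name}: parent is {parent.name}, "
                                        f"expected {EXPECTED_PARENT[name]}"))
            if p.path.lower() != EXPECTED_PATH[name]:
                findings.append((p.pid, f"{p.name}: image path {p.path} differs "
                                        f"from {EXPECTED_PATH[name]}"))
        else:
            # Masquerading check: a name that is nearly, but not exactly, a system
            # process name (one-character swaps) is worth a closer look.
            close = difflib.get_close_matches(name, list(EXPECTED_PARENT), n=1, cutoff=0.85)
            if close:
                findings.append((p.pid, f"{p.name}: name resembles system process {close[0]}"))
    return findings


# Constructed sample listing (not from a real memory image).
SAMPLE = [
    Proc(4, 0, "System", ""),
    Proc(368, 4, "smss.exe", r"C:\Windows\System32\smss.exe"),
    Proc(496, 480, "csrss.exe", r"C:\Windows\System32\csrss.exe"),      # PPID 480 exited
    Proc(560, 480, "wininit.exe", r"C:\Windows\System32\wininit.exe"),  # PPID 480 exited
    Proc(640, 560, "services.exe", r"C:\Windows\System32\services.exe"),
    Proc(652, 560, "lsass.exe", r"C:\Windows\System32\lsass.exe"),
    Proc(812, 640, "svchost.exe", r"C:\Windows\System32\svchost.exe"),
    Proc(2104, 1980, "explorer.exe", r"C:\Windows\explorer.exe"),       # userinit exited
    Proc(3300, 2104, "cmd.exe", r"C:\Windows\System32\cmd.exe"),
    Proc(3412, 3300, "svchost.exe", r"C:\Users\Public\svchost.exe"),     # wrong parent and path
    Proc(3520, 2104, "scvhost.exe", r"C:\Users\Public\scvhost.exe"),     # lookalike name
]

if __name__ == "__main__":
    for pid, reason in check_process_tree(SAMPLE):
        print(f"PID {pid}: {reason}")
```

The listing deliberately includes the two "parent is missing" cases that are normal on Windows, so the check stays quiet on them; this is exactly the kind of benign explanation Domain 6 expects you to rule out before calling a process tree malicious.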
Domain 2: Analyzing Volatile Windows Event Artifacts
Where Domain 1 focuses on malicious indicators broadly, Domain 2 narrows specifically to Windows-native volatile artifacts - registry hives loaded in memory, handles, network state tables, and command-line history captured before a system is powered down. This domain tests your ability to reconstruct what a user or attacker was doing on a live Windows host at the moment of capture.
- Interpreting in-memory registry structures and loaded hive artifacts
- Extracting command history and console buffer contents from volatile memory
- Mapping network connection state to running processes for lateral movement evidence
For a full artifact-by-artifact walkthrough, review Domain 2: Analyzing Volatile Windows Event Artifacts, which pairs each artifact type with the tools most commonly referenced on the exam.
Domain 3: Enterprise Environment Incident Response
This is the domain that ties technical artifact analysis to organizational process. It tests your understanding of incident response lifecycle stages at enterprise scale - containment decisions, evidence preservation across distributed systems, and coordinating investigation activities without disrupting business operations.
- Scoping an investigation across multiple hosts and network segments
- Chain-of-custody requirements when collecting evidence remotely
- Balancing containment speed against evidence preservation
This is the domain most likely to reward candidates who've actually worked an incident response engagement rather than only studied theory. If you haven't run a live IR case, spend extra time here - our detailed guide, Domain 3: Enterprise Environment Incident Response, includes scenario-style practice that mirrors the exam's approach.
Domain 4: File System Timeline Artifact Analysis
Timeline analysis is a recurring theme across multiple GCFA domains, and Domain 4 tests the applied side: taking timeline data generated from file system metadata and using it to answer investigative questions like "when was this file first accessed" or "what sequence of events preceded this compromise." This domain assumes fluency with the concepts introduced in Domain 7 (covered below) and pushes into practical timeline interpretation.
- Reading super timelines built from multiple artifact sources
- Identifying timestamp anomalies that suggest anti-forensic timestomping
- Sequencing events across file creation, modification, and access timestamps
See Domain 4: File System Timeline Artifact Analysis for worked examples showing how examiners build and read these timelines under exam time constraints.
Domain 5: Identification of Malicious System and User Activity
This domain sits at the intersection of everything else - it asks you to synthesize artifacts from memory, disk, and logs to determine whether a specific pattern of activity is malicious. Expect scenario questions that present several artifacts together and ask you to conclude what happened.
- Distinguishing persistence mechanisms from legitimate startup configurations
- Identifying lateral movement evidence across authentication and network logs
- Recognizing data staging and exfiltration indicators in file system artifacts
Domain 6: Identification of Normal System and User Activity
Domain 6 is the mirror image of Domain 5, and it's frequently underestimated. Knowing what's malicious is only half the skill - a competent forensic analyst also needs to confidently rule out benign explanations, because false positives waste investigation time and damage credibility with stakeholders. This domain tests your baseline knowledge of how Windows systems and typical users behave under normal operation.
- Understanding routine Windows update, patching, and scheduled task behavior
- Recognizing normal application installation and uninstallation artifact patterns
- Distinguishing legitimate administrative tool usage from attacker tool usage
Key Takeaway
Study Domains 5 and 6 together, not separately. Every exam scenario that tests "is this malicious" implicitly requires you to know what "normal" looks like first - build comparison notes side by side rather than studying each domain in isolation.
Domain 7: Introduction to File System Timeline Forensics
This is the conceptual foundation for timeline work, distinct from Domain 4's applied focus. Domain 7 tests your understanding of how timelines are constructed in the first place: which metadata sources feed a timeline, how different file systems record time information, and what limitations exist in timeline accuracy.
- Understanding MACB timestamp categories and what triggers each one
- Knowing which artifact sources contribute to a comprehensive super timeline
- Recognizing the limitations of timeline evidence as a standalone source of truth
Domain 8: Introduction to Memory Forensics
Domain 8 lays the groundwork that Domains 1 and 2 build upon. It covers the fundamentals of volatile memory structure, acquisition methods, and the basic analysis workflow used to examine a memory image before diving into malicious-artifact-specific analysis.
- Memory acquisition methods and their impact on evidence integrity
- Process listing, DLL enumeration, and handle table fundamentals
- Understanding memory structure well enough to know where specific artifacts live
Because CyberLive tasks often require live tool interaction, this domain rewards hands-on lab repetition far more than passive reading. If your background is light on memory forensics, this is a domain worth revisiting multiple times using our GCFA study guide for a structured practice sequence.
Domain 9: NTFS Artifact Analysis
NTFS is the file system underpinning the vast majority of Windows forensic investigations, and Domain 9 tests deep, structural knowledge of it - not just "what NTFS is" but how to extract investigative value from its internal record-keeping.
- Master File Table (MFT) structure and record interpretation
- $LogFile and $UsnJrnl analysis for reconstructing file system activity
- Alternate data streams and their forensic and anti-forensic implications
- Recovering deleted file metadata from NTFS structures
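Domain 7's MACB timestamp categories, Domain 4's timestomping anomalies, and Domain 9's MFT record interpretation all meet in one practical check: comparing the $STANDARD_INFORMATION (SI) timestamps of an MFT record with its $FILE_NAME (FN) timestamps. SI times can be set from user mode through ordinary file APIs, while FN times are maintained by the NTFS driver, so SI values that predate FN or that have been truncated to whole seconds are leads worth running down. The following is an added example, not code from the original page or from GIAC course material; the records are constructed to look like parsed MFT output (one entry per file with four SI and four FN timestamps in 100-nanosecond precision) and are not from a real volume.

```python
import calendar
from datetime import datetime

TICKS_PER_SEC = 10_000_000  # NTFS stores time in 100 ns units


def parse_ts(text):
    """Parse 'YYYY-MM-DDTHH:MM:SS.fffffff' (UTC) into 100 ns ticks since the Unix epoch."""
    base, _, frac = text.partition(".")
    dt = datetime.strptime(base, "%Y-%m-%dT%H:%M:%S")
    ticks = int((frac + "0000000")[:7]) if frac else 0
    return calendar.timegm(dt.timetuple()) * TICKS_PER_SEC + ticks


def macb(m, a, c, b):
    """Build one MACB set: Modified, Accessed, entry Changed (MFT), Born (created)."""
    return {"M": parse_ts(m), "A": parse_ts(a), "C": parse_ts(c), "B": parse_ts(b)}


def find_timestomp_indicators(records):
    """Return (path, reason) leads for records whose SI times look manipulated.

    Each heuristic is a lead, not proof: files extracted from ZIP archives or copied
    from FAT media can legitimately carry whole-second timestamps, and restored
    backups can legitimately have SI creation earlier than FN creation.
    """
    findings = []
    for rec in records:
        si, fn = rec["si"], rec["fn"]
        # 1. SI creation before FN creation: FN is written by the kernel when the
        #    record is created, so a user-settable SI value predating it is odd.
        if si["B"] < fn["B"]:
            findings.append((rec["path"], "SI creation predates FN creation"))
        # 2. All SI timestamps on whole-second boundaries while FN keeps a fractional
        #    part: typical when times are set through an API with second resolution.
        si_whole = all(v % TICKS_PER_SEC == 0 for v in si.values())
        fn_frac = any(v % TICKS_PER_SEC != 0 for v in fn.values())
        if si_whole and fn_frac:
            findings.append((rec["path"], "SI timestamps truncated to whole seconds"))
    return findings


# Constructed sample records (not from a real MFT). Note the third entry: a copied
# file whose SI modified time is earlier than its SI created time. That ordering
# is normal for copies and must not be flagged.
SAMPLE = [
    {"path": r"C:\Windows\System32\drivers\etc\hosts",
     "si": macb("2022-05-10T08:00:00.1234567", "2023-01-04T12:30:15.0001234",
                "2022-05-10T08:00:00.1234567", "2022-05-10T08:00:00.1234567"),
     "fn": macb("2022-05-10T08:00:00.1234567", "2022-05-10T08:00:00.1234567",
                "2022-05-10T08:00:00.1234567", "2022-05-10T08:00:00.1234567")},
    {"path": r"C:\Users\Public\update.exe",
     "si": macb("2019-01-01T00:00:00", "2019-01-01T00:00:00",
                "2019-01-01T00:00:00", "2019-01-01T00:00:00"),
     "fn": macb("2024-02-12T14:03:11.5550001", "2024-02-12T14:03:11.5550001",
                "2024-02-12T14:03:11.5550001", "2024-02-12T14:03:11.5550001")},
    {"path": r"C:\Temp\report.docx",
     "si": macb("2023-11-20T09:12:44.7654321", "2024-03-01T16:45:02.1112223",
                "2024-03-01T16:45:02.1112223", "2024-03-01T16:45:02.1112223"),
     "fn": macb("2024-03-01T16:45:02.1112223", "2024-03-01T16:45:02.1112223",
                "2024-03-01T16:45:02.1112223", "2024-03-01T16:45:02.1112223")},
]

if __name__ == "__main__":
    for path, reason in find_timestomp_indicators(SAMPLE):
        print(f"{path}: {reason}")
```

The copied-file record is included on purpose: "modified before created" in SI is what a copy operation normally produces, and treating it as an anomaly is one of the false positives Domain 6 warns about. On a real case the two leads that do fire would be corroborated against $UsnJrnl and $LogFile entries for the same record rather than reported on their own.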
Domain 10: Windows Artifact Analysis
This domain is broad by design, covering the Windows-specific artifacts that don't fall neatly under NTFS or memory forensics: registry keys, event logs, prefetch files, shellbags, LNK files, and jump lists. Because Windows generates so many artifact types, this domain has some of the widest topic coverage on the exam.
- Registry artifacts revealing user activity, USB device history, and program execution
- Windows Event Log analysis for authentication, process creation, and service events
- Prefetch, shellbags, and LNK files as evidence of file and folder access
Given its breadth, this domain often takes the longest to fully cover during study. Treat it as several mini-topics rather than one block, and cross-reference it constantly with Domains 5 and 6 since so many Windows artifacts require normal-versus-malicious judgment calls.
How to Prioritize Study Time Across Domains
GIAC doesn't publish exact per-domain question weighting, so the safest approach is treating all ten domains as exam-relevant while allocating extra hours to the domains with the broadest scope and heaviest hands-on demands: Domain 10 (breadth of artifacts), Domain 9 (structural depth), and Domain 8 (foundational skill for CyberLive tasks).
Foundations
- Domain 7: Introduction to File System Timeline Forensics
- Domain 8: Introduction to Memory Forensics
Core Artifact Skills
- Domain 9: NTFS Artifact Analysis
- Domain 10: Windows Artifact Analysis
Volatile and Applied Analysis
- Domain 1 and Domain 2: Volatile artifact analysis
- Domain 4: File System Timeline Artifact Analysis
Synthesis and Practice
- Domain 5 and Domain 6: Malicious vs. normal activity
- Domain 3: Enterprise Environment Incident Response
- Full-length practice exams and CyberLive lab drills
This sequencing exists because later domains depend on earlier ones. You can't reliably do Domain 5's malicious-activity identification work without first knowing what normal Windows artifacts look like (Domain 6) and how timelines are constructed (Domain 7). For a more detailed week-by-week plan with resource recommendations, see the full GCFA study guide for 2026.
Registration, Fees, and Retake Mechanics
Domain mastery matters, but so does understanding the logistics around your attempt. The GCFA certification attempt fee is $999, with a retake priced at $899 if you don't pass the first time. Renewal costs $499 every four years, and GIAC also sells an official practice exam for $399 - a resource worth budgeting for given how closely CyberLive tasks mirror real tool usage.
| Item | Cost / Detail |
|---|---|
| Certification Attempt | $999 |
| Retake Attempt | $899 |
| Renewal (every 4 years) | $499, or 36 CPEs |
| Official Practice Exam | $399 |
| Attempt Window | 120 days from activation |
| Passing Score | 71% (versions from March 18, 2023 onward) |
The 120-day activation window is easy to overlook but has real consequences: if you register before your domain knowledge is solid, you're burning down a clock you can't pause. Many candidates make the mistake of registering too early to "force" study discipline - a strategy that backfires when Domains 8 and 9 turn out to need more time than expected. For the complete cost picture including training options, review our GCFA certification cost breakdown.
Once you're certified, the credential opens doors across digital forensics, incident response, and threat hunting roles - our GCFA jobs overview and GCFA salary guide break down where this domain knowledge translates into hiring demand. If you're still deciding whether the investment is worth it relative to your career goals, the GCFA ROI analysis weighs the certification against alternatives.
Before you register, it's also worth testing your domain knowledge against realistic scenario questions rather than flashcards alone. Practicing with question formats similar to what you'll see on exam day - including scenario-based items that blend two or three domains - is one of the most reliable ways to catch weak spots before they cost you the attempt fee. You can start working through domain-aligned practice questions on the GCFA practice test platform to see how your preparation holds up under timed conditions.
Frequently Asked Questions
GIAC does not publish exact per-domain weighting. The safest study strategy treats all ten domains as fully in-scope, with extra time allocated to broader domains like Windows Artifact Analysis and NTFS Artifact Analysis given their wider topic coverage.
Yes. Domain 8 (Introduction to Memory Forensics) is foundational for Domains 1 and 2, which apply memory forensics concepts to malicious and Windows-specific volatile artifacts respectively. Studying them out of order creates gaps.
CyberLive hands-on lab tasks are woven throughout the exam rather than isolated to specific domains. Domains involving tool-based analysis, such as Memory Forensics, NTFS Artifact Analysis, and Windows Artifact Analysis, are the most likely to appear in hands-on format.
There is no formal prerequisite for GCFA, but Domain 3 (Enterprise Environment Incident Response) assumes familiarity with IR lifecycle concepts. Candidates without hands-on IR background should plan extra study time for this domain specifically.
Certification attempts must be completed within 120 days after activation. Given the depth of the ten domains, it's wise to complete most of your domain study before starting that clock rather than after.
- GCFA Domain 1: Analyzing Volatile Malicious Event Artifacts - Complete Study Guide 2026
- GCFA Domain 2: Analyzing Volatile Windows Event Artifacts - Complete Study Guide 2026
- GCFA Domain 3: Enterprise Environment Incident Response - Complete Study Guide 2026
- GCFA Domain 4: File System Timeline Artifact Analysis - Complete Study Guide 2026