
Contrary to its name, the FOR508 index is not merely an alphabetical list of terms found at the back of a textbook. It is a custom, cross-referenced database that you build yourself.

The gold standard strategy for passing the GCFA (associated with FOR508) is the established in the classic cyber paper GIAC Testing by Lesley Carhart The Perfect Index Layout

| Artifact | Path | Forensic Value |
|----------|------|----------------|
| | C:\$MFT | File creation/modification/access/deletion times. |
| Amcache.hve | C:\Windows\appcompat\Programs\Amcache.hve | Program execution, last modified time, SHA1. |
| Shimcache | SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache | Executable path & last modified time (boot time only). |
| Prefetch | C:\Windows\Prefetch\*.pf | Application execution (last 8 runs), loaded DLLs. |
| UserAssist | NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist | GUI program execution count & last run time. |
| Jumplists | %APPDATA%\Microsoft\Windows\Recent\AutomaticDestinations\ | Recent documents/files opened via taskbar. |
| SRUM | C:\Windows\System32\sru\SRUDB.dat | Network usage, application foreground time, energy usage. |
| Event Logs | C:\Windows\System32\winevt\Logs\*.evtx | Security (4624 logon, 4688 process create), Sysmon (if installed). |
| LNK Files | %APPDATA%\Microsoft\Windows\Recent\*.lnk | Last opened file/folder path, MAC times, volume serial. |
| Recycle Bin | C:\$Recycle.bin\S-1-5-...\ | Deleted file original name & path. |

Here’s a feature concept for building a (for the SANS GCFA / Advanced Incident Response & Digital Forensics course):

There is no single "right" way to build your index. The two most successful methods among GCFA holders are the and the Segmented (Book-by-Book) Index.

How to combine multiple logs to create a unified timeline of events.

3. Containment & Remediation

Are you looking to format this index for or Volatility 3 tool syntax?

Highlight tools in one color and key concepts in another.

Once you have your basic index, you can optimize it for peak performance.
