Here's a feature concept for building a FOR508 Index (for the SANS GCFA / Advanced Incident Response & Digital Forensics course):
The goal is to automatically generate a searchable, sortable, and context-aware index of key forensic artifacts, command outputs, timeline events, and evidence sources from the FOR508 course material, labs, and case scenarios.
FOR508 is famous for giant comparison tables (e.g., "Artifact Lifetime" or "Command Line Artifacts by Source"). These tables are gold mines for exam questions. Create a separate mini-index that mirrors the structure of every major table in the books, listing the column headers and row headers with page references.
# Processes with network connections
netstat -ano | findstr EST
Building the Index: The Process
Strategy B: The Segmented Index
You create a separate index for each of the six books. You might also add a "Quick Reference" sheet of common command lines.
Pros:
- Less overwhelming visually
- Helps you locate which book a concept lives in
Cons:
- You must know which book to search first (wastes time if you guess wrong)
Pro Tip: Most successful students use a hybrid. They build a single master index for all concepts, plus a separate "Cheat Sheet" of tables (Timeline Sources, Anti-Forensics Artifacts, Memory Analysis Commands).
Step-by-Step: How to Build Your FOR508 Index (During the Course)
If you wait until the last day of your FOR508 course to build your index, you have already lost. You must build it concurrently with your studying.
Autoruns (Sysinternals)
autorunsc64 -a -c -h -m -s -ct -vt