If you spend 60 seconds searching your index without success, guess the answer, flag it, and move on. The index is a tool, not a crutch.
Most students create a Keyword -> Page mapping. Advanced students also create a Page -> Keyword mapping.
Index tools and workflows, not just facts.
In the high-stakes world of incident response and advanced threat hunting, few credentials carry as much weight as the certification. The gateway to this credential is SANS Institute's FOR508 course: Advanced Incident Response, Threat Hunting, and Digital Forensics.
| Term | Book/Page | Tool/Syntax | Context/Use Case | Cross-Reference |
|------|-----------|-------------|------------------|-----------------|
| | B2, p93 | lnk-parse.py | Network share LNK files show source computer name in VolumeID block | See: Shellbags, Jump Lists |
| Event ID 4656 | B3, p147 | wevtutil qe security /f:text | Handle to an object requested (often used with 4663 for file access) | See: Object Access Auditing |
| MFT Resident vs Non-Resident | B2, p45 | analyzeMFT.py -f $MFT | If data fits within record (resident), it's typically < 700 bytes | See: $DATA attribute |
| YARA Rule "Detect_Rubeus" | B4, p218 | vol -p 4 yarascan --yara-file rule.yar | Scan memory for known offensive tool strings (Rubeus/Mimikatz) | See: windows.malfind |
| Linux .bash_history | B1 - Linux Section | cat ~/.bash_history | Beware of history -c; look for unset HISTFILE in current process memory | See: sysdig |
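As an added example (not from the course or the author of this page), a small Python helper that builds the Keyword -> Page index and the reverse Page -> Keyword index from rows in the table's layout, indexes tool names as keywords too, and follows the See: cross-references. The rows are constructed from the table above plus one invented "Object Access Auditing" entry so that a cross-reference chain exists; its book/page and tool are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample rows in the table's layout: (Term, Book/Page, Tool/Syntax,
# Context, Cross-Reference). The last row is invented so a cross-reference chain exists.
INDEX_ROWS = [
    ("Event ID 4656", "B3, p147", "wevtutil qe security /f:text",
     "Handle to an object requested (often paired with 4663)", "Object Access Auditing"),
    ("MFT Resident vs Non-Resident", "B2, p45", "analyzeMFT.py -f $MFT",
     "Resident data fits in the record, typically < 700 bytes", "$DATA attribute"),
    ("Linux .bash_history", "B1 - Linux Section", "cat ~/.bash_history",
     "Beware of history -c; look for unset HISTFILE in process memory", "sysdig"),
    ("Object Access Auditing", "B3, p140", "auditpol /get /category:*",
     "Constructed entry: confirm auditing was enabled before trusting 4656/4663", "Event ID 4656"),
]

# 'B3, p147' -> book 3, page 147; 'B1 - Linux Section' -> book 1, no page number.
REF_RE = re.compile(r"^B(?P<book>\d+)(?:,\s*p(?P<page>\d+))?")

def parse_ref(ref):
    """Return (book, page) for a Book/Page cell; page is None for section-only refs."""
    m = REF_RE.match(ref.strip())
    if not m:
        raise ValueError(f"unrecognised book/page reference: {ref!r}")
    page = int(m.group("page")) if m.group("page") else None
    return int(m.group("book")), page

def build_index(rows):
    """Build both directions: keyword -> refs (the usual index) and ref -> keywords (the reverse)."""
    keyword_to_page = defaultdict(list)
    page_to_keyword = defaultdict(list)
    for term, ref, tool, _context, _xref in rows:
        book, page = parse_ref(ref)
        key = (book, page if page is not None else ref)  # keep the section label when unpaged
        keyword_to_page[term.lower()].append(ref)
        page_to_keyword[key].append(term)
        # Tools are indexed as keywords too, so 'analyzemft.py' finds the MFT page.
        keyword_to_page[tool.split()[0].lower()].append(ref)
    return dict(keyword_to_page), dict(page_to_keyword)

def follow_xrefs(rows, term):
    """Walk See: cross-references from term; stop at a cycle or an unindexed target."""
    by_term = {row[0]: row for row in rows}
    chain, seen = [], set()
    while term in by_term and term not in seen:
        seen.add(term)
        chain.append(term)
        term = by_term[term][4]
    return chain
```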