Timestomping detection: advanced adversaries actively attempt to cover their tracks, and recognizing anti-forensic techniques such as timestomping is a core skill taught in FOR508.
Use the tylerobara GitLab SANS Indexes repository, which features LaTeX automation scripts specifically configured for FOR508.
You cannot build this index in one day. Start on Day 1 of your course.
Do not trust your memory. If you think, "I know this one; I don't need to index it," you will forget it under exam pressure. Index everything. You can always ignore an entry; you cannot conjure a missing page number.
FOR508 is command-heavy. You need to distinguish between:
| Keyword | Category | Book | Page | Command/Path | Notes |
| :--- | :--- | :--- | :--- | :--- | :--- |
| malfind | Memory Forensics | 4 | 212 | `vol -f mem.dump windows.malfind` | Detects hidden/injected code sections |
| Amcache | Execution Artifacts | 2 | 88 | `C:\Windows\AppCompat\Programs\Amcache.hve` | Tracks program execution, file versions |
| Event ID 4104 | PowerShell | 3 | 301 | `Microsoft-Windows-PowerShell/Operational` | Script block logging (suspicious commands) |