FOR508 Index

Creating an index for FOR508 (Advanced Incident Response, Threat Hunting, and Digital Forensics) is the single most important part of preparing for the GIAC GCFA exam. Because the exam is "open book" but time-limited, your index must act as a high-speed search engine for your physical textbooks.

1. Structure Your Spreadsheet

Not all indexes are created equal. A basic index might list "MFT" with a few page numbers. A good index structures data across multiple dimensions. Here is what you need to include.

| Artifact | Path | Forensic Value |
|----------|------|----------------|
| $MFT | C:\$MFT | File creation/modification/access/deletion times. |
| Amcache.hve | C:\Windows\appcompat\Programs\Amcache.hve | Program execution, last modified time, SHA1. |
| Shimcache | SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache | Executable path & last modified time (boot time only). |
| Prefetch | C:\Windows\Prefetch\*.pf | Application execution (last 8 runs), loaded DLLs. |
| UserAssist | NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist | GUI program execution count & last run time. |
| Jumplists | %APPDATA%\Microsoft\Windows\Recent\AutomaticDestinations\ | Recent documents/files opened via taskbar. |
| SRUM | C:\Windows\System32\sru\SRUDB.dat | Network usage, application foreground time, energy usage. |
| Event Logs | C:\Windows\System32\winevt\Logs\*.evtx | Security (4624 logon, 4688 process create), Sysmon (if installed). |
| LNK Files | %APPDATA%\Microsoft\Windows\Recent\*.lnk | Last opened file/folder path, MAC times, volume serial. |
| Recycle Bin | C:\$Recycle.bin\S-1-5-...\ | Deleted file original name & path. |

The FOR508 exam heavily tests your ability to use tools like: