For508 Index Upd -

| Artifact | Tool / Source | Key Data | FOR508 Section | Red Flag / Use Case |
|----------|---------------|----------|----------------|----------------------|
| $MFT | fls, icat, MFTECmd | Record #, MACB times, filename, size, flags | Module 3 | Find deleted files, timestomping (Born vs Modified mismatch) |
| Event ID 4698 | wevtutil, Get-WinEvent | Scheduled task creation | Module 6 | Persistence – who created task & command line |
| userassist | Registry (NTUSER.dat) | Program execution count & last run time | Module 2 | Identify user-initiated vs background execution |
| netscan | Volatility 3 | Active connections, ports, process PID | Module 5 | C2 beacon detection, unexpected outbound IPs |

There is no single "right" way to build your index. The two most successful methods among GCFA holders are the and the Segmented (Book-by-Book) Index.

The primary goal of a FOR508 index is to eliminate the need to flip through five massive course books manually during a timed exam [1, 11].

The exam is based on the six books, but SANS often references tools.sans.org or specific technique papers. If your instructor mentions a "Cheat Sheet" or "Poster" during the course, index it.