The most effective indices use a simple table format. You can use tools like Excel or Google Sheets to build this before printing a hard copy.

| Term/Topic | Description/Notes |
| --- | --- |
| | Application execution evidence; located in SYSTEM hive. |
| MFT (Master File Table) | Resident vs Non-resident files; $Data attribute details. |
| Amcache.hve | Programs run on the system; includes SHA1 hashes. |
| WMI Eventing | Persistence mechanism; check ROOT\subscription. |

2. High-Priority Categories to Include
Remember: In incident response (and in the GCFA exam), the one with the fastest data retrieval wins. Build your index like a professional investigator, not a student cramming for a test. Good luck.
Most practitioners recommend an alphabetical sort for general topics, but some also maintain a separate Tool Index or Command Index for quick lookups of specific syntax.
SANS allows students to bring "course materials" into the open-book exam. This includes the books, your handwritten notes, and—most importantly—your index. However, no digital devices are allowed. You cannot Ctrl+F a PDF. Therefore, your paper index must be a masterpiece of information architecture.
Add rows for forensic workflows. For example: