Your index is not a transcript. Do not copy entire paragraphs.
Attackers love abusing registry keys. Create a sorted list of every malicious registry key mentioned in FOR508:
Add a 3-5 word summary. This helps you eliminate wrong answers without even opening a book.
If you are pursuing the SANS FOR508 course: Advanced Incident Response, Threat Hunting, and Digital Forensics, you have likely heard one piece of advice repeated ad nauseam by alumni: "Your index will make or break your GCFA exam."
But what exactly is a FOR508 index? Why is it so critical for the Global Certification for Forensic Analysts (GCFA) exam? And most importantly, how do you build one that actually works under the pressure of a 3- to 4-hour proctored exam?
This article is a complete blueprint. We will cover the anatomy of a high-performance index, common indexing mistakes, advanced cross-referencing techniques, and how to use your index as a learning tool rather than just a crutch.
The FOR508 Index is a structured checklist and filing system used to make incident response (IR) reports accessible and compliant with Section 508 and other accessibility best practices. It helps security teams produce findings, evidence, and remediation guidance that a wider audience — including people using assistive technologies — can reliably consume.
Here is what a single page of an excellent FOR508 index looks like:
| Term | Sub-Context / Tool Flag | Book | Page | Quick Tip |
|------|-------------------------|------|------|------------|
| Amcache | File execution (full path) | B2 | 201 | Records execution even if deleted |
| Amcache | vs. Shimcache differences | B2 | 203 | Amcache = Win8+, Shimcache = XP+ |
| Amcache.hve | Registry path | B2 | 199 | C:\Windows\appcompat\Programs\ |
| PECmd | -f (single file) | B3 | 45 | Requires admin for live parsing |
| PECmd | -c (comma-separated output) | B3 | 47 | Use with Timeline Explorer |
| Prefetch | Run count (0-3 format) | B3 | 22 | 0 = run once, 3 = frequent |
| Prefetch | Last run timestamp | B3 | 24 | Based on volume serial number |
| Shimcache | Registry path (System hives) | B3 | 31 | ControlSet00x\Control\Session Manager\AppCompatCache |
| Timeline Analysis | Super Timeline creation | B1 | 89 | Use L2TCmd.exe --body |