SANS FOR508 Index May 2026

Do not passively read the books. Attack them. Build your index as if your GIAC certification depends on it—because it does.

Your final SANS FOR508 Index should fit on 4 pages maximum. Double-sided, 10-point font, landscape orientation.

This inversion allows you to react to the verb of the question, not just the noun. Building the FOR508 index should take you exactly three days. Do not start it before you have read the books once.

If your index is longer than 4 pages, you have not synthesized the information. You are just re-typing the book. The exam is open book, but it is not open-index-too-big-to-read. Let’s look at a real-world entry that would appear in a top-tier FOR508 index:

Look up: First Execution -> See: Book 2, Page 44 (Amcache) / Page 56 (Shimcache).

| Exam Question Trigger | Artifact / Path | Tool / Command | Red Flag / Page |
| :--- | :--- | :--- | :--- |
| "Find process hollowing in memory dump" | N/A - Volatility | `vol -f mem.dmp windows.malfind` | Checks `VadFlags.Protection` = `PAGE_EXECUTE_READWRITE` (B5-p87) |
| "Last time USB was plugged in" | SYSTEM hive: `CurrentControlSet\Enum\USBSTOR` | RegRipper or RECmd | Look for `FriendlyName` and `LastInsertion` time (B2-p112) |
| "Bypass of Autoruns via WMI" | WMI Persistence -> `ActiveScriptEventConsumer` | `wmic` or AutorunsSC | Look for `CommandLineTemplate` containing `powershell` (B6-p45) |

The problem is twofold: and Context .