For508 Index Now
Do not trust your memory. If you think, "I know this one; I don't need to index it," you will forget it under exam pressure. Index everything. You can always ignore an entry; you cannot conjure a missing page number.
| Technique | Detection Method |
|-----------|------------------|
| Timestomping | Compare SI vs FN timestamps (use MFTECmd or AnalyzeMFT). |
| Indirect Execution | WMI, scheduled tasks, COM objects, mshta.exe, regsvr32.exe. |
| Fileless Malware | Detect via PowerShell logging (4104), .NET assembly loads, VBS in registry. |
| Log Clearing | Check Event ID 1102 (audit log cleared), gaps in sequence numbers. |
| Alternate Data Streams | dir /r, streams.exe, Get-Item -Stream *. |
```powershell
# WMI event subscription persistence: list filter-to-consumer bindings
Get-WMIObject -Namespace root\subscription -Class __FilterToConsumerBinding

# Processes with network connections
netstat -ano | findstr EST
```
| Artifact | Tool / Source | Key Data | FOR508 Section | Red Flag / Use Case |
|----------|---------------|----------|----------------|----------------------|
| $MFT | fls, icat, MFTECmd | Record #, MACB times, filename, size, flags | Module 3 | Find deleted files, timestomping (Born vs Modified mismatch) |
| Event ID 4698 | wevtutil, Get-WinEvent | Scheduled task creation | Module 6 | Persistence – who created task & command line |
| userassist | Registry (NTUSER.dat) | Program execution count & last run time | Module 2 | Identify user-initiated vs background execution |
| netscan | Volatility 3 | Active connections, ports, process PID | Module 5 | C2 beacon detection, unexpected outbound IPs |