FOR508 Index Page
This is the standard index: every tool, every artifact, every acronym. You now have 400-500 entries.

Pro tip: do not just list the term. Include a one-line definition. Example: "MFT - Master File Table - Records all files on an NTFS volume. $STANDARD_INFORMATION vs $FILE_NAME."

The magic happens when you cross-reference. This is the secret sauce: you organize your index by the six phases of the SANS IR process (or your own logic). When the exam asks, "What is the most likely indicator of lateral movement?" you don't search the alphabet. You flip to your "Lateral Movement" tab and scan the pre-vetted list of artifacts.

The final volume is typically the "Capstone" exercise. Your index is not a transcript. Do not copy entire paragraphs.
| Tool | Primary Use | Key Command |
|------|-------------|--------------|
| KAPE | Rapid triage + artifact collection | kape.exe --tsource C:\ --tdest E:\output --target !SANS_Triage --module !EZViewer |
| Rekall | Memory analysis (alternative to Volatility) | rekall -f memory.dmp pslist |
| MFTECmd | Parse $MFT to CSV/JSON | MFTECmd.exe -f "C:\$MFT" --csv E:\output |
| EvtxECmd | Parse .evtx logs | EvtxECmd.exe -f Security.evtx --csv . |
| Timeline Explorer | View CSV timelines (pre-built for Plaso) | Load CSV → Filter → Sort by timestamp. |
| Strings | Extract ASCII/Unicode from binary | strings -n 8 memory.dmp > strings.txt |
| PEStudio | Static malware analysis | Load .exe → Check indicators, entropy, sections. |
| Wireshark | PCAP analysis | http.request or tls.handshake filters. |
Enumerate every user's recently opened LNK shortcuts (the Recent folder lives under each profile's AppData\Roaming\Microsoft\Windows):

```powershell
# Recent-items shortcuts record what files each user opened and when
Get-ChildItem -Path 'C:\Users\*\AppData\Roaming\Microsoft\Windows\Recent' -Filter *.lnk -Recurse
```
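Once the shortcuts are collected, the value for an analyst is in the LNK header itself: it carries the target's creation, access and write FILETIMEs and its size as they were when the shortcut was made. The parser below is an added example, not code from the page or from any of the tools listed above; it reads only the fixed 76-byte ShellLinkHeader defined in MS-SHLLINK (the variable-length structures that follow are out of scope here) and runs against a header constructed inline, not a real shortcut from a system.

```python
"""Minimal ShellLinkHeader parser for Windows .lnk files (added example).

Only the fixed 76-byte header is decoded: LinkFlags, target FILETIMEs and
target size. The sample header at the bottom is constructed for the demo.
"""
import struct
from datetime import datetime, timedelta, timezone

HEADER_SIZE = 0x4C
# LinkCLSID 00021401-0000-0000-C000-000000000046 as stored on disk
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
# HeaderSize, CLSID, LinkFlags, FileAttributes, 3x FILETIME, FileSize,
# IconIndex, ShowCommand, HotKey, Reserved1, Reserved2, Reserved3
HEADER_FMT = "<I16sIIQQQIIIHHII"
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

LINK_FLAGS = {
    0x01: "HasLinkTargetIDList",
    0x02: "HasLinkInfo",
    0x04: "HasName",
    0x08: "HasRelativePath",
    0x10: "HasWorkingDir",
    0x20: "HasArguments",
    0x40: "HasIconLocation",
    0x80: "IsUnicode",
}


def filetime_to_datetime(ft):
    """FILETIME (100 ns ticks since 1601-01-01 UTC) to aware datetime; 0 means unset."""
    if ft == 0:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime, used here to build the sample header."""
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def parse_lnk_header(data):
    """Decode the ShellLinkHeader; raise ValueError if the magic does not match."""
    if len(data) < HEADER_SIZE:
        raise ValueError("too short to hold a ShellLinkHeader")
    (hsize, clsid, flags, attrs, ctime, atime, wtime, size,
     icon, show, hotkey, _r1, _r2, _r3) = struct.unpack_from(HEADER_FMT, data, 0)
    if hsize != HEADER_SIZE or clsid != LNK_CLSID:
        raise ValueError("not a shell link: bad HeaderSize or LinkCLSID")
    return {
        "link_flags": [name for bit, name in LINK_FLAGS.items() if flags & bit],
        "file_attributes": attrs,
        "creation_time": filetime_to_datetime(ctime),
        "access_time": filetime_to_datetime(atime),
        "write_time": filetime_to_datetime(wtime),
        "file_size": size,
        "show_command": show,
    }


def build_sample_lnk_header():
    """Constructed sample: a unicode shortcut to a 4096-byte target (not a real LNK)."""
    created = datetime(2024, 1, 15, 10, 30, tzinfo=timezone.utc)
    accessed = datetime(2024, 2, 1, 8, 0, tzinfo=timezone.utc)
    flags = 0x01 | 0x02 | 0x80          # HasLinkTargetIDList | HasLinkInfo | IsUnicode
    return struct.pack(
        HEADER_FMT, HEADER_SIZE, LNK_CLSID, flags, 0x20,
        datetime_to_filetime(created), datetime_to_filetime(accessed),
        datetime_to_filetime(created), 4096, 0, 1, 0, 0, 0, 0,
    )


if __name__ == "__main__":
    for key, value in parse_lnk_header(build_sample_lnk_header()).items():
        print(f"{key:16} {value}")
```

To run it on real evidence, replace the constructed header with `open(path, "rb").read()` for each shortcut returned by the PowerShell line above; the target timestamps come out as UTC, which is the form a timeline tool expects.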