
FOR508 Index [ EXTENDED - 2025 ]

Tracks first execution times, SHA-1 hashes, and uninstalled applications.

The difference between failing and passing the GCFA is rarely about knowledge; it is about speed. The exam is 75-115 questions in 4 hours (or 180 minutes for the proctored version), which gives you roughly 2-3 minutes per question.

Key Content to Include: Stores creation/modification times; used for timestomping detection.
Specific tools or CLI flags mentioned: MFTECmd.exe

"You are investigating a compromised Windows 10 system and find an entry in the Amcache hive. Which of the following volatility plugins would confirm if a process related to that file was injected?"

Every SANS course comes with a rudimentary index at the back of the final book. However, veterans of the Digital Forensics and Incident Response (DFIR) community agree that using it as your primary testing aid is risky.

Tracking attacker movements across the network, C2 communication detection.

An index with 2,000 entries is useless if you haven't categorized them. If you have 30 rows all labeled "Event ID", sort them by ID number (4624, 4688, 5156, etc.), not alphabetically.

The bare minimum. Example: Book 3, p. 45