Terminate malicious C2 processes and block associated IP addresses/domains at the firewall.
The official table of contents is broad, but cruel. For example, the TOC might say "Memory Analysis – Page 450," but on page 450 there are 14 different commands, 3 Volatility plugins, and 5 OS-specific data structures.
Identifying rogue processes and stealthy implants in RAM.
Do not build the index and then let it sit on your desk. Use it while doing the Capture the Flag (CTF) challenges. Every time you solve a lab, mentally note: "Did my index help me? Did I need to look up something that was not in it?"
In the SANS FOR508 course, a personalized index is considered your most critical asset for passing the GIAC Certified Forensic Analyst (GCFA) exam.
| Tool | Primary Use | Key Command |
|------|-------------|-------------|
| | Rapid triage + artifact collection | kape.exe --tsource C:\ --tdest E:\output --targets !SANS_Triage --module !EZViewer |
| Rekall | Memory analysis (alternative to Volatility) | rekall -f memory.dmp pslist |
| MFTECmd | Parse $MFT to CSV/JSON | MFTECmd.exe -f "\$MFT" --csv E:\output |
| EvtxECmd | Parse .evtx logs | EvtxECmd.exe -f Security.evtx --csv . |
| Timeline Explorer | View CSV timelines (pre-built for Plaso) | Load CSV → Filter → Sort by timestamp. |
| Strings | Extract ASCII/Unicode strings from a binary | strings -n 8 memory.dmp > strings.txt |
| PEStudio | Static malware analysis | Load .exe → Check indicators, entropy, sections. |
| Wireshark | PCAP analysis | http.request or tls.handshake display filters. |
Force global password resets across all compromised domains.
Some professionals use condensed guides like "The Little Handbook of Windows Forensics" by Andrea Fortuna as a secondary index.
Sorting by "Artifact Type" (Execution, Persistence, File System) to help during lateral movement investigations.

The Philosophy of Construction
| Command (Vol 3) | Purpose |
|-----------------|---------|
| windows.pslist | List processes by walking the active process list (rootkits can hide from it). |
| windows.psscan | Find unlinked or terminated processes by scanning for process structures. |
| windows.cmdline | Process command-line arguments (TTPs). |
| windows.netscan | Network connections and listening ports. |
| windows.malfind | Detect injected code (e.g. PAGE_EXECUTE_READWRITE regions). |
| windows.hollowprocesses | Detect process hollowing. |
| windows.modscan | Loaded kernel drivers (rootkits). |
| windows.handles | Open file handles, mutexes, registry keys. |