FOR508 Index Jun 2026

By investing time in building a robust index, you turn a daunting open-book exam into a manageable, high-efficiency task, greatly increasing your chances of earning the GCFA certification.

When the exam asks, "What is the most likely indicator of lateral movement?" you don't search the alphabet. You flip to your "Lateral Movement" tab and scan the pre-vetted list of artifacts.

| Term | Sub-Context / Tool Flag | Book | Page | Quick Tip |
|------|-------------------------|------|------|------------|
| Amcache | File execution (full path) | B2 | 201 | Records execution even if deleted |
| Amcache | vs. Shimcache differences | B2 | 203 | Amcache = Win8+, Shimcache = XP+ |
| Amcache.hve | Registry path | B2 | 199 | C:\Windows\appcompat\Programs\ |
| PECmd | -f (single file) | B3 | 45 | Requires admin for live parsing |
| PECmd | -c (comma-separated output) | B3 | 47 | Use with Timeline Explorer |
| Prefetch | Run count (0-3 format) | B3 | 22 | 0 = run once, 3 = frequent |
| Prefetch | Last run timestamp | B3 | 24 | Based on volume serial number |
| Shimcache | Registry path (System hives) | B3 | 31 | ControlSet00x\Control\Session Manager\AppCompatCache |
| Timeline Analysis | Super Timeline creation | B1 | 89 | Use L2TCmd.exe --body |

Do not buy a pre-made index. Do not borrow a friend's. The process of creating your own FOR508 index—painful and tedious as it may be—forces you to engage with the material in a way that passive reading never will.

Contains standard file timestamps used by Windows Explorer. These are easily modified by user-space utilities (timestomping).

Tracks executables to ensure backward compatibility. It records file paths and modification times, serving as an excellent inventory of what has executed on a system.