├── README.md
├── for500-concordance.txt
├── for508-concordance.txt
├── for572-concordance.txt
├── for585-concordance.txt
└── for610-concordance.txt

/README.md:
--------------------------------------------------------------------------------
# concordance
Term concordances for each course in the SANS DFIR curriculum. Used for automated index generation.

## Background
To allow index generation, a list of words (called a concordance) is needed. Each word in this list is located in the source material, and the location of each instance is noted in the resulting index.

In this case, the files in this repository will be used to feed @joswr1ght's most awesome Python script, which searches PPTX files as source material and generates a DOCX file containing the index. SANS students will receive this index as a guide to the material and a starting point for their own indexes to use in GIAC testing, if desired.

## Contributing
Josh's script uses a flexible syntax for the word list. You can simply specify one word per line in the concordance, or use a very robust and powerful syntax to "fine-tune" the index content. To learn more about the syntax itself, see the "[Building a Concordance](https://github.com/joswr1ght/pptxindex#building-a-concordance)" section of Josh's repository.

Anyone wishing to contribute new terms, refine existing search terms, etc. should submit a pull request to this repository. Each respective course author will review PRs and test against new versions of their material. Helpful terms will be merged and contributors will receive all appropriate SANS and GitHub karma for their submissions.
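The indexing step described under Background (locate each concordance term in the source material, record where it occurs), as an added example that is not Josh's pptxindex script and not part of this repository. It assumes only the simplest word-list form, one term per line, and stands in a constructed list of slide strings for the PPTX source material so it runs offline. Two details matter for lists like the ones in this repo: entries such as `*.pf` or `$Recycle.bin` contain regex metacharacters and start or end with non-word characters, so naive `\b` boundaries never match them, and the lists contain case-variant duplicates that should collapse to one index entry.

```python
"""Build a page index from a one-term-per-line concordance.

Added example, not the pptxindex script the README refers to. The
concordance and the "slides" below are constructed sample data; real
input would be the repo's .txt files and text extracted from PPTX.
"""
import re
from collections import defaultdict

# Constructed sample concordance, modelled on entries in the FOR500 list.
# Note the blank line and the case-variant duplicate of "Prefetch".
SAMPLE_CONCORDANCE = """\
Prefetch
*.pf

$Recycle.bin
Volume Shadow Copy
prefetch
"""

# Constructed stand-in for slide text: (page number, slide text).
SAMPLE_SLIDES = [
    (12, "Prefetch files (*.pf) record program execution."),
    (13, "The Prefetch folder lives under C:\\Windows\\Prefetch."),
    (40, "Deleted files are moved to $Recycle.bin; see the $I files."),
    (55, "Volume Shadow Copy (VSS) snapshots keep old versions."),
    (56, "Nothing about prefetching here, only superfetch."),
]


def load_concordance(text):
    """Return the unique terms of a word list, in first-seen order.

    Blank lines are skipped. Entries that differ only in case collapse
    into the first spelling, so 'Prefetch' and 'prefetch' become one
    index entry rather than two.
    """
    seen = set()
    terms = []
    for raw in text.splitlines():
        term = raw.strip()
        if not term:
            continue
        key = term.casefold()
        if key in seen:
            continue
        seen.add(key)
        terms.append(term)
    return terms


def term_pattern(term):
    """Compile a whole-term, case-insensitive pattern for one entry.

    re.escape keeps '*', '$' and '.' literal in entries like '*.pf' or
    '$Recycle.bin'. The lookarounds act like a word boundary but still
    match when the term itself starts or ends with a non-word character,
    a case where a plain word-boundary anchor would never match.
    """
    return re.compile(r"(?<!\w)" + re.escape(term) + r"(?!\w)", re.IGNORECASE)


def build_index(terms, slides):
    """Map each term to the sorted list of page numbers it occurs on."""
    patterns = [(term, term_pattern(term)) for term in terms]
    hits = defaultdict(set)
    for page, text in slides:
        for term, pattern in patterns:
            if pattern.search(text):
                hits[term].add(page)
    return {term: sorted(pages) for term, pages in hits.items()}


def render_index(index):
    """Format the index the way a printed course index reads."""
    ordered = sorted(index.items(), key=lambda item: item[0].casefold())
    return "\n".join(f"{term}: {', '.join(str(p) for p in pages)}"
                     for term, pages in ordered)


if __name__ == "__main__":
    index = build_index(load_concordance(SAMPLE_CONCORDANCE), SAMPLE_SLIDES)
    print(render_index(index))
```

With the sample data, "Prefetch" indexes to pages 12 and 13 but not 56 ("prefetching" is a different word), and "*.pf" and "$Recycle.bin" are found despite their leading metacharacters. Swap `SAMPLE_SLIDES` for text extracted per slide and `SAMPLE_CONCORDANCE` for one of the repo's lists to get a first-cut index; anything beyond one-term-per-line syntax is the domain of Josh's script, not this example.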
--------------------------------------------------------------------------------
/for500-concordance.txt:
--------------------------------------------------------------------------------
FOR500 Word list


Image
FTK Imager
Rules of Evidence
Admissibility
Preservation of Evidence
Chain of Custody
Evidence Handling
Evidence Integrity
Hash
BIOS
CMOS
Message Digest
Secure Hash Algorithm
No Requirement to Detail Search Methodology
Within the Scope of Search Authorization
brief perusal
Best Method
What is the Best Tool
Analysis of Search Results
Understanding OS & Applications
Understanding Evidence Created
Requires Analysis
Problem Solving
Proper Analysis
Evidence of categories
User Communication
File Download
Program Execution
File Opening/Creation
File Knowledge
Physical Location
USB Key Usage
Account Usage
Browser Usage
Prefetch
Memory Acquisition
Volatile Data
SODDI
Some Other Dude Did It
Encryption Keys
BitLocker
hiberfil.sys
pagefile.sys
memory.dmp
WinPMEM
Memoryze
AuditViewer
Volatility
HBGary's Responder
TrueCrypt
Passware
Encryption
EDD
Encrypted Disk Detector
Types of Triaged Data
Registry
Web History
OS Artifacts
User Files
Distributed
What Content to Image
SAM
SYSTEM
SOFTWARE
DEFAULT
NTUSER.DAT
USRCLASS.DAT
Event Logs
Firewall Logs
IIS logs
setupapi.dev.log
LogFiles
*.evtx
*.lnk
*.pf
APPDATA
Custom Content Images
Hex Value Interpreter
Custom Content Sources
SID
Export Logical Image
Add to Custom Content Image
Filter by File Ownership
Image RAM
Check for Disk Encryption
Create Quick Triage Image
Begin Analysis of Triage Image
Advanced Acquisition
Solid State Drives
SSD
SSD Trim
Wear Leveling
Drive Trimming
Will disk defragmentation be disabled by default on SSDs?
Will Superfetch be disabled on SSDs?
Does the Windows Search Indexer operate differently on SSDs?
To Pull or Not to Pull
sudden power loss
Write Blocking SSDs
Image Mounting
Benefits to Image Mounting
Characteristics of Mounted Images
Logically Mounted Images
Physically Mounted Images
Block Device/Read
Block Device/Writable
File System/Read Only
Mapped Images
Mapped Image List
Unmount
Arsenal Image Mounter
FAT 12/16
FAT32
exFAT
NTFS
ReFS
FILENAME LAYER
METADATA LAYER
DATA LAYER
File System 5-Layers
Allocated
Unallocated
Chains
MACtimes
File System Metadata
Deleted File
Wiped File
Guidelines for Media Sanitization
NTFS Features
POSIX
Notable NTFS Artifacts
MAC Meaning by File System
Modified
Accessed
Change in Metadata
Birthdate
Windows Time Rules
Zone.Identifier
Volume Shadow Copy
VSS
System Restore
vssadmin
Live Shadow Volume Examination
mklink
Windows Forensic Analysis Overview
Stream Carving
File Carving
Magnet Forensics' Internet Evidence Finder
IEF
Data Stream Carving Examples
Notable IEF Carved Artifacts
Parsing Metadata in Files
Examining MS Office Metadata
Exiftool Smartphone Picture Analysis
How File Carving Works: Recovering Deleted Files
PhotoRec
How Does PhotoRec Work?
Adding Signatures to PhotoRec
photorec.sig
fidentify.exe
PhotoRec Carving and Sorting
PhotoRec Sorter
HKLM
HKCU
NTUSER.dat
UsrClass.dat
UAC
Registry Hives
SAM
SECURITY
SYSTEM
SOFTWARE
NTUSER.DAT
Strings
Binary Data
Integers
Lists
Last Write Time
MRULists
Examining Key Values via Registry Editor
Offline Registry Viewing: Forensicating the Registry
Open Registry Hive
Deleted Keys/Values
Keys
Values
Timestamps
YARU
Yet Another Registry Utility
Registry Analysis Tool Options
AccessData Registry Viewer
Registry Ripper
RegRipper
TZWorks
cafae
SAM: Profiling User/Groups
Security Identifier (SID)
User Login Information
Last Login
Last Failed Login
Logon Count
Password Policy
Account Creation Time
Group Information
Administrators
Users
Remote Desktop Users
Profiling Local Users
SAM Parsing Using AD RegViewer
SAM Parsing Using RegRipper
Does the Account have a Blank Password
SAMInside
Examining System Configuration
System Configuration Overview
Identify the Microsoft OS Version
Identify the Current Control Set
ControlSets
ControlSet
CurrentControlSet
LastKnownGood
Computer Name
Time Zone Information
ActiveTimeBias
StandardBias
DaylightBias
Last Access Time ON/Off
NtfsDisableLastAccessUpdate
Network Interfaces
Win7/Win8 Historical Networks
GUID
Network Location Awareness
NLA
NetworkList
HomeGroup
Cache Key
Write-Down ProfileGuid
Network Types
SSID
LastDateConnected
DCodeDate
ProfileGuid
NameType
Wireless
Wired
Broadband
Public
Private/Home
Domain/Work
DCode Date Tool
DateFirstConnected
Geo-Location of MAC Address/SSID
wigle.net
Shares and Offline Caching
Shares
Client Side Caching (CSC)
CSCFlags
Windows Offline Files Cache
C:\Windows\CSC
MaxUses
Path
Permissions
Type
System Boot Autostart Programs
RunOnce
Services
Shutdown Information
Shutdown Time
Shutdown Count
Registry User Activity: Evidence Of
User Comms
File Download
Program Execution
File Opening/Creation
File Knowledge
Physical Location
USB Key Usage
Account Usage
Browser Usage
Win7/8 Search History
Search History
ACMru
Win8 Search History
WordWheelQuery
Typed Paths
TypedPaths
Recent Docs
RecentDocs
MRUlist
Recently Opened Timeline Example
Microsoft Office RecentDocs
FileMRU
Office 365/2013 FileMRU Keys
Office 365/2013 Last Reading Location
File Path Value
Datetime
Position
Explorer Common Dialog
LastVisitedMRU
OpenSaveMRU
YARU
ComDlg32
Last Saved Files
LastVisitedPidMRU
Last Commands Executed
Last Command Executed
RunMRU
UserAssist Key
USERASSIST
UserAssist Key Tracks:
Last Run Time
Run Count
Name of GUI Application
Focus Time
Focus Count
NirSoft
GUIDs for XP
Internet Toolbar
Active Desktop
GUIDs for Win7/8
Executable File Execution
Shortcut File Execution
UEME_
RunPath
RUNCPL
RUNPIDL
UIQCUT
UISCUT
UITOOLBAR
Win7/8 UserAssist Name Values
ProgramFilesX64
ProgramFilesx86
System
SystemX86
Desktop
Documents
Downloads
UserProfiles
ROT13
Vibranium

GUIDs for UserAssist
Evidence of Execution Timeline Example
Wigle
0x47
ntuser.dat
shutdown count
0x02
caching
128 bit system structure
0x06
0x17
Shell Item Analysis
Shell Item Artifact Attributes
Shell Item
known folder
Type of Drive target is on
Path of Target File
Target Metadata
Shell Item: General Layout
LNK
PIDL
LinkInfo
CNRL
CommonNetworkRelativeLink
StringData
ExtraData
PropertyStore
TrackerInformation
LNK: ShellLinkHeader
ShellLinkHeader
CLSID
FILETIME
Shortcut Files (.lnk)
Max number of files in the "RECENT" folder
.LNK Time of First/Last Open
LNK File Analysis
Windows LNK Parsing Utility
lp.exe
-rawscan
-deepscan
-pipe
LNK Target File Analysis Using lp.exe
Windows 8.1 Recent Folder - LNK files with URLs
Windows 8.1 Charm Bar
Metro Interface
magnifying glass
DCode Date
suggested search
Windows 8/8.1 Search History
Charm History
SearchHistory\Microsoft.Windows.FileSearchApp
ConnectedSearch\History
Windows 8.1 Search Types
txt_
set_
site_
UserAssist and Charm Bar
USERASSIST Registry Key GUIDs
BCB48336
Win7/Win8 Jump Lists
Jump Lists
jump
mini-start
What is a Jump List?
Destination
Tasks
Automatic
Custom
registered handler
AppIDs
adecfb853d77462a
Unique AppID
Automatic Destinations
AutomaticDestinations
automaticDestinations-ms
AppID
MiTeC's Structured Storage Viewer
Custom Destinations
CustomDestinations
custom jump list
customDestinations-ms
Mapping Between Directions
Automatic Destinations in Structured Storage Viewer
Export Stream and Save LNK
Save Stream
break
Jump List File Analysis
jmp.exe
Jumplist Parsing Utility
Automatic Destinations:
MRU/FRU
MRU
FRU
Custom Destinations: jmp.exe CSV Output
Tracking Folder/Directory Usage: Win7/8 Shellbags
Explorer Access -
Bags
BagMRU
Desktop Access -
BagMRU
Bags
GUID folder
Shellbag sub-key
Shellbag keys
ShellBags Based on Windows Explorer
Parsing Win7/Win8 Shellbags
ShellBags Analysis Key Items
MRUListEx
inode number
sbag
ShellBag GUIDs
Parsing ShellBags via ShellBags Explorer
ShellBags Explorer
SBE
ShellBags Explorer Command Line
ShellBags Explorer CMD Output
Absolute Path
First Explored
Last Explored
Shellbags Analysis: sbag.exe
ShellBagNoRoam\BagXxx
Key Last Write Time
sbag.exe Output Analysis
inode
Analyzing USB Devices
Vendor/Make/Version
Unique Serial Number
MSC
Mass Storage Class
PTP
Picture Transfer Protocol
MTP
Media Transfer Protocol
UMS
Mass Storage Device (MSC)
MSC Overview
Media Transfer Protocol
Picture Transfer Protocol (PTP)
PTP Overview
WIA
Windows Image Acquisition
Windows Portable Device
WPD
Media Transfer Protocol (MTP)
MTP Overview
DRM

exfiltration points
Evidence of File Opening on USB Device
MSC Devices
MTP Devices
WPDNSE
Mass Storage Class Devices
WPDNSE Folder (MTP Devices)
WPDNSE Temp Folder
WPDNSE Folder and GUID Analysis
USB MSC Device Forensics on Win7/Win8
USBSTOR
XP/Win7/Win8 USB Devices
What if you have MSC USB? Link via Serial # - UVCView
UVCView
MSC, PTP, and MTP USB Enumeration
VID
PID
Discover the Volume Name
MountedDevice
Find the Last Drive Letter: USB Keys
ParentIDPrefix
Find Last Drive Letter: External USB Hard Drives
MountedDevices
Find the User that Used USB Device
MountPoints2
Discover Volume Serial Number
EMDMgmt
ReadyBoost
USB Unique Serial Number
Volume Serial Number Analysis
MSC Device Times to Track
First Time Device Connected
Last Time Device Connected
Removal Time
First & Last Connected and USB Removal
0064
0066
0067
83da6326
DEVPKEY_Device_FirstInstallDate
First Time Device Connected - Alternative
Last Time Device Connected - Alternative
Time Device Disconnected - Removal
Alternative: Discover First Time Device Connected
setupapi.log
setupapi.dev.log
Alternative: Find First Time USB Plugged in via setupapi.dev.log
Alternative: Win7/Win8 - Last Time Device Connected
USB MSC Device Forensics on Win7/Win8
Win7 USB Device Artifacts (MSC vs. PTP vs. MTP)
DDO
ContainerID
ENUM\USB
DeviceHandlers
Automated Analysis - Dead Forensics
USBDeviceForensics
Key Word Searching
Forensic Suites
EnCase
FTK
Key Word Lists
Index Search Form
ASCII
UNICODE
Searching
Boolean
Index Search Wildcards
Search Results
Search Results List
Review Results
File List
Triage Review of Hits
Exporting Hits for Review


What can E-mail Forensics Tell Us?
What can We Analyze
E-Mail Headers
envelope
Simple Mail Transfer Protocol
SMTP
Mail Transfer Agent
MTA
Message-ID
X-Originating-IP
X-IP
X-Mailer
Message-ID Threading
In-Reply-To
Extended MAPI Headers
Microsoft Messaging Application Programming Interface
MAPI
Mapi-Client-Submit-Time
Mapi-Conversation-Index
Mapi-EntryID
Mapi-Message-Flags
Pr_Last_Verb_Executed
Host-based E-mail
Microsoft Outlook
.PST
Personal Storage Table
Compressible encryption
Kernel Outlook PST Viewer
eDiscovery
Offline Folder Files
Cached Exchange Mode
.OST
Orphan .OST
scanost.exe
Kernel OST Viewer
Outlook Attachment Recovery
Secure Temp Folder
Content.Outlook
INetCache
OLK
timestamp phenomenon
USNJournal
E-Mail Analysis with Nuix
Cloud Services
Other Host-based Formats
Calendar and Contacts
.ICS
.SDB
.WAB
.PAB
.VCS
vCard
.NNT
Corrupted E-mail Archives
E-mail Encryption
S/MIME
PGP/MIME
.pgp
.p7m
Network-based mail encryption
Transport Layer Security
TLS
Secure Sockets Layer
SSL
Office 365 encryption
Host-based E-mail Review
E-mail Servers
Server E-mail Forensic Tools
Network E-mail Examiner
Paraben Forensics
Microsoft Exchange
.EDB
Extensible Storage Engine
.STM
MIME
eseutil
Deleted Objects in Exchange
Delete
Soft Delete
Soft-deleted
Hard Delete
Hard-deleted
non-IPM
Exchange Dumpster
Online Windows Acquisition: Windows Server Backup
Windows Server Backup
WSB
WSBExchange.exe
Virtual Hard Disk
VHD
Exchange 2007: Export-Mailbox Tool
Export-Mailbox
ExMerge
Export-Mail
Exporting Mail in Exchange 2010
New-MailboxImportRequest
New-MailboxExportRequest
Exchange Multi-Mailbox Search
.PST Proliferation!
PST Capture
Webmail Forensics
AJAX
Exporting Office 365 Mail
MessageOps Exchange Migrator
Microsoft Azure
F-Response
FOR508 Sneak Preview
iSCSI
Cryptome Legal Guides
Compressed Webmail Remnants
Webmail Remnants - Hotmail
Webmail Remnants - Yahoo
Mobile E-mail
BlackBerry Enterprise Server
BES
Microsoft ActiveSync
.IPD
.mdbackup
.mddata
Review: Forensic E-mail Analysis
Additional Artifacts: Thumbs, Recycle Bin, Prefetch
Windows Search Database
libesedb
ESE Database
windows.edb
eseinfo
eseexport
ESE NT Utilities - Windows.edb
esentutl
Thumbnail Forensics: thumbs.db
Thumbs.db
Thumbs.db Examination: Thumbs Viewer
Thumbs.db Exported
Win7/Win8 Thumbcache
Thumbcache Viewer
Mapping File Names to Thumbcache
Recycle Bin Forensics
Recycled
Recycler
$Recycle.bin
Recycle Bin
INFO
INFO2
Win7/Win8 Recycle Bin
$I
Parsing Recycle Bin (recbin)
recbin.exe
Windows Prefetch / Superfetch
Layout.ini
Prefetching
.pf
prefetch_hashes_lookup.txt
Prefetch Analysis - First/Last Execution
Windows Prefetch Parser
Prefetch Parser
Prefetch Parser Output
Prefetch Files
Prefetch Analyser
Prefetch Reports
Distinct File Paths
Prefetch File Analysis
pf.exe
Event Log Analysis
Windows Events
Event Logging service
Event Log
Event Log Analysis
SecEvent.evt
Application.evt
AppEvent.evt
SysEvent.evt
.evtx
Security.evtx
Application.evtx
System.evtx
.evtx Log Format
Windows Event Log
Event Logging
Types of Event Logs
Security Log:
System Log:
Application Log:
Directory Service:
File Replication Service:
DNS Server:
Application & Service Logs
Forwarded Events:
Application and Services:
Security Log
LSASS
What is Recorded? Security Event Categories
Audit account logon events:
Audit account management:
Audit directory service access:
Audit logon events:
Audit object access:
SACL
System Access Control List
Audit policy change:
Audit process tracking:
Audit system events:
What are We Likely to Find? Default Security Logging
Event Types
Error:
Warning:
Information:
Success Audit
Failure Audit:
Tracking Account Usage
Event ID Codes
4624
4625
4634 / 4647
4672
528-552
eventvwr.exe
Logon Type
Logged:
Level:
User:
Computer:
Source:
Task Category:
Event ID:
General Description:
Details:
Logon Type Codes
Identifying Logon Sessions
4634
4647
4800/4801
Tracking Account Usage: Brute Force Password Attack
BackTrack
529
Built-in Service Accounts
SYSTEM:
LOCAL SERVICE:
NETWORK SERVICE:
ANONYMOUS LOGON
Tracking Account Usage: Remote Desktop Protocol
Fast User Switching
RDP
4778
4779
528
682
683
Account Logon Events
Logon Event
NTLM protocol
4776
Kerberos protocol
4768
4769
4771
NTLM
Account Logon Error Codes (Kerberos)
0x6:
0x7:
0xC:
0x12
0x17
0x18
0x25
675
Non-existent account username
Incorrect password (username correct)
Account not allowed to login at this time
Expired password
Account locked
Find a Rogue Local Account
Locating Log Evidence
Lateral Movement Detection
Alternate Logon Sources: TaskScheduler & RdpCore
Analysing File & Folder Access
4656
4660
4663
Handle to object request
Object deleted
Access attempt on object
Global Object Access Auditing
Object Auditing Events
Audit File System
Audit Handle Manipulation
File and Folder Object Access Success and Failure
Application Installation
1033
1034
11707
11708
11724
Installation completed
Application removal completed
Installation operation failed
Application removal completed successfully
Evidence of Malware Execution
Application Event Log
System Event Log
PWDump
LSASS Capturing
Command Lines
4688
Suspicious Services
7034
7035
7036
7040
7045
4697
Service crashed unexpectedly
Service sent a Start / Stop control
Service started or stopped
Start type changed (Boot | On Request | Disabled)
A service was installed on the system (Win2008R2)
A service was installed on the system (from Security log)
Service Control Manager
SCM
fgdump
Time Manipulation
4616
Tracking BYOD and External Devices
20001
4663
4656
Plug and Play driver install attempted (System log)
Attempt to access removable storage object (Security log)
Failure to access removable storage object (Security log)
UserPnp service
Tracking BYOD and External Devices: Firewire (1394)
Auditing Access to BYOD
Audit Removable Storage
Wireless Network Geolocation
11000
8001
8002
6100
Wireless network association started
Successful connection to wireless network
Failed connection to wireless network
Network diagnosis
WLAN-Autoconfig Log
BSSID
Basic Service Set Identifier
Media Access Control
Network Diagnostics
Event Log Clearing
1102
Audit log cleared
WinZapper
Extracting Event Logs
Exporting from a live system
Offline extraction
Exporting online Logs
Exporting offline Logs
Offline Extractions
evtwalk
evtx_view
Remote Log Access
Remote management
Event Log Explorer
Regular Expression Filtering
X-Path
Event Log Analysis Resources
Log Review with Mandiant Highlighter


Internet Explorer Browser Forensics
Browser Forensics
What can we find During Browser Forensics?
History Files
Browser Cache
Cookies
Browser basics
Internet Explorer (IE)
IE6 / IE7
IE8
IE9
IE10
IE11
Where to Start: IE8 & IE9 Data Locations
Index.dat
Roaming
Local
History.IE5
Content.IE5
Favorites
IE 10 Data Locations
WebCacheV*.dat
IE 11 Data Locations
INetCache
INetCookies
Old School: Index.dat
dir /a
Extensible Storage Engine (ESE)
DOMstore
Internet Explorer History: Investigating Sites Visited
DaysToKeep
URL History
Parsing WebCacheV*.dat
LastAccessTime
ContainerId
Container
WebCacheV*.dat History Tables
ModifiedTime
AccessedTime
AccessCount
Multiple Tables Per Artifact
MSHist
protected mode
IE Data Location
Legacy IE5-IE9 History Folders
container.dat
desktop.ini
Local File Access in IE History
NirSoft BrowsingHistoryView
BrowsingHistoryView
ESEDatabaseView
Internet Explorer Cache: View the Browser Stockpile
no_cache_write
IE Cache Folders
IE9 Cache Metadata: Index.dat
URL
LEAK
REDR
HASH
IE10+ Cache Metadata: WebCacheV*.dat
SecureDirectory
AccessCount
IE Cache Timestamps
CreationTime
AccessedTime
ModifiedTime
ExpiryTime
LastChecked
Internet Explorer Cookies: Digging Deep into Website Activity
persistent
IE Cookie Update
Cookie Metadata
Win8 Modern UI Application
INetCache
INetCookies
INetHistory
windows_ie_ac_XXX
IE Download History
IE Download History IE10+
ResponseHeaders
ESE Databases are Dirty!
ESE NT Utilities - WebCache
Read Headers:
Recover dirty db:
Carving the ESE Database
ESEcarve
ESECarve.exe
IE Auto-Complete: What was the User Typing
Address bar history
TypedURLs
TypedURLsTime
Typed URLs
Auto-Complete Data:
Protected Storage / Windows Vault
Internet Explorer Credential Manager
Windows Vault
Data Protection API
DPAPI
WebBrowserPassView
Protected Storage
.vcrd
Decrypting .vcrd Files
Web Browser Bookmarks: Looking at Saved Locations
InternetShortcut
NirSoft FavoritesView
IE8 and Beyond
Recovered Folders
Web (DOM)
Web Storage
IE Session Recovery
RecoveryStore files
NoReopenLastSession
Save_Session_History_On_Exit
IE Session Recovery Folders
RecoveryStore
Structured Storage Viewer
MiTeC Structured Storage Viewer
ParseRS & RipRS
Recovery Folder Parsing tool
IE Session Recovery Form Data
{GUID}.dat
InPrivate Browsing Mode
Porn Mode
Recovering InPrivate Artifacts
Cache files
Automatic Crash
InPrivate Session recovery
InPrivate Artifact Carving
Magnet Forensics
IE Synchronization
LastRoamed
WinInet
History, Favorites, TypedUrls Synchronization
IE 11 TabRoaming
IE11 Tab Synchronization
TabRoaming
MachineInfo.dat
Dissecting a Roaming tab
Can We Differentiate Synced Data
Identifying Synchronized IE History
ExpiryTime
What synced data persists after a history is cleared?
IE Forensics Methodology
Mozilla Firefox
Firefox Versions
user_pref
Firefox Major Version Releases
Where to Start: Firefox File Locations
Firefox and SQLite
places.sqlite
formhistory.sqlite
cookies.sqlite
signons.sqlite
webappsstore.sqlite
extensions.sqlite
Validate your Tools!
History Artifacts in Firefox: Investigating Sites Visited
browser.history.expiration.transient_current_max_pages
How was the Web Page Requested? Visit Types in Firefox
Case Study: Julie Amero
Using NirSoft Tools - Step-By-Step
MozillaHistoryView
NirSoft MozillaHistoryView
index.html
Firefox Cache: Viewing the Browser Stockpile
browser.cache.disk.capacity
prefs.js
cache
cache2
Firefox Cache Files (prior to v32)
Cache Map
Cache Block
Cache Data
Firefox Cache2
cache2\entries
NirSoft MozillaCacheView
Firefox Cookies: Going Deep into Website Activity
NirSoft MozillaCookiesView
Google Analytics Cookies
utma
utmb
utmc
utmv
utmx
utmz
Google Analytics Cookies: Unique Visitors
Google Analytics Cookies: Session Tracking
Google Analytics Cookies: Traffic Sources
GA Cookie Cruncher
Local Shared Objects (Flash Cookies)
Local Shared Objects
LSO
NirSoft FlashCookiesView
HTML5 Web Storage
webappstore2.sqlite
DOMStore
Local Storage
Super Cookie
http_bits.blogs.nytimes.com_0.localstorage
IE Web Storage (DOMStore)
SPMruDocsItemJson
Firefox Download History: Examining what was downloaded
anno_attribute_id 8
place_id
anno_attribute_id 7
anno_attribute_id 9
moz_places
browser.download.lastdir
Investigating Download History: SQLite Manager Plug-in
moz_annos
Firefox Auto-complete: What was the User Typing
formhistory.sqlite
PRTIME
DumpAutoComplete
SQLite Manager: formhistory.sqlite
searchbarhistory
Firefox Session Restore
sessionstore.js
Session Restore
.bak
browser.sessionstore.enabled
browser.sessionstore.max_windows_undo
sessionstore.bak
FirefoxSessionRestoreExtractor
Firefox Privacy Settings
Firefox Privacy Additions
Clear Recent History:
Forget About This Website:
Private Browsing:
Private Browsing Mode
Recovering Deleted Artifacts in Firefox
SQLite Deleted Data
CCL Group epilog
Sanderson SQLite Recovery
sqlparse.py
Firefox Extensions
Add N Edit Cookies
Firebug
extensions.sqlite
addons.sqlite
extensions.rdf
install.rdf
Firefox Forensic Methodology
Why Can't One Tool Do it All?
Google Chrome
WebKit
SQLite
JSON
SNSS
Chrome History Artifacts: Investigating Sites Visited
Segments
Archived History
Top Sites
Chrome History Page Transition Types
transition
visits
History database
CHAIN_START
CHAIN_END
CLIENT_REDIRECT
SERVER_REDIRECT
IS_REDIRECT_MASK
QUALIFIER_MASK
Chrome Timestamps
WebKit Format
Unix epoch
DCode
Chrome Cache: Viewing the Browser Stockpile
disk_cache::kMaxBlockSize
NirSoft ChromeCacheView
ChromeCacheView
Rebuilding Cached Webpages
NetAnalysis
Internet Evidence Finder
Hindsight Chrome Forensics
ChromeHistoryView
Chrome Forensics Tool
hindsight.py
Chrome Review
--------------------------------------------------------------------------------
/for508-concordance.txt:
--------------------------------------------------------------------------------
access token
Account Creation
Account Logon
Account Logon Events
Account Management
Account Usage
Acquiring Processes
Acquiring Processes and Drivers – Volatility
Acquiring Remote Data
Additional Time Rule Exceptions
Admin$
Admin Shares
Admin Shares – Detection
Admin Shares – Permissions required
ADS
Advanced NTFS Journal Parser (ANJP)
Advanced Persistent Threat
Advantages of memory analysis
Adversary Operation Process
Allocated Clusters
Alternate Data Streams
AmCache.hve
AmCache.hve – Contents
AmCache.hve – Location
AmCache.hve – Value Name Chart
Amcache.py
Analysis Pass
analyzeMFT.py
Analyzing Processes – Identifiers of Evil
Analyzing Process Objects
Analyzing Process Objects – Volatility
ANJP
Anonymous Logon
Antivirus Checks
apihooks
API Manipulation – Malware
Appcompat cache
Application
Application and Services
Application Compatibility Cache
Application Compatibility Cache – Contents
Application Compatibility Cache – Registry
Application Deployment Software
Application Deployment Software – Detection
Application Experience
Application Installation
Application of techniques
Application Vulnerabilities
Artifact - Browser usage
Artifacts - Chart
ASEP
AsJob
at.exe
at job
Atomic
attack progression
$ATTRDEF
$ATTRIBUTE_LIST
Authentication – PowerShell
Automated Memory Analysis
autorun locations
autorunner
autorun offline examination
Autoruns
autorunsc.exe
Autoruns – Search locations
Auto-start Extensibility Point (ASEP)
AutoStart – Persistence
AV Scanners
$BADCLUS
baseline
Batch Files
Behavioral
Behavioral Indicators
BEViewer
Binary Whitelisting
$BITMAP
blkcalc
blkcat
blkls
blkstat
bodyfile
Bodyfile - Creation
$BOOT
bootkey
Breaking TrueCrypt
Browser Search Terms
Building IR/Threat Hunting Capability
Building Threat Hunting Capability
Build portable agent
Built-In Service Accounts
bulk_extractor
bulk_extractor usage
By-Hand Memory Analysis
By-Hand Third-Party Hash Lookups
C2
Cache
Cached
Cached – Common Tools
Cached – Mitigation
Cached – Storage Location
cafae.exe
calculating partition byte offset
Capability
Certificate Revocation List
Certification Authority
Certification Authority – Intent
Certification Authority - Verification Process
Change journal
Change.log
Checkpoint Records
cmdline
cmdscan
Code injection
Code Injection behavior
Code Injection – Detection
Code Injection – Volatility
Code Signing
Code Signing - Malware
Code Signing - Malware - Benefits
Code Signing - Malware - Negatives
Code Signing - Operating Systems
Collector
Command line
Common Locations – Malware
common malware locations
common malware names
Common Names – Malware
Comprehensive Collector
Compromise detection
Compromised host
Compromise situations
Computed
Computed Indicators
Connections
connscan
consoles
Containment
Containment and Intelligence Development
context clues
Context Triggered Piecewise Hashing (CTPH)
Contiguous Clusters
Contiguous disk space
Cookies
Copy Malware
Create Bodyfile
creating signatures
Credential Guard
Credentials – Compromising (attacker)
Credentials – Goal of Attacker
Credentials Misuse (attacker) – Detection
Credentials Misuse (attacker) – Mitigation
CredSSP
Critical Remediation Control
CRITS
csrss
csrss.exe
Custom
Custom – Categories
Cyber threat intelligence
Cyber Threat Intelligence Capability
Cybox
$DATA
Data Collection
Data Exfiltration
$Data Header
data layer
Data Layer - Basics
data layer tools
$Data – Nonresident
Data Reduction
$Data – Resident
DataSectionObject
dd
dd.exe
deep dive analysis
Deep-dive analysis
Deep-dive forensics
Default.rdp
Delegate Token
Deleted files
Delivery
density
densityscout
deskthrd
detect compromise without malware
detecting rogue processes
Detection Avoidance – Malware
Detection Situations – Malware
determining indicators
Determining Pivot Point
\Device\PhysicalMemory
devicetree
Digital forensics
Direct Kernel Object Manipulation
Direct Kernel Object Manipulation (DKOM)
197 | Directory Handle 198 | Directory Service 199 | Disk Layer 200 | diskpart.exe 201 | DKOM 202 | DLL doubly linked lists 203 | dlldump 204 | DLL Injection 205 | dlllist 206 | DLL Persistence 207 | DLL Persistence Attacks 208 | DLLs 209 | DLL Search Order 210 | DLL Search Order Hijacking 211 | DLL Side Loading 212 | DLL Side-Loading 213 | Domain Account Hash 214 | Domain Account Hash – Reqs for attacker to gain 215 | Downloads.sqlite 216 | Drive Letter 217 | DriveLetter$ 218 | Driver, Acquiring 219 | Driverbl 220 | driverirp 221 | drivers 222 | Dual-hop authentication 223 | dumpfiles 224 | dumping files 225 | Dumpit 226 | Dun & Bradstreet 227 | Dynamically Linked Library (DLL) 228 | $EA 229 | $EA_INFORMATION 230 | early detection 231 | Email attachments 232 | Enterprise Incident Response 233 | Enterprise IR Scripting 234 | enterprise scanning 235 | Enter-PSSession 236 | entropy 237 | Entropy / Packing 238 | EPROCESS 239 | Eprocess blocks 240 | Establish Foothold 241 | Evasion Techniques Malware 242 | Event Handle 243 | EventID 244 | Event Log Clearing 245 | Event Log Explorer 246 | Event logs 247 | Event Logs – Analysis Resources 248 | Event Logs - .evt 249 | Event Logs - .evtx 250 | Event Logs – Extract/Export 251 | Event Logs – Location 252 | Event Logs – Remote Log Access 253 | Event Logs – Size limit 254 | Event Logs – Types 255 | Event Logs – Types – System 256 | Event Viewer 257 | Event Viewer – Export 258 | eventvwr.exe 259 | Evidence of Persistence 260 | evtwalk 261 | evtx 262 | evtx_parser 263 | evtx_view 264 | ewfmount 265 | Execute Malware/Commands 266 | ExFat 267 | Exfiltration 268 | Exploitation 269 | Exploit - Multi-Phase 270 | Exploit - Single Phase 271 | $EXTEND 272 | Extracting Files dumpfiles 273 | Extracting Files filescan 274 | Fast Forensics 275 | FAT 276 | FAT32 277 | ffind 278 | File Carving 279 | File Deletion Artifacts 280 | file density 281 | File Downloads 282 | File Entry Header - Attribute Count 283 | File Entry Header - File Reference 
to Base Record 284 | File Entry Header - Fixup 285 | File Entry Header - Flags 286 | File Entry Header - Hard Link 287 | File Entry Header - Inode Number 288 | File Entry Header - $LogFile Sequence Number 289 | File Entry Header - Sequence Number 290 | File Fragment 291 | File Handle 292 | File Headers/Footers 293 | File Knowledge 294 | $Filename 295 | $FILE_NAME 296 | $File_Name Header 297 | Filename layer 298 | Filename Layer Tools 299 | File_Object 300 | File Opening/Creation 301 | File Record – Directory 302 | File Record - Files 303 | filesan 304 | filescan 305 | File System Abstraction 306 | File System Focused Timeline 307 | File System Layer 308 | File System Timeline 309 | File System Timeline - Output 310 | Filesystem Tools 311 | Filesystem - Types 312 | File Time Anomalies 313 | Filter file 314 | find evil 315 | find rogue local account 316 | Firefox Downloads 317 | First/Last Times 318 | Fixup Array 319 | Flash and Super Cookies 320 | fls 321 | fls vs. Supertimeline 322 | Follow Up 323 | FOR 408 324 | foremost 325 | foremost.conf 326 | Forensic Analysis 327 | Forensics Process 328 | Forwarded Events 329 | F-Response 330 | F-Response Accelerator 331 | F-Response Attach remote drive 332 | F-Response Attach remote memory 333 | F-Response connect to targets 334 | F-Response Deploy Agents 335 | F-Response Deployment overview 336 | F-Response Introduction 337 | F-Response License Manager 338 | F-Response - Licensing 339 | F-Response Management Console 340 | F-Response - Steps 341 | fsstat 342 | fstat 343 | FTK Imager 344 | FTK Imager Lite 345 | fuzzy hashing 346 | Gain Authority 347 | Gathering intel through kill chain completion 348 | Get-RekalPslist.ps1 349 | getsids 350 | Get-SvcFail.ps1 351 | Golden Ticket 352 | Golden Ticket – Creation 353 | gpedit.msc 354 | grep 355 | grep Usage 356 | GRR 357 | Handle 358 | handles 359 | handles (Volatility Plugin) 360 | hash databases 361 | hashdump 362 | Hashes 363 | Hashes – Common Tools 364 | Hashes – How to Acquire 
365 | Hashes – Local and Domain Storage Location 366 | Hashes – Mitigation 367 | Hash Lookups 368 | HBGary responder 369 | hfind 370 | hiber2bin 371 | hiberfil.sys 372 | Hibernation File Analysis 373 | Hibernation File Conversion 374 | hibr2bin 375 | Hiding in plain sight 376 | Hiding (NOT in plain sight) – Malware 377 | Hiding techniques 378 | Hierarchical Process View 379 | Hierarchical view 380 | histogram 381 | hivedump 382 | hivelist 383 | Hooking 384 | Hooking – Types 385 | Host based IOC 386 | Hunting Organization 387 | $I30 388 | $I30 – Index Block 389 | $I30 – Slack space 390 | IAT 391 | icat 392 | Identification 393 | identifying outliers in memory 394 | Identifying Rogue Processes 395 | Identify Rogue Processes – Volatility 396 | idt 397 | IEF 398 | ifind 399 | imagecopy 400 | imageinfo 401 | imagemounter.py 402 | ImageSectionObject 403 | Immediate Response 404 | Impact 405 | Import Address Table (IAT) 406 | importance of malware analysis 407 | Incident Response 408 | Incident Response Detection and Intelligence Loop 409 | Incident Response Lifecycle 410 | Incident Response Process 411 | $INDEX_ALLOCATION 412 | Index.dat 413 | Index Entry 414 | $INDEX_ROOT 415 | Indicator of Compromise 416 | Indicator of Compromise (IOC) 417 | Indicator of Compromise (IOC) – Redline 418 | Indicators 419 | Indicators of Compromise 420 | Indicators of Compromise - Creation 421 | Indicators of Compromise Search 422 | Indicators - Types 423 | INDXParse.py 424 | Infinite Log Area 425 | Initial Compromise 426 | Injection - Detection 427 | Injection - Stuxnet 428 | Injection - Zeus 429 | inline (trampoline) hooks 430 | Inodes 431 | Intelligence 432 | Intelligence Development 433 | Intent 434 | Interactive Logon 435 | Interface Panes – Redline 436 | Interrupt Descriptor Table (IDT) 437 | Intrusion Operation - Phases 438 | Intrusions - Statistics 439 | Invoke-Command 440 | IOC 441 | IOC Analysis 442 | IOC Bucket 443 | IOC Development 444 | IOCe 445 | IOC Editor 446 | IOC Finder 
447 | IOC Search Collector 448 | I/O Request Packets (IRP) 449 | IPC$ 450 | IR & Hunt Team Life Cycle Overview 451 | IRP 452 | IR Process 453 | istat 454 | $J 455 | jobparser.pl 456 | jobparser.py 457 | journal 458 | Journal Layer Tools 459 | jp 460 | Kansa 461 | Kansa.ps1 462 | Kansa.ps1 – Get-RekalPslist.ps1 463 | Kansa.ps1 – Get-RekalPslist.ps1 – Negatives 464 | Kansa.ps1 – Modules 465 | Kansa.ps1 – Output 466 | Kansa.ps1 – Prerequisites 467 | Kansa.ps1 – Target List 468 | KDBG 469 | Kerberos – Account Logon Error Codes 470 | Kerberos – How it works 471 | Kernel Debugger Datablock (KDBG) 472 | Kernel Patch Protection (PatchGuard) 473 | Kernel Processor Control Region (KPCR) 474 | Kill chain 475 | knowing key windows processes 476 | KPCR 477 | Last Login 478 | Last PW Change 479 | lateral movement 480 | ldrmodules 481 | Least Frequency of Occurrence 482 | LFO 483 | LIBPFF 484 | Live Memory Analysis – Whitelisting 485 | Live Memory Forensics 486 | Live Response Kit 487 | Live System Acquisition 488 | LNK files 489 | Local Service 490 | Locating Log Evidence 491 | log2timeline 492 | log2timeline.py 493 | log2timeline.py examples 494 | log2timeline.py - File Filter 495 | log2timeline.py - Goals 496 | log2timeline.py - Parser List 497 | log2timeline.py reference 498 | $LOGFILE 499 | $LOGGED_UTILITY_STREAM 500 | Logon Events 501 | Logon ID 502 | Logon Type 503 | Logon Type Codes 504 | Logon types 505 | Logs 506 | Long v. 
Short File Names 507 | lsadump 508 | LSA Secrets 509 | LSA Secrets – Common Tools 510 | LSA Secrets – Mitigation 511 | LSA Secrets – Stealing 512 | lsass.exe 513 | lsevt 514 | MACB 515 | MACB Chart 516 | mactime 517 | Maintain Presence 518 | malfind 519 | malprocfind 520 | malsysproc 521 | Malware analysis 522 | Malware analysis process 523 | Malware Analysis Process – Step 1 524 | Malware Analysis Process – Step 2 525 | Malware Analysis Process – Step 3 526 | Malware Analysis Process – Step 4 527 | Malware Analysis Process – Step 5 528 | Malware Analysis Process – Step 6 529 | Malware Analysis Process – Steps 530 | Malware detection 531 | Malware Detection Methods 532 | Malware detection stages 533 | Malware evasion techniques 534 | Malware Execution 535 | Malware - finding 536 | Malware funneling 537 | Malware Funnelling - IOC 538 | Malware paradox 539 | Malware persistence 540 | Malware Risk Index – Components 541 | Malware Risk Index (MRI) 542 | Malware Scheduled Tasks 543 | Malware - signed? 
544 | Malware signing cons 545 | Malware signing graph 546 | malware signing likelihood 547 | Malware signing pros 548 | Malware Windows Services 549 | Management Support 550 | Master File Table 551 | $Max 552 | MBR 553 | md5deep 554 | md5deep - With sorter 555 | Media Forensics VS Memory Analysis 556 | Media Management Layer Tools 557 | memdump 558 | Memory Acquisition 559 | Memory acquisition Tools 560 | Memory acquisition VM 561 | Memory Acquisition – VM’s 562 | Memory acquisition Windows 563 | Memory Analysis 564 | Memory Analysis – Advantages 565 | Memory Analysis – Stages 566 | Memory Analysis – Suites 567 | Memory analysis tools 568 | Memory Analysis VS Media Forensics 569 | Memory Analysis Windows 570 | memory.dmp 571 | Memory Forensics 572 | Memory Section (or Pages) 573 | Memory Sections 574 | Memory – Timeline analysis 575 | metadata layer 576 | Metadata Layer Tools 577 | $MFT 578 | MFT Analysis 579 | MFT Anomalies 580 | MFT - File Entry Header - Start 581 | MFT FILE Record Header 582 | $MFTMIRR 583 | MFT Outlier analysis 584 | MFT – Record Numbers 585 | MFT Zone 586 | mimikatz 587 | mklink 588 | mmls 589 | moddump 590 | modscan 591 | modules 592 | MRI 593 | Mutant Handle 594 | mutantscan 595 | Mutex 596 | Namespace Type 597 | National Software Reference Library 598 | Netcat 599 | netscan 600 | Network artifacts 601 | Network Artifacts – Volatility 602 | Network Based IOC 603 | Network Logon 604 | Network Service 605 | Network Shares 606 | Non-Layer Tools 607 | Non-Resident 608 | NSRL 609 | NTDS.DIT 610 | NTDSXtract 611 | NTFS 612 | NTFS Attributes 613 | NTFS - Attributes 614 | NTFS Features 615 | NTFS - Features 616 | NTFS – How a file is written to disk? 617 | NTFS Overview 618 | NTFS Timestamps 619 | NTFS – What data still exists upon file deletion? 
620 | NTLM – Account Logon Error Codes 621 | NTUSER.DAT 622 | Object Access 623 | $OBJECT_ID 624 | Object ID 625 | $ObjId 626 | obtaining hashes 627 | Offline – Extraction – Events 628 | OpenIOC 629 | openioc_scan 630 | Operating System Vulnerabilities 631 | Operational Tempo 632 | Opportunity 633 | Packing/Entropy Check 634 | Page Directory Base offset (PDB) 635 | Page_Execute_ReadWrite 636 | pagefile.sys 637 | Parser Lists 638 | Parsing the Amcache.hve 639 | Parsing the RecentFileCache.bcf 640 | Partitioning 641 | Pass the Hash attack 642 | Pass the Ticket attack 643 | PEB 644 | pe_carve.py 645 | persistence 646 | persistence mechanisms 647 | pescan 648 | pescan - Abnormality Detection 649 | pescan - Hash 650 | pescan usage 651 | pf 652 | pffexport 653 | .pf signature 654 | Phantom DLL 655 | Phantom DLL Hijacking 656 | Physical Layer 657 | Physical Memory Offset 658 | Piecewise Hashing 659 | pinfo 660 | pinfo.py 661 | pivotal phase 662 | pivot point 663 | Pivot Point Determination 664 | plasm 665 | plaso 666 | Plaso - Goals 667 | Plaso - Parsers 668 | Policy Change 669 | Ports 670 | powercfg.exe 671 | Powershell 672 | Powershell Authentication 673 | Powershell Basics 674 | PowerShell – Basics 675 | Powershell Remoting 676 | PowerShell Remoting – Detection 677 | PowerShell Script Block Logging 678 | P&P Event Log 679 | Prefetch 680 | Prefetch – Carving 681 | Prefetch – Directory 682 | Prefetch – Files 683 | Prefetch – File System Time Stamps 684 | prefetchparser 685 | Preparation 686 | Previous Versions 687 | printkey 688 | Privileged/Admin Activity 689 | Privilege User 690 | Problems 691 | procdump 692 | Process 693 | Processbl 694 | Process Environment Block (PEB) 695 | Process Hollowing 696 | Process Objects 697 | Process – Timeline Analysis 698 | Process Tracking 699 | Profiles – Volatility 700 | ProgramDataUpdater 701 | Program Execution 702 | Protected Process 703 | protecting hashes 704 | psexec 705 | PsExec – ?? 
706 | PsExec – Credentials 707 | PsExec – Detection 708 | PsExec – Event Log Artifacts 709 | psexec.exe 710 | PsExec – File System Artifacts 711 | PsExec – Memory Artifacts 712 | PsExec – Process Steps 713 | psexec - protecting credentials 714 | PsExec – Registry Artifacts 715 | PsExec – Remote Command Execution 716 | pslist 717 | PsLogList 718 | PsLoglist.exe 719 | PsLogList – Extraction – Events 720 | psort 721 | psort.py 722 | pspcid 723 | psscan 724 | pstotal 725 | pstree 726 | psxview 727 | Quick Response 728 | $Quota 729 | RDP 730 | RDPClip.exe 731 | RdpCore log 732 | rdphint 733 | RDP Usage 734 | Reactive Organization 735 | Reality – Timeline Analysis 736 | RecentFileCache 737 | RecentFileCache.bcf 738 | RecentFileCache.bcf – Location 739 | RecentFileCache.bcf – Purpose 740 | RecentFileCache.bcf – Rules 741 | Recent Files 742 | Recon 743 | Reconnaissance 744 | Recovery 745 | Redline 746 | Redline – Analyze Data 747 | Redline – Collect Data 748 | Redline IOC Analysis 749 | Redline - Supports 750 | Redo Pass 751 | ReFS 752 | reg.exe 753 | Registry and Password Analysis – Volatility 754 | Registry Artifacts in Memory 755 | Registry Extraction 756 | Registry Handle 757 | RegRipper 758 | regular expressions 759 | Rekall 760 | Remediation 761 | Remediation - Challenges 762 | Remediation - Critical Controls 763 | Remediation Event 764 | Remediation Event - Goals 765 | Remediation Event - Plan 766 | Remediation Event - Plan - Posture 767 | Remediation - Incorrect lifecycle 768 | Remote Access Agent 769 | Remote Analysis Agent 770 | Remote Desktop Services (attacker) – Detection 771 | Remote Desktop Services (attacker) – Registry Key 772 | Remote Enterprise Incident Response & Forensics 773 | Remote Forensics 774 | Remote Log Access 775 | Remote Management Tools 776 | Remote System IR 777 | Remoting – PowerShell 778 | $Reparse 779 | $REPARSE_POINT 780 | Reparse Point 781 | Resident 782 | Restart Area 783 | restore points 784 | Restore Points – When Created 785 | rfc.pl 
786 | Right Mindset 787 | rip.pl 788 | Risk 789 | Rootkit 790 | Rootkit Behavior 791 | Rootkit Detection Plugins – Volatility 792 | Rootkit Hooking 793 | Rootkit Hooking – Types 794 | Rootkits 795 | sc 796 | sc.exe 797 | Scheduled Tasks logs 798 | Scheduled Tasks – Malware Persistence 799 | schtasks.exe 800 | Scope 801 | searching for malicious processes 802 | Secondlook 803 | Section_Object_Pointer 804 | sector sizes 805 | $SECURE 806 | Security 807 | Security – Categories 808 | $SECURITY_DESCRIPTOR 809 | Security – Detailed 810 | Security Identifier (SID) 811 | Semaphore 812 | Service Accounts 813 | servicebl 814 | Service Replacement – Malware 815 | Services Events 816 | session 817 | Session Restore 818 | Setup 819 | Shadow Copy 820 | Shadow Copy Volumes 821 | Shadow volume 822 | SharedCachedMap 823 | ShellBags 824 | shimcache 825 | shimcachemem 826 | Shimcacheparser.py 827 | Shortcut (LNK) files 828 | SID – Parts 829 | SID – Well known 830 | SIFT Workstation 831 | SIFT Workstation – Extraction – Events 832 | Sigcheck 833 | sigcheck.exe 834 | Six-Step Incident Response Process 835 | Six-step IR Process 836 | Skype History 837 | Sleuth Kit 838 | sockets 839 | socketscan 840 | sockscan 841 | sorter 842 | sorter - Data types 843 | sorter - hash database 844 | Sparse file 845 | srch_strings 846 | ssdeep 847 | ssdt 848 | ssdt_ex 849 | Stable registry keys 850 | Standard Collector 851 | $Standard_Information 852 | $Standard_Information Header 853 | Standard Windows Time Rules 854 | Start->Run 855 | $STDINFO 856 | STIX 857 | Stop pulling the plug 858 | Stormworm 859 | strings 860 | String Searching 861 | StringSearching with memdump 862 | Stuxnet 863 | Super Timeline 864 | Super Timeline Analysis 865 | Super Timeline - Color Template 866 | Super Timeline - Creation 867 | Super Timeline - Fields/Columns 868 | Super Timeline - Import into Excel 869 | Supertimeline - Step-by-step creation 870 | Suspicious Binaries LFO 871 | Suspicious Services 872 | svcscan 873 | 
swapfile.sys 874 | Sysinternals 875 | SysKey 876 | System 877 | System Events 878 | System Files 879 | System process 880 | system restore 881 | System Service Descriptor Table (SSDT) 882 | Targeted Timeline collection 883 | TaskScheduler log 884 | Task Scheduler Logs 885 | Task Scheduler v1.0 886 | Task Scheduler v1.2 887 | TDL3/TDSS 888 | Team Composition 889 | TeamViewer 890 | Technet 891 | Temporal Proximity 892 | The Pivot Point 893 | The Sleuth Kit 894 | thrdproc 895 | Thread 896 | Threads 897 | Threat 898 | Threat Detection 899 | Threat Environment 900 | Threat Hunting 901 | Threat Hunting - From Automated to Manual 902 | Ticket Granting Tickets (TGT) 903 | Tickets 904 | Tickets – Golden Ticket 905 | Tickets – How to Steal 906 | Tickets – Mitigation 907 | Timeline 908 | Timeline Analysis 909 | Timeline Analysis - Core areas 910 | Timeline Analysis - Evidence 911 | Timeline Analysis - Tools 912 | Timeline Benefits 913 | Timeline Creation 914 | Timeline Creation - Step One 915 | Timeline Data Filtering 916 | Timeline evidence 917 | timeliner 918 | Time Rule Exceptions 919 | Time Rules 920 | Time Rules - Exceptions 921 | Time Slice 922 | Timestamp Analysis 923 | Timestamp Anomalies 924 | Timestamps - NTFS 925 | timestomp 926 | Timezone 927 | token 928 | Tokens 929 | Tokens – Common Tools 930 | Tokens – Mitigation 931 | Tokens – Stealing 932 | trampoline (inline) hooks 933 | Transaction Logging – System Crash 934 | Triage 935 | Triage Extraction 936 | TrueCrypt 937 | Trusted Code Signing 938 | TSK 939 | Ultimate Windows Security 940 | Unallocated 941 | Unallocated Clusters 942 | Understanding Security Identifiers 943 | Undo Pass 944 | $UPCASE 945 | Update Records 946 | USB or Drive usage 947 | userassist 948 | $UsnJrnl 949 | vaddump 950 | VAD tree 951 | Virtual Address Descriptor (VAD) 952 | Virtual Machine Memory Acquisition 953 | Virtual Memory Offset 954 | VirusTotal.com 955 | Vista/Win7 Thumbnails 956 | VNC 957 | volafox 958 | Volatile Data Collection 959 | 
Volatile Data - Network 960 | Volatile Data - Processes 961 | Volatile registry keys 962 | Volatility 963 | Volatility help 964 | Volatility overview 965 | Volatility Plugins 966 | Volatility profiles 967 | Volatility reference 968 | Volatility – Supported Plugins 969 | $VOLUME 970 | Volume Boot Record 971 | $VOLUME_INFORMATION 972 | $VOLUME_NAME 973 | Volume Name 974 | Volume Serial Number 975 | Volume Shadow Copy 976 | Volume Shadow Copy – Analysis Options 977 | Volume Shadow Copy – How it works 978 | Volume Shadow Copy – How to Mount 979 | Volume Shadow Copy – Location 980 | Volume Shadow Copy – When Created 981 | Volume Snapshot Service 982 | vshadowinfo 983 | vshadowmount 984 | Vshadowmount – Steps 985 | vssadmin.exe 986 | vssadmin list shadows 987 | VSS examination 988 | VSS Exclusions 989 | VSS forensics 990 | VSS image examination 991 | VSS imaging 992 | VSS mounting 993 | VSS Timelining 994 | Vulnerability 995 | Vulnerability Exploitation 996 | Vulnerability Exploitation – Detection 997 | Vulnerability Exploitation – Types 998 | Wdigest 999 | Weaponization 1000 | Web History 1001 | What is memory forensics? 1002 | What to grab? 1003 | Whitelisting binaries 1004 | Whitelisting – Live Memory Analysis 1005 | Why memory? 
1006 | Win32/64dd 1007 | Win7 Jump Lists 1008 | Win7 Recycle Bin 1009 | Win7 Search 1010 | Windows Artifacts Dissected 1011 | Windows Audit Collection Service 1012 | Windows Credential Editor (WCE) 1013 | Windows Disk Signature 1014 | Windows Management Instrumentation 1015 | Windows Memory Acquisition 1016 | Windows Services – Malware Persistence 1017 | Windows Side-by-side – DLL Loading 1018 | Windows-TerminalServices-LocalSessionManager log 1019 | Windows Time Rules 1020 | WinPMEM 1021 | winrs.exe 1022 | wisp 1023 | WMI 1024 | WMIC 1025 | WMI – Detection 1026 | WMI Event Consumers 1027 | WMI Event Consumers - Steps 1028 | WMI Event Consumers - Triggers 1029 | WMIEvtConsumer 1030 | wsmprovhost.exe 1031 | Yara 1032 | YARA-Project 1033 | Zeus 1034 | Zone Identifier 1035 | -------------------------------------------------------------------------------- /for572-concordance.txt: -------------------------------------------------------------------------------- 1 | (perfect) forward secrecy 2 | 0x0d0a0d0a 3 | 4-way handshake 4 | 6in4 5 | 802.11 control frame 6 | 802.11 data frame 7 | 802.11 frame 8 | 802.11 frame control field 9 | 802.11 frame type 10 | 802.11 security 11 | 802.1q 12 | 802.2x 13 | AES-CCM 14 | AES-CMAC 15 | API; "application programming interface" in page or "api" in wordlist 16 | APT; "advanced persistent threat" in page or "apt" in wordlist 17 | Bro NSM;"bro nsm" in page or "bro" in cswordlist 18 | CBC-MAC 19 | CIDR 20 | ESS; "ESS" in cswordlist or "extended service set" in page 21 | ETL; "event tracing log" in page or "ETL" in cswordlist 22 | ETW; "event tracing for Windows" in page or "ETW" in cswordlist 23 | EVT; "evt format" in page or "EVT" in cswordlist 24 | GRE; "GRE" in cswordlist 25 | HSRP; "hot standby router protocol" in page or "HSRP" in cswordlist 26 | IOC; "indicator of compromise" in page or "indicators of compromise" in page or "ioc" in wordlist 27 | ISAC; "intelligence sharing and analysis center" in page or "isac" in wordlist or 
"intelligence sharing and analysis councils" in page 28 | MACB 29 | NSM; "network and security manager" in page or "network security monitor" in page or "NSM" in cswordlist 30 | NTP; "NTP" in cswordlist 31 | PRI; "priority value" in page or "PRI" in cswordlist 32 | RAT; "remote administration tool" in page or "RAT" in cswordlist 33 | SNI; "server name indication" in page or "server name indicator" in page or "SNI" in cswordlist 34 | TOE; "tcp/ip offload engine" in page or "TOE" in cswordlist 35 | TTL; "time to live" in page or "TTL" in cswordlist 36 | TTP; "tactics, techniques, and procedures" in page or "ttp" in wordlist or "ttps" in wordlist 37 | UniFi; "UniFi" in cswordlist 38 | WISE; "WISE" in cswordlist or "with intelligence see everything" in page 39 | Zeek NSM; "zeek nsm" in page or "zeek" in wordlist 40 | _utma cookie 41 | _utmb cookie 42 | _utmz cookie 43 | access.log 44 | access_log 45 | acknowledgment 46 | acknowledgment of receipt of the correct traffic 47 | arcsight siem 48 | active directory 49 | active ftp 50 | activesync 51 | ad-hoc 52 | ad-hoc mode 53 | address formats for data exchange 54 | address mapping 55 | air-gap 56 | aircrack-ng 57 | airmon-ng 58 | airodump-ng 59 | airport 60 | ajax 61 | amplification attack 62 | analysis console 63 | analyst supporting tool 64 | analyzing ftp 65 | apache 66 | apache kafka 67 | apache lucene 68 | appflow 69 | application log 70 | application reassembly 71 | arp spoofing 72 | arpspoof 73 | artifact extraction 74 | asymmetric 75 | atsvc.opnum 76 | attacking wps 77 | authentication method 78 | authentication 79 | authorization 80 | automated tool 81 | autonomous system 82 | awk 83 | awstats 84 | backdoor 85 | backdoor hidden in common protocol 86 | backspace attack 87 | bar chart 88 | barracuda 89 | base64 90 | base64 encoding 91 | basic authentication 92 | basic https process 93 | basic service set 94 | basic smtp transaction 95 | beats 96 | berkeley packet filter 97 | bettercap 98 | big endian 99 | binary 
protocol analysis 100 | bless 101 | block cipher 102 | blue coat 103 | botnet 104 | bpf 105 | bpf primitive 106 | bro-cut 107 | bss 108 | bssid 109 | bubble diagram 110 | bump server first; "bump server first" in page or "bump-server-first" in page 111 | byod 112 | cache-control 113 | calamaris 114 | capinfos 115 | caploader 116 | capture platform design 117 | capture-platform 118 | capturing ftp 119 | casefile 120 | cbl 121 | certificate authorities 122 | certificate chain 123 | certificate daemon 124 | certificate field 125 | certificate pinning 126 | cewl 127 | chaosreader 128 | chunked transfer encoding 129 | cifs 130 | cipher suite 131 | cisco 132 | clear to send 133 | client access server 134 | client hello 135 | client time exchange 136 | close andx 137 | closing a file 138 | cloud 139 | cname 140 | cobalt strike 141 | collection process 142 | collector 143 | command channel 144 | commercial network forensic 145 | commercial proxy log analysis 146 | comprehensive log aggregation 147 | compression 148 | compromised environment 149 | compromised web pages / sites 150 | connect in wordlist 151 | control frame 152 | control information 153 | cookie 154 | cram-md5 155 | create derivative log file 156 | cryptanalysis attacks 157 | cryptolocker 158 | csma/ca 159 | csma/cd 160 | darpa layer 161 | data channel 162 | data collection planning 163 | data dumping 164 | data format for data exchange 165 | data frame 166 | data loss prevention (dlp) system 167 | data of security interest 168 | data record 169 | data reduction 170 | data retransmission 171 | datagram syslogagent 172 | dealing with encoding and encryption 173 | deauth 174 | deauth attack 175 | decapsulation 176 | deliberate modification 177 | denial of service 178 | derivative log file 179 | determine content type 180 | dga 181 | dhcp 182 | dhcp and dns 183 | dhcp log 184 | dhcp process 185 | dhcp server configuration 186 | dhcp spoofing 187 | dhcp timeline 188 | dhcpack 189 | dhcpd.conf 190 | dhcpdiscover 
191 | dhcpoffer 192 | dhcprequest 193 | diffie-hellman 194 | digital signature 195 | directionality 196 | distributed log storage and analysis 197 | distribution system 198 | dns amplification attack 199 | dns as tunnel transport 200 | dns basics 201 | dns compression 202 | dns correlation 203 | dns in network forensics 204 | dns query logging 205 | dns record 206 | dns tunneling 207 | dnscapy 208 | dnssec 209 | dnsspoof 210 | domain name generation 211 | domaintools.com 212 | dora 213 | dos 214 | dos attack 215 | dot 1q 216 | double flux fast-flux 217 | drop 218 | dshell 219 | dsniff 220 | dumpcap 221 | dwell time 222 | dynamic trunking protocol 223 | e-mail message flow 224 | ebtables 225 | edns 226 | elasticsearch 227 | elsa 228 | emulex endace 229 | encapsulation 230 | encoding 231 | encoding / encryption 232 | encrypted traffic flow analysis 233 | encryption 234 | endian 235 | enterprise log search and archive 236 | envelope 237 | eprt 238 | epsv 239 | esmtp id 240 | etag 241 | ettercap 242 | evaluate proxy data 243 | event id 244 | event viewer 245 | eventing 6.0 246 | eventing-to-syslog 247 | eventlog-to-syslog 248 | evernote 249 | evidence type 250 | evil twin 251 | evil twin attack 252 | evtsys 253 | examine content 254 | exchange to outlook 255 | exporter 256 | exporter positioning 257 | extended passive ftp 258 | extended port 259 | extended service set 260 | extension mechanism for dns 261 | external source 262 | facility (list) 263 | fake open ap 264 | fast flux 265 | fast-flux dns 266 | fid 267 | file id 268 | filebeat 269 | filesystem modification 270 | filter and review smb 271 | firewall and ids 272 | firewall families 273 | firewall log 274 | firewall rule 275 | firewall syntax 276 | firewalld 277 | flow analysis 278 | flow key 279 | flowgrep 280 | flume 281 | follow tcp stream 282 | footprint considerations 283 | forcepoint 284 | forward table 285 | forwarding proxy 286 | forwarded events log 287 | ftp 288 | ftp basics 289 | ftp file extraction 
290 | ftp file extraction with wireshark 291 | full packet capture; "full-packet capture" in page or "full packet capture" in page 292 | gateway 293 | generic routing encapsulation 294 | generic security service api 295 | geolocation 296 | get 297 | get and store data 298 | gh0st rat 299 | glasswire 300 | gnuplot 301 | goals for smb analysis 302 | google analytics 303 | google analytics cookie 304 | google search autocomplete 305 | gre 306 | grep 307 | grok 308 | gss-api 309 | guard intelligence 310 | hadoop 311 | hostname 312 | how do we acquire 313 | hpack 314 | http 315 | http log 316 | http log format 317 | http referer uri 318 | http request method 319 | http request string 320 | http response code 321 | http return code 322 | http server log 323 | http version history 324 | http/2 325 | https 326 | https differences from http 327 | hubspot 328 | ibss 329 | icmp redirect 330 | identd 331 | identify choke and critical point 332 | ids 333 | ids families 334 | ids rules and signatures 335 | iis 336 | iis log file format 337 | imap 338 | independent basic service 339 | information seeking mantra 340 | infrastructure evidence 341 | infrastructure rogue 342 | initialization vector 343 | input table 344 | inssider 345 | internal netflow data 346 | internet protocol flow information export 347 | intrusion detection system 348 | intrusion detection system (ids) 349 | investigation opsec and footprint consideration 350 | iodine 351 | ip flow 352 | ipfix 353 | ipsec 354 | inter process communication 355 | iptables 356 | irdp spoofing 357 | jflow 358 | justniffer 359 | justsniffer 360 | karma 361 | keep-alive 362 | kerberos 363 | kibana 364 | kismet 365 | lanman 366 | layer 7 source 367 | legal compliance 368 | libnids 369 | libpcap 370 | librelp 371 | link diagram 372 | little snitch 373 | live research 374 | live research complications 375 | locking a file for access 376 | locking andx 377 | log aggregation solutions 378 | log aggregation to go 379 | log data 
collection, aggregation and analysis 380 | log evidence collection scenario 381 | log lizard 382 | log parser 383 | log rule 384 | log source 385 | log-prefix 386 | logevent 387 | logformat 388 | logging innovation 389 | logging shortfall 390 | login 391 | logoff 392 | logoff andx 393 | logparser 394 | logparser studio 395 | logrhythm 396 | logstash 397 | mac address 398 | maccof 399 | mail delivery agent 400 | mail exchange 401 | mail submission agent 402 | mail transfer agent 403 | mail user agent 404 | maltego 100, 101 405 | malware analysis 406 | man-in-the-middle 407 | managed mode 408 | managed mode sniffing 409 | management frame 410 | mangle table 411 | mapi 412 | master 413 | master mode 414 | mda 415 | mdk3 416 | mdns 417 | message based 418 | message based protocol 419 | metering process 420 | metricbeat 421 | mic code 422 | michael mic 423 | microsoft eventing 424 | microsoft protocols 425 | microsoft winrm client 426 | mime 427 | mime part 428 | mitigations 429 | mitm for network defense 430 | mitm theme 431 | mixed protocol analysis 432 | mod_log_forensic 433 | modes (wireless) 434 | moloch 435 | monitor mode 436 | mpls 437 | msa 438 | mta 439 | mua 440 | multiplex id value 441 | multiprotocol label switching 442 | mx 443 | name-based virtual hosting 444 | nat 445 | native ssl 446 | ncsa common 447 | ncsa common format 448 | net time 449 | netflow 450 | netflow analysis and collection 451 | netflow architecture 452 | netflow header 453 | netflow v5 header 454 | netresec 455 | netspot 456 | netwitness 457 | network architectural challenges and opportunities 458 | network data acquisition 459 | network data collection strategies 460 | network design 461 | network evidence types and sources 462 | network forensic (what is it) 463 | network protocol 464 | network protocol reverse engineering 465 | network time protocol 466 | network watcher 467 | networkminer 468 | nfcapd 469 | nfdump 470 | nfdump aggregating flows 471 | nfdump custom format 472 | nfdump 
filter 473 | nfdump statistics 474 | nfpcapd 475 | nfreplay 476 | nfsight 477 | nftables 478 | nginx 479 | ngrep 480 | niksun 481 | notebook 482 | ns 483 | nss keylogging 484 | nt create andx 485 | ntlm 486 | ntop 487 | ntopng 488 | ntp basics 489 | ntp during acquisition 490 | ntp in transit 491 | ntp structure 492 | ntpq 493 | ntsyslog 494 | null 495 | objects by url 496 | observation point 497 | obsrevation domain 498 | obtain network directory metadata 499 | odbc 500 | open relay 501 | open-source flow tools 502 | open-source intelligence 503 | opening a file 504 | operational security 505 | opsec 506 | optimization 507 | os determination 508 | osi layer 7 509 | osi model 510 | osint 511 | outlook 512 | outlook anywhere 513 | outlook web access 514 | output table 515 | owa 516 | ozymandns 517 | packet 518 | pairwise master key 519 | parallel axis 520 | parallel coordinate 521 | pass-the-hash 522 | passive dns 523 | passive dns visualisation 524 | passive ftp 525 | passive mode 526 | passivedns 527 | pasv 528 | paterva 529 | payload reconstruction 530 | pcap 531 | pcap file format 532 | pcap next generation 533 | pcapng 534 | pdml 535 | peakflow praxvail nsi 536 | perfect forward secrecy 537 | pf 538 | pfs 539 | pineapple 540 | plain 541 | plain text 542 | platform identification 543 | plixer scrutinizer 544 | pmk 545 | point-to-point tunneling protocol 546 | pop3 547 | popular libraries 548 | port 549 | port mirroring 550 | port stealing 551 | port tracker 552 | positive acknowledment 553 | post 554 | postrouting table 555 | pptp 556 | premature traffic block 557 | prerouting table 558 | process 559 | processing software 560 | project management 561 | promiscuous mode; '"promiscuous" mode' in page or "promiscuous" in wordlist 562 | protocol approach 563 | protocol attribute 564 | protocol flow 565 | protocol functionality 566 | protocol negotiation 567 | protocol structure 568 | proxy 569 | proxy cache extraction 570 | proxy extraction wallthrough 571 | proxy 
log wallthrough 572 | proxy server 573 | proxy solution 574 | psk 575 | pth attack indicator 576 | ptr 577 | public key encryption 578 | qos 579 | qradar 580 | rabbitmq 581 | raw table 582 | read andx 583 | reading from a file 584 | real-time networked logging 585 | reaver 586 | referer 587 | referer log 588 | refresh_pattern 589 | reject 590 | reliable event logging protocol 591 | relp 592 | remove header 593 | request component 594 | request dissection 595 | request string 596 | request to send 597 | response code 598 | response component 599 | response dissection 600 | reverse proxy 601 | rf jammer 602 | rf overload 603 | rf transmission analysis 604 | rfc114 605 | rfc2428 606 | rfc2554 607 | rfc3954 608 | rfc4954 609 | rfc5101 610 | rfc5102 611 | rfc5103 612 | rfc5424 613 | rfc5470 614 | rfc6066 615 | rfc7011 616 | rfc7540 617 | rfc7541 618 | rfc765 619 | rfc821 620 | rfmon 621 | riverbed steelcentral packet analyzer 622 | riverbed steelcentral packet analyzer personal edition 623 | robust security network 624 | routing 625 | rsa key exchange 626 | rsa netwitness 627 | rsa security analytics 628 | rsn 629 | rsyslog 630 | rsyslog configuration file 631 | rts/cts attacks 632 | rumint 633 | rwfileinfo 634 | rwfilter 635 | rwflowappend 636 | rwflowpack 637 | rwidsquery 638 | rwpmatch 639 | rwreceiver 640 | rwsender 641 | sarg 642 | savvius 643 | scapy 644 | scoping 645 | scribe 646 | sctp 647 | search string 648 | secure dialect negotiation 649 | secure password authentication 650 | secure sockets tunneling protocol 651 | security (list) 652 | security analytics platform 653 | security information event manager 654 | security log 655 | security onion 656 | seeking mantra 657 | sequence control 658 | serial number 659 | server 2012 660 | server hello 661 | server message block 662 | server name indicator 663 | service set identifier 664 | session establishment 665 | session reconstruction 666 | session setup andx 667 | set 668 | setup log 669 | sflow 670 | 
sharepoint 671 | siem 672 | silk 673 | simple aggregation 674 | simple protected negotiation 675 | small endian 676 | smb 677 | smb 3 678 | smb attack indicator 679 | smb clients by version 680 | smb file access session 681 | smb protocol negotiation 682 | smb release date 683 | smb session establishment 684 | smb.file 685 | smb2 command 686 | smb2.boot_time 687 | smb3 688 | smb: good filters 689 | smb: opening a file 690 | smtp 691 | smtp body 692 | smtp header 693 | smtp-auth 694 | snare 695 | snort 696 | snort alert 697 | snort basics 698 | snort logging 699 | snort rule 700 | sntp 701 | social engineering toolkit 702 | social engineering toolkit (set) 703 | sof-elk 704 | software wifi tools 705 | spa 706 | span port 707 | splunk 708 | splunk log aggregation 709 | spnego 710 | spotting wep attacks 711 | squid 712 | squid analytics tools 713 | squid cache file structure 714 | squid configuration file 715 | squid custom logs 716 | squid logs 717 | squid raw analysis 718 | squid.conf 719 | squidview 720 | srv 721 | ssh 722 | sshcure 723 | sshfp 724 | ssid 725 | ssl handshake 726 | ssl inspection 727 | ssl-bump 728 | ssl/tls 729 | ssldump 730 | sslstrip 731 | sstp 732 | staged approach to wifi hacking 733 | standby collection hardware 734 | starttls 735 | stp mangling 736 | stratum 737 | stream based 738 | stream based protocol 739 | stream cipher 740 | stream control transmission protocol 741 | strength of algorithm 742 | strip_query_terms 743 | suggested answer 744 | surfmap 745 | suricata 746 | symmetric 747 | symmetric key encryption 748 | syslog 749 | syslog event parameters 750 | syslog network transaction 751 | syslog server 752 | syslog source 753 | syslog-ng 754 | system for internet level knowledge 755 | system forensics 756 | system log 757 | tap 758 | tcp 759 | tcp payload reassembly 760 | tcpdstat 761 | tcpdump 762 | tcpdump / wireshark refresher 763 | tcpdump example 764 | tcpdump trick 765 | tcpflag 766 | tcpflow 767 | tcpslice 768 | tcpstat 769 | 
tcpstat/tcpdstat 770 | tcptrace 771 | tcpxtract 772 | template record 773 | threat hunting 774 | timeline 775 | timestamps 776 | tkip 777 | tkip mic attack 778 | tkip michael check 779 | tls 780 | topn statistic 781 | traffic manipulation 782 | traffic shaping 783 | trans2 784 | transfer-encoding 785 | transmission control protocol 786 | transmission error 787 | transparent mode, ipsec 788 | transparent proxy 789 | transport mode 790 | tree connect andx 791 | tree disconnect 792 | tree disconnection 793 | trend 794 | tshark 795 | tshark option 796 | tshark smb filter 797 | tshark, ssl decryption 798 | tunnel 799 | tunnel mode 800 | tunnel mode, ipsec 801 | tunnels and vpn 802 | txt 803 | u2boat 804 | u2spewfoo 805 | ubiquiti 806 | udp first response wins 807 | unicode 808 | uniform ressource identifier 809 | unlocking a file 810 | upnp 811 | urchin tracking module 812 | uri 813 | useful field 814 | user agent 815 | user data 816 | user-agent 817 | user-agent string 818 | useragent_log 819 | utf-16 820 | utf-7 821 | utf-8 822 | virtual private network 823 | visualisation 824 | visualisation for security staff 825 | visualisation purpose 826 | visualisation techniques and tools 827 | visualizing a compromise 828 | vlan 829 | vpc-flow 830 | vpn 831 | w32tm 832 | w3c extended 833 | w3c extended/combined format 834 | wds 835 | weak keys and exchange 836 | webdav 837 | wep attack 838 | wepattack 839 | what to capture 840 | which tool to choose 841 | whois 842 | wifi attack 843 | wildcard 844 | windows 8 845 | windows architecture 846 | windows event forwarding 847 | windows eventing model 848 | windows evtx 849 | windows os bidging 850 | winlogbeat 851 | winlogd 852 | winpcap 853 | wireless 854 | wireless distribution system 855 | wireless distribution system (wds) 856 | wireless network forensics 857 | wireshark 858 | wireshark display filter 859 | wireshark name resolution 860 | wireshark smb filter 861 | wireshark ssl decryption 862 | wpa/wpa2 psk attack 863 | wpa2 
864 | wps 865 | xplico 866 | yahoo! mail 867 | yersinia 868 | zcat 869 | zeroconf 870 | zeromq 871 | zone alarm 872 | zone transfer 873 | -------------------------------------------------------------------------------- /for585-concordance.txt: -------------------------------------------------------------------------------- 1 | 24kpwn 2 | 91 mobile 3 | Abbreviated Dialing Numbers (ADN); "Abbreviated Dialing Numbers" in page or "ADN" in page 4 | ABC Amber 5 | Absinthe 6 | accounts.db 7 | ACPO 8 | Acquisition Action 9 | ActiveSync 10 | ActiveSync; "active sync" in page or "activesync" in page 11 | AddressBook 12 | Address Book 13 | AddressBook.sqlitedb 14 | Adware 15 | Aggregated Contacts 16 | Airplane Mode 17 | AirWatch 18 | Always Off Rule; "Always off" in page 19 | .alx 20 | Andrew Case 21 | Andrew Hoog 22 | Andriller 23 | Android Debug Bridge (ADB); "Android Debug Bridge" in page or "ADB" in page 24 | Android Developer Toolkit 25 | Android Device Manger 26 | AndroidManifest.xml 27 | Android Runtime 28 | Anubis; "anubis" in page or "andrubis" in page 29 | APK Inspector 30 | .apk;page.count(".apk") > 2 31 | .app 32 | AppleComputer Folder; "applecomputer" in page 33 | Apple Continuity 34 | Apple File Connection (AFC); "apple file connection" in page or "AFC" in cswordlist 35 | Apple Watch 36 | Application Framework 37 | AppsLib 38 | Apps Zoom 39 | Aptoide 40 | Archiving 41 | Autopsy 42 | Backdoor 43 | Backup Services 44 | .bar 45 | Base64 46 | BatchGeo 47 | batterystats.bin 48 | .bbb 49 | .bbb; "bbb" in cswordlist 50 | best practice guide 51 | Bitdefender 52 | Bitlocker 53 | BlackBerry 54 | Blackberry Backup 55 | BlackBerry Desktop Manager (BDM); "blackberry desktop manager" in page or "BDM" in cswordlist 56 | BlackBerry Enterprise Software (BES); "blacknerry enterprise software" in page or "BES" in cswordlist 57 | BlackBerry Internet Service (BIS); "blackberry internet service" in page or "BIS" in cswordlist 58 | BlackBerry Link 59 | BlackBerry Link Backup file 
(.bbb); "blackBerry link backup file" in page or ".bbb" in cswordlist 60 | BlackBerry Messenger 61 | BlackBerry Messenger (BBM); "blackBerry messenger" in page or "BBM" in cswordlist 62 | BlackBerry OS 63 | BlackBerry OS 10 64 | BlackBerry Playbook 65 | Blink 66 | Blocks 67 | Bluetooth 68 | Bookmarks.db 69 | Bookmarks.plist 70 | Boot Loader 71 | Bricking; "brick" in page or "bricking" in page or "bricked" in page 72 | browser.db 73 | Burner 74 | /cache 75 | cache.cell 76 | Cache.db 77 | cache.wifi 78 | call_history.db 79 | callhistory.storedata 80 | CallHistory.storedata 81 | Call logs 82 | Call Logs 83 | Carving; "carve" in page or "carving" in page 84 | Cellebrite 85 | Cellebrite Advanced Investigative Services (CAIS); "cellebrite advanced investigative services" in page or "CAIS" in cswordlist 86 | Cells 87 | Cell towers 88 | cemail.vol 89 | CFAbsoluteTimeConverter 90 | Chain Manager 91 | chess.db 92 | Chip-off 93 | classes.dex 94 | Class Key 95 | CNET 96 | Cocoa Touch framework 97 | .cod 98 | Code Divided Multiple Access (CDMA); "Code Divided Multiple Access" in page or "CDMA" in page 99 | com.apple.Carousel 100 | com.apple.ipod.plist 101 | Communications Statistics 102 | Confide 103 | consolidated.db 104 | contacts2.db 105 | Conversion 106 | Customizable Secure Boot (CSB); "Customizable Secure Boot" in page or "CSB" in page 107 | Cyber Dust 108 | Cydia 109 | dalvik-cache 110 | Dalvik Virtual Machine (DVM); "Dalvik" in page or "DVM" in page 111 | /data 112 | Data Extraction Wizard 113 | DCIM/100APPLE 114 | DeCode 115 | Decode Images 116 | decoding 117 | Decompiler 118 | destination_history 119 | Device Passcode 120 | DeviceRegistry 121 | Dex2Jar 122 | Dexter 123 | DFU mode 124 | Digital Camera Images (DCIM); "digital camera images" in page or "DCIM" in cswordlist 125 | dmappmgr.db 126 | Docs To Go 127 | Documenting 128 | /download 129 | Dropbox 130 | DropCopy 131 | Dynamic-text.dat 132 | eDEC Tarantula 133 | Effacable Storage 134 | Elcomsoft 135 | Elcomsoft iOS 
Forensic Toolkit 136 | Elcomsoft Phone Password Breaker; "elcomsoft phone password breaker" in page or "EPPB" in cswordlist 137 | Electronic Serial Number (ESN); "Electronic Serial Number" in page or "ESN" in page 138 | Elementary Files (EF); "Elementary Files" in page 139 | Embedded Multimedia Cards (eMMC); "Embedded Multimedia Cards" in page or "eMMC" in page 140 | emmc.db 141 | Enable Handoff 142 | EnCase 143 | Encryption, Full Disk; "FDE" in page or "Full Disk" in page 144 | Encrypt Local Backup 145 | Envasi0n 146 | Epilog 147 | events_serv.db 148 | Evernote 149 | evidentiary locations 150 | Exchangeable image file format (EXIF); "Exchangeable image file format" in page or "EXIF" in page 151 | Exchange ActiveSync 152 | EXFAT 153 | external.db 154 | extraction 155 | Facebook 156 | Facebook Messenger 157 | Facetime 158 | FaceTime 159 | Face Unlock 160 | Faraday 161 | FAT file system 162 | fbsyncstore.db 163 | F-Droid 164 | FileHopper 165 | File Key 166 | File System Acquisition 167 | File System Extraction 168 | FindMyiPhone 169 | Find My iPhone 170 | flash.bin 171 | Flash Counter 172 | Flasher box 173 | Flash Translation Layer (FTL); "flash translation layer" in page or "FTL" in cswordlist 174 | FlexiSpy 175 | flowchart 176 | FourSquare 177 | Frankly 178 | FreeType 179 | Frhed 180 | Friendster 181 | fstab 182 | FTK Imager 183 | Fuzzy Search 184 | Garbage Collection (GC); "Garbage Collection" in page or " GC " in page 185 | Garmin Street Pilot 186 | Gartner 187 | GeoHistory.mapsdata 188 | GeoServices 189 | Gesture 190 | gesture.key 191 | Gingerbread 192 | Glance 193 | Global System for Mobile Communications (GSM); "Global System for Mobile Communications" in page or "GSM" in page 194 | Good Practice Guide 195 | Google Docs 196 | Google Maps 197 | Google Wallet 198 | GUID 199 | Hash; "hash" in cswordlist or "hashes" in cswordlist or "hashed" in cswordlist 200 | hex 201 | Hex editor 202 | Heywire 203 | HFS+ 204 | HFSK 205 | History.plist 206 | Hive 207 | Hotspots 
208 | HTC 209 | Huawei 210 | iCloud 211 | Identification 212 | IEF Mobile 213 | ifans; "www.ifans.com" in page 214 | iMessage 215 | info.mkf 216 | Info.plist 217 | Intake 218 | Integrated Circuit Card Identification (ICCID); "Integrated Circuit Card Identification" in page or "ICCID" in page 219 | International Mobile Subscriber Identity (IMSI); "International Mobile Subscriber Identity" in page or "IMSI" in page 220 | Internet history 221 | iOS Version 222 | iPad 5 223 | iPad Mini 224 | iP-BOX 225 | .ipd; "ipd" in cswordlist 226 | iPhone 4 227 | iPhone 4s 228 | iPhone 5 229 | iPhone 5s 230 | iPhone 6 231 | iPhone 6s 232 | Isolation 233 | iTunes 234 | iXAM 235 | .jad 236 | Jailbreak; "jailbreak" in page or "jailbroken" in page or "jail break" in page or "jailbreaking" in page 237 | .jar 238 | Java Decompiler 239 | Java Platform Micro Edition (Java ME); "java platform micro edition" in page or "Java ME" in cswordlist 240 | JavaScript Object Notation (JSON); "javascript object notation" in page or "JSON" in cswordlist 241 | jd-gui 242 | Jelly Bean 243 | jg-gui 244 | JotNot 245 | JTAG 246 | JTAG; "JTAG" in page or "Joint Test Action Group" in page 247 | Juniper Networks; "juniper" in page 248 | Jurisdiction 249 | Kaspersky Labs; "kaspersky" in page 250 | Keyboard Cache 251 | Key Evidence 252 | Kies 253 | Kik Messenger 254 | KitKat 255 | .kml 256 | kml file 257 | KNOX 258 | Libraries 259 | Library folder 260 | Linux Kernel 261 | Linux Memory Extractor (LiME); "Linux Memory Extractor" in page or "LiME" in page 262 | Liveness Check 263 | localstorage 264 | Locard's Exchange Principle 265 | Locations; "data/app folder" in page or "microsd" in page 266 | Locations.kml 267 | Lockdown File; "lockdown" in page 268 | Logical Acquisition 269 | Logical Extraction 270 | logs.db 271 | Lollipop 272 | Low-Power Assist 273 | Maas360 274 | Magellan RoadMate 275 | Magnet Forensics 276 | Malware 277 | Malware, Detection; "malware detection" in page 278 | malware scanner 279 | 
Manifest.mbdb 280 | Manifest.plist 281 | Manual Examination 282 | mapsdata 283 | Marshmallow 284 | Mbackup 285 | .mbm 286 | Media Framework 287 | message_attachment_join 288 | message_id 289 | metadata 290 | Microsystemation 291 | MIDP 292 | .mif 293 | mmssms.db 294 | /mnt 295 | Mobango 296 | Mobile Device Management (MDM); "Mobile Device Management" in page or "MDM" in page 297 | Mobile Directory Number (MDN); "Mobile Directory Number" in page or "MDN" in page 298 | Mobile Equipment ID (MEID); "Mobile Equipment ID" in page or "MEID" in page 299 | Mobile Identification Number (MIN); "Mobile Identification Number" in page or "MIN" in page 300 | MobileIron 301 | Mobile Sandbox 302 | MobileSpy 303 | MobileSync Folder; "mobilesync" in page 304 | MobiStealth 305 | Monitoring 306 | MPE+ 307 | MSAB 308 | mSpy 309 | Multimedia Messaging Service (MMS); "multimedia messaging service" in page or "mms" in page 310 | MySpace 311 | NAND 312 | NAND Flash Memory; "NAND" in page 313 | NAND Flash; "NAND" in cswordlist 314 | nanopasses.sqlite3 315 | NBU Backup Explorer 316 | Near Field Communication (NFC); "near field communication" in page or "nfc" in page 317 | NEFconfig.xml 318 | Network Service Provider (NSP); "Network Service Provider" in page or "NSP" in page 319 | .nfl 320 | Nike+ 321 | Nimbuzz 322 | Nokia 323 | Nokia Backup Explorer 324 | Nokia Belle 325 | Nokia PC Suite 326 | Nokia’s Lifeblog 327 | Nokia Symbian 328 | NOR 329 | NOR Flash; "NOR" in cswordlist 330 | notes.sqlite 331 | Notification 332 | NTFS 333 | NVISO 334 | .obliterated 335 | oneNAND 336 | On/Off Rule; "On/Off" in page or "On / Off" in page 337 | OpenGL 338 | OpenTable 339 | Out of Bound (OOB); "Out of Bound" in page or "OOB" in page 340 | Over The Air (OTA); "over the air" in page or "OTA" in cswordlist 341 | Over the Air (OTA); "Over the Air" in page or "OTA" in page 342 | Ovi Suite 343 | Oxygen Forensics Suite; "oxygen" in page 344 | packages.list 345 | packages.xml 346 | PadMapper 347 | Pages 348 | 
PairedSync 349 | PanGu 350 | Paraben 351 | Paraben Device Seizure 352 | Passcode 353 | Passwords folder 354 | PayPal 355 | Personal Identification Number (PIN); "Personal Identification Number" in page or "PIN" in page 356 | Personal Information Management (PIM); "personal information management" in page or "PIM" in cswordlist 357 | Personal Unblocking Key (PUK); "Personal Unblocking Key" in page or "PUK" in page 358 | PhotoData 359 | Physical Extraction 360 | pim.vol 361 | PIN Unblocking Key (PUK); "PIN Unblocking Key" in page or "PUK" in page 362 | Plist 363 | PList Editor 364 | Plists 365 | Plug-in 366 | POSIX 367 | Potentially Unwanted Application (PUA); "potentially unwanted application" in page or "pua" in page 368 | Preferences 369 | Preparation 370 | Presentation 371 | PrivatOS 372 | Processing 373 | properties.bin 374 | Property List Files (Plist); "property list files" in page or "plist" in cswordlist 375 | QNX 376 | QR Code 377 | Ransomware 378 | Rapid Identification Friend or Foe (RIFF); "Rapid Identification Friend or Foe" in page or "RIFF" in page 379 | raw_contacts table 380 | Recently Deleted; "recently deleted" in page 381 | Record Stores 382 | Recovery Mode; "Recovery" in page 383 | RedBox 384 | Registry 385 | Remote Code Execution (RCE); "remote code execution" in page or "RCE" in page 386 | Removable User Identity Module (R-UIM); "Removable User Identity Module" in page or "R-UIM" in page 387 | Removable User Identity Module (RUIM); "Removable User Identity Module" in page or "RUIM" in page 388 | .rem; ".rem" in page 389 | Repackaging 390 | Repair 391 | reporting 392 | Reporting 393 | Research in Motion (RIM); "research in motion" in page or "RIM" in cswordlist 394 | Riley v. 
California 395 | .rms 396 | Robust File System (RFS); "Robust File System" in page or "RFS" in page 397 | Root; "root" in page or "rooting" in page or "superuser" in page 398 | .rsc 399 | Safari 400 | SAFE 401 | Samba 402 | Samsung 403 | Samsung Kies 404 | Sandbox 405 | Santoku 406 | SaveIt! 407 | SD Card 408 | search_history.db 409 | SearchResults.dat 410 | Secure Digital eXtended Capacity (SDXC); "Secure Digital eXtended Capacity" in page or "SDXC" in page 411 | Secure Digital High Capacity (SDHC); "Secure Digital High Capacity" in page or "SDHC" in page 412 | secureProperties.bin 413 | Security Enhanced Linux (SELinux); "Security Enhanced Linux" in page or "SELinux" in page 414 | Service Books 415 | Service.plist 416 | SGL 417 | Shared Memory File (SHM); "shared memory file" in page or "SHM" in cswordlist 418 | ShareFile 419 | Short Message Service (SMS); "Short Message Service" in page or "SMS" in page 420 | Short Messaging Service Center (SMSC); "Short Messaging Service Center" in page or "SMSC" in page 421 | Silent Text 422 | SIM Cloning 423 | SIMIS 424 | Siri 425 | .sis 426 | Skype 427 | Slide ME 428 | Smarterforensics.com 429 | Smart Lock 430 | Smishing 431 | SMS.db 432 | Snapchat 433 | SnapChat 434 | Solid State Memory 435 | Sophos 436 | SpyBubble 437 | Spyera 438 | Spyware 439 | SQLite 440 | Square 441 | SSL 442 | Stagefright; "stagefright" in page or "libStageFright" in page 443 | Store.sqlite 444 | Subscriber Identity Module (SIM); "Subscriber Identity Module" in page or "SIM" in page 445 | Surface Manger 446 | SWGDE 447 | Symbian OS 448 | System-on-a-Chip (SoC); "system-on-a-chip" in page or "SoC" in cswordlist 449 | Tango 450 | Tappin 451 | TAPs; "TAP" in page or "TAPs" in page or "Test Access Ports" in page 452 | TarArchive 453 | TaxiMagic 454 | TeleNav 455 | TigerText 456 | TMSI 457 | Tracer 458 | Trace Window 459 | Trackware 460 | Trojan 461 | Trulia 462 | Trust Platform Module (TPM); "trust platform module" in page or "trusted platform module" in 
page or "TPM" in cswordlist 463 | TrustZone based Integrity Measurement Architecture (TIMA); "TrustZone based Integrity Measurement Architecture" in page or "TIMA" in page 464 | Twitter 465 | UberCab 466 | UFED4PC 467 | UFED Link Analysis; "ufed" in page 468 | UFED Touch 469 | Universal Integrated Circuit Card (UICC); "Universal Integrated Circuit Card" in page or "UICC" in page 470 | Unrecognized 471 | UrbanSpoon 472 | usage-history.xml 473 | USB debugging 474 | user_dict.db 475 | User Dictionary 476 | Verification 477 | viaExtract 478 | viaForeniscs 479 | Viber 480 | Virus Total 481 | VZ Navigator 482 | watch list 483 | Watch List 484 | Watch Lists 485 | Waze 486 | Wear Leveling 487 | webkit 488 | WebKit 489 | webviewCached.db 490 | webview.db 491 | Whatsapp 492 | WhatsApp 493 | Wickr 494 | Wi-Fi assist 495 | Windows CE 496 | Windows Mobile 497 | Windows Phone 498 | WireLurker 499 | Wireshark 500 | WordsWithFriends 501 | Words With Friends 502 | WordWithFriends 503 | Worm 504 | Wrist Detection 505 | Write Ahead Logs (WAL); "write ahead log" in page or "WAL" in cswordlist 506 | XACT 507 | XAMN 508 | Xcode 509 | XcodeGhost 510 | XenMobile 511 | XRY 512 | XRY Reader 513 | Yahoo Messenger 514 | Yandex 515 | Yet Another Flash File System (YAFFS2); "Yet Another Flash File System" in page or "YAFFS2" in page 516 | Zdziarski Method 517 | Zedge 518 | Zimperium Labs; "zimperium" in page 519 | .zip;page.count(".zip") > 2 520 | -------------------------------------------------------------------------------- /for610-concordance.txt: -------------------------------------------------------------------------------- 1 | ADD; "ADD" in cswordlist 2 | Address Space Layout Randomization (ASLR); "address space layout randomization" in page or "ASLR" in cswordlist 3 | Adobe Reader 4 | AND; "AND" in cswordlist 5 | ApateDNS 6 | apihooks 7 | automated sandboxes 8 | base64dump.py 9 | bbcrack.py 10 | Beaconing 11 | beautify; "beautify" in page or "beautification" in page 12 | BelkaSoft Live 
RAM Capturer 13 | BinText 14 | BlockInput 15 | box-js 16 | Browser Helper Objects (BHOs); "browser helper objects" in page or "BHOs" in cswordlist 17 | brutexor.py 18 | brxor.py 19 | CallNextHook 20 | Call Stack 21 | call table hooks 22 | capstone engine 23 | cdecl 24 | CFF Explorer 25 | cleardb 26 | Clonezilla 27 | CloseClipboard 28 | CMP; "CMP" in cswordlist 29 | command and control (C2); "command and control" in page or "C2" in cswordlist 30 | conditional jump 31 | console.group 32 | console.log 33 | CreateMutex 34 | CreateProcess 35 | CreateRemoteThread 36 | CREATE_SUSPENDED 37 | CreateToolhelp32Snapshot 38 | CryptDecrypt 39 | CryptEncrypt 40 | CScript 41 | curl 42 | d8 43 | data structure 44 | Deep Freeze 45 | dereferencing 46 | Detect It Easy (DIE); "detect it easy" in page or "DIE" in cswordlist 47 | Device Driver 48 | dlllist 49 | document.write 50 | dropper 51 | DS; "DS" in cswordlist 52 | DumpIt 53 | dwFlags 54 | DynamicBase 55 | EAX; "EAX" in cswordlist 56 | EBP; "EBP" in cswordlist 57 | EBX; "EBX" in cswordlist 58 | ECX; "ECX" in cswordlist 59 | EDI; "EDI" in cswordlist 60 | EDX; "EDX" in cswordlist 61 | EFLAGS; "EFLAGS" in cswordlist 62 | EIP; "EIP" in cswordlist 63 | EnumProcess 64 | ES; "ES" in cswordlist 65 | ESI; "ESI" in cswordlist 66 | ESP; "ESP" in cswordlist 67 | eval 68 | Exeinfo 69 | Exfiltration 70 | exiftool 71 | fakedns 72 | FakeNet-NG 73 | fastcall 74 | Fast Library Identification and Recognition Technology (FLIRT); "fast library identification and recognition technology" in page or "FLIRT" in cswordlist 75 | feh 76 | Fiddler 77 | FileInsight 78 | FindSc 79 | FireWire 80 | FlateDecode 81 | FLOSS 82 | FOG; "FOG" in cswordlist 83 | for loop; "for" in page and "loop" in page 84 | Foxit Reader 85 | Framework 86 | FS; "FS" in cswordlist 87 | general-purpose registers 88 | GetAsyncKeyState 89 | GetClipboardData 90 | GetCursorPos 91 | GetKeyState 92 | GetModuleHandle 93 | GetThreadContext 94 | GetTickCount 95 | GetWindowText 96 | Global 
Descriptor Table (GDT); "global descriptor table" in page or "GDT" in cswordlist 97 | grep 98 | GS; "GS" in cswordlist 99 | heap spraying 100 | Hextostring 101 | HKEY_CURRENT_USER (HKCU); "hkey_current_user" in page or "HKCU" in cswordlist 102 | HKEY_LOCAL_MACHINE (HKLM); "hkey_local_machine" in page or "HKLM" in cswordlist 103 | hooking 104 | Hopper 105 | HTML Applications (HTAs); "html applications" in page or "HTAs" in cswordlist 106 | HttpOpenRequest 107 | IDA; "IDA" in cswordlist 108 | Import Address Table (IAT); "import address table" in page or "IAT" in cswordlist 109 | Import/Export Table 110 | impscan 111 | IMUL; "IMUL" in cswordlist 112 | Indicator of Compromise (IOC); "indicator of compromise" in page or "IOC" in cswordlist 113 | INetSim 114 | inline hooks 115 | Internet Explorer 116 | Internet Relay Chat (IRC); "internet relay chat" in page or "IRC" in cswordlist 117 | Interrupt Descriptor Table (IDT); "interrupt descriptor table" in page or "IDT" in cswordlist 118 | I/O Request Packet (IRP); "i/o request packet" in page or "IRP" in cswordlist 119 | iptables 120 | JGE; "JGE" in cswordlist 121 | jmp2it 122 | JMP; "JMP" in cswordlist 123 | JNE; "JNE" in cswordlist 124 | JNG; "JNG" in cswordlist 125 | JNL; "JNL" in cswordlist 126 | JNZ; "JNZ" in cswordlist 127 | JonDonym 128 | js-didier 129 | Kahu 130 | Kahu Security 131 | kdbgscan 132 | Keylogger 133 | keystroke logger 134 | KnTDD 135 | layering 136 | ldrmodules 137 | LEAVE; "LEAVE" in cswordlist 138 | libemu 139 | LibreOffice 140 | LoadLibrary 141 | location.href 142 | LOOPcc 143 | looping 144 | lower 16 bits 145 | lpFile 146 | lpOperation 147 | lpParameters 148 | lpStartAddress 149 | macros 150 | malfind 151 | MASTIFF 152 | memdump 153 | memory forensics 154 | Memory Map 155 | MEM_WRITE 156 | Microsoft APIs 157 | MicroSoft Developer Network (MSDN); "microsoft developer network" in page or "MSDN" in cswordlist 158 | Microsoft Office 159 | minidriver 160 | MOV; "MOV" in cswordlist 161 | mutant 162 | mutex 
163 | Native APIs 164 | NoMoreXOR.py 165 | No OPeration (NOP); "no operation" in page or "NOP" in cswordlist 166 | Notepad++ 167 | NtAllocateVirtualMemory 168 | NTDLL.DLL 169 | NtGetContextThread 170 | NtUnmapViewOfSection 171 | NT Virtual DOS Machine (NTVDM); "nt virtual dos machine" in page or "NTVDM" in cswordlist 172 | Object Linking and Embedding (OLE); "object linking and embedding" in page or "OLE" in cswordlist 173 | Office Open XML (OOXML); "office open xml" in page or "OOXML" in cswordlist 174 | OLE2 175 | olebrowse.py 176 | olecfinfo 177 | oledir.py 178 | oledump.py 179 | oleid.py 180 | olemap.py 181 | oletools 182 | olevba.py 183 | OllyDbg 184 | OpenAction 185 | OpenClipboard 186 | OpenClipBoard 187 | OpenProcess 188 | Open-Source INTelligence (OSINT); "open-source intelligence" in page or "OSINT" in cswordlist 189 | Open Threat Exchange 190 | OpenVPN 191 | Origami PDF 192 | Original Entry Point (OEP); "original entry point" in page or "OEP" in cswordlist 193 | OR; "OR" in cswordlist 194 | packerid 195 | page tables 196 | Parent Process ID (PPID); "parent process id" in page or "PPID" in cswordlist 197 | patching 198 | PCAP 199 | pdfid.py 200 | pdf-parser.py 201 | PDF Stream Dumper 202 | pdftk 203 | PE Capture 204 | peepdf.py 205 | peframe 206 | PE Header 207 | pepack 208 | percent Unicode 209 | pescan 210 | pestr 211 | PeStudio 212 | pe_unmapper 213 | Pev toolkit 214 | PhantomJS 215 | Pinpoint 216 | Portable Document Format (PDF); "portable document format" in page or "PDF" in cswordlist 217 | portex 218 | Position-Independent Code (PIC); "position-independent code" in page or "PIC" in cswordlist 219 | PowerShell 220 | PowerShell ISE 221 | ProcDOT 222 | Process32First 223 | Process32Next 224 | Process Environment Block (PEB); "process environment block" in page or "PEB" in cswordlist 225 | Process Hacker 226 | Process Hollowing 227 | Process IDentifier (PID); "process identifier" in page or "PID" in cswordlist 228 | Process ID (PID); "process id" in 
page or "PID" in cswordlist 229 | Process Monitor 230 | process replacement 231 | ProtectionID 232 | pstree 233 | PXE boot 234 | qpdf 235 | queuing 236 | Quttera 237 | Radare 238 | Radare2 239 | RAX register 240 | RDG Packer Detector 241 | ReadFile 242 | reg_export 243 | RegOpenKeyEx 244 | Regshot 245 | regsvr32.exe 246 | ResumeThread 247 | RETN; "RETN" in cswordlist 248 | RET; "RET" in cswordlist 249 | Rich Text Format (RTF); "rich text format" in page or "RTF" in cswordlist 250 | RIP pointer 251 | RIP-relative addressing 252 | RollBack Rx 253 | rootkit 254 | rtfdump.py 255 | RtlDecompressBuffer 256 | RunPE 257 | sandboxes 258 | Sandboxie 259 | scdbg 260 | SciTE 261 | Scout 262 | Scylla 263 | ScyllaHide 264 | Secure File Transfer Protocol (SFTP); "secure file transfer protocol" in page or "SFTP" in cswordlist 265 | Secure Shell (SSH); "secure shell" in page or "SSH" in cswordlist 266 | segment registers 267 | setdllcharacteristics 268 | SetThreadContext 269 | SetWindowsHook 270 | SetWindowsHookEx 271 | Shellcode 272 | shellcode2exe 273 | shellcode2exe.py 274 | ShellExecuteW 275 | SHL; "SHL" in cswordlist 276 | SHR; "SHR" in cswordlist 277 | signsrch 278 | SOCKS 279 | SpiderMonkey 280 | SS; "SS" in cswordlist 281 | Stages of malware analysis 282 | static analysis 283 | static analyzer 284 | stdcall 285 | strace 286 | Strace-for-NT 287 | strcpy 288 | strdeob.pl 289 | strings2 290 | Structured Exception Handling (SEH); "structured exception handling" in page or "SEH" in cswordlist 291 | Structured Storage (SS); "structured storage" in page or "SS" in cswordlist 292 | SUB; "SUB" in cswordlist 293 | Summary of the analysis 294 | svchost.exe 295 | swf_mastah.py 296 | switch statement 297 | SysAnalyzer 298 | system calls 299 | System Monitor (Sysmon); "system monitor" in page or "Sysmon" in cswordlist 300 | System Service Descriptor Table (SSDT); "system service descriptor table" in page or "SSDT" in cswordlist 301 | TcpLogView 302 | TEST; "TEST" in cswordlist 303 | 
thiscall 304 | Thread Information Block (TIB); "thread information block" in page or "TIB" in cswordlist 305 | Thread Local Storage (TLS); "thread local storage" in page or "TLS" in cswordlist 306 | ThreatAnalyzer 307 | Thug 308 | Tinba 309 | TitanMist 310 | TOR; "TOR" in cswordlist 311 | TorSocks 312 | trampoline 313 | TrickBot 314 | trid 315 | unescape 316 | Unicode 317 | unXOR 318 | unzip 319 | UPX 320 | urlQuery 321 | user-mode 322 | usewithtor 323 | V8 324 | vaddump 325 | Viper 326 | Virtual Address Descriptor (VAD); "virtual address descriptor" in page or "VAD" in cswordlist 327 | VirtualAlloc 328 | VirtualAllocEx 329 | VirtualBox 330 | Virtual Function Table (vftable); "virtual function table" in page or "vftable" in cswordlist 331 | Virtualization 332 | Virtual PC 333 | VirtualProtect 334 | VirusTotal 335 | Visual Basic for Applications (VBA); "visual basic for applications" in page or "VBA" in cswordlist 336 | VMDetection 337 | VMware 338 | Volatility 339 | VPN 340 | vURL 341 | wget 342 | while loop; "while" in page and "loop" in page 343 | WinDbg 344 | Windows Virtual PC 345 | WinGraph32 346 | WinPMEM 347 | WinSCP 348 | Wireshark 349 | WMIC 350 | WM_LBUTTONDOWN 351 | WM_LBUTTONUP 352 | WM_MOUSEMOVE 353 | WPE Pro 354 | WriteProcessMemory 355 | WRITE; "WRITE" in cswordlist 356 | WScriptShell.Run 357 | x64dbg 358 | XCHG; "XCHG" in cswordlist 359 | XML 360 | XML-based Office documents 361 | XML Forms Architecture (XFA); "xml forms architecture" in page or "XFA" in cswordlist 362 | xorBruteForcer.py 363 | XORI 364 | xor-kpa.py 365 | XORSearch 366 | xortool 367 | xrefs window 368 | xxd 369 | zipdump.py 370 | ZwGetContextThread 371 | ZwProtectVirtualMemory 372 | ZwUnmapViewOfSection 373 | ZwWriteVirtualMemory 374 | --------------------------------------------------------------------------------