# FOR610 Knowledge Base

Structured data extracted from the SANS FOR610 (Reverse-Engineering Malware) course materials.

## Files

| File | Description |
|------|-------------|
| `categories.yaml` | Tool category taxonomy (18 categories) |
| `tools.yaml` | Master tool catalog (~110 tools with metadata) |
| `labs.yaml` | All 47 labs with ordered tool sequences |
| `workflows.yaml` | 8 high-level analysis workflow patterns |

## Schema

### tools.yaml

Each tool entry contains:

- `id` — unique kebab-case identifier (used for cross-references)
- `name` — display name as typed on the CLI
- `aliases` — alternative names
- `description` — one-line description
- `category` — FK to `categories.yaml`
- `platform` — `linux` | `windows` | `both` | `online`
- `in_remnux` — boolean, available in the REMnux container
- `labs` — list of lab IDs that use this tool
- `typical_usage` — 1-3 command examples
- `for610_sections` — which course sections cover this tool
- `tags` — free-form search tags

### labs.yaml

Each lab entry contains:

- `id` — lab number (e.g., `"3.1"`)
- `section` — course section (1-5)
- `title` — full lab title
- `sample` — malware specimen analyzed
- `analysis_type` — controlled vocabulary
- `tools_used` — **ordered** list with `tool_id`, `platform`, and `purpose`
- `key_techniques` — techniques demonstrated
- `prerequisite_labs` — dependencies (optional)
- `tags` — free-form search tags

### workflows.yaml

Each workflow contains ordered steps with tool references and related labs.

## Generating JSON

```bash
make generate-data
```

This converts all YAML files to JSON under `data/generated/` using `yq`.

## Cross-Reference Integrity

- Tool IDs in `labs.yaml` → `tools_used[].tool_id` must exist in `tools.yaml`.
- Lab IDs in `tools.yaml` → `labs[]` must exist in `labs.yaml`.
- Category IDs in `tools.yaml` → `category` must exist in `categories.yaml`.
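The three integrity rules above are easy to break silently when entries are added by hand, so here is an added checker that enforces them over the parsed YAML. It is example code written for this README, not part of the knowledge base itself. Beyond the three stated rules it also flags duplicate or non-kebab-case tool ids (the `tools.yaml` schema says ids are unique kebab-case), dangling `prerequisite_labs` references, and lab ids that YAML parsed as numbers rather than strings (an unquoted `3.1` becomes a float, and `1.10` collapses to `1.1`, so lab ids must be quoted). The `load_entries` helper assumes each file is a top-level list of entries, or a mapping with a single key whose value is that list; the sample data at the bottom is constructed for the demonstration and is not taken from the real catalog.

```python
"""Cross-reference integrity check for the FOR610 knowledge base (example, not project code)."""
import re
from collections import Counter
from typing import Any, Dict, List

try:
    import yaml  # PyYAML; only needed by load_entries(), not by the check itself
except ImportError:  # pragma: no cover
    yaml = None

# Assumption: tool ids are lower-case words joined by single hyphens.
KEBAB_CASE = re.compile(r"^[a-z0-9]+(?:-[a-z0-9]+)*$")


def load_entries(path: str) -> List[Dict[str, Any]]:
    """Load one knowledge-base YAML file into a list of entries.

    Assumption: the file is a top-level list, or a mapping with a single key
    (e.g. ``tools:``) whose value is that list.
    """
    if yaml is None:
        raise RuntimeError("PyYAML is required to load the YAML files")
    with open(path, encoding="utf-8") as fh:
        doc = yaml.safe_load(fh)
    if isinstance(doc, dict) and len(doc) == 1:
        doc = next(iter(doc.values()))
    if not isinstance(doc, list):
        raise ValueError(f"{path}: expected a list of entries")
    return doc


def check_cross_references(categories, tools, labs) -> List[str]:
    """Return human-readable integrity errors; an empty list means consistent."""
    errors: List[str] = []
    category_ids = {c["id"] for c in categories}
    tool_ids = {t["id"] for t in tools}
    lab_ids = {lab["id"] for lab in labs}

    # tools.yaml: ids must be unique and kebab-case
    for tool_id, n in Counter(t["id"] for t in tools).items():
        if n > 1:
            errors.append(f"tools.yaml: id '{tool_id}' appears {n} times")
    for tool_id in sorted(tool_ids, key=str):
        if not KEBAB_CASE.match(str(tool_id)):
            errors.append(f"tools.yaml: id '{tool_id}' is not kebab-case")

    # tools.yaml -> categories.yaml and tools.yaml -> labs.yaml
    for tool in tools:
        if tool.get("category") not in category_ids:
            errors.append(f"tool '{tool['id']}': category '{tool.get('category')}' "
                          "not in categories.yaml")
        for lab_id in tool.get("labs") or []:
            if lab_id not in lab_ids:
                errors.append(f"tool '{tool['id']}': lab '{lab_id}' not in labs.yaml")

    # labs.yaml -> tools.yaml, plus prerequisite_labs and id-type checks
    for lab in labs:
        if not isinstance(lab["id"], str):
            errors.append(f"labs.yaml: id {lab['id']!r} is not a string; quote it")
        for step in lab.get("tools_used") or []:
            if step.get("tool_id") not in tool_ids:
                errors.append(f"lab '{lab['id']}': tool_id '{step.get('tool_id')}' "
                              "not in tools.yaml")
        for dep in lab.get("prerequisite_labs") or []:
            if dep not in lab_ids:
                errors.append(f"lab '{lab['id']}': prerequisite '{dep}' not in labs.yaml")
    return errors


# Constructed sample data mirroring the schema (not the real catalog).
SAMPLE_CATEGORIES = [{"id": "static-analysis"}, {"id": "dynamic-analysis"}]
SAMPLE_TOOLS = [
    {"id": "strings", "category": "static-analysis", "labs": ["1.1"]},
    {"id": "procmon", "category": "dynamic-analysis", "labs": ["1.1", "9.9"]},  # 9.9 dangling
]
SAMPLE_LABS = [
    {"id": "1.1", "tools_used": [{"tool_id": "strings"}, {"tool_id": "procmon"}]},
    {"id": "2.1", "tools_used": [{"tool_id": "ghidra"}], "prerequisite_labs": ["1.1"]},  # no such tool
    {"id": 3.1, "tools_used": []},  # what an unquoted lab id looks like after YAML parsing
]

if __name__ == "__main__":
    for problem in check_cross_references(SAMPLE_CATEGORIES, SAMPLE_TOOLS, SAMPLE_LABS):
        print(problem)
```

Against the real files, call `check_cross_references(load_entries("categories.yaml"), load_entries("tools.yaml"), load_entries("labs.yaml"))` and fail the build when the list is non-empty; running it before `make generate-data` keeps dangling references out of `data/generated/`.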