CyberCode Academy episodes:

• December 10, 2025Course 13 - Network Forensics | Episode 5: TCP/IP Layers, Data Flow, and Network Tools

  In this lesson, you’ll learn about:
  

  • The fundamentals of protocol analysis and how data flows through network layers
  • The TCP/IP and OSI networking models
  • Encapsulation and decapsulation processes
  • Key Layer 3 and Layer 4 protocols
  • Essential tools for analyzing network traffic, including Wireshark and Nmap

  1. Introduction to Protocol Analysis This lesson provides foundational knowledge of how network communications work, focusing on:
  

  • The structure and behavior of networking models
  • How data moves across a network
  • How to use analysis tools to understand packet content

  The lesson contrasts:
  

  • The TCP/IP Model (4 layers): Application, Transport, Internet, Network Access
  • The OSI Model (7 layers), widely used in academic settings for conceptual understanding

  2. Data Encapsulation and Flow Encapsulation Explained (“Onion” Model) As data travels down the network stack:
  

  • It starts as the original message (the “core” of the onion)
  • Each layer adds its own headers and sometimes trailers
  • These layers wrap the message to form a complete network frame

  Layer-by-Layer Wrapping
  

  • Transport Layer (Layer 4)
    Adds source/destination ports and TCP flags
  • Internet Layer (Layer 3)
    Adds source/destination IP addresses
  • Network Access Layer
    Adds MAC addresses and prepares data for physical transmission

  At the receiving end, layers are removed one by one (decapsulation) until the message reaches the Application Layer. 3. Key Network Layers and Protocols A. Layer 3 – Internet Layer / IP Layer 3 is responsible for addressing and routing. Core Functions
  

  • Identifying devices using unique IP addresses
  • Adding source/destination IPs to each packet
  • Determining routing paths across networks

  IP Addressing Concepts
  

  • IP addresses use 4 octets (8 bits each → 0–255)
  • Five IP address classes are defined historically
  • Private IP ranges include:
    • 10.x.x.x
    • 172.16.x.x – 172.31.x.x
    • 192.168.x.x

  Subnetting and CIDR
  

  • Subnet Mask: Similar to a zip code that defines network boundaries
  • CIDR / Slash Notation (e.g., /24, /12) provides flexible subnetting
  • Helps efficiently allocate IP space

  Types of IP Transmission
  

  • Unicast – one-to-one
  • Broadcast – one-to-everyone on the network
  • Multicast – one-to-a specific group

  B. Layer 4 – Transport Layer / TCP & UDP Layer 4 provides end-to-end communication. TCP (Transmission Control Protocol)
  

  • Reliable, connection-oriented
  • Ensures order delivery and handles retransmissions
  • Uses the three-way handshake: SYN → SYN-ACK → ACK
  • Session shutdown uses the FIN–ACK process

  UDP (User Datagram Protocol)
  

  • Lightweight, connectionless
  • Suitable for quick bursts of data (e.g., streaming, gaming)

  Ports and Sockets
  

  • Ports = “lanes on a highway” for different services (e.g., port 80 for HTTP)
  • Sockets combine IP + Port to identify unique connections
    • Works with both TCP and UDP

  4. Protocol Analysis Tools A. Wireshark A powerful packet analysis tool used to inspect and dissect network traffic. Key Features
  

  • Captures packets (“network sniffing”)
  • Allows deep packet inspection
  • Supports protocol tree view (mapped to OSI layers)
  • Provides a hex dump showing raw data

  Wireshark can even reconstruct data streams and extract file content from packet captures. B. Nmap (Network Mapper) A widely used open-source tool for network discovery and service enumeration. What Nmap Can Identify
  

  • Port states (open, closed, filtered)
  • Operating system fingerprints
  • Service versions
  • Network topology

  Nmap understands both:
  

  • Traditional subnet masks
  • CIDR notation (e.g., /24, /22)

  
  
  You can listen and download our episodes for free on more than 10 different platforms:
  https://linktr.ee/cybercode_academy

  ...more

  

  ---

• December 09, 2025Course 13 - Network Forensics | Episode 4: Log Analysis, SIM Correlation, and Network Attack Signature Detection

  In this lesson, you’ll learn about:
  

  • Log analysis fundamentals and why logging is essential for security visibility
  • SIM (Security Information and Event Management) correlation and event analysis
  • Network attack signature detection using tools such as Snort and packet capture analysis

  1. Introduction to Logging and Security Visibility Effective security monitoring depends on logging the right information and establishing baselines for normal behavior. A common challenge is that security tools—especially IDS sensors—produce many false positives, which can lead analysts to ignore real threats (as seen in major breaches such as Home Depot). 2. Logging Strategy and Log Integrity Logging Strategy Essentials Organizations must implement:
  

  • A clear logging strategy
  • Structured and normalized log data
  • Centralized logging
  • Real-time and continuous monitoring
  • Long-term storage for historical correlation

  What Must Be Logged
  

  • Unsuccessful authentication attempts
    • Example: 100 → 10,000 attempts indicates brute-force or dictionary attacks
  • Successful authentication attempts
    • Example: 1,000 → 20,000 successful logins indicates compromised credentials being reused

  Maintaining Log Integrity Logs must be treated like financial ledgers:
  

  • Log storage must be read-only
  • Use hashing to ensure logs are not modified
  • Use encryption to protect confidentiality
  • Large storage capacity is required to retain logs for long-term, low-and-slow attack correlation
  • Syslog is the most common centralized log transport and storage method

  3. SIM (Security Information and Event Management) Correlation What SIMs Do SIM systems do not store logs; they:
  

  • Collect and centralize logs from many devices (nodes, routers, switches, appliances)
  • Correlate and analyze events
  • Provide near real-time security violation alerts
  • Reveal attack patterns that individual log sources might not show

  Log Sources for SIM Analysis SIMs typically gather logs from:
  

  • Files (data logs)
  • Operating Systems
  • Network traffic
  • Applications

  Audit Reduction Tools Because audit logs can be massive, tools are used to:
  

  • Eliminate unnecessary data
  • Focus analysts on events of significance

  4. Network Attack Signature Detection Signature detection identifies patterns that indicate malicious activity. Tools such as Snort and packet capture analysis are commonly used. Types of Signatures A. Standard Communication Signatures
  

  • ICMP ping has a predictable payload (A B C D …)
  • TCP three-way handshake (SYN, SYN-ACK, ACK) helps identify typical connections such as FTP (21) or Telnet (23)

  B. Reconnaissance Scans
  

  1. Ping Sweeps
     • Echo requests sent to incrementing IP addresses
  2. Port Scans
     • One source IP sending SYN packets to many ports on one host
     • Modern scanners use non-sequential methods
  3. Stealth Scans (used to evade detection)
     • ACK scans
     • SYN stealth scans
     • FIN scans (only FIN flag)
     • NULL scans (no flags)
  4. Christmas (Xmas) Scans
     • Flags typically set: FIN, URG, PUSH
     • Snort distinguishes traditional Xmas scans from tools like Nmap (which uses only FUP flags)

  C. Denial of Service (DoS) Attacks
  

  • Ping of Death – oversized ICMP packets
  • SYN Flood – large numbers of half-open TCP connections exhausting port capacity

  D. Trojans and Backdoors
  

  • Identified by traffic on known Trojan ports
    • Example:
      • Netbus → port 12345
      • Back Orifice → port 31337

  5. The Objective of Correlation and Detection The primary goal is to:
  

  • Detect attack patterns before they complete
  • Combine behavior-based insight with signature-based detection
  • Continuously update rules and detection logic as threats evolve

  Tools like Snort rely on constantly updated rule sets to stay effective against modern attacks.
  
  You can listen and download our episodes for free on more than 10 different platforms:
  https://linktr.ee/cybercode_academy

  ...more

  

  ---

• December 08, 2025Course 13 - Network Forensics | Episode 3: Network Forensics, Security Tools, and Defensive Architecture

  In this lesson, you’ll learn about:
  

  • The purpose and scope of Network Forensics
  • Key evidence sources across a networked environment
  • Essential security tools: scanners, sniffers, IDS/IPS
  • Defensive architecture: firewalls, DMZs, bastion hosts
  • Core security protocols: Kerberos, VPNs, SSH, SSL/TLS
  • Integrity monitoring and log management systems

  1. What Is Network Forensics?
  

  • Network forensics is a branch of digital forensics focused on analyzing network traffic to gather evidence, detect intrusions, and understand attacker behavior.
  • It allows investigators to determine:
    • How an intruder entered
    • The intrusion path taken
    • The techniques used
  • Requires systematic tracking of inbound/outbound traffic and knowledge of “normal” behavior to spot anomalies.
  • Skilled attackers are harder to trace, but all intruders leave artifacts somewhere.

  Key Evidence Sources
  

  • Firewalls
  • Routers
  • IDS/IPS systems
  • Packet sniffers
  • Proxy servers
  • Authentication servers
  • Logs from these devices form the foundation of network investigation.

  Role of Other Forensics
  

  • Network forensics complements computer/memory forensics. Examples:
    • Packet analysis may reveal what to look for on a compromised machine.
    • Memory forensics may indicate specific encrypted packets that require deeper analysis.
  • Tools like tcpdump extract raw packet data.
  • Attacker attribution sometimes requires legal processes (e.g., subpoenas to ISPs or Wi-Fi providers).

  2. Security Tools & OSI Layer Weaknesses
  

  • The OSI model helps identify where vulnerabilities exist.
  • Layers 1, 2, 6, and 7 tend to be weaker than layers 3, 4, and 5.

  Key Security Tools
  

  • Port Scanners
    • Identify open ports and exposed services.
    • Example: Nmap.
  • Packet Sniffers / Analyzers
    • Wireshark (analyzer that can sniff)
    • tcpdump (pure command-line sniffer)
  • Intrusion Detection Systems (IDS)
    • Example: Snort.
    • Works like a sniffer with rules; alerts on malicious patterns.
  • Intrusion Prevention Systems (IPS)
    • Active responses: modify packets, block ports, shut down segments.
    • Must be configured carefully to avoid accidental denial-of-service events.

  3. Defensive Network Architecture Firewalls
  

  • Hardware + software systems controlling access based on packet characteristics.

  Types of Firewalls
  

  1. Packet Filtering (Layer 3)
     • Early model, examines only IP and port.
     • Does not track session state.
  2. Stateful Firewalls (Layer 4)
     • Track session state and connection flows.
     • Prevent forged packets unless the session was legitimately initiated.
  3. Application-Layer Firewalls (Layers 6–7)
     • Deep packet inspection.
     • Can enforce command-level rules (e.g., allow FTP GET but block FTP PUT).

  DMZ (Demilitarized Zone)
  

  • A network segment between internal LAN and the external internet.
  • Hosts public-facing resources (web, mail servers).

  Bastion Host
  

  • Hardened system placed in the untrusted network zone (DMZ).
  • Common examples: web servers, mail servers.

  4. Authentication, Encryption & Secure Protocols Kerberos (SSO Authentication)
  

  • A trusted third-party authentication system.
  • Uses a ticket-granting server to authenticate:
    • Client → Kerberos → Resource (e.g., printer)
  • Commonly used for Single Sign-On.

  VPNs (Virtual Private Networks)
  

  • Encrypt traffic between two endpoints.
  • Important note: VPNs do not create isolated physical paths; they still traverse the same routers.
  • Encryption layers:
    • Layer 2 → L2TP
    • Layer 3 → IPSec
    • Layers 5–7 → SSL/TLS
  • Purpose: privacy, not magical invisibility.

  SSH (Secure Shell)
  

  • Commonly used for encrypted remote access, tunneling, and file transfer.
  • Operates on port 22.

  SSL/TLS Process A hybrid crypto model:
  

  1. Browser creates a secret session key.
  2. Browser encrypts this key using the server’s public key.
  3. Server decrypts it using its private key.
  4. Both sides now share the secret and switch to symmetric encryption for the session.

  5. File Integrity & Log Management File Integrity Checking
  

  • Tools like Tripwire monitor critical files.
  • Use hashing to detect unauthorized changes.
  • Alerts admins when files are modified.

  Log Management & SIEM
  

  • SIEM solutions combine:
    • Security Information Management (SIM)
    • Security Event Management (SEM)
  • Examples: LogRhythm, Splunk.
  • Aggregate logs from across the environment, correlate events, and identify patterns.

  
  
  You can listen and download our episodes for free on more than 10 different platforms:
  https://linktr.ee/cybercode_academy

  ...more

  

  ---

• December 07, 2025Course 13 - Network Forensics | Episode 2: Architecture, Protocols (TCP/UDP), and Evidentiary Value

  In this lesson, you’ll learn about:
  

  • Core networking architectures and components
  • The evidentiary value of network design for forensic investigations
  • MAC vs. IP addressing, IPv4 vs. IPv6
  • Ports, protocols, and how systems communicate
  • TCP (reliable) vs. UDP (unreliable) communication
  • Essential protocols: ICMP, DHCP, DNS

  1. Networking Architecture & Its Forensic Importance
  

  • Network forensics requires a solid understanding of how networks operate.
  • The Internet is defined as a collection of interconnected networks using internet protocols to exchange messages.
  • Key network types:
    • LAN – Local Area Network
    • WAN – Wide Area Network
    • CAN – Campus Area Network
    • MAN – Metropolitan Area Network
  • DMZ (Demilitarized Zone):
    • Positioned between the internal LAN and the internet.
    • Hosts publicly accessible systems (web servers, mail servers).
    • A critical zone for forensic evidence.

  Evidentiary Value Across the Architecture When an attacker moves from the internet → DMZ → internal network, evidence is left in multiple locations, including:
  

  • Point of origin
  • Routers across the internet
  • ISP-facing router
  • Firewalls
  • DMZ switching infrastructure
  • The compromised server
    Understanding these layers allows investigators to reconstruct attacker movement.

  2. Network Components, Addressing & Infrastructure Network Components
  

  • Transmission media: cables, fiber, wireless
  • NICs (Network Interface Cards)
  • Nodes (any device connected to the network)

  MAC vs. IP Addresses
  

  • MAC Address
    • Layer 2
    • Physical/hardware identifier
    • Typically permanent
  • IP Address
    • Layer 3
    • Logical/virtual
    • Changes frequently depending on network

  IPv4 vs. IPv6
  

  • IPv4 → 32-bit addressing
  • IPv6 → 128-bit addressing with IPSec built in (encryption/authentication)

  Public vs. Private Addressing
  

  • Public = Routable on the internet
  • Private = Non-routable (internal networks)
  • NAT (Network Address Translation) is used to map internal private IPs to a public-facing address.

  IP Address Classes
  

  • Class A
  • Class B
  • Class C
  • Class E (experimental)

  3. Ports & Communication Protocols Ports
  

  • Think of ports as "traffic lanes" used for communication.
  • Total: 65,535 ports
    • 1–1024 → Well-known ports
    • 1025+ → Ephemeral or dynamic ports
  • Services (Windows) / Daemons (Linux) bind to these ports.

  Protocols
  

  • Protocols define communication rules between systems.
  • Governed by RFCs (Request for Comments) standards.

  4. TCP – The Reliable Protocol Key TCP Header Elements
  

  • Source port
  • Destination port
  • Sequence number
  • Flags

  Connection Management
  

  • Three-Way Handshake (Start of session)
    • SYN → SYN/ACK → ACK
  • Four-Way Combo (End of session)
    • FIN/ACK → ACK → FIN/ACK → ACK
  • Total overhead: 7 packets for a complete start + close cycle.

  Important TCP Flags
  

  • Urgent Pointer – Marks urgent/priority data
  • Push (PSH) – Forces buffered data to transmit immediately
  • Reset (RST) – Abruptly closes a session

  TCP is reliable because it ensures ordered, confirmed delivery. 5. UDP – The Unreliable Protocol
  

  • Connectionless, no handshake.
  • Faster, lower overhead.
  • Ideal for short or time-sensitive bursts of data.
  • Common uses:
    • DNS queries
    • Audio/video streaming
    • VoIP

  UDP does not guarantee delivery, order, or error correction. 6. Other Essential Protocols ICMP (Internet Control Message Protocol)
  

  • Used for error reporting and network diagnostics.
  • Helps identify optimal routing paths.

  DHCP (Dynamic Host Configuration Protocol)
  

  • Automatically assigns IP addresses, subnet masks, and gateways to clients.

  DNS (Domain Name System)
  

  • Translates human-friendly domain names into IP addresses.
  • Essential for both internal and external connectivity.

  
  
  You can listen and download our episodes for free on more than 10 different platforms:
  https://linktr.ee/cybercode_academy

  ...more

  

  ---

• December 06, 2025Course 13 - Network Forensics | Episode 1: Fundamentals, Attack Vectors, and Digital Tracing

  In this lesson, you’ll learn about: Network Forensics – Key Concepts and Techniques In this lesson, you’ll learn about:
  

  • The fundamentals of networks and physical security risks
  • Common network attack vectors and exploitation techniques
  • Critical protocols, encryption methods, and anonymity technologies
  • Essential tools and methodologies used in network forensic investigations

  1. Network Fundamentals & Physical Security
  

  • Understanding how networks operate is essential for forensic analysis.
  • Physical access = high risk
    • Coax-based networks are insecure.
    • Wiring closets and data closets are prime targets.
    • Example: An MIT associate once accessed a wiring closet, deployed a server, and was only detected via CCTV.
  • Network devices by OSI layer:
    • Hub → Layer 1 repeater
    • Switch → Layer 2 (MAC-based)
    • Router → Layer 3
    • Firewall → Layer 4 (TCP/UDP port filtering)
  • NAT ("poor man's proxy")
    • Multiple internal IPs share one external IP.
    • NAT blocks inbound attacks but is bypassed when an infected internal system creates an outbound tunnel.

  2. Attack Vectors and Network Exploits Wireless as a major weakness
  

  • Wireless signals broadcast publicly, making them easy to attack.
  • Deauthentication attacks can be launched with cheap hardware (e.g., ESP8266 boards for $20-$25).

  Core attack techniques
  

  • MAC Spoofing
    • MAC addresses can be changed easily (e.g., using macchanger).
    • Investigators look for activity stopping on one MAC/IP and continuing on another.
    • Tracking spoofed devices typically requires WIPS and triangulation.
  • ARP Poisoning & MAC Flooding
    • ARP poisoning redirects traffic by impersonating the gateway.
    • MAC flooding forces switches to behave like hubs.
    • Port security can mitigate these attacks.
  • DNS Poisoning
    • Redirects a domain to an attacker-controlled IP.
    • Local host files can be manipulated (e.g., domain → 127.0.0.1).
  • TCP/IP Spoofing
    • Effective spoofing requires MITM positioning to block reset packets.
    • Blind spoofing is used in large-scale DoS to confuse IDS systems.

  3. Protocols, Encryption & Anonymity
  

  • Secure vs. insecure protocols:
    • SSH (22) replaced Telnet (23).
    • FTP sends credentials in plaintext.
    • SNMP (161/162) must never be exposed externally due to sensitive config data.
  • Malware ports commonly observed:
    • 666, 1337, 12345, 54321, 4444, 5555.
  • IPv6 & IPSec:
    • IPv6 often uses IPSec, enabling point-to-point encrypted traffic that is difficult to intercept or spoof.
  • Tor and onion routing:
    • Uses three layers of encryption across multiple nodes.
    • Nearly impossible for a basic investigator to break.
    • Only encrypted inside the Tor network—exit node traffic to non-HTTPS sites is exposed.

  4. Forensic Tools & Investigation Methodology Log-Based Investigation
  

  • External attacks rely on:
    • Router logs
    • Firewall logs
    • IDS logs
  • Internal attacks rely on logs from internal devices and systems.

  Key Tools
  

  • Security Information Management Systems (SIMS)
    • Aggregate logs from thousands of sources.
    • Normalize data and identify correlated attack patterns.
  • Packet Sniffers & Protocol Analyzers
    • Wireshark captures Layer 2 traffic.
    • “Follow stream” helps isolate conversations and manually carve data.
  • Netstat
    • Shows open ports and active network connections.
    • Not forensically sound on original evidence—should be used only on a copy or VM.

  Timestamp Synchronization
  

  • Timestamps are critical for correlating logs.
  • All systems should sync to a trusted NTP server.
  • If timestamps differ, investigators must calculate and apply the correct offset.

  
  
  You can listen and download our episodes for free on more than 10 different platforms:
  https://linktr.ee/cybercode_academy

  ...more

  

  ---

• December 05, 2025Course 12 - Maltego Advanced Course | Episode 4: Custom Entity Design and Implementation in Maltego

  In this lesson, you’ll learn about:

  • How to create custom entities in Maltego
  • How to name entities and assign unique type IDs
  • How entity properties, main properties, and data types work
  • How inheritance allows new entities to reuse transforms
  • How to use advanced features like calculated properties and visual overlays
  • How to build dynamic, visually adaptive entities for specialized investigations

  Summary of the Episode: This episode walks through the full process of designing and implementing custom entities in Maltego, beginning with basic creation and advancing toward powerful features like inheritance, calculated properties, regex parsing, and dynamic icon overlays. It demonstrates how users can tailor Maltego to fit specialized investigation workflows by defining their own data structures and visual representations. 1. Naming and Identifying Custom Entities Creating a custom entity starts with two essential identifiers: Display Name

  • A human-readable name, such as Worker, that appears in the graph.

  Type ID (Unique Identifier)

  • Must be globally unique to avoid conflicts
  • Typically structured with a namespace, e.g.:
    • investitech.worker (organization format)
    • my.worker (personal or training use)

  2. Creating a Basic Custom Entity To create a minimal entity, define:

  • Display name: e.g., worker
  • Short description: Explains its purpose
  • Unique type ID: e.g., my.worker
  • Category: e.g., personal

  Main Property Every entity requires at least one property.
  Example:

  • Property name: worker name
  • Type: string
  • Sample value: John Doe

  The main property appears in bold in the property list and typically identifies the entity on the graph. 3. Using Entity Inheritance Inheritance allows a new entity to reuse all transforms and properties of an existing one. Examples:

  • Website inherits from DNS name to gain transforms like “To IP address”.
  • A custom worker entity inherits from maltego.person to reuse:
    • First/last name properties
    • Person-related transforms

  This makes the new entity more functional without additional configuration. 4. Additional Properties Custom entities can include any number of extra properties. Property types include:

  • Strings
  • Numbers
  • Dates
  • Booleans
  • Images
  • Locations

  Default vs Sample Values

  • Sample value: Appears when dragging the entity from the palette
  • Default value: Used if the property is left empty

  5. Calculated Properties Calculated properties automatically combine or transform other property values. Common annotations:

  • $property(name): Reference another property
  • $trim(): Remove surrounding whitespace

  Example:
  A full name property combining first and last names. Calculated properties can be:

  • Visible
  • Hidden
  • Read-only (evidence-safe)

  6. Display Settings & Overlays Maltego entities can display visual cues based on their property values. Large Image (Icon)

  • Can be chosen dynamically using a calculated property

  Overlays (5 Positions)

  • North
  • Northwest
  • West
  • Southwest
  • South

  Overlays can show:

  • Images
  • Colors
  • Text (e.g., job titles, statuses, labels)

  This gives investigators a quick visual read of key details without inspecting the property panel. 7. Regular Expressions for Parsing Regular expressions help:

  • Automatically match input values to the correct entity type
  • Extract structured data from plain text

  Example:

  • Splitting "40.7128 -74.0060" into latitude/longitude values.

  8. Advanced Example: The Custom Worker Entity The episode demonstrates a feature-rich worker entity: Inheritance

  • Inherits from maltego.person

  Additional Properties

  • gender
  • skin tone
  • job

  Calculated Property

  • A hidden, read-only property called combined:
    gender_skintone_job

  Used to determine the icon dynamically. Dynamic Appearance

  • Large icon changes based on the combined property value
  • Job title appears as a north overlay

  This showcases how custom entities can visually adapt according to their data—ideal for specialized investigative environments. Conclusion By mastering custom entity design, inheritance, calculated properties, regex parsing, and graphical overlays, investigators can transform Maltego into a fully customized platform that models the exact data structures relevant to their cases.
  
  You can listen and download our episodes for free on more than 10 different platforms:
  https://linktr.ee/cybercode_academy

  ...more

  

  ---

• December 04, 2025Course 12 - Maltego Advanced Course | Episode 3: The Maltego Transform Hub: Finding, Installing, and Utilizing Data Integrations

  In this lesson, you’ll learn about:

  • What Hub Items are and how they expand Maltego
  • How to navigate, search, filter, and evaluate items in the Transform Hub
  • Pricing models and key requirements used by Maltego data partners
  • How to install free, paid, and trial integrations
  • How to learn and understand newly installed transforms using documentation and the Transform Manager

  Summary of the Episode: This episode provides a full walkthrough of Maltego’s Transform Hub, explaining how investigators can expand Maltego with external data integrations known as hub items. It covers the categories of integrations available, how to browse and install them, the pricing models used by different data sources, and the tools within Maltego that help users understand and effectively use newly added transforms. 1. Understanding Hub Items Maltego is powerful on its own, but it becomes dramatically more capable when combined with external data sources. These integrations are called hub items, and they can introduce:

  • New transforms
  • New entities
  • Machines
  • Transform sets
  • Custom views
  • Icons

  Hub items come from both partners and the community. Detailed information about all integrations is available on Maltego’s website under the “Data Sources” section. 2. Navigating the Transform Hub The Transform Hub is the central interface for adding new capabilities to Maltego. Key UI Features

  • Can be toggled on/off from the Home tab
  • Supports viewing all, installed, or uninstalled items
  • Includes sorting and search functionality
  • Search accepts keywords (e.g., “dark web”, “email”, “financial data”)
  • Offers filters based on:
    • Data category
    • Pricing model
    • Relevant investigation types

  Each hub item displays:

  • Icon
  • Name
  • Maintainer
  • Short summary

  Clicking the item opens a detailed view. 3. Inspecting Hub Item Details & Pricing The details page helps users understand the integration, including:

  • Full description
  • Tags
  • Links to documentation
  • Pricing model
  • Contact details

  Supported Pricing Models

  1. Bring Your Own Key (BYOK)
     • User buys an API key from the provider
  2. Data Bundle
     • Included in certain Maltego subscription plans
  3. Free
     • No payment or key required
  4. Trial
     • Limited free usage
     • Typically rate-limited per hour or per day
  5. Paid Connector
     • Requires provider key + Maltego connector fee

  Multiple models can apply to the same hub item. 4. Installing Hub Items Installation steps depend on the pricing model. 1. Free Hub Items

  • Hover → Click Install
  • Confirm
  • Maltego downloads all resources
  • Installation summary lists added transforms, entities, etc.

  2. Key Required Up Front

  • Clicking Install immediately prompts for a key
  • Details page shows contact information for obtaining a key

  3. Free Trial Items

  • Installs without requiring a key
  • When trial limits are reached, Maltego displays a warning
  • A key can be added later via:
    • Transform Hub → Hub Item → Settings

  5. Learning How to Use New Integrations After installing a hub item, users must determine how its transforms work and which entities they apply to. Three main learning resources: 1. Online Documentation Includes:

  • White papers
  • Showcases
  • Solution briefs
  • Blog posts
  • Examples

  Many hub item detail pages link directly to these resources. 2. Details Page Inside the Transform Hub Provides:

  • Summary of capabilities
  • Tags
  • Description
  • Links to support or documentation

  3. Transform Manager (Most Technical & Useful) Accessible via:
  Transform Tab → Transform Manager Inside the Transform Manager, users can explore:

  • Transform Servers tab
    • Shows all transforms from each data provider
    • Includes transform names
    • Full description
    • Required input entity type
    • Helps determine how to start using the transform
  • All Transforms tab
    • Unified list of every installed transform
  • Transform Sets tab
    • Shows how transforms are grouped into sets
    • Helpful for understanding logical groupings created by the hub item

  This is the primary tool for technically understanding a new integration.
  
  You can listen and download our episodes for free on more than 10 different platforms:
  https://linktr.ee/cybercode_academy

  ...more

  

  ---

• December 03, 2025Course 12 - Maltego Advanced Course | Episode 2: Maltego Infrastructure Entities, Transforms, and Footprinting Techniques

  In this lesson, you’ll learn about:

  • The core entities used in Maltego infrastructure investigations
  • How transforms connect Domains, DNS names, IPs, Netblocks, and ASNs
  • The methodology of Level 1, L2, L3, and XL infrastructure footprinting
  • Key transforms for pivoting forwards and backwards in infrastructure graphs
  • The difference between live DNS, passive DNS, and specialized DNS transforms

  Summary of the Episode: This episode provides a structured introduction to infrastructure investigations in Maltego, covering the foundational entities, essential transforms, and the systematic methods used for infrastructure footprinting. It explains how domains, DNS names, IP addresses, Netblocks, and Autonomous Systems interrelate, and how transforms allow analysts to map and attribute online infrastructure. 1. Foundational Entities & Core Concepts Infrastructure investigations rely on a small set of critical entities: Key Entities

  • Domain
    • Public-facing resource
    • Common starting point for discovering related DNS names
  • DNS Name (and variants like Website, NS, MX)
    • Represents a system that can resolve to an IP address
    • Often a gateway to other infrastructure
  • IPv4 Address
    • A central pivot point in investigations
    • Even on shared hosting, IPs remain strong identifiers
  • Netblock
    • A range of IP addresses
    • Useful for clustering infrastructure and linking disparate nodes
  • Autonomous System (AS / ASN)
    • Represents routing ownership over Netblocks
    • Useful for identifying ISPs or large organizations

  Other Useful Entities

  • Email Address — often the strongest pivot in broader investigations
  • Port & Service — show server capabilities (SSH, RDP, HTTP, etc.)
  • Tracking Code — connects different websites to the same operator

  2. Core Infrastructure Transforms The episode divides standard Maltego infrastructure transforms into functional groups. 1. Domain → DNS Name Methods used:

  • To Website (Quick Lookup) — checks common “www” A/AAAA records
  • To Website Using Domain (Bing) — broader search engine discovery
  • Passive DNS (Robtex/Robex) — historic DNS relationships
  • SPF Transform — extracts DNS names and IPs from email policies

  2. DNS Name → IP Address

  • To IP Address
    • Resolves any DNS name to its current IP

  3. IP Address → Netblock / ASN Transforms use:

  • Historic Passive DNS
  • Global routing data
  • WHOIS sources (ARIN, RIPE, APNIC, etc.)

  Important transforms:

  • Using Natural Boundaries — creates typical /24 IP ranges
  • To AS Number — gets ASN from the Robex database
  • To Company Owner — retrieves organization ownership & location

  3. Footprinting Methodology Infrastructure footprinting is a repeatable process across industries. Level 1 Footprinting (L1) Example shown using CIA.gov Steps:

  1. Find all DNS names / Websites for the domain
  2. Resolve all DNS names → IP addresses
  3. Cluster IPs → Netblocks (often with natural boundaries)
  4. Run To AS Number on the Netblocks
  5. Extract ownership using To Company Owner

  This reveals which Netblocks actually belong to the organization and allows deeper exploration (e.g., Wikipedia edits from those IPs). Higher-Level Footprinting L2 & L3 Machines

  • Add more depth
  • Use Reverse DNS (PTR lookups)
  • Provide prompts to filter MX/NS results
  • Reveal additional infrastructure through recursive pivots

  XL Footprint

  • Uses a completely different strategy
  • Heavy focus on reverse DNS on name servers and SPF-derived IPs
  • Requires significant system resources
  • Most thorough automated footprint

  4. Pivoting Techniques Pivoting is how analysts move through an investigation graph. Forward Pivot Domain → DNS Name → IP Address → Netblock → ASN Backward Pivot IP Address → Historic DNS Names → Domains → Tracking Codes
  Used to uncover:

  • Hidden assets
  • Legacy systems
  • Connected infrastructures

  5. DNS Transform Distinctions Two commonly confused transforms: To Website Mentioning Domain

  • Broad search for any website that references the domain
  • Good for OSINT, not for footprinting

  To Website Using Domain

  • Returns websites that end with your domain
  • Ideal for discovering all related organizational websites

  Live vs Passive DNS

  • Reverse DNS (PTR) = current data
  • Passive DNS (Robex/Robtex) = historic and may show old mappings
    • Maltego displays these as dotted links

  
  
  You can listen and download our episodes for free on more than 10 different platforms:
  https://linktr.ee/cybercode_academy

  ...more

  

  ---

• December 02, 2025Course 12 - Maltego Advanced Course | Episode 1: Maltiggo Transforms, Sets, and Essential Menu Actions

  In this lesson, you’ll learn about:
  

  • How transforms work in Maltego
  • Transform sets and how they organize large transform collections
  • Key transform menu actions and shortcuts
  • Essential bottom-row menu actions for efficient workflow

  Summary of the Episode: This episode explains the core mechanics of Maltego transforms, how to run them, how they are organized, and the essential menu actions available when working on a graph. 1. Understanding Transforms
  

  • Transforms are functions that take one or more selected entities as input.
  • They only appear if relevant entity types are selected.
  • Transforms can be run in two ways:
    • Through the right-click transform menu on the graph
    • Through the Run View

  2. Transform Sets Because some entities (like Domain) have very long lists of transforms, Maltego organizes them into transform sets.
  

  • Transform sets help users find transforms more easily.
  • Sets and transforms are grouped first by their hub item, which may introduce new transforms (e.g., Thread Miner included by default).
  • Navigation:
    • Click a group or set to see its contents
    • Use the left bar or right-click → Up to go back a level

  3. Recognizing Items in the Transform List
  

  • Transforms
    • Dark background (near-black)
    • Single play icon ▶
  • Groups/Sets
    • Light background
    • Small plus icon ➕
  • Run All in a Set
    • Double-play icon ▶▶
    • Use with caution due to potentially large output

  4. Special Transform Sets
  

  • All
    • Appears on every level
    • Shows all transforms for the selected entity/entities
  • Favorites
    • Only appears if you starred transforms for the current entity type
  • Machines
    • Appears at the topmost level, at the bottom
    • Shortcut to run Maltego Machines

  5. Customizing Your Transform Experience
  

  • Users can create custom transform sets in the Transform Manager.
  • Hub items can add new transform groups to your environment.

  6. Essential Right-Click Menu Actions (Bottom Row) These are shortcuts to functions available elsewhere in Maltego: Basic Actions
  

  • Delete / Cut / Copy
    • Copy sends entity as GraphML to clipboard
    • Can be pasted into another graph

  Type Actions
  

  • Quickly search the entity value in Google or Wikipedia
  • Used rarely

  Send to URL
  

  • Sends selected entities to a custom HTTP POST endpoint

  Clear / Refresh Images
  

  • Reloads images from original sources
  • Works only in normal privacy mode, not stealth mode

  Copy to New Graph
  

  • Creates a brand-new graph containing the selected entities and their links
  • Useful for:
    • Experimentation
    • Isolating parts of a graph
  • You can later copy results back into the original graph

  Change Type
  

  • Converts entity from one type to another (e.g., DNS name → Website)
  • Crucial when the target transform isn’t available for the current type

  Merge
  

  • Combines two entities that represent the same real-world object
  • Consolidates their links

  Attach
  

  • Adds files (evidence, screenshots, etc.) to an entity
  • Attached images can be displayed on the graph instead of the entity icon

  7. Most Important Actions to Remember
  

  • Copy to New Graph
  • Change Type
  • Merge
  • Attach

  These actions significantly improve workflow efficiency and flexibility when working with complex investigations.
  
  You can listen and download our episodes for free on more than 10 different platforms:
  https://linktr.ee/cybercode_academy

  ...more

  

  ---

• December 01, 2025Course 11 - Mobile Forensics Fundamentals | Episode 3: iOS and iPhone Forensics: Security, Acquisition Techniques, and Artifact Analysis

  In this lesson, you’ll learn about: • iOS architecture and security features • Common vulnerabilities and exploit history • Logical and physical acquisition techniques • Key forensic artifacts and analysis methods • Legal constraints and investigative limitations iOS / iPhone Forensics: Summary and Key Concepts 1. iOS Security and Architecture iOS is its own complete operating system and is generally considered more secure than Android due to its standardized hardware/software ecosystem. Any vulnerability or exploit tends to apply consistently across devices, but Apple rapidly patches these issues. iOS architecture is layered, similar to the OSI model:

  • Core OS – Unix-based kernel, security framework, low-level networking.
  • Core Services – TCP/IP communication, iCloud services, file sharing.
  • Media Layer – Audio, graphics, video processing.
  • Cocoa Touch – Application interface layer.

  The file system historically used HFS+, storing data in a B-tree format. Key iOS Security Features

  • Secure Boot Chain
    Verifies every boot stage using Apple’s root certificate. Prevents downgrades and protects against boot-level attacks.
  • Secure Enclave / “Clave”
    A dedicated co-processor using encrypted memory to handle cryptographic keys, making memory dumps extremely difficult.
  • AES-256 Encryption
    Industry-grade (DoD-level) encryption applied at the hardware level to protect user partitions.
  • ASLR (Address Space Layout Randomization)
    Mitigates buffer overflow attacks by randomizing memory locations.
  • Sandboxing / Jailing
    Restricts app access to only their assigned directory, protecting system resources.

  2. Vulnerabilities and Exploit History While secure, iOS has had notable vulnerabilities:

  • Masquerading Attack
    A malicious app with the same internal project name as a legitimate one could overwrite it without signature validation (older versions).
  • IP Box Exploit
    Allowed brute-forcing on older iOS versions by bypassing lockout delays.
  • GrayKey Unlocking Device
    A proprietary law-enforcement tool used to bypass locks; Apple later patched the underlying vulnerabilities.
  • San Bernardino Case
    FBI paid roughly $1M for a one-time exploit to bypass auto-wipe on a locked iPhone.

  Apple consistently patches publicly disclosed vulnerabilities, reducing the lifespan of exploits. 3. Acquisition Techniques and Challenges 1. Logical Acquisition Often performed through iTunes backups.

  • Requires the device to be unlocked.
  • Extracts app data, device configuration, file structure, communications, and certain system logs.

  Tools include:

  • Paraben Device Seizure
  • XRY
  • Cellebrite (UFED)
  • iTunes Backup Analyzer 2 (IPBA2)

  2. Physical Acquisition Attempts to extract raw data, including deleted and unallocated space. However:

  • Modern iOS with full AES-256 encryption makes physical acquisition impossible without the passcode.
  • Often requires a temporary jailbreak or custom exploit.
  • Tools such as Pangu or custom RAM disks may be used on older versions.

  Recovery/Boot Modes Used in Forensics

  • Recovery Mode – Useful for interacting with the firmware and restoring images.
  • DFU Mode – Lower-level access used to load custom tools or initiate exploit chains.

  4. Key Forensic Artifacts and Evidence Sources Plist (Property List) Files Store structured data such as:

  • IMEI, IMSI, ICCID
  • Device GUID
  • Backup details
  • Encryption flags
    Plists are among the most valuable forensic artifacts.

  Timestamps iOS uses Unix Epoch time (seconds since Jan 1, 1970).
  Investigators examine:

  • MAC times (Modified, Accessed, Created)
  • Irregularities (e.g., zeroed milliseconds) that may indicate tampering.

  Location Data

  • Historically stored indefinitely; now encrypted and retained for ~8 days.
  • Still useful for reconstructing user movement.

  Communications

  • Contacts
  • SMS/iMessage databases
  • Call history (including missed/attempted calls)
  • Voicemails
    • Note: Listening to an unheard original voicemail may violate wiretap laws.

  Browser Artifacts (Safari)

  • Bookmarks
  • Cache
  • Search history
  • “Suspend state list”—recently closed tabs and windows

  Ephemeral Data

  • Clipboard contents
  • Dynamic keyboard cache
    • Often contains usernames, passwords, or search terms.

  Image and Media Data (DCIM)

  • Photos/videos include EXIF metadata (sometimes GPS).
  • Deleted images may remain accessible as thumbnails embedded in databases.

  Network Artifacts

  • Wi-Fi Plist files contain auto-join network information, including BSSIDs.
  • Can establish proximity between suspects/devices.

  5. Legal and Procedural Requirements Investigators must remain strictly within legal authorization scopes:

  • Accessing iCloud or any cloud-stored user data requires separate warrants.
  • Overstepping authority can end a forensic career immediately.
  • Under the Plain View Doctrine, unrelated evidence may be reported as long as the investigator stays within the allowed scope of the warrant.

  
  
  You can listen and download our episodes for free on more than 10 different platforms:
  https://linktr.ee/cybercode_academy

  ...more

  

  ---