CyberCode Academy episodes:

• December 06, 2025Course 13 - Network Forensics | Episode 1: Fundamentals, Attack Vectors, and Digital Tracing

  In this lesson, you’ll learn about: Network Forensics – Key Concepts and Techniques In this lesson, you’ll learn about:
  

  • The fundamentals of networks and physical security risks
  • Common network attack vectors and exploitation techniques
  • Critical protocols, encryption methods, and anonymity technologies
  • Essential tools and methodologies used in network forensic investigations

  1. Network Fundamentals & Physical Security
  

  • Understanding how networks operate is essential for forensic analysis.
  • Physical access = high risk
    • Coax-based networks are insecure.
    • Wiring closets and data closets are prime targets.
    • Example: An MIT associate once accessed a wiring closet, deployed a server, and was only detected via CCTV.
  • Network devices by OSI layer:
    • Hub → Layer 1 repeater
    • Switch → Layer 2 (MAC-based)
    • Router → Layer 3
    • Firewall → Layer 4 (TCP/UDP port filtering)
  • NAT ("poor man's proxy")
    • Multiple internal IPs share one external IP.
    • NAT blocks inbound attacks but is bypassed when an infected internal system creates an outbound tunnel.

  2. Attack Vectors and Network Exploits Wireless as a major weakness
  

  • Wireless signals broadcast publicly, making them easy to attack.
  • Deauthentication attacks can be launched with cheap hardware (e.g., ESP8266 boards for $20-$25).

  Core attack techniques
  

  • MAC Spoofing
    • MAC addresses can be changed easily (e.g., using macchanger).
    • Investigators look for activity stopping on one MAC/IP and continuing on another.
    • Tracking spoofed devices typically requires WIPS and triangulation.
  • ARP Poisoning & MAC Flooding
    • ARP poisoning redirects traffic by impersonating the gateway.
    • MAC flooding forces switches to behave like hubs.
    • Port security can mitigate these attacks.
  • DNS Poisoning
    • Redirects a domain to an attacker-controlled IP.
    • Local host files can be manipulated (e.g., domain → 127.0.0.1).
  • TCP/IP Spoofing
    • Effective spoofing requires MITM positioning to block reset packets.
    • Blind spoofing is used in large-scale DoS to confuse IDS systems.

  3. Protocols, Encryption & Anonymity
  

  • Secure vs. insecure protocols:
    • SSH (22) replaced Telnet (23).
    • FTP sends credentials in plaintext.
    • SNMP (161/162) must never be exposed externally due to sensitive config data.
  • Malware ports commonly observed:
    • 666, 1337, 12345, 54321, 4444, 5555.
  • IPv6 & IPSec:
    • IPv6 often uses IPSec, enabling point-to-point encrypted traffic that is difficult to intercept or spoof.
  • Tor and onion routing:
    • Uses three layers of encryption across multiple nodes.
    • Nearly impossible for a basic investigator to break.
    • Only encrypted inside the Tor network—exit node traffic to non-HTTPS sites is exposed.

  4. Forensic Tools & Investigation Methodology Log-Based Investigation
  

  • External attacks rely on:
    • Router logs
    • Firewall logs
    • IDS logs
  • Internal attacks rely on logs from internal devices and systems.

  Key Tools
  

  • Security Information Management Systems (SIMS)
    • Aggregate logs from thousands of sources.
    • Normalize data and identify correlated attack patterns.
  • Packet Sniffers & Protocol Analyzers
    • Wireshark captures Layer 2 traffic.
    • “Follow stream” helps isolate conversations and manually carve data.
  • Netstat
    • Shows open ports and active network connections.
    • Not forensically sound on original evidence—should be used only on a copy or VM.

  Timestamp Synchronization
  

  • Timestamps are critical for correlating logs.
  • All systems should sync to a trusted NTP server.
  • If timestamps differ, investigators must calculate and apply the correct offset.

  
  
  You can listen and download our episodes for free on more than 10 different platforms:
  https://linktr.ee/cybercode_academy

  ...more

  

  ---

• December 05, 2025Course 12 - Maltego Advanced Course | Episode 4: Custom Entity Design and Implementation in Maltego

  In this lesson, you’ll learn about:

  • How to create custom entities in Maltego
  • How to name entities and assign unique type IDs
  • How entity properties, main properties, and data types work
  • How inheritance allows new entities to reuse transforms
  • How to use advanced features like calculated properties and visual overlays
  • How to build dynamic, visually adaptive entities for specialized investigations

  Summary of the Episode: This episode walks through the full process of designing and implementing custom entities in Maltego, beginning with basic creation and advancing toward powerful features like inheritance, calculated properties, regex parsing, and dynamic icon overlays. It demonstrates how users can tailor Maltego to fit specialized investigation workflows by defining their own data structures and visual representations. 1. Naming and Identifying Custom Entities Creating a custom entity starts with two essential identifiers: Display Name

  • A human-readable name, such as Worker, that appears in the graph.

  Type ID (Unique Identifier)

  • Must be globally unique to avoid conflicts
  • Typically structured with a namespace, e.g.:
    • investitech.worker (organization format)
    • my.worker (personal or training use)

  2. Creating a Basic Custom Entity To create a minimal entity, define:

  • Display name: e.g., worker
  • Short description: Explains its purpose
  • Unique type ID: e.g., my.worker
  • Category: e.g., personal

  Main Property Every entity requires at least one property.
  Example:

  • Property name: worker name
  • Type: string
  • Sample value: John Doe

  The main property appears in bold in the property list and typically identifies the entity on the graph. 3. Using Entity Inheritance Inheritance allows a new entity to reuse all transforms and properties of an existing one. Examples:

  • Website inherits from DNS name to gain transforms like “To IP address”.
  • A custom worker entity inherits from maltego.person to reuse:
    • First/last name properties
    • Person-related transforms

  This makes the new entity more functional without additional configuration. 4. Additional Properties Custom entities can include any number of extra properties. Property types include:

  • Strings
  • Numbers
  • Dates
  • Booleans
  • Images
  • Locations

  Default vs Sample Values

  • Sample value: Appears when dragging the entity from the palette
  • Default value: Used if the property is left empty

  5. Calculated Properties Calculated properties automatically combine or transform other property values. Common annotations:

  • $property(name): Reference another property
  • $trim(): Remove surrounding whitespace

  Example:
  A full name property combining first and last names. Calculated properties can be:

  • Visible
  • Hidden
  • Read-only (evidence-safe)

  6. Display Settings & Overlays Maltego entities can display visual cues based on their property values. Large Image (Icon)

  • Can be chosen dynamically using a calculated property

  Overlays (5 Positions)

  • North
  • Northwest
  • West
  • Southwest
  • South

  Overlays can show:

  • Images
  • Colors
  • Text (e.g., job titles, statuses, labels)

  This gives investigators a quick visual read of key details without inspecting the property panel. 7. Regular Expressions for Parsing Regular expressions help:

  • Automatically match input values to the correct entity type
  • Extract structured data from plain text

  Example:

  • Splitting "40.7128 -74.0060" into latitude/longitude values.

  8. Advanced Example: The Custom Worker Entity The episode demonstrates a feature-rich worker entity: Inheritance

  • Inherits from maltego.person

  Additional Properties

  • gender
  • skin tone
  • job

  Calculated Property

  • A hidden, read-only property called combined:
    gender_skintone_job

  Used to determine the icon dynamically. Dynamic Appearance

  • Large icon changes based on the combined property value
  • Job title appears as a north overlay

  This showcases how custom entities can visually adapt according to their data—ideal for specialized investigative environments. Conclusion By mastering custom entity design, inheritance, calculated properties, regex parsing, and graphical overlays, investigators can transform Maltego into a fully customized platform that models the exact data structures relevant to their cases.
  
  You can listen and download our episodes for free on more than 10 different platforms:
  https://linktr.ee/cybercode_academy

  ...more

  

  ---

• December 04, 2025Course 12 - Maltego Advanced Course | Episode 3: The Maltego Transform Hub: Finding, Installing, and Utilizing Data Integrations

  In this lesson, you’ll learn about:

  • What Hub Items are and how they expand Maltego
  • How to navigate, search, filter, and evaluate items in the Transform Hub
  • Pricing models and key requirements used by Maltego data partners
  • How to install free, paid, and trial integrations
  • How to learn and understand newly installed transforms using documentation and the Transform Manager

  Summary of the Episode: This episode provides a full walkthrough of Maltego’s Transform Hub, explaining how investigators can expand Maltego with external data integrations known as hub items. It covers the categories of integrations available, how to browse and install them, the pricing models used by different data sources, and the tools within Maltego that help users understand and effectively use newly added transforms. 1. Understanding Hub Items Maltego is powerful on its own, but it becomes dramatically more capable when combined with external data sources. These integrations are called hub items, and they can introduce:

  • New transforms
  • New entities
  • Machines
  • Transform sets
  • Custom views
  • Icons

  Hub items come from both partners and the community. Detailed information about all integrations is available on Maltego’s website under the “Data Sources” section. 2. Navigating the Transform Hub The Transform Hub is the central interface for adding new capabilities to Maltego. Key UI Features

  • Can be toggled on/off from the Home tab
  • Supports viewing all, installed, or uninstalled items
  • Includes sorting and search functionality
  • Search accepts keywords (e.g., “dark web”, “email”, “financial data”)
  • Offers filters based on:
    • Data category
    • Pricing model
    • Relevant investigation types

  Each hub item displays:

  • Icon
  • Name
  • Maintainer
  • Short summary

  Clicking the item opens a detailed view. 3. Inspecting Hub Item Details & Pricing The details page helps users understand the integration, including:

  • Full description
  • Tags
  • Links to documentation
  • Pricing model
  • Contact details

  Supported Pricing Models

  1. Bring Your Own Key (BYOK)
     • User buys an API key from the provider
  2. Data Bundle
     • Included in certain Maltego subscription plans
  3. Free
     • No payment or key required
  4. Trial
     • Limited free usage
     • Typically rate-limited per hour or per day
  5. Paid Connector
     • Requires provider key + Maltego connector fee

  Multiple models can apply to the same hub item. 4. Installing Hub Items Installation steps depend on the pricing model. 1. Free Hub Items

  • Hover → Click Install
  • Confirm
  • Maltego downloads all resources
  • Installation summary lists added transforms, entities, etc.

  2. Key Required Up Front

  • Clicking Install immediately prompts for a key
  • Details page shows contact information for obtaining a key

  3. Free Trial Items

  • Installs without requiring a key
  • When trial limits are reached, Maltego displays a warning
  • A key can be added later via:
    • Transform Hub → Hub Item → Settings

  5. Learning How to Use New Integrations After installing a hub item, users must determine how its transforms work and which entities they apply to. Three main learning resources: 1. Online Documentation Includes:

  • White papers
  • Showcases
  • Solution briefs
  • Blog posts
  • Examples

  Many hub item detail pages link directly to these resources. 2. Details Page Inside the Transform Hub Provides:

  • Summary of capabilities
  • Tags
  • Description
  • Links to support or documentation

  3. Transform Manager (Most Technical & Useful) Accessible via:
  Transform Tab → Transform Manager Inside the Transform Manager, users can explore:

  • Transform Servers tab
    • Shows all transforms from each data provider
    • Includes transform names
    • Full description
    • Required input entity type
    • Helps determine how to start using the transform
  • All Transforms tab
    • Unified list of every installed transform
  • Transform Sets tab
    • Shows how transforms are grouped into sets
    • Helpful for understanding logical groupings created by the hub item

  This is the primary tool for technically understanding a new integration.
  
  You can listen and download our episodes for free on more than 10 different platforms:
  https://linktr.ee/cybercode_academy

  ...more

  

  ---

• December 03, 2025Course 12 - Maltego Advanced Course | Episode 2: Maltego Infrastructure Entities, Transforms, and Footprinting Techniques

  In this lesson, you’ll learn about:

  • The core entities used in Maltego infrastructure investigations
  • How transforms connect Domains, DNS names, IPs, Netblocks, and ASNs
  • The methodology of Level 1, L2, L3, and XL infrastructure footprinting
  • Key transforms for pivoting forwards and backwards in infrastructure graphs
  • The difference between live DNS, passive DNS, and specialized DNS transforms

  Summary of the Episode: This episode provides a structured introduction to infrastructure investigations in Maltego, covering the foundational entities, essential transforms, and the systematic methods used for infrastructure footprinting. It explains how domains, DNS names, IP addresses, Netblocks, and Autonomous Systems interrelate, and how transforms allow analysts to map and attribute online infrastructure. 1. Foundational Entities & Core Concepts Infrastructure investigations rely on a small set of critical entities: Key Entities

  • Domain
    • Public-facing resource
    • Common starting point for discovering related DNS names
  • DNS Name (and variants like Website, NS, MX)
    • Represents a system that can resolve to an IP address
    • Often a gateway to other infrastructure
  • IPv4 Address
    • A central pivot point in investigations
    • Even on shared hosting, IPs remain strong identifiers
  • Netblock
    • A range of IP addresses
    • Useful for clustering infrastructure and linking disparate nodes
  • Autonomous System (AS / ASN)
    • Represents routing ownership over Netblocks
    • Useful for identifying ISPs or large organizations

  Other Useful Entities

  • Email Address — often the strongest pivot in broader investigations
  • Port & Service — show server capabilities (SSH, RDP, HTTP, etc.)
  • Tracking Code — connects different websites to the same operator

  2. Core Infrastructure Transforms The episode divides standard Maltego infrastructure transforms into functional groups. 1. Domain → DNS Name Methods used:

  • To Website (Quick Lookup) — checks common “www” A/AAAA records
  • To Website Using Domain (Bing) — broader search engine discovery
  • Passive DNS (Robtex/Robex) — historic DNS relationships
  • SPF Transform — extracts DNS names and IPs from email policies

  2. DNS Name → IP Address

  • To IP Address
    • Resolves any DNS name to its current IP

  3. IP Address → Netblock / ASN Transforms use:

  • Historic Passive DNS
  • Global routing data
  • WHOIS sources (ARIN, RIPE, APNIC, etc.)

  Important transforms:

  • Using Natural Boundaries — creates typical /24 IP ranges
  • To AS Number — gets ASN from the Robex database
  • To Company Owner — retrieves organization ownership & location

  3. Footprinting Methodology Infrastructure footprinting is a repeatable process across industries. Level 1 Footprinting (L1) Example shown using CIA.gov Steps:

  1. Find all DNS names / Websites for the domain
  2. Resolve all DNS names → IP addresses
  3. Cluster IPs → Netblocks (often with natural boundaries)
  4. Run To AS Number on the Netblocks
  5. Extract ownership using To Company Owner

  This reveals which Netblocks actually belong to the organization and allows deeper exploration (e.g., Wikipedia edits from those IPs). Higher-Level Footprinting L2 & L3 Machines

  • Add more depth
  • Use Reverse DNS (PTR lookups)
  • Provide prompts to filter MX/NS results
  • Reveal additional infrastructure through recursive pivots

  XL Footprint

  • Uses a completely different strategy
  • Heavy focus on reverse DNS on name servers and SPF-derived IPs
  • Requires significant system resources
  • Most thorough automated footprint

  4. Pivoting Techniques Pivoting is how analysts move through an investigation graph. Forward Pivot Domain → DNS Name → IP Address → Netblock → ASN Backward Pivot IP Address → Historic DNS Names → Domains → Tracking Codes
  Used to uncover:

  • Hidden assets
  • Legacy systems
  • Connected infrastructures

  5. DNS Transform Distinctions Two commonly confused transforms: To Website Mentioning Domain

  • Broad search for any website that references the domain
  • Good for OSINT, not for footprinting

  To Website Using Domain

  • Returns websites that end with your domain
  • Ideal for discovering all related organizational websites

  Live vs Passive DNS

  • Reverse DNS (PTR) = current data
  • Passive DNS (Robex/Robtex) = historic and may show old mappings
    • Maltego displays these as dotted links

  
  
  You can listen and download our episodes for free on more than 10 different platforms:
  https://linktr.ee/cybercode_academy

  ...more

  

  ---

• December 02, 2025Course 12 - Maltego Advanced Course | Episode 1: Maltiggo Transforms, Sets, and Essential Menu Actions

  In this lesson, you’ll learn about:
  

  • How transforms work in Maltego
  • Transform sets and how they organize large transform collections
  • Key transform menu actions and shortcuts
  • Essential bottom-row menu actions for efficient workflow

  Summary of the Episode: This episode explains the core mechanics of Maltego transforms, how to run them, how they are organized, and the essential menu actions available when working on a graph. 1. Understanding Transforms
  

  • Transforms are functions that take one or more selected entities as input.
  • They only appear if relevant entity types are selected.
  • Transforms can be run in two ways:
    • Through the right-click transform menu on the graph
    • Through the Run View

  2. Transform Sets Because some entities (like Domain) have very long lists of transforms, Maltego organizes them into transform sets.
  

  • Transform sets help users find transforms more easily.
  • Sets and transforms are grouped first by their hub item, which may introduce new transforms (e.g., Thread Miner included by default).
  • Navigation:
    • Click a group or set to see its contents
    • Use the left bar or right-click → Up to go back a level

  3. Recognizing Items in the Transform List
  

  • Transforms
    • Dark background (near-black)
    • Single play icon ▶
  • Groups/Sets
    • Light background
    • Small plus icon ➕
  • Run All in a Set
    • Double-play icon ▶▶
    • Use with caution due to potentially large output

  4. Special Transform Sets
  

  • All
    • Appears on every level
    • Shows all transforms for the selected entity/entities
  • Favorites
    • Only appears if you starred transforms for the current entity type
  • Machines
    • Appears at the topmost level, at the bottom
    • Shortcut to run Maltego Machines

  5. Customizing Your Transform Experience
  

  • Users can create custom transform sets in the Transform Manager.
  • Hub items can add new transform groups to your environment.

  6. Essential Right-Click Menu Actions (Bottom Row) These are shortcuts to functions available elsewhere in Maltego: Basic Actions
  

  • Delete / Cut / Copy
    • Copy sends entity as GraphML to clipboard
    • Can be pasted into another graph

  Type Actions
  

  • Quickly search the entity value in Google or Wikipedia
  • Used rarely

  Send to URL
  

  • Sends selected entities to a custom HTTP POST endpoint

  Clear / Refresh Images
  

  • Reloads images from original sources
  • Works only in normal privacy mode, not stealth mode

  Copy to New Graph
  

  • Creates a brand-new graph containing the selected entities and their links
  • Useful for:
    • Experimentation
    • Isolating parts of a graph
  • You can later copy results back into the original graph

  Change Type
  

  • Converts entity from one type to another (e.g., DNS name → Website)
  • Crucial when the target transform isn’t available for the current type

  Merge
  

  • Combines two entities that represent the same real-world object
  • Consolidates their links

  Attach
  

  • Adds files (evidence, screenshots, etc.) to an entity
  • Attached images can be displayed on the graph instead of the entity icon

  7. Most Important Actions to Remember
  

  • Copy to New Graph
  • Change Type
  • Merge
  • Attach

  These actions significantly improve workflow efficiency and flexibility when working with complex investigations.
  
  You can listen and download our episodes for free on more than 10 different platforms:
  https://linktr.ee/cybercode_academy

  ...more

  

  ---

• December 01, 2025Course 11 - Mobile Forensics Fundamentals | Episode 3: iOS and iPhone Forensics: Security, Acquisition Techniques, and Artifact Analysis

  In this lesson, you’ll learn about: • iOS architecture and security features • Common vulnerabilities and exploit history • Logical and physical acquisition techniques • Key forensic artifacts and analysis methods • Legal constraints and investigative limitations iOS / iPhone Forensics: Summary and Key Concepts 1. iOS Security and Architecture iOS is its own complete operating system and is generally considered more secure than Android due to its standardized hardware/software ecosystem. Any vulnerability or exploit tends to apply consistently across devices, but Apple rapidly patches these issues. iOS architecture is layered, similar to the OSI model:

  • Core OS – Unix-based kernel, security framework, low-level networking.
  • Core Services – TCP/IP communication, iCloud services, file sharing.
  • Media Layer – Audio, graphics, video processing.
  • Cocoa Touch – Application interface layer.

  The file system historically used HFS+, storing data in a B-tree format. Key iOS Security Features

  • Secure Boot Chain
    Verifies every boot stage using Apple’s root certificate. Prevents downgrades and protects against boot-level attacks.
  • Secure Enclave / “Clave”
    A dedicated co-processor using encrypted memory to handle cryptographic keys, making memory dumps extremely difficult.
  • AES-256 Encryption
    Industry-grade (DoD-level) encryption applied at the hardware level to protect user partitions.
  • ASLR (Address Space Layout Randomization)
    Mitigates buffer overflow attacks by randomizing memory locations.
  • Sandboxing / Jailing
    Restricts app access to only their assigned directory, protecting system resources.

  2. Vulnerabilities and Exploit History While secure, iOS has had notable vulnerabilities:

  • Masquerading Attack
    A malicious app with the same internal project name as a legitimate one could overwrite it without signature validation (older versions).
  • IP Box Exploit
    Allowed brute-forcing on older iOS versions by bypassing lockout delays.
  • GrayKey Unlocking Device
    A proprietary law-enforcement tool used to bypass locks; Apple later patched the underlying vulnerabilities.
  • San Bernardino Case
    FBI paid roughly $1M for a one-time exploit to bypass auto-wipe on a locked iPhone.

  Apple consistently patches publicly disclosed vulnerabilities, reducing the lifespan of exploits. 3. Acquisition Techniques and Challenges 1. Logical Acquisition Often performed through iTunes backups.

  • Requires the device to be unlocked.
  • Extracts app data, device configuration, file structure, communications, and certain system logs.

  Tools include:

  • Paraben Device Seizure
  • XRY
  • Cellebrite (UFED)
  • iTunes Backup Analyzer 2 (IPBA2)

  2. Physical Acquisition Attempts to extract raw data, including deleted and unallocated space. However:

  • Modern iOS with full AES-256 encryption makes physical acquisition impossible without the passcode.
  • Often requires a temporary jailbreak or custom exploit.
  • Tools such as Pangu or custom RAM disks may be used on older versions.

  Recovery/Boot Modes Used in Forensics

  • Recovery Mode – Useful for interacting with the firmware and restoring images.
  • DFU Mode – Lower-level access used to load custom tools or initiate exploit chains.

  4. Key Forensic Artifacts and Evidence Sources Plist (Property List) Files Store structured data such as:

  • IMEI, IMSI, ICCID
  • Device GUID
  • Backup details
  • Encryption flags
    Plists are among the most valuable forensic artifacts.

  Timestamps iOS uses Unix Epoch time (seconds since Jan 1, 1970).
  Investigators examine:

  • MAC times (Modified, Accessed, Created)
  • Irregularities (e.g., zeroed milliseconds) that may indicate tampering.

  Location Data

  • Historically stored indefinitely; now encrypted and retained for ~8 days.
  • Still useful for reconstructing user movement.

  Communications

  • Contacts
  • SMS/iMessage databases
  • Call history (including missed/attempted calls)
  • Voicemails
    • Note: Listening to an unheard original voicemail may violate wiretap laws.

  Browser Artifacts (Safari)

  • Bookmarks
  • Cache
  • Search history
  • “Suspend state list”—recently closed tabs and windows

  Ephemeral Data

  • Clipboard contents
  • Dynamic keyboard cache
    • Often contains usernames, passwords, or search terms.

  Image and Media Data (DCIM)

  • Photos/videos include EXIF metadata (sometimes GPS).
  • Deleted images may remain accessible as thumbnails embedded in databases.

  Network Artifacts

  • Wi-Fi Plist files contain auto-join network information, including BSSIDs.
  • Can establish proximity between suspects/devices.

  5. Legal and Procedural Requirements Investigators must remain strictly within legal authorization scopes:

  • Accessing iCloud or any cloud-stored user data requires separate warrants.
  • Overstepping authority can end a forensic career immediately.
  • Under the Plain View Doctrine, unrelated evidence may be reported as long as the investigator stays within the allowed scope of the warrant.

  
  
  You can listen and download our episodes for free on more than 10 different platforms:
  https://linktr.ee/cybercode_academy

  ...more

  

  ---

• November 30, 2025Course 11 - Mobile Forensics Fundamentals | Episode 2: Data Acquisition, Diverse Operating Systems, and Forensic Challenges

  In this lesson, you’ll learn about: • Core forensic methodology and mobile-specific preservation challenges

  • Mobile forensics follows the standard digital forensic phases—collection, examination, analysis, and reporting—but must adapt to mobile-specific risks.
  • Devices must be isolated immediately to prevent remote wiping or network interference using Faraday cages, Stronghold bags, or shielded rooms.
  • Some devices (e.g., BlackBerry) support remote kill commands, making rapid on-scene triage essential before the device locks.
  • Investigators must document the exact state of the device on seizure (powered on/off, locked/unlocked) and any actions taken (e.g., enabling Airplane Mode).

  • Methods of mobile data acquisition and their limitations Acquisition techniques follow a “pyramid of reliability,” balancing forensic soundness with practical access: 1. Manual Extraction

  • Used when automated tools fail or when handling unsupported “feature phones” or burner devices.
  • Often involves photographing each screen manually using tools like Project Phone.
  • Least reliable but sometimes the only option.

  2. Logical Acquisition

  • The most common method for smartphones, performed with forensic tools such as Cellebrite, XRY, and Paraben.
  • Retrieves allocated data, app data, logs, contacts, SMS, and backups.
  • iPhone logical extraction usually requires iTunes to force the device to generate a backup.
  • Android logical extraction may use ADB, especially on rooted devices.

  3. Physical Acquisition (Invasive & Non-Invasive)

  • Targets both allocated and unallocated data, including deleted content.
  • Methods include JTAG, ISP, and Chip-Off forensics.
  • Increasingly limited by full-disk encryption—data may be physically extracted but cryptographically useless without keys.

  4. Volatile Memory Extraction

  • RAM acquisition is highly difficult due to hardware protections, sandboxing, and security mechanisms.
  • Any volatile data disappears once the device powers down.

  • Operating system architectures and forensic implications Android

  • Linux-based and secured with SE Linux for mandatory access control.
  • SE Linux sandboxing has known bypasses through covert channels.
  • Highly fragmented ecosystem creates inconsistent forensic tool performance.

  iOS / iPhone

  • Unix-based, secured by Apple’s robust Secure Boot Chain.
  • Uses APFS (Apple File System) with strong encryption.
  • Extremely resistant to physical extraction on modern versions.

  Windows Phone

  • Historically optimized for usability over security.
  • Weak sandboxing may allow cross-privilege interaction and artifact leakage.

  • Mobile network fundamentals and legal constraints in forensic work Network Technologies & Identifiers

  • GSM: International, open-standard.
  • CDMA: North American, proprietary.
  • Key identifiers:
    • IMEI – device hardware identity
    • IMSI – subscriber identity stored in SIM

  Legal Restrictions

  • Mobile devices fall under Fourth Amendment protections.
  • Accessing cloud data using cached credentials without a warrant violates the Computer Abuse Act (18 USC §1030).
  • Carrier metadata (CDRs, tower location, HLR/VLR info) requires a subpoena or discovery order.
  • Operating signal-jamming equipment without government authorization is illegal under FCC regulations.

  
  
  You can listen and download our episodes for free on more than 10 different platforms:
  https://linktr.ee/cybercode_academy

  ...more

  

  ---

• November 29, 2025Course 11 - Mobile Forensics Fundamentals | Episode 1: Legal Authority, Acquisition Procedures, and Examiner Responsibilities

  In this lesson, you’ll learn about: • The purpose and scope of mobile forensics

  • Introduction to the course structure, online training logistics, and preparation for the Certified Mobile Forensic (CMF) exam.
  • Overview of provided resources such as forensic report templates, chain-of-custody forms, and research platforms like Packetstorm and Exploit-DB.

  • Unique technical challenges in mobile device acquisition

  • Why mobile forensics is inherently less forensically sound due to unavoidable data alteration when powering on or connecting devices.
  • The constant arms race with advanced device encryption and OS security patches that can rapidly render expensive forensic tools (e.g., GrayKey) ineffective.
  • Legal and procedural risks of using exploits: though sometimes necessary, they violate the Daubert standard and require meticulous documentation to avoid evidence dismissal.

  • The full role and responsibilities of the Computer Forensic Examiner (CFE)

  • The CFE oversees the entire forensic process from evidence seizure (“tag and bag”) to courtroom testimony.
  • Understanding the scope of authority through search warrants (under the Fourth Amendment) or corporate policy.
  • Search warrant requirements: establishing probable cause and clearly describing both the place to be searched and the specific items to seize—including hidden storage devices (micro SD cards in coins, poker chips) and altered devices like jailbroken consoles.
  • Situations where the Patriot Act may override the Fourth Amendment in terrorism investigations.

  • Standard forensic procedures for evidence handling and preservation

  • Securing evidence and documenting every action—ideally using methods such as video recording.
  • Preparing systems for acquisition, which often involves shutting down the device and removing storage media.
  • Preventing evidence alteration by using write-blockers, especially with operating systems like Windows that modify metadata upon connection.
  • Performing bitstream (forensic) copies whenever possible, reserving logical copies for time-critical scenarios.

  • Quality assurance, standardization, and avoiding common mistakes

  • Importance of peer review, standardized reporting formats, and consistent workflows to ensure reliability in forensic results.
  • Risks posed by untrained first responders—such as system administrators—who may unintentionally alter timestamps or damage critical evidence when attempting to “fix” systems.

  
  
  You can listen and download our episodes for free on more than 10 different platforms:
  https://linktr.ee/cybercode_academy

  ...more

  

  ---

• November 28, 2025Course 10 - Network Security Fundamentals | Episode 7: Implementing Defense in Depth, Data Integrity, and Zero Trust

  In this lesson, you’ll learn about:
  

  • Defense in Depth (DiD) and layered security controls
  • Data integrity, backup policies, and encryption best practices
  • Securing voice and email communications
  • Social engineering and vishing defense
  • PKI-based email protection (PGP, S/MIME)
  • Zero Trust Networking (ZTN) architecture and IAM principles

  Core Principles of Modern Network Security 1. Defense in Depth (DiD) A security strategy based on creating multiple layers of protection so no single failure leads to compromise.
  

  • Physical Controls: Locks, cameras, facility access controls
  • Administrative Controls: Policies, procedures, user awareness training
  • Perimeter Controls: Firewalls, filtering devices
  • Internal Network Controls: Segmentation, monitoring, endpoint security
  • Goal: an attacker must successfully bypass multiple layers at the same time, reducing overall risk.

  2. Data Integrity, Resilience, and Backup Strategy A. Data Integrity and Availability
  

  • Data must stay complete, accurate, and accessible.
  • Backup policies must consider the entire data lifecycle.

  B. Backup and Retention Best Practices
  

  • Follow regulatory retention requirements (e.g., financial records retained for 7 years in certain industries).
  • Use reliable storage media and ensure off-site storage for disaster recovery.
  • Employ both:
    • On-site backups for fast recovery
    • Off-site backups for catastrophic events
  • Plan for long-term data growth.

  C. Encryption for Data at Rest
  

  • Confidential data should be encrypted using strong symmetric algorithms such as AES-256.
  • Protects against physical theft, insider threats, and unauthorized access.

  3. Securing Voice Communications A. Voice Technologies Covered
  

  • VoIP (Voice over IP)
  • POTS (Plain Old Telephone System)
  • Mobile communications

  B. Key Threats
  

  • Man-in-the-Middle (MitM) attacks
  • Caller ID spoofing
  • “Phone phreaking” and unauthorized system access
  • Social engineering and vishing attacks

  C. Hardening Voice Systems
  

  • Encrypt voice traffic where possible.
  • Disable unnecessary features on phone systems.
  • Change all default passwords and device settings.
  • Use network segmentation (VLANs/subnets) to isolate voice systems from the main LAN.
  • Users with sensitive communications should use encrypted apps such as Signal.

  4. Email Security Essentials A. The Need for Encryption Historically, email was transmitted in clear text—making confidential messages vulnerable to interception. B. Two Primary Encryption Systems Both rely on asymmetric PKI (Public Key Infrastructure):
  

  1. PGP / GPG / OpenPGP
  2. S/MIME (Secure / Multipurpose Internet Mail Extensions)

  C. Additional Email Protections
  

  • Opportunistic TLS for encrypting SMTP connections when possible.
  • SPF (Sender Policy Framework) to validate legitimate email senders.
  • Anti-spam and anti-phishing filters (e.g., Bayesian filtering).
  • User training via phishing simulations to strengthen human defense.

  5. Zero Trust Networking (ZTN) A. Core Philosophy
  

  • “Never trust, always verify.”
  • Assume an attacker may already be inside the network.

  B. Architectural Components
  

  • Strict verification of every user and device before access is granted.
  • Network segmentation using VLANs and subnets to reduce lateral movement.
  • Identification of the “protect surface” — the most critical data and systems.

  C. Identity and Access Management (IAM)
  

  • Strong use of AAA principles:
    • Authentication (verify identity)
    • Authorization (grant the minimum required access)
    • Accounting/Auditing (log all actions)
  • Reduces reliance on perimeter-only defenses.

  
  
  You can listen and download our episodes for free on more than 10 different platforms:
  https://linktr.ee/cybercode_academy

  ...more

  

  ---

• November 27, 2025Course 10 - Network Security Fundamentals | Episode 6: Attack Mitigation, Vulnerability Assessment, and Penetration Testing

  In this lesson, you’ll learn about:
  

  • The top real-world network threats and how to think like an attacker
  • The full process of conducting a vulnerability assessment
  • Tools and methodologies used in modern vulnerability scanning
  • How penetration testing works and its legal, ethical, and operational requirements
  • Red team vs. blue team roles
  • Best practices for reporting and mitigating discovered vulnerabilities

  Modern Network Defense Using an Offensive Security Mindset 1. Thinking Like an Attacker
  

  • Defense is inherently harder than offense, so defenders must understand attacker mindset and methodology.
  • Understanding how attacks work is essential for proper mitigation.
  • A widely referenced list (e.g., from firms like Netrix) highlights the most common network attacks, including:
    • Denial-of-Service (DoS)
    • Man-in-the-Middle
    • Phishing and spear phishing
    • Drive-by attacks
    • Password attacks
    • SQL injection
    • Cross-Site Scripting (XSS), CSRF/XSURF variants
    • Eavesdropping
    • Birthday attacks
    • Malware attacks

  2. Vulnerability Assessment Vulnerability assessments identify weaknesses in an organization’s systems before an attacker does. Definition and Purpose
  

  • A structured evaluation of security policies, controls, and system configurations.
  • A combination of automated scanning and manual analysis.
  • Verifies whether an organization’s defenses align with its intended security posture.

  Assessment Steps
  

  1. Network Discovery
     • Use tools like Nmap or Zenmap to map the environment.
     • Identify open ports, services, and protocols.
     • Establish scope and baseline information.
  2. Vulnerability Scanning
     • Dedicated scanners identify known vulnerabilities in devices and applications.
     • Examples commonly used in labs or controlled learning environments include:
       • Nessus
       • OpenVAS
       • Aunetis
     • Application-level scanners include:
       • Burp Suite
       • Nikto
       • Wapiti
       • SQLMap
     • Many tools are pre-packaged in specialized security testing operating systems (e.g., Kali Linux, Parrot OS).
  3. Analyzing and Validating Results
     • Remove false positives.
     • Evaluate severity and risk.
     • Determine potential impact and remediation urgency.

  3. Penetration Testing (Ethical Hacking) Penetration testing goes beyond vulnerability assessment by attempting controlled exploitation in an authorized test environment. Purpose
  

  • Simulates real-world attacks to evaluate the organization's true security posture.
  • Helps validate defenses, identify exploitable paths, and strengthen systems.

  Key Components A. Tools and Platforms
  

  • Specialized security operating systems like Kali Linux and Parrot OS.
  • Frameworks such as Metasploit provide structured exploit testing in controlled environments.

  B. Penetration Test Types
  

  • White Box: Full internal knowledge (IP ranges, architecture, credentials).
  • Black Box: No prior knowledge, simulating an external attacker.
  • Gray Box: Partial information, simulating an insider or semi-informed adversary.

  C. Teams
  

  • Red Team: Offensive testers simulating adversaries.
  • Blue Team: Defensive personnel monitoring, detecting, and mitigating attacks.

  D. Legal and Ethical Requirements
  

  • A formal contract must define:
    • Scope of testing
    • Rules of engagement
    • Permission to perform active tests
  • Ensures compliance with laws (such as the CFAA in the U.S.) and protects testers from liability.

  E. Final Deliverable
  

  • A structured professional report including:
    • Executive summary
    • Risk-ranked list of vulnerabilities
    • Technical analysis and reproduction details
    • Clear mitigation recommendations for the security team

  
  
  You can listen and download our episodes for free on more than 10 different platforms:
  https://linktr.ee/cybercode_academy

  ...more

  

  ---