CyberCode Academy episodes:

• February 08, 2026Course 22 - Digital Forensics: RAM Extraction Fundamentals | Episode 5: Forensic Access and RAM Extraction with Inception

  In this lesson, you’ll learn about:

  • The forensic purpose of Inception for accessing live, locked systems without powering them down
  • Why volatile memory preservation makes Inception valuable during on-scene triage
  • How the DMA exploit works via FireWire and Thunderbolt interfaces
  • The concept of planting a temporary RAM-based authentication bypass that disappears after reboot
  • How Inception is integrated into the Paladin forensic suite
  • The practical setup process, including booting Paladin, escalating privileges with sudo -s, and running incept
  • The importance of selecting the correct operating system signature for a successful attack
  • Indicators of successful execution, such as “patch verified”
  • Legal and ethical considerations when using memory-writing exploits in forensic work
  • Why validation testing and thorough documentation are critical for courtroom defensibility
  • How Inception enables subsequent RAM acquisition and live system analysis

  
  
  You can listen and download our episodes for free on more than 10 different platforms:
  https://linktr.ee/cybercode_academy

  ...more

  

  ---

• February 07, 2026Course 22 - Digital Forensics: RAM Extraction Fundamentals | Episode 4: RAM Capture via Magnet and FTK Imager

  In this lesson, you’ll learn about:

  • A technical overview of memory acquisition using Magnet RAM Capture and FTK Imager
  • How RAM footprint size affects evidence integrity during live memory collection
  • The key features of Magnet RAM Capture, including custom output paths and memory image splitting
  • Why file segmentation is operationally important when handling large RAM captures
  • The role of FTK Imager as a multifunctional triage and imaging tool
  • FTK Imager’s additional capabilities, such as registry collection, hexadecimal viewing, and logical drive preview
  • Performance benchmarking results, including memory dump speed for large RAM sizes
  • Strategic considerations for tool selection and justification in forensic investigations
  • A professional workflow approach combining lightweight tools first and heavier tools later based on investigative needs

  
  
  You can listen and download our episodes for free on more than 10 different platforms:
  https://linktr.ee/cybercode_academy

  ...more

  

  ---

• February 06, 2026Course 22 - Digital Forensics: RAM Extraction Fundamentals | Episode 3: Comparing Belkasoft and Magnet Tools

  In this lesson, you’ll learn about:
  

  • The role of RAM acquisition in digital forensics and why volatile memory is critical evidence
  • How benchmarking RAM extraction tools helps investigators make defensible tactical decisions
  • A technical comparison between Belkasoft RAM Capturer and Magnet RAM Capture
  • The trade-offs between system footprint and extraction speed during live memory capture
  • How both tools operate in kernel mode and why this matters for bypassing OS protections
  • Differences in output formats (.mem vs .dmp) and their forensic implications
  • Practical factors for tool selection, including execution method, performance on large RAM sizes, and operational impact on the target system

  
  
  You can listen and download our episodes for free on more than 10 different platforms:
  https://linktr.ee/cybercode_academy

  ...more

  

  ---

• February 05, 2026Course 22 - Digital Forensics: RAM Extraction Fundamentals | Episode 2: Benchmarking Tools and Using MoonSols DumpIt

  In this lesson, you’ll learn about:

  • Why Benchmarking RAM Extraction Tools Matters
    • How benchmarking supports defensible tool selection in forensic investigations.
    • Using measurable metrics to justify decisions during reports or court testimony.
    • Understanding that different systems and environments can affect tool behavior.
  • Key Benchmarking Criteria
    • RAM Footprint: Measuring how much memory the tool consumes while running and how much evidence it overwrites.
    • Extraction Speed: Evaluating how fast a full memory dump can be completed, especially when using high-speed media like USB 3.0 drives.
    • Execution Context: Distinguishing between kernel-mode and user-mode tools, with kernel-mode execution preferred for bypassing OS-level protections such as anti-debugging and anti-dumping mechanisms.
  • MoonSols DumpIt: Technical Evaluation
    • Why DumpIt is favored for live response and incident handling.
    • Its portable design, allowing execution directly from removable media without installation.
    • An exceptionally small memory footprint (under 1 MB), minimizing evidentiary impact.
    • Proven efficiency, capable of dumping large memory sizes (e.g., ~9 GB) in a matter of minutes.
    • Automatic output as a raw memory image, simplifying downstream analysis and tool compatibility.
  • Live Benchmarking and Verification
    • Observing DumpIt in real time using Task Manager to confirm actual memory usage.
    • Correlating observed performance with documented benchmarks.
    • Recognizing the significance of the final success confirmation and proper storage of the raw memory image for triage and analysis.

  By the end of this episode, you’ll be able to benchmark RAM acquisition tools systematically, understand why DumpIt is often chosen as a primary option, and confidently explain your tool selection based on measurable, repeatable criteria rather than preference alone.
  
  You can listen and download our episodes for free on more than 10 different platforms:
  https://linktr.ee/cybercode_academy

  ...more

  

  ---

• February 04, 2026Course 22 - Digital Forensics: RAM Extraction Fundamentals | Episode 1: Value, Strategy, and Technical Preparation

  In this lesson, you’ll learn about:

  • Why RAM Is Critical Forensic Evidence
    • How volatile memory captures data that never touches disk and is lost on shutdown.
    • Recovering private browsing sessions, chat data, webmail content, and remnants of failed wiping attempts.
    • Identifying in-memory malware, including rootkits, injected code, and hidden processes that evade disk-based scanners.
    • Extracting encryption keys and credentials (e.g., BitLocker, TrueCrypt, cached passwords) that unlock otherwise inaccessible evidence.
  • The “RAM Debate”: When to Capture vs. When to Skip
    • Understanding how missing RAM evidence can be argued as exculpatory in court.
    • Evaluating the forensic footprint: every capture tool overwrites some memory.
    • Making defensible decisions to omit RAM collection when:
      • The suspect has confessed.
      • Disk artifacts already answer the investigative questions.
      • Live triage indicates the system was likely uninvolved.
    • Learning how to justify your decision either way in reports and testimony.
  • RAM Footprint and Evidentiary Integrity
    • What a RAM footprint is and why courts care about it.
    • Minimizing contamination by selecting lightweight, trusted tools.
    • Documenting tool choice, execution order, and system state to maintain credibility.
  • Hardware Preparation for Live Memory Capture
    • Why USB 3.0 magnetic hard drives are preferred over flash drives:
      • Faster acquisition times.
      • Higher capacity for large memory dumps.
      • Reduced risk of incomplete captures.
    • Planning storage capacity based on installed system RAM.
  • Tool Redundancy and Operational Readiness
    • Why investigators should maintain 2–4 validated RAM tools.
    • Handling failures caused by OS updates, drivers, or endpoint security controls.
    • Understanding that redundancy is a professional requirement, not overkill.
  • Recommended Free RAM Capture Tools
    • DumpIt – simple, fast, minimal user interaction.
    • Belkasoft Live RAM Capturer – reliable and widely court-tested.
    • Magnet RAM Capture – integrates cleanly with Magnet analysis workflows.
    • FTK Imager – versatile option when already deployed on-scene.

  By the end of this episode, you’ll understand not just how to extract RAM, but when, why, and how to defend your decision under scrutiny—turning volatile memory into some of the most powerful evidence in a live forensic investigation.
  
  You can listen and download our episodes for free on more than 10 different platforms:
  https://linktr.ee/cybercode_academy

  ...more

  

  ---

• February 03, 2026Course 21 - Digital Forensics: Windows Shellbags | Episode 5: Shellbags Forensics: Validating Network Drive Activity

  In this lesson, you’ll learn about:

  • Validating Network Drive Activity with Shellbags
    • How Windows Shellbags act as a silent witness for user interaction with network shares and mapped drives.
    • Why UsrClass.dat is a critical artifact for proving access to remote resources, even when permissions are restricted.
  • Recording Remote Folder Access
    • How accessing a mapped network drive (e.g., Z:) generates Shellbag entries.
    • Capturing exact remote folder paths (such as administrative or restricted directories) that a user navigated to.
    • Demonstrating that Shellbags records navigation, not just file creation or modification.
  • Timestamp Behavior in Network Shellbags
    • Understanding how remote MAC times are copied and stored locally:
      • Last Accessed Time: Often reflects the precise moment the user viewed or entered the network folder.
      • Last Written Time: May indicate when the network drive was first connected or when folder view settings were changed.
      • Created Time: Represents the state of the folder metadata at the moment it was first recorded in Shellbags.
    • Recognizing that all timestamps must be interpreted in UTC and converted to local time for reporting.
  • Event Reconstruction and Attribution
    • Reconstructing timelines that show who accessed which network location and when.
    • Correlating Shellbag entries with other evidence to confirm intentional user interaction rather than background system activity.
    • Differentiating between mere drive connection and active navigation into specific subfolders.
  • Investigative and Evidentiary Value
    • Using Shellbag evidence to prove file awareness and knowledge, not just theoretical access.
    • Supporting cases involving unauthorized access, insider threat activity, or data exfiltration.
    • Reinforcing why Shellbags are especially powerful when files no longer exist or access logs are unavailable.

  By the end of this episode, you’ll be able to confidently analyze Shellbag artifacts related to network drives, interpret their timestamps accurately, and use them to demonstrate user knowledge and interaction with remote file systems in a forensic investigation.
  
  You can listen and download our episodes for free on more than 10 different platforms:
  https://linktr.ee/cybercode_academy

  ...more

  

  ---

• February 02, 2026Course 21 - Digital Forensics: Windows Shellbags | Episode 4: Shellbag Forensics: Tracking USB Device History and Artifact Validation

  In this lesson, you’ll learn about:

  • USB Forensics Using Shellbag Artifacts
    • How Windows Shellbags can be leveraged to reconstruct user interaction with removable media.
    • Why Shellbags are valuable for determining whether files were copied to or from USB devices, even when the media is no longer connected.
  • Initial Evidence Generation and Collection
    • Creating controlled forensic artifacts by moving test files onto a FAT16-formatted USB drive.
    • Exporting relevant registry hives (such as USRCLASS.DAT) using FTK Imager.
    • Loading these hives into Shellbag Explorer for structured analysis.
  • Understanding File System Timestamp Behavior
    • Recognizing FAT16 limitations, where Last Accessed timestamps record only the date, not the time.
    • Interpreting Created timestamps as the moment files or folders were moved onto the USB device.
    • Understanding why Modified timestamps often remain unchanged during copy or move operations.
  • Shellbag Data Merging and Ghost Artifacts
    • Learning how Windows may merge Shellbag data when a USB device is reformatted, renamed, or reused.
    • Understanding how previously accessed folders can still appear in Shellbag Explorer due to reuse of the same drive letter or volume identifiers.
    • Identifying “ghost” directories and avoiding false assumptions about current device contents.
  • Handling Multiple Removable Devices
    • Observing how Windows assigns new drive letters (e.g., E:, then F:) when multiple USB devices are connected.
    • Using Last Write Time values to infer when a USB device was inserted or when its folder view preferences were modified.
  • Forensic Validation and Reporting
    • Evaluating whether timestamps and folder structures logically align with expected user behavior.
    • Understanding why investigators must not rely solely on automated tool output.
    • Emphasizing manual validation to prevent misinterpretation caused by merged or residual Shellbag data.

  By the end of this episode, you’ll be able to analyze Shellbag artifacts related to USB devices, accurately interpret file system timestamps, and validate whether removable media activity supports or contradicts suspected data exfiltration or injection events.
  
  You can listen and download our episodes for free on more than 10 different platforms:
  https://linktr.ee/cybercode_academy

  ...more

  

  ---

• February 01, 2026Course 21 - Digital Forensics: Windows Shellbags | Episode 3: ShellBag Forensics: Practical Validation and Timestamp Analysis

  In this lesson, you’ll learn about:

  • Practical ShellBag Forensics Workflow
    • How ShellBags function as registry-based artifacts that record user folder interaction and view preferences.
    • The full investigative cycle: evidence creation, acquisition, analysis, and validation.
  • Registry Hive Acquisition
    • Creating controlled user activity (e.g., test folders) to deliberately generate ShellBag evidence.
    • Exporting NTUSER.DAT from the root of the user profile and USRCLASS.DAT from the AppData directory using FTK Imager.
    • Required system configuration steps, including enabling hidden files and protected operating system files, to access locked registry hives.
  • Interpreting ShellBag Timestamps
    • Understanding the forensic meaning of Last Write Time, which reflects either the first folder access or a change in folder view settings.
    • Differentiating embedded MAC times (Created, Modified, Accessed) as historical snapshots captured when the ShellBag entry was first generated.
    • Correctly handling UTC/GMT timestamps and applying local time offsets to ensure accurate forensic timelines.
  • Validation Through Controlled Experiments
    • Demonstrating that changing folder view options (such as switching to large icons) updates the Last Write Time without altering embedded MAC timestamps.
    • Recognizing normal conditions where certain directories—such as system folders or hard-coded shortcuts—do not contain MAC times.
  • Evidence Location Awareness
    • Knowing where user-specific ShellBag data resides within the Windows registry structure.
    • Understanding how these locations support user attribution and timeline reconstruction during forensic investigations.

  By the end of the episode, you’ll be able to confidently extract ShellBag-related registry hives, correctly interpret their timestamps, and validate user activity findings through repeatable forensic testing.
  
  You can listen and download our episodes for free on more than 10 different platforms:
  https://linktr.ee/cybercode_academy

  ...more

  

  ---

• January 31, 2026Course 21 - Digital Forensics: Windows Shellbags | Episode 2: Forensic System Setup and Local Drive Integration

  In this lesson, you’ll learn about:

  • Preparing a Forensic Workstation
    • The purpose of using a controlled forensic setup to safely extract and analyze system artifacts.
    • Why working from an acquired drive or image is critical for maintaining evidentiary integrity.
  • Essential Tools for Shellbag and Registry Analysis
    • Shellbags Explorer: Used to parse and analyze shellbag artifacts associated with user folder navigation.
    • FTK Imager (Lite): A portable, self-contained tool for accessing drives and exporting forensic artifacts without installing software on the target system.
  • Loading a System Drive as Evidence
    • How to use “Add Evidence Item” in FTK Imager to load a local physical drive (e.g., the C: drive).
    • Understanding the evidence tree and how FTK represents the file system for forensic browsing.
  • Navigating the File System for Forensic Artifacts
    • Traversing the directory structure within FTK Imager to locate user-specific data.
    • Focusing on the Users directory and individual user home folders, which contain critical registry files.
  • Target Registry Files for Analysis
    • Identifying user-specific registry hives stored within the home directory.
    • Understanding why these files are essential inputs for tools like Shellbags Explorer when reconstructing user activity.

  By the end of the episode, you’ll be able to set up the required forensic tools, load a system drive as evidence, and confidently locate the registry hives needed to analyze shellbags and other user activity artifacts.
  
  You can listen and download our episodes for free on more than 10 different platforms:
  https://linktr.ee/cybercode_academy

  ...more

  

  ---

• January 30, 2026Course 21 - Digital Forensics: Windows Shellbags | Episode 1: Windows Shellbags: Forensic Fundamentals and Deep Dive Analysis

  In this lesson, you’ll learn about:
  

  • What Windows Shellbags Are and Why They Matter
    • How shellbags are registry-based artifacts created by Windows Explorer to store folder view preferences.
    • Why they are a powerful source of user activity evidence, even when files or folders no longer exist.
  • How Shellbags Are Created and Updated
    • The specific user actions that trigger shellbag updates, such as resizing windows or changing icon views.
    • Why even casual folder browsing can leave long-lasting forensic traces.
  • Forensic Value of Shellbags
    • How shellbags persist even after folders are deleted or external/network drives are removed.
    • How they enable user attribution, allowing investigators to determine which user accessed which path and when.
  • Registry Locations and Data Sources
    • The role of NTUSER.DAT and USRCLASS.DAT in storing shellbag data.
    • The importance of the BagMRU registry key for tracking hierarchical folder navigation.
  • Manual Reconstruction and Validation
    • How investigators can manually “walk” BagMRU subkeys to reconstruct exact directory paths.
    • Using hex and Unicode analysis to identify drive letters and folder names.
    • Why manual validation is essential for evidence verification and expert testimony, even when automated tools are used.

  By the end of the episode, you’ll understand how Windows Shellbags record user navigation activity, where this data lives in the registry, and how to manually reconstruct folder paths to validate forensic findings with confidence.
  
  You can listen and download our episodes for free on more than 10 different platforms:
  https://linktr.ee/cybercode_academy

  ...more

  

  ---