Afleveringen
-
In this lesson, you’ll learn about: Ruby on Rails internals and how its integrated components process a web request from start to response1. Rails as a “Framework of Frameworks”Ruby on Rails is built as a collection of tightly integrated components:
Routing systemControllersORM (database layer)View rendering engineAsset management🔹 Key Idea
Rails combines multiple subsystems into one unified development ecosystem2. Request Lifecycle (High-Level Flow)User request → Router → Controller → Model → View → Response👉 Key Insight
Every web request travels through a structured pipeline inside Rails3. Action Pack & Routing (Entry Point)🔹 What it does
Handles incoming HTTP requests🔹 Key components:
Router → maps URL to controller actionControllers → process request logic🔹 RESTful routing:
Standard URL patterns for resourcesExample:/posts → index/posts/1 → show👉 Key Insight
Routing connects the outside world to internal application logic4. Controllers (Application Logic Layer)🔹 Responsibilities:
Receive requestsInteract with modelsPrepare data for views🔹 Data passing:
Uses instance variables (e.g., @user)👉 Key Insight
Controllers act as the decision-making layer in MVC5. Active Record (ORM & Data Layer)🔹 What it is
Rails’ built-in ORM system🔹 Core functions:
Maps Ruby objects to database tablesHandles CRUD operations automatically🔹 Key FeaturesDatabase Migrations
Version-controlled schema changesValidations
Ensure data integrity before savingCallbacks
Trigger logic during lifecycle events (create, update, delete)👉 Key Insight
Active Record eliminates the need to write raw SQL in most cases6. Models (Business Logic + Data Rules)🔹 What models do:
Represent database entitiesEnforce rules and relationships👉 Key Insight
Models combine data + logic into a single layer7. Action View (Response Rendering)🔹 What it does
Generates the final output (usually HTML)🔹 Uses:
Embedded Ruby (ERB) templatesDynamic content rendering🔹 Key ComponentsLayouts
Shared page structurePartials
Reusable view components👉 Key Insight
Views transform raw data into user-facing interfaces8. Asset Pipeline (Frontend Assets)🔹 Manages:
CSSJavaScriptImages🔹 Features:
CompressionMinificationOrganization👉 Key Insight
Rails optimizes frontend assets automatically9. Modern Frontend Integration**🔹 Tools used:
WebpackerTurbolinks🔹 What they doWebpacker
Bundles JavaScript modules and dependenciesTurbolinks
Speeds up navigation by avoiding full page reloads👉 Key Insight
Rails blends backend power with modern frontend performance10. Full Request Flow (Step-by-Step)
User sends request (URL)Router maps it to a controllerController processes logicModel interacts with databaseData returned to controllerView renders responseFinal HTML/JSON sent to userKey Takeaways
Rails is built as multiple integrated frameworksRouting directs requests to controllersActive Record handles database interactionViews generate dynamic user interfacesFrontend tools enhance performance and usabilityBig PictureRails works as a complete system to:👉 Transform user requests into structured responses
👉 Automate repetitive development tasks
👉 Maintain clean separation of concerns using MVCMental ModelHTTP request → routing → controller logic → database interaction → view rendering → response output
You can listen and download our episodes for free on more than 10 different platforms:
https://linktr.ee/cybercode_academy -
In this lesson, you’ll learn about: Ruby on Rails, its architecture, philosophy, and how it simplifies modern web development 1. What Is Ruby on Rails? Ruby on Rails is a full-stack web framework used to build:
Web applicationsAPIsDatabase-driven platforms🔹 Key Idea
Rails is a complete development toolkit that handles everything from backend logic to routing and database interaction. 2. Ruby vs Rails (Core Difference) 🔹 Ruby
A dynamic, object-oriented programming language🔹 Rails
A framework built on top of Ruby👉 Key Insight
Ruby provides the power, Rails provides the structure and automation 3. MVC Architecture (Core Design Pattern) 🔹 MVC stands for:
Model → Handles data and database logicView → Handles UI and presentationController → Handles request/response logic👉 Key Insight
MVC separates responsibilities, making applications easier to manage and scale. 4. Rails as a Full-Stack Framework Rails can:
Render HTML pages (server-side)Serve JSON APIsHandle routing, sessions, and authentication👉 Key Insight
Rails acts like a multi-tool for building complete applications 5. The Power of Ruby (Why Rails Feels “Magic”) 🔹 Ruby features:
Highly expressive syntaxObject-oriented designFlexible and dynamic behavior🔹 Example:
.2.days.ago → human-readable time calculation👉 Key Insight
Ruby allows Rails to write less code while doing more work 6. Convention Over Configuration 🔹 What it means:
Rails follows predefined conventions instead of requiring manual setup🔹 Example:
Person model → automatically maps to people table👉 Key Insight
Developers don’t waste time making small decisions—Rails handles them 7. The Rails Doctrine Created by David Heinemeier Hansson 🔹 Core principles:
Optimize for developer happinessEmbrace convention over configurationFavor integrated systems👉 Key Insight
Rails is opinionated to make development faster and more enjoyable 8. Routing and RESTful Design 🔹 Rails automatically generates:
Predictable URLsREST-based routes🔹 Example:
/users → list users/users/1 → show user👉 Key Insight
Routing becomes standardized and easy to understand 9. Monolith vs Microservices 🔹 Rails philosophy:
Prefer monolithic architecture (everything in one app)🔹 Real-world usage:
Companies like GitHub and Shopify scaled successfully using Rails👉 Key Insight
A well-structured monolith can scale efficiently without microservices complexity Key Takeaways
Rails is a full-stack framework built on RubyMVC architecture organizes application structureRuby enables expressive and powerful codeConvention over configuration speeds up developmentRails favors integrated systems over complexityBig Picture Rails helps developers: 👉 Build applications faster with less code
👉 Focus on logic instead of configuration
👉 Scale applications using structured conventions Mental Model Ruby language → Rails framework → MVC structure → conventions applied → rapid web development
You can listen and download our episodes for free on more than 10 different platforms:
https://linktr.ee/cybercode_academy -
Zijn er afleveringen die ontbreken?
-
In this lesson, you’ll learn about: email forensics and how investigators trace the origin and authenticity of emails using technical artifacts and server data1. What Is Email Forensics?Email forensics is the process of analyzing emails to:Identify the real senderDetect tampering or spoofingReconstruct the path an email traveledGather evidence for cyber investigations🔹 Key Idea
Every email leaves behind a traceable digital trail, even if the content is altered or deleted.2. Email Lifecycle (How Emails Travel)An email typically moves through several systems:MUA (Mail User Agent): The email client (e.g., Outlook, webmail)MTA (Mail Transfer Agent): Servers that route emails across the internetMultiple intermediate mail servers before reaching the recipient👉 Key Insight
Each hop adds metadata that becomes part of the email’s permanent record.3. Email Headers (The “Gold Mine”)🔹 What email headers contain:Sender and recipient informationServer IP addressesTime stamps for each relayAuthentication results👉 Key Insight
Headers cannot easily be faked completely, making them crucial for investigations.4. Header Analysis (Bottom-to-Top Method)Investigators analyze headers starting from the bottom:🔹 Why bottom-to-top?The bottom shows the original sourceEach line above shows the email’s path through servers🔹 What you can find:Original sender IPFirst mail server usedPath of email delivery👉 Key Insight
This method helps uncover the true origin of suspicious emails.5. Detecting Email AttacksEmail forensics helps identify:🔹 SpoofingFake sender addresses🔹 PhishingDeceptive emails designed to steal credentials🔹 Internal leaksUnauthorized data sent outside an organization👉 Key Insight
Even carefully crafted malicious emails often leave traceable technical evidence.6. Supporting Evidence SourcesInvestigators also use:Mail server logsNetwork device logs (firewalls, proxies)Authentication records👉 Key Insight
Cross-checking multiple logs increases investigation accuracy.7. Forensic Tools Used in Email Analysis🔹 Common tools include:Email tracking and analysis utilitiesDigital forensic suites (e.g., FTK-based tools)🔹 What they help with:Header decodingAttachment analysisPassword recovery (in some cases)Evidence extraction and reporting👉 Key Insight
Tools automate complex parsing but rely on human interpretation.Key TakeawaysEmail headers contain the most critical forensic evidenceEmails pass through multiple servers, each leaving tracesBottom-to-top header analysis reveals the original senderServer logs help validate email authenticityTools assist, but analysis logic is what finds the truthBig PictureEmail forensics helps investigators:👉 Identify real attackers behind fake identities
👉 Trace communication paths across servers
👉 Prove or disprove email authenticity in cyber incidentsMental ModelEmail sent → passes through servers → headers accumulate → forensic analysis reconstructs origin and path
You can listen and download our episodes for free on more than 10 different platforms:
https://linktr.ee/cybercode_academy -
In this lesson, you’ll learn about: steganography and how hidden data is embedded inside digital files without raising suspicion1. What Is Steganography?Steganography is the practice of hiding information inside other non-suspicious data such as images, audio, or video files.🔹 Key Idea
Unlike encryption, which hides the content of a message, steganography hides the existence of the message itself.2. Steganography vs Encryption🔹 EncryptionScrambles data into unreadable formClearly shows that secret communication exists🔹 SteganographyHides data inside another fileMakes the communication look completely normal👉 Key Insight
Steganography is about stealth, not just security.3. How Digital Steganography WorksHidden data is embedded inside a cover file, such as:Images (PNG, JPG)Audio filesVideo files🔹 Common techniqueModifying least significant bits (LSB) of pixelsUsing unused or redundant data space👉 Key Insight
Small changes are visually or audibly unnoticeable but can store hidden data.4. Types of Steganography Uses🔹 Legitimate uses:Digital watermarking (copyright protection)Metadata taggingSecure communication channels🔹 Malicious uses:Hiding malware payloadsCommand-and-control communicationEvading security detection5. Steganography Workflow (Conceptual)Cover file → Hidden data embedded → Stego file created → Extraction with key/password👉 Key Insight
Only someone with the correct method or password can extract the hidden content.6. OpenStego Tool (Practical Implementation)🔹 What it is
An open-source tool used to embed and extract hidden data in images🔹 Main capabilities:Hide text or files inside imagesApply password-based protectionExtract embedded content later7. Hiding Data Process🔹 Steps involved:Select cover image (e.g., PNG file)Choose secret file (text or document)Apply password encryption (optional)Generate stego image👉 Key Insight
The output file looks identical to the original image.8. Extracting Hidden Data🔹 Requirements:Original stego imageCorrect password (if used)🔹 Process:Run extraction toolRecover hidden file or message👉 Key Insight
Without the key/password, extraction becomes extremely difficult.9. Forensic Detection of Steganography🔹 Indicators investigators look for:Unexpected file size increaseImage metadata inconsistenciesPixel-level anomaliesSuspicious compression patterns👉 Key Insight
Steganography often leaves subtle but detectable digital traces.Key TakeawaysSteganography hides the existence of data, not just its contentIt works by embedding information inside cover filesImages are the most commonly used carrierTools like OpenStego allow both embedding and extractionDetection requires careful forensic analysisBig PictureSteganography is used to:👉 Create invisible communication channels
👉 Evade detection systems
👉 Protect or hide sensitive informationMental ModelSecret data → embedded into normal file → stego file appears harmless → hidden extraction reveals message
You can listen and download our episodes for free on more than 10 different platforms:
https://linktr.ee/cybercode_academy -
In this lesson, you’ll learn about: Windows USB forensics and how external device activity is tracked through the Windows Registry1. What Is Windows USB Forensics?USB forensics focuses on identifying and analyzing traces left by:
USB flash drivesExternal hard drivesDigital cameras and mobile storage devices🔹 Key Idea
Even after a device is unplugged or removed, Windows keeps permanent evidence of its connection.2. Why USB Devices Leave Forensic EvidenceWhen a USB device is connected, Windows automatically:
Logs device identityStores serial numbersRecords connection historyLinks devices to specific users🔹 Forensic Value
This allows investigators to reconstruct:
Who used the deviceWhen it was connectedWhat machine it was connected to3. USBSTOR Registry Key (Device Identity Tracking)🔹 What it is
A registry location that stores details of USB storage devices🔹 What it records
Vendor name (e.g., SanDisk, Kingston)Product modelUnique serial number👉 Key Insight
This is the digital fingerprint of every USB device ever connected4. MountedDevices Key (Drive Letter Mapping)🔹 What it is
Links physical USB devices to assigned drive letters (E:, F:, etc.)🔹 What it reveals
Which USB got which drive letterHow Windows mapped the storage at connection time👉 Key Insight
Helps reconstruct how the system interacted with external storage5. MountPoints2 Key (User-Level Evidence)🔹 What it is
Stores per-user information about mounted devices🔹 What it reveals
Which user connected the deviceAccess history from user profile perspective👉 Key Insight
Connects USB activity directly to a specific Windows user account6. Forensic Significance of USB Artifacts🔹 What investigators can determine:
First time a device was plugged inLast time it was usedFrequency of usagePossible data transfer activity👉 Key Insight
USB history helps build a complete behavioral timeline of data movement7. USBDeview Tool (Practical Analysis)🔹 What it does
Automatically extracts USB history from the system🔹 What it shows
Device name and modelSerial numberFirst/last connection timePlug/unplug events👉 Key Insight
Turns raw registry data into readable forensic evidence8. Live System Analysis Considerations🔹 When analyzing active systems:
Registry must be extracted carefullyEvidence integrity must be preservedAvoid modifying timestamps or device traces👉 Key Insight
Live analysis requires strict forensic discipline to avoid contamination9. Linking USB Devices to Real-World Activity🔹 Investigation process:
USB device → Registry traces → User account → Timeline reconstruction👉 Key Insight
This allows investigators to connect a physical device to a specific suspect machineKey Takeaways
Windows permanently records USB device history in the registryUSBSTOR stores device identity and serial numbersMountedDevices maps USBs to drive lettersMountPoints2 links devices to specific usersTools like USBDeview simplify forensic extraction
You can listen and download our episodes for free on more than 10 different platforms:
https://linktr.ee/cybercode_academy -
In this lesson, you’ll learn about: Windows user artifacts and forensic activity tracking1. What Are Windows User Artifacts?System-generated traces of user behaviorCreated automatically by Windows and applications🔹 Key IdeaEven if a user deletes files, system artifacts often remain2. Evolution of User Profiles🔹 Older vs Modern WindowsWindows XP:Documents and SettingsWindows 7 / 10 / 11:C:\Users🔹 Why it changedImproved structureBetter separation of user dataEasier forensic navigation3. NTUSER.DAT (Core User Hive)🔹 What it isMain registry file for user-specific settings🔹 What it revealsLast login activityUser preferencesRecently used programs👉 Key Insight:It is the digital identity record of a Windows user4. AppData Folder🔹 LocationStored inside user profile directory🔹 What it containsApplication settingsCached dataLocal program databasesAddress books and configurations👉 Key Insight:Applications silently store deep behavioral data here5. Cookies and Web Tracking🔹 What cookies revealLogin sessionsBrowsing behaviorWebsite preferences👉 Forensic value:Helps reconstruct web activity patterns6. Recent Files (User Activity Tracking)🔹 “Recent” folder behaviorStores shortcuts (.lnk files) to opened files🔹 What it tracksFiles openedExecution pathsAccess timestamps👉 Key Insight:Even if original file is deleted, shortcut evidence remains7. Desktop, Favorites, and Start Menu🔹 DesktopVisible + hidden user activity area🔹 FavoritesStored browsing shortcuts🔹 Start MenuApplication execution history👉 Key Insight:These locations reflect user intent and behavior patterns8. Send To Folder🔹 PurposeProvides quick file transfer options🔹 Forensic valueShows interaction with:External drivesApplicationsSystem tools9. Junction Points🔹 What they areAdvanced Windows links between directories🔹 Why they matterReveal hidden system relationshipsHelp map user navigation paths10. Public vs User Data Structure🔹 Windows design conceptCombines:Public shared foldersPrivate user folders👉 Key Insight:Helps identify what was shared vs personally accessed11. Forensic Importance🔹 What investigators reconstructUser behavior timelineFile access historyApplication usage patternsDevice interaction historyKey TakeawaysWindows generates extensive hidden user artifactsNTUSER.DAT is central to user behavior trackingAppData stores deep application-level evidenceRecent files and shortcuts reveal file access historySystem folders reflect real user activity, not just file storageBig PictureUser artifacts help investigators:👉 Move from “files on disk” → “human actions behind the system”Mental ModelUser action → system artifact → hidden record → forensic reconstruction
You can listen and download our episodes for free on more than 10 different platforms:
https://linktr.ee/cybercode_academy -
In this lesson, you’ll learn about: forensic authentication using metadata and browser artifacts1. What is Digital Forensic Authentication?A process of verifying user activity and file origin using hidden dataFocuses on:DocumentsImagesWeb browsing activity🔹 Key IdeaFiles contain more than visible content—they carry hidden identity traces2. File Metadata (Documents & Office Files)🔹 What metadata revealsAuthor nameCreation machineEditing historyLast modified timestamps🔹 Why it mattersHelps identify:Who created a fileWhen it was editedWhether it was tampered with👉 Key Insight:Metadata can contradict user claims3. Image Metadata (EXIF Data)🔹 What is EXIF?EXIF data🔹 What EXIF containsCamera modelGPS location (if enabled)Date and timeExposure settingsDevice information👉 Key Insight:Images act like a digital fingerprint of the camera and environment4. Forensic Value of ImagesLink images to:Physical locationsDevices usedTimeline of events5. Browser History Persistence🔹 Common misconceptionUsers think deleting history removes all traces🔹 RealityBrowsers store persistent artifacts in system files6. Internet History Storage Locations🔹 Legacy Systemsindex.dat files🔹 Modern SystemsWebCacheV01.dat7. What WebCacheV01.dat StoresVisited URLsDownload historyBrowsing timestampsCached session data👉 Key Insight:Even private browsing leaves traces in system databases8. Forensic Tools🔹 Example toolESE Database View🔹 What it doesExtracts data from browser history databasesReconstructs user activity timelinesReveals deleted browsing records9. Private Browsing Myths🔹 Important factInPrivate / Incognito:Hides local history in UIDoes NOT fully remove system-level traces10. Forensic Applications🔹 Investigators can recoverVisited websitesDownloaded filesSearch behaviorHidden browsing sessionsKey TakeawaysMetadata reveals hidden details about files and imagesEXIF data acts as a digital fingerprint for photosBrowser activity is stored in system-level databasesDeleting history does not guarantee deletion of evidenceSpecialized tools can reconstruct full browsing behaviorBig PictureThis topic helps investigators:👉 Move from visible files → hidden behavioral evidenceMental ModelFile/Image → Metadata layer → System storage → Forensic reconstruction
You can listen and download our episodes for free on more than 10 different platforms:
https://linktr.ee/cybercode_academy -
In this lesson, you’ll learn about: Windows Recycle Bin forensics and deleted file recovery1. Why the Recycle Bin Matters in ForensicsDeleting a file in Windows does not immediately erase itInstead, Windows:Moves it to a hidden system structureRenames itKeeps both metadata and data intact🔹 Key IdeaThe Recycle Bin is often a hidden evidence repository2. Core Forensic InsightDeleted files usually remain:On disk (physically intact)With modified references only👉 Result:Investigators can often recover:FilesPathsDeletion timestamps3. Legacy Windows Recycle Bin (Windows XP and earlier)🔹 Structure UsedINFO2 fileStored inside:Recycler folder🔹 What it containsOriginal file pathFile sizeDeletion order👉 Key Insight:Acts as an index of deleted files4. Modern Windows Recycle Bin (Vista → Windows 10)🔹 Structure Used$Recycle.Bin🔹 File Pair SystemEach deleted file creates two entries:$R fileContains actual file data$I fileContains metadata:Original namePathDeletion timestamp👉 Key Insight:Data and metadata are split for tracking integrity5. Windows 10 Forensic Markers🔹 Version Identification$I file headers contain version indicators:01 → older Windows versions02 → Windows 10 era🔹 Why it mattersHelps investigators determine:Operating system versionTimeline of deletion activity6. Hex-Level Analysis🔹 Tools usedHex editorsForensic analysis tools🔹 What investigators extractFile pathsDeletion timestampsFile size metadataOriginal filenames👉 Key Insight:Even “deleted” files can be reconstructed byte-by-byte7. Forensic Workflow🔹 Step-by-step processAccess $Recycle.BinMatch $R and $I filesDecode metadataReconstruct original file structureExtract evidence8. Investigative Value🔹 What can be recoveredDeleted documentsMalware payloadsSensitive user filesEvidence of file wiping attempts👉 Key Insight:Attackers often forget the Recycle Bin still holds tracesKey TakeawaysRecycle Bin does not permanently delete data immediatelyLegacy systems use INFO2 index filesModern systems use $R and $I file pairsMetadata and file content are separatedHex analysis allows full reconstruction of deleted activityBig PictureRecycle Bin forensics helps investigators:👉 Move from “deleted file” → “recoverable digital evidence”Mental ModelDelete action → Recycle Bin redirect → hidden storage → forensic recovery
You can listen and download our episodes for free on more than 10 different platforms:
https://linktr.ee/cybercode_academy -
In this lesson, you’ll learn about: Windows System Restore Points in digital forensics1. What Are System Restore Points?A Windows feature that creates snapshots of system stateDesigned for recovery after:System failuresBad updatesSoftware issues🔹 Key IdeaThey act as a historical snapshot of system behavior2. Why They Matter in ForensicsRestore points preserve evidence that may be:DeletedWipedModified🔹 Forensic ValueHelps reconstruct:System changesMalware introductionConfiguration modifications3. What Is Stored in Restore PointsRegistry snapshotsSelected system filesConfiguration dataLogs and application traces👉 Important Insight:They preserve system state, not just individual files4. Metadata Preservation🔹 Key ConceptRestore points preserve MAC times:ModifiedAccessedCreated🔹 Why it mattersEnables accurate timeline reconstructionHelps detect tampering or backdating attempts5. Trigger Events for Restore Points🔹 When Windows creates themSoftware installationSystem updatesEvery ~24 hours of uptimeManual user trigger👉 Key Insight:Restore points are often created during high system activity periods6. Internal Structure of Restore Points🔹 Storage LocationHidden directory:C:\System Volume Information 🔹 Folder StructureStored as sequential folders:RP1RP2RP3etc.7. File Tracking Mechanism🔹 Key Componentfilelist.xml🔹 PurposeDefines:Which file types are monitoredWhich directories are included👉 Key Insight:Acts as a control map for snapshot creation8. Change Tracking System🔹 Important Filechange.log🔹 FunctionRecords:Original filenamesFile locationsSnapshot changes👉 Forensic Value:Helps reconstruct original file paths even after renaming9. System Management and Registry Control🔹 Registry RoleControls:Enable/disable restore pointsStorage allocationBehavior settings🔹 Storage ManagementUses FIFO (First-In, First-Out) ruleOlder restore points are deleted first10. Forensic Applications🔹 What investigators can uncoverMalware presence in past statesDeleted filesSystem configuration changesEvidence of cleanup attempts👉 Key Insight:Restore points can reveal what was intentionally removedKey TakeawaysSystem Restore Points are system snapshots used for recoveryThey preserve registry and file state over timeStored in hidden System Volume Information directoryInclude logs that track file changes and metadataCan reveal deleted or tampered forensic evidenceBig PictureRestore points help investigators:👉 Move from current system state → historical system reconstructionMental ModelSystem snapshot → stored RP folder → logs + registry + files → forensic timeline
You can listen and download our episodes for free on more than 10 different platforms:
https://linktr.ee/cybercode_academy -
In this lesson, you’ll learn about: Windows Prefetch and forensic execution tracking1. What is Windows Prefetch?A Windows performance feature designed to:Speed up application startupReduce disk access time🔹 Key IdeaIt becomes a forensic artifact that records program execution2. How Prefetch WorksWindows monitors the first seconds of an application launchIt records:Files accessedExecution behavior patterns👉 Result:A cached “startup map” is created for faster future runs3. Prefetch File Structure🔹 Naming FormatApplication name + hashThe hash is an 8-character hexadecimal value🔹 Purpose of the HashDerived from the application pathHelps differentiate:Same program in different locations👉 Key Insight:Same executable in different folders = different Prefetch file4. Forensic Value of Prefetch🔹 What investigators can determineWhen a program was executedHow many times it was runWhether it ran from unusual locations5. The “Who, What, When” of Forensics🔹 Key Questions AnsweredWho: Which program was executedWhat: Which executable was runWhen: Last execution timestamp👉 Important:Prefetch is one of the strongest execution evidence sources in Windows6. Detecting Evidence Tampering🔹 Critical InsightPresence of cleanup tools is itself evidence🔹 ExampleIf a wiping tool appears in Prefetch:It proves the tool was executed👉 Key Idea:“Trying to hide evidence” becomes evidence itself7. Hidden Activity Discovery🔹 Prefetch can reveal:Hidden directoriesExternal storage usageEncrypted container activity🔹 Example targetsTrueCrypt volumesExternal USB drivesObfuscated folders8. System Evolution🔹 Related Windows TechnologiesSuperfetchReadyBoost👉 Purpose:Improve system responsiveness and memory usage9. Registry Control of Prefetch🔹 Key ConceptPrefetch behavior can be enabled/disabled via registry settings🔹 Forensic ImportanceInvestigators check registry keys to see:If Prefetch was disabled intentionallyIf someone tried to hide activity10. Investigation Workflow🔹 How analysts use PrefetchLocate Prefetch filesExtract execution metadataAnalyze timestamps and countsCorrelate with other artifactsKey TakeawaysPrefetch records application execution behavior for performanceIt is a powerful forensic artifact for tracking user activityFile names include hashed execution pathsIt can reveal hidden tools, drives, and user behaviorDisabling Prefetch may itself indicate suspicious activityBig PicturePrefetch helps investigators:👉 Move from “what exists on disk” → “what was actually executed”Mental ModelProgram run → Prefetch created → Execution metadata stored → Timeline reconstructed
You can listen and download our episodes for free on more than 10 different platforms:
https://linktr.ee/cybercode_academy -
In this lesson, you’ll learn about: Windows Registry artifacts and UserAssist forensics1. Why Registry Artifacts MatterThe Windows Registry stores hidden traces of user activityInvestigators use it to reconstruct:User behaviorApplication usageSystem timelines🔹 Key IdeaEvery click and execution leaves a forensic footprint2. Common Digital Footprints in Windows🔹 Types of artifactsInternet browsing historyEmail attachmentsSkype / communication logsRecently used files (MRU lists)Executed programs👉 Key Insight:Even deleted actions often remain in registry traces3. The UserAssist Key🔹 What is it?A Windows Registry key that tracks program execution history🔹 What it recordsApplication nameRun count (how many times launched)Last execution timestampUsage frequency👉 Why it matters:Shows what a user actually ran, not just what exists on disk4. ROT13 Obfuscation🔹 What Windows doesUserAssist entries are encoded using a simple cipher:ROT13 cipher🔹 PurposeObscures readable program namesPrevents casual inspection👉 Important Insight:It is not encryption, just basic encoding5. Decoding UserAssist Data🔹 Tools used by investigatorsUserAssistViewMagnet Forensics tools🔹 What they doDecode ROT13 valuesConvert registry entries into readable formatDisplay execution history clearly6. Building a Forensic Timeline🔹 What investigators reconstructWhen programs were openedHow often they were usedSequence of user actions🔹 Why it mattersHelps establish:IntentBehavior patternsPossible malicious activity7. Investigative Value of UserAssist🔹 What it revealsUser activity patternsApplication usage frequencyTime-based behavior analysis👉 Key Insight:It helps answer: “What did the user actually do on the system?”8. Forensic ImportanceSupports legal investigationsHelps detect insider threatsBuilds evidence timelinesKey TakeawaysWindows Registry contains deep user activity artifactsUserAssist tracks executed programs and usage behaviorData is encoded using ROT13, not securely encryptedSpecialized tools are needed to decode and analyze entriesIt is essential for building accurate forensic timelinesBig PictureUserAssist helps investigators:👉 Move from static system data → real user behavior reconstructionMental ModelProgram run → Registry entry → Encoded record → Decoded timeline
You can listen and download our episodes for free on more than 10 different platforms:
https://linktr.ee/cybercode_academy -
In this lesson, you’ll learn about: Windows Registry structure and forensic analysis1. What is the Windows Registry?A centralized configuration database in WindowsStores system, user, and application settings🔹 Core IdeaThink of it as the brain of Windows configuration2. Registry StructureThe registry is organized in a strict hierarchy:🔹 ComponentsHivesKeysSubkeysValues🔹 AnalogyHive → main database fileKey → folderValue → actual data entry3. Main Root Keys🔹 Key Windows Registry RootsHKEY_LOCAL_MACHINE (HKLM)HKEY_CURRENT_USER (HKCU)🔹 What they representHKLM → system-wide settingsHKCU → settings for the logged-in user4. Physical Storage of Registry HivesStored on disk in:C:\Windows\System32\config 🔹 Why this mattersInvestigators can extract registry data directly from diskEven if Windows is not bootable5. Core HKLM Sub-Hives🔹 SAM (Security Accounts Manager)Stores:User accountsPassword hashes🔹 SECURITY HiveStores:Local security policyLSA secretsAuthentication data🔹 SOFTWARE HiveStores:Installed applicationsConfiguration settings🔹 SYSTEM HiveStores:DriversServicesBoot configuration👉 Key Insight:These hives are critical for system and user reconstruction6. Modern Windows Registry Extensions🔹 Newer HivesBCD (Boot Configuration Data)Controls boot processELAM (Early Launch Anti-Malware)Protects early boot stageBrowser-related application data hives👉 Purpose:Improve security and system initialization7. Forensic Extraction Tools🔹 Common ToolsFTK ImagerUsed to extract registry hives from diskRegistry viewers (offline analysis tools)🔹 Why FTK Imager mattersBypasses OS restrictionsWorks on live or dead systems8. Registry Analysis Workflow🔹 Step-by-step processAcquire disk imageExtract registry hivesLoad into analysis toolExamine keys and values9. What Investigators Look For🔹 Key Evidence TypesUser activityInstalled softwareSystem boot historyMalware persistence mechanismsKey TakeawaysThe registry is a central configuration database for WindowsIt is structured into hives, keys, and valuesCritical hives include SAM, SECURITY, SOFTWARE, SYSTEMRegistry files are physically stored on diskTools like FTK Imager enable offline forensic extractionBig PictureRegistry analysis helps you:👉 Move from system configuration → user and attacker behavior reconstructionMental ModelRegistry = Windows “black box” of system activity
You can listen and download our episodes for free on more than 10 different platforms:
https://linktr.ee/cybercode_academy -
In this lesson, you’ll learn about: Windows Security Identifiers (SIDs) and user tracking1. What is a Security Identifier (SID)?A SID (Security Identifier) is a unique value assigned to every:UserGroupSecurity principal (system accounts, services)🔹 Core IdeaIt acts like a permanent digital fingerprint in WindowsUsed internally instead of usernames👉 Key Property:A SID is never reused, even if the account is deleted2. Why SIDs ExistWindows needs a stable way to identify identitiesUsernames can changeSIDs cannot🔹 Example UsePermissions are assigned to SIDs, not namesAccess control checks rely on SID matching3. SID in Access Tokens🔹 What happens at login?Windows creates an access tokenThis token contains:User SIDGroup SIDsPrivileges👉 Key Insight:Every process inherits this tokenThis determines what the user can do4. Structure of a SIDA SID is not random—it has a strict format:🔹 Main ComponentsIdentifier AuthoritySub-authority valuesRelative Identifier (RID)5. SID Breakdown Explained🔹 Identifier AuthorityDefines the system or domain originExample:Local machineDomain controller🔹 Sub-authoritiesRepresent hierarchical security structureProvide organizational uniqueness🔹 Relative Identifier (RID)The most specific partIdentifies the actual account6. Important RID Examples🔹 Common Built-in Accounts500 → Built-in Administrator501 → Guest account512 → Domain Admins group513 → Domain Users group🔹 Special Group“Everyone” group → universal access SID👉 Key Insight:RID tells you exactly what type of account it is7. How SIDs Are Used in Security🔹 Access ControlFile permissions are assigned to SIDsNot usernames🔹 Authentication FlowLogin → SID loaded → permissions applied8. Forensic Importance of SIDs🔹 What investigators can learnWhich user performed an actionWhether an account was deleted or renamedPrivilege escalation attempts🔹 Why it mattersEven if usernames change, SID stays the sameEnables long-term tracking of user behaviorKey TakeawaysSIDs are permanent unique identifiers in WindowsThey are used instead of usernames for security decisionsStored inside access tokens during loginStructured into authority, sub-authority, and RIDEssential for forensic tracking and access controlBig PictureSIDs help you:👉 Move from “who is the user?” → “what identity is truly behind the action?”Mental ModelUsername → Human labelSID → System truth
You can listen and download our episodes for free on more than 10 different platforms:
https://linktr.ee/cybercode_academy -
In this lesson, you’ll learn about: memory forensics and RAM analysis1. Why Memory Forensics MattersRAM (volatile memory) is one of the most valuable forensic sourcesIt contains data that disappears after shutdown🔹 What RAM can revealRunning processesActive network connectionsCommand historyEncryption keysMalware behavior in real time👉 Key Idea:If disk is “history,” RAM is live truth2. Memory Acquisition (Capturing RAM)🔹 What is memory acquisition?Creating a snapshot of physical RAM for analysis🔹 Common ToolsDumpItSimple one-click RAM dump toolUsed widely in field forensicsNotMyFaultForces system crashGenerates full kernel memory dump👉 Key Tradeoff:DumpIt → fast and simpleCrash dump → deeper but disruptive3. Types of Memory Evidence🔹 What investigators look forProcess objectsSuspicious threadsInjected codeHidden malware artifacts🔹 Why it’s importantMalware often exists only in memoryDisk analysis alone may miss it4. Memory Forensic Techniques🔹 String SearchingLook for:PasswordsURLsCommandsAPI keys🔹 Process InspectionIdentify:Legitimate processesSuspicious or orphaned processes🔹 Thread AnalysisDetect:Code injectionHidden execution paths5. Deep Analysis with Volatility🔹 What is Volatility?A powerful memory forensics framework for analyzing RAM dumps🔹 Key CapabilityExtracts structured evidence from raw memory images6. Core Volatility Commands🔹 pslistShows active processesBased on system process list🔹 psscanFinds hidden or terminated processesScans memory directly🔹 psxviewCross-checks multiple process sourcesDetects rootkits and hidden malware👉 Key Insight:If a process appears in psscan but not pslist, it may be hidden7. OS ProfilingFirst step in analysis is identifying:Operating system versionMemory structure layout👉 Why it matters:Correct profile = accurate results in Volatility8. Malware Detection in Memory🔹 What investigators look forInjected DLLsSuspicious network activityHidden execution threads🔹 Key ConceptMalware often hides better in RAM than on disk9. Reporting Findings🔹 Output processExtract evidenceConvert results into structured reportsDocument every forensic step👉 Goal:Make results repeatable and legally defensibleKey TakeawaysRAM is the most dynamic and valuable forensic sourceMemory acquisition must be done carefully to preserve evidenceTools like DumpIt and crash dumps capture volatile dataVolatility enables deep inspection of memory structuresCross-checking process lists helps detect hidden malwareBig PictureMemory forensics helps you:👉 Move from live system behavior → hidden system truthMental ModelCapture RAM → Identify OS → Analyze processes → Detect anomalies → Report findings
You can listen and download our episodes for free on more than 10 different platforms:
https://linktr.ee/cybercode_academy -
In this lesson, you’ll learn about: forensic imaging using the DD utility1. What is DD (Data Dumper)?A low-level command-line tool used for bit-by-bit copyingCommonly used in digital forensics imaging🔹 Core FunctionCopies data from:Input → OutputWithout interpreting or modifying it👉 Key Idea:It creates an exact raw duplicate of data2. Basic DD Syntax🔹 Core Parametersif= → input sourceof= → output destinationbs= → block sizecount= → number of blocks🔹 Example ConceptInput disk → output image file👉 Important Insight:DD does not “understand” filesIt works at raw byte level3. Block Size Optimization🔹 Why it mattersControls how much data is copied per operation🔹 Performance TradeoffLarger block size:Faster imagingToo large:Can exhaust system memory👉 Best Practice:Balance speed vs system stability4. Imaging Storage Devices🔹 Workflow StepsIdentify storage deviceFind volume/drive identifierRun DD imaging commandSave output as forensic image🔹 Supported MediaUSB drivesHard disksOptical media (CD/DVD ISO extraction)👉 Key Technique:Use size limits to avoid reading past device boundaries5. RAM (Memory) Acquisition🔹 What is it?Capturing live system memory (volatile data)🔹 Why it mattersContains:Running processesActive network connectionsEncryption keys🔹 DD AdvantageNo kernel driver required in some casesDirect raw memory capture🔹 LimitationData may be inconsistent ("blurred")Because system is actively changing6. Windows Security Restrictions🔹 Modern Windows BehaviorBlocks direct access to physical memory🔹 Affected SystemsWindows XP 64-bitWindows Server 2003+🔹 RequirementsAdministrator privileges requiredOften requires alternative forensic tools7. Forensic Integrity Principles🔹 Key GoalsBit-for-bit accuracyNo modification of original evidence🔹 Why DD is importantEnsures raw acquisition of evidencePreserves original disk structureKey TakeawaysDD is a powerful low-level forensic imaging toolIt works by copying raw bytes from source to destinationBlock size directly affects performance and stabilityIt can be used for disks, USBs, CDs, and even RAMModern Windows systems restrict physical memory accessBig PictureDD helps you:👉 Move from live system → raw forensic imageMental ModelSelect device → set parameters → raw copy → verify integrity
You can listen and download our episodes for free on more than 10 different platforms:
https://linktr.ee/cybercode_academy -
In this lesson, you’ll learn about: Windows forensic imaging and data structure fundamentals1. What is Forensic Imaging?A bit-by-bit, sector-by-sector copy of a storage deviceCaptures everything, not just visible files🔹 What it IncludesActive files and foldersDeleted filesUnallocated spaceSlack space👉 Key Difference:Not a backup → it is an exact forensic replica2. Why Forensic Imaging MattersPreserves original evidencePrevents modification of:File timestampsMetadata👉 Legal Importance:Required for court-admissible investigations3. Physical vs Logical Drives (Windows Naming)🔹 Physical DrivesIdentified as:Disk 0Disk 1Represent actual hardware🔹 Logical DrivesRepresent partitions using letters:C:D:E:👉 Analogy:Physical disk → entire cabinetLogical drives → drawers inside the cabinet🔹 Historical NoteA: and B: reserved for floppy disks4. File System Hierarchy🔹 Structure LevelsVolume (highest level)PartitionDirectory (folder)File🔹 File DefinitionA logical grouping of related data👉 Key Insight:Understanding hierarchy helps in locating and analyzing evidence5. Processes and Threads (Execution Basics)Process → running programThread → smallest execution unit within a process👉 Why it matters:Helps track:Program executionMalicious activity6. Data Integrity & Verification🔹 Hashing ConceptGenerate a unique fingerprint for data🔹 Algorithm ExampleMD5 hash🔹 Key PropertiesSame file → same hashRename file → hash unchangedChange 1 bit → completely different hash👉 Use Case:Verify forensic image integrity7. Chain of Trust in ForensicsAcquire image → generate hashAnalyze copy → compare hash again👉 Goal:Ensure no tampering occurredKey TakeawaysForensic imaging captures complete disk data, including hidden contentPhysical and logical drives represent different abstraction layersFile systems follow a structured hierarchyHashing ensures data integrity and authenticityEven a tiny change in data invalidates evidenceBig PictureForensic imaging helps you:👉 Move from raw disk → verified evidence copyMental ModelDisk → Image → Hash → Analyze → Verify
You can listen and download our episodes for free on more than 10 different platforms:
https://linktr.ee/cybercode_academy -
In this lesson, you’ll learn about: digital forensics in Windows environments1. What is Digital Forensics?Also known as computer forensicsThe application of scientific methods to digital investigations🔹 Core ObjectivesIdentify digital evidencePreserve its integrityAnalyze findingsPresent results for legal use👉 Key Idea:Evidence must be accurate, repeatable, and legally admissible2. Why Focus on Windows?Majority of systems run WindowsWidely used in:Personal computingEnterprise environments🔹 ChallengesUndocumented internal featuresLimited low-level accessComplex system structure👉 Result:Windows forensics requires specialized knowledge and tools3. Investigation Methodology (SANS Framework)Developed by the SANS Institute🔹 The 8-Step ProcessStep 1: Initial AssessmentConfirm incidentDefine scopeIdentify affected systems👉 Goal:Understand what happened and whereStep 2: System DescriptionDocument:Hardware specsOS configurationNetwork role👉 Importance:Provides context for analysisStep 3: Evidence Acquisition🔹 Types of DataVolatile Data:RAMRunning processesNetwork connectionsNon-Volatile Data:Hard drivesLogsFiles🔹 Critical ConceptsChain of custodyData integrity verification (hashing)👉 Rule:Never alter original evidenceStep 4: Timeline AnalysisReconstruct system activity over time👉 Helps answer:When did the attack happen?What actions were performed?Step 5: Media AnalysisExamine:File systemsProgram executionDeleted files👉 Insight:Reveals user and attacker behaviorStep 6: String & Byte SearchSearch for:KeywordsSignaturesBinary patterns👉 Use Case:Detect malware traces or hidden dataStep 7: Data RecoveryRecover data from:Unallocated spaceSlack space👉 Importance:Deleted ≠ goneStep 8: ReportingCreate formal report🔹 Must IncludeVerified findingsMethods usedEvidence references👉 Requirement:Must be clear, objective, and defensible in court4. Windows Artifacts (Key Evidence Sources)🔹 Common ArtifactsRegistryPrefetch filesRestore pointsRecycle Bin👉 What they reveal:Program execution historyUser activitySystem changes5. Cybersecurity Use Case🔹 When Digital Forensics is UsedIncident responseMalware analysisLegal investigations👉 Outcome:Understand:Attack methodsImpactResponsible actionsKey TakeawaysDigital forensics applies scientific investigation to digital systemsWindows analysis is complex but essentialSANS methodology ensures structured and reliable investigationsEvidence handling must preserve integrityArtifacts reveal hidden user and attacker activityBig PictureDigital forensics helps you:👉 Move from incident → evidence → truthMental ModelCollect → Preserve → Analyze → Report
You can listen and download our episodes for free on more than 10 different platforms:
https://linktr.ee/cybercode_academy -
In this lesson, you’ll learn about: social engineering attacks and spear-phishing execution1. What is Social Engineering?A psychological attack techniqueTargets human behavior instead of systemsExploits trust, urgency, and curiosity👉 Goal:Trick the victim into revealing information or executing malicious actions2. Phase 1: Reconnaissance (Information Gathering)🔹 Target ProfilingCollect Personally Identifiable Information (PII):Job roleRelationship statusDaily habitsInterests (e.g., pets, hobbies)🔹 Data SourcesSocial media platforms (e.g., mock “mybook”)👉 Why it matters:Enables highly targeted (spear-phishing) attacksHelps guess:PasswordsSecurity questions3. Phase 2: Attack Setup🔹 Tools UsedSocial Engineering ToolkitKali Linux🔹 Attack MethodSpear-phishing email with malicious attachment🔹 Payload TechniqueFile disguised as:PCFIX.zip.pdf👉 Deception Strategy:Double extension trick to:Bypass user suspicionAppear as a legitimate document4. Phase 3: Delivery & Execution🔹 Email DeliveryConfigure SMTP serverSend high-priority message🔹 Social Engineering TacticsCreate urgency:“Suspicious internet activity detected”👉 Objective:Force the victim to act without thinking5. System Compromise🔹 Victim InteractionDownloads the fileOpens the attachment🔹 ResultExecution of hidden payloadAttacker gains access via:Metasploit Framework🔹 OutcomeRemote command shell accessFull system control6. Cybersecurity Impact🔹 Attack ChainReconnaissanceWeaponizationDeliveryExploitationAccess👉 Key Insight:A simple phishing email can lead to complete system compromise7. Defense & Awareness🔹 Common Weak PointsHuman trustLack of awarenessPoor email inspection🔹 PreventionSecurity awareness trainingEmail filtering & sandboxingAvoid opening suspicious attachmentsVerify sender authenticityKey TakeawaysSocial engineering targets people, not systemsReconnaissance makes attacks more effectiveFile disguise techniques increase success ratePhishing can lead to full system compromiseAwareness is the strongest defenseBig PictureThis attack demonstrates:👉 How information gathering → targeted phishing → system takeoverMental ModelRecon → “Know the victim”Phishing → “Exploit trust”Payload → “Gain access”
You can listen and download our episodes for free on more than 10 different platforms:
https://linktr.ee/cybercode_academy -
In this lesson, you’ll learn about: reconnaissance using Recon-ng1. What is Recon-ng?A full-featured web reconnaissance frameworkPre-installed on Kali LinuxDesigned to automate OSINT and domain reconnaissance🔹 Core ConceptWorks like a framework (similar to Metasploit)Uses modules to perform different recon tasks👉 Purpose:Build a structured database of target intelligence2. Tool OverviewRecon-ng🔹 Key CapabilitiesDomain intelligence gatheringContact harvestingSubdomain discoveryFile and directory enumeration👉 Advantage:Organizes results into a workspace database3. Workspace & Domain Setup🔹 Initial StepsCreate a workspaceAdd target domain👉 Why it matters:Keeps recon data organized and reusable4. Contact Harvesting🔹 Module: whois_pocsExtracts:NamesEmail addressesLocations👉 Use Case:Build a target profileUseful for:Social engineeringOSINT correlation5. Host Discovery & Stealth🔹 Module: bing_domain_webFinds:HostsIndexed subdomains🔹 Stealth FeatureRecon-ng introduces delays (sleep) between requests👉 Benefit:Mimics human browsingReduces detection riskAvoids IP blocking6. Subdomain Brute-Forcing🔹 Module: brute_hostsUses wordlists to guess subdomains🔹 OutputHidden subdomainsAssociated IP addresses👉 Importance:Expands the attack surfaceReveals hidden infrastructure7. Sensitive File Discovery🔹 Module: interesting_filesSearches for:robots.txtBackup filesConfig files👉 Why it matters:May expose:Hidden directoriesInternal pathsMisconfigurations8. Analyzing Server Responses🔹 HTTP Status Codes404 → Resource not found (client-side issue)300-series → Redirection👉 Insight:Helps understand:Server behaviorApplication structure9. Cybersecurity Use Case🔹 Reconnaissance PhaseEarly stage of:Penetration testingBug bounty hunting🔹 What You AchieveMap:DomainsSubdomainsContactsInfrastructure👉 Outcome:Clear view of the target environmentKey TakeawaysRecon-ng is a modular recon frameworkUses workspaces to organize intelligenceAutomates multiple OSINT tasksIncludes stealth techniques to avoid detectionProvides structured data for further testingBig PictureRecon-ng helps you:👉 Move from raw data → structured intelligence databaseMental ModelRecon-ng → “Collect + organize recon data”Analysis → “Turn data into actionable insights”
You can listen and download our episodes for free on more than 10 different platforms:
https://linktr.ee/cybercode_academy -
In this lesson, you’ll learn about: information gathering using theHarvester1. What is theHarvester?
A reconnaissance tool used for Open Source Intelligence (OSINT)Built into Kali LinuxDesigned to collect publicly available data about a target🔹 Core Function
Gathers:Email addressesSubdomainsIP addressesHostnames👉 Purpose:
Build a digital footprint of the target before active testing2. Tool Overview
theHarvester🔹 Data Sources
Search engines:GoogleBingExternal services:Shodan👉 Value:
Combines multiple sources into one unified result set3. Basic Command Usage🔹 Essential Flags
-d → Target domain-l → Limit number of results-b → Data source (e.g., google, bing, shodan)-f → Save output to file🔹 Example CommandtheHarvester -d microsoft.com -l 100 -b google -f results 👉 What this does:
Searches GoogleCollects up to 100 resultsSaves output locally4. Advanced Querying🔹 Additional Flags
-s → Start position of search results👉 Use Case:
Continue collecting data beyond initial resultsAvoid duplicate data🔹 Shodan IntegrationtheHarvester -d microsoft.com -b shodan 👉 Benefit:
Finds:Exposed devicesServicesTechnical infrastructure5. Analyzing Results🔹 Key Findings
Subdomains:news.microsoft.comsupport.microsoft.comIP Addresses:Associated with infrastructure🔹 Why It Matters
Reveals:Attack surfaceEntry pointsHidden assets6. Cybersecurity Use Case🔹 Reconnaissance Phase
First step in:Penetration testingBug bounty hunting🔹 What You Gain
Target structure understandingIdentification of:Weak subdomainsExposed services👉 Impact:
Better planning for:ScanningExploitationKey Takeaways
theHarvester is a powerful OSINT toolUses multiple public sources for data collectionCommand-line flags control precision and scopeResults reveal critical reconnaissance insightsForms the foundation of ethical hacking workflowsBig PicturetheHarvester helps you:👉 Move from no knowledge → mapped digital footprintMental Model
theHarvester → “Collect target data”Analysis → “Understand the attack surface”
You can listen and download our episodes for free on more than 10 different platforms:
https://linktr.ee/cybercode_academy - Laat meer zien
