Digital Forensics: Abstract digital forensics model (ADFM) and the DFRWS investigative model

Abstract digital forensics model (ADFM)

The Identification phase of this model presupposes that the incident type has already been correctly recognized and defined; this step is crucial because all subsequent processes depend on it. It is followed by Preparation, which consists of readying tools, techniques, search warrants, monitoring authorizations, and management support. The third step, Approach Strategy, is intended to maximize evidence gathering while minimizing the impact on the victim by devising the methods and procedures to follow.

The aim of that strategy is to collect as much evidence as possible without harming the victim. In the next step, Preservation, all the data obtained has to be isolated, secured and protected so that it remains in its original form. During the Collection phase, the physical scene is recorded and all digital evidence obtained is duplicated; these activities are carried out according to established protocols as part of the phase.

The following step is Examination, an in-depth systematic search for evidence related to the case at hand. During the Analysis phase, the probative value of the examined evidence is determined. The next stage is Presentation, where a summary of the process and its findings is prepared. Finally, in Returning Evidence, the investigation concludes by returning any physical or digital evidence to its rightful owner.

DFRWS investigative model

This model, being consistent and standardized, became the foundation for later improvements. Its stages are identification, preservation, collection, examination, analysis, and presentation (plus an additional pseudo-step, Decision). At each stage a variety of possible approaches or procedures is considered. The first step, Identification, includes event or crime detection, signature resolution, anomaly detection, system monitoring, audit analysis, and so on. Next comes Preservation, a guarded concept that runs through all phases of forensic work: proper case management is established, imaging technologies are used, and measures are taken to guarantee an exact and appropriate chain of custody.

The next stage, Collection, follows immediately: relevant data is gathered using validated methodologies, software, and hardware, including data recovery techniques and lossless compression. Data mining and timeline creation, both exciting and critical activities, come next, followed by the Examination and Analysis phases.

Examination is the phase in which evidence traceability and pattern matching are ensured. Analysis is the phase in which hidden data is discovered and extracted. Presentation is the final step of this approach; its tasks are documentation, clarification, a mission impact statement, recommendations on which countermeasures should be implemented, and expert testimony.

Visit https://www.cybercert.ca or call 416 471 4545 to enroll in the Security+/CEH/CISSP training course.

Understanding Android Penetration Testing

Our daily lives at home and at work depend on mobile services and apps, which makes them easy prey for attackers looking for private data. The goal of mobile or Android penetration testing is to find security flaws and make sure that mobile apps are not exposed to threats.

Android apps may be examined manually or with automated tools. During this process the mobile penetration tester uses a number of methods to mimic attacks, identify security holes in the mobile application, and attempt to gain access to confidential information.

The significance of Android penetration testing

Android applications are now used in business, healthcare, finance, education, and other areas. Besides containing sensitive data, some mobile apps also have security flaws. Penetration testers and developers can find and fix these vulnerabilities and so mitigate the resulting security hazards.

Android penetration testing is essential to prevent fraud, malware infections, and data breaches, since new vulnerabilities are constantly being discovered. It is essential for any business that wants to launch new software without worrying about security or legal repercussions.

Because tests can uncover vulnerabilities and misconfigurations in the back-end services the app uses, mobile penetration testing is also useful for assessing the development team’s work and the IT team’s response.

Improper use of the platform

This category covers misuse of mobile operating system features such as TouchID, the Keychain, Android Intents, platform permissions, and other platform security controls. For this vulnerability to be exploitable, the enterprise must expose a web service or API call that the mobile app uses.

Impact of vulnerability: The consequences of exploiting this issue range in severity from total account compromise to altering the app’s content.

Prevention: The server side of the mobile application has to be coded and configured securely.

Storing data insecurely

Keeping important information in the device’s local storage is unwise, since rogue apps may try to read it. Data may also be retrieved directly by an attacker from a stolen device.

Impact of vulnerability: Exploiting this vulnerability can lead to data loss and/or the theft of sensitive information from the application. Business impacts include identity theft, fraud, reputational harm, external policy violations (PCI), and monetary loss.

Prevention: To stop this sort of attack, limit access to the local data store or encrypt the stored data. As OWASP suggests, it is crucial to understand the information assets the app processes and how the APIs handle those assets.

Inadequate cryptography

Malware or attackers with physical access can reverse inadequately encrypted data.

Impact of vulnerability: This vulnerability may allow other parties to access sensitive data on a mobile device without authorization. It can also have a variety of negative business effects, such as reputational harm, privacy breaches, information theft, code theft, and theft of intellectual property.

Prevention: To prevent this attack, avoid keeping sensitive data on mobile devices, use cryptographic standards expected to remain secure for at least 10 years into the future, and follow NIST recommendations for approved algorithms.

Improper authorization

To access an application as a genuine user, attackers often employ freely available or purpose-built automated tools. When the mobile app is in “offline” mode, they may, after signing in, run binary attacks against it in an attempt to execute privileged functionality that should only be available to users with higher privileges.

Impact of vulnerability: Improper authorization may lead to identity theft, fraud, or reputational harm.

Prevention: To stop this attack, the roles and permissions of an authenticated user should be confirmed only from data held in backend systems. Any role or permission identifiers sent by the client should likewise be verified by the backend code.

Is Public Wi-Fi safe to use?

In most cases, using Wi-Fi at home is safe and secure. Unless everyone in your house is trying to stream Netflix at once, it usually works quickly and reliably, and you know who set it up and who is currently connected to the network.

Public Wi-Fi hotspots are a different animal. Logging into one is a gamble: it’s probably fine, but there’s no way to be sure. By joining a public network you risk disclosing your information to other users of the network or, more rarely, to attackers.

Always try to connect to well-known networks. Wi-Fi in a friend’s or family member’s home, for instance, is probably secure. If you need Wi-Fi in an unfamiliar place, prefer a public network run by a known business, such as the one at Starbucks.

How to use public Wi-Fi securely

Keep to a small, consistent set of public networks while you’re out: the fewer networks you sign up for with your information, the lower the likelihood that your information ends up somewhere you don’t want it to.

In general, avoid joining public networks that request excessive amounts of information. Ask yourself: if a network is open to everyone, what do its operators get out of it?

For businesses like Starbucks, or Comcast, which runs Xfinity hotspots for its customers, that benefit is clear. If it isn’t obvious, the operator may be harvesting data from the hotspot.

To that end, be sure to read the terms and conditions of any new network, particularly questionable ones; if you aren’t careful you can sign away your right to privacy. If all else fails and there are no networks you feel comfortable joining, use your phone as a hotspot instead.

Ensure HTTPS is used.

Which letters appear before the URL in your browser’s address bar matters little when you access the internet over a trusted network, but on a public network it becomes crucial.

If the address of the site you’re viewing starts with http, your connection is not encrypted and you may be exposing yourself to eavesdroppers and identity thieves. Encrypted connections start with https rather than plain http.

Google Chrome will warn you when your connection isn’t secure. With other browsers you’ll have to remember to check, particularly when you’re not on a trusted network.

Avoid using AirDrop and file sharing.

AirDrop and File Sharing let you send files from your computer to another over Wi-Fi without sending an email or other message. This feature is great at home or in the office but can be risky on a public network.

Although online accounts of people carelessly sending amusing or intriguing files to strangers’ devices are often funny, it’s wiser to make sure it can’t happen to you. In your computer’s settings, under “Network and Sharing” on a PC or “Sharing” on a Mac, you can disable AirDrop or File Sharing.

Additionally, many computers ask whether you want to “trust” a network the first time you join it. Only trust home networks you are certain are safe.

Use a VPN for additional security

A VPN, or virtual private network, routes your traffic through a private server and encrypts all data going to or from your device, making it far harder for anyone to see or steal your information.

Free VPNs exist, but many of them are fronts for data collection or other dubious marketing practices; a trustworthy VPN is usually something you pay for. If you travel often, the cost can be worthwhile.

Understanding String and Data Manipulation

In its simplest form, string manipulation is the handling and analysis of strings. It involves a number of operations that alter and parse strings in order to use and change their contents. R provides a number of built-in functions for altering a string’s contents.

In this post, we’ll look at a variety of R methods for string manipulation.

String Concatenation

String concatenation is the process of joining two strings together. There are several ways to concatenate strings:

The paste() method

The paste() function combines any number of strings into one longer string. Besides the strings themselves it takes two named arguments: sep, the separator placed between the pieces, and collapse, which determines whether the results are returned as separate strings or joined into a single one. The default value of collapse is NULL.

Shared Methods and Instance Methods

The String class’s methods also let you work with strings. There are two kinds of String methods: shared methods and instance methods.

Shared Methods

A shared method is one that belongs to the String class itself and doesn’t need an instance of the class in order to work. Rather than being called on an instance, these methods are qualified with the class name (String).

Instance Methods

In contrast, instance methods belong to a specific instance of String and must be qualified with the instance name.

One-Based

Take the Mid function as an example of a one-based Visual Basic function. It accepts an argument specifying the character position, starting at 1, at which the substring begins. The .NET Framework’s String.Substring method, by contrast, indexes the character at which the substring begins starting at 0. The characters of the string “ABCDE” are therefore numbered 1, 2, 3, 4, and 5 for use with the Mid function, but 0, 1, 2, 3, and 4 for use with the String.Substring method.

Zero-Based

Consider the Split function as an example of a zero-based Visual Basic function. It divides a string into substrings and returns an array of them. The .NET Framework’s String.Split method likewise divides a string into substrings and returns them as an array. Both the Split function and the Split method must be zero-based, since they return .NET Framework arrays.

Robust programming

The IndexOf method returns the index of the first character of the first occurrence of the substring. Since indexing is 0-based, the first character in a string has index 0.

Checking Password Complexity

The function described here looks for certain features of strong passwords and updates a string argument with details about which tests the password fails.

In a secure system, a user may be authenticated using a password. Passwords must, however, be hard for unauthorized users to guess. A dictionary-attack tool cycles through all the words in a dictionary (or many dictionaries in various languages) to see whether any of them is a user’s password.

Simple passwords like “Yankees” or “Mustang” are easily guessed; stronger passwords such as “?You’L1N3vaFiNdMeyeP@sSWerd!” are far less likely to be. Users of a password-protected system should choose strong passwords: complex (not a word) and containing a mix of uppercase, lowercase, numeric, and special characters.
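The kind of check the text describes, written here in Python as an added illustration (it is not the Visual Basic function from the original article): each failed test is recorded in a list the caller passes in, the way the original updates its string argument, and a constructed mini word list stands in for the dictionaries an attacker’s tool would try. The word list, the 8-character minimum and the leetspeak substitutions are assumptions, not values from the page.

```python
import re

# Constructed mini word list standing in for the dictionaries a dictionary-attack
# tool would cycle through; a real check would load a large list from disk.
COMMON_WORDS = {"yankees", "mustang", "password", "letmein", "welcome", "dragon"}

MIN_LENGTH = 8  # assumed minimum length; adjust to your policy

# Undo common character substitutions so "P@ssw0rd" is still recognised as "password".
_LEET = str.maketrans("@$013", "asole")


def _deleet(password):
    """Lowercase the password, reverse leetspeak substitutions, and keep letters only."""
    return re.sub(r"[^a-z]", "", password.translate(_LEET).lower())


def validate_password(password, failures=None):
    """Return True if `password` passes every complexity test.

    Like the function the text describes, it reports which tests failed: each
    failing test appends a short reason to `failures` (a list, created if the
    caller does not supply one) so the user can be told what to fix.
    """
    if failures is None:
        failures = []
    before = len(failures)
    tests = [
        (len(password) >= MIN_LENGTH, f"must be at least {MIN_LENGTH} characters"),
        (re.search(r"[A-Z]", password) is not None, "needs an uppercase letter"),
        (re.search(r"[a-z]", password) is not None, "needs a lowercase letter"),
        (re.search(r"[0-9]", password) is not None, "needs a digit"),
        (re.search(r"[^A-Za-z0-9]", password) is not None, "needs a special character"),
        (password.lower() not in COMMON_WORDS, "is a dictionary word"),
        (_deleet(password) not in COMMON_WORDS,
         "is a dictionary word with character substitutions"),
    ]
    for passed, reason in tests:
        if not passed:
            failures.append(reason)
    return len(failures) == before


def describe(password):
    """Human-readable verdict: 'strong' or the list of failed tests."""
    failures = []
    if validate_password(password, failures):
        return "strong"
    return "weak: " + "; ".join(failures)


if __name__ == "__main__":
    for candidate in ("Yankees", "P@ssw0rd", "?You'L1N3vaFiNdMeyeP@sSWerd!"):
        print(f"{candidate!r}: {describe(candidate)}")
```

The substitution check matters because a dictionary-attack tool routinely tries leetspeak variants of its word list, so “P@ssw0rd” passes every character-class test yet is still guessable.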

Understanding Wireless Vulnerabilities – Jamming Attacks

Jamming can be a major issue for wireless networks since radio frequency (RF) is essentially an open medium. Jamming is one of the various exploits used to undermine a wireless environment. It works by denying service to authorized users: genuine traffic is slowed or drowned out by large amounts of illegitimate transmission. A skilled attacker with the right equipment can easily jam the 2.4 GHz band so that the signal degrades to the point where the wireless network cannot operate.

The complication with jamming is that other wireless technologies using the 2.4 GHz band can cause it accidentally. Cordless phones, Bluetooth devices, and baby monitors are common consumer goods that can degrade traffic and interfere with a wireless network’s signal.

Older wireless local area networks are more susceptible to jamming because they are less able to respond to different forms of interference; they often require an administrator to experiment manually with each access point’s settings. The best course of action is to invest in a more recent WLAN system that avoids this onerous chore: such systems provide real-time RF management tools that can detect and respond to accidental interference.

Jamming Solutions

The most effective way for an attacker to compromise your LAN and wireless security would be to broadcast random, unauthenticated packets to every wireless station connected to the network; this attack can be carried out simply with pre-built gear from an electronics shop and free software from the internet. In some circumstances it is simply impossible to protect against jamming, since a skilled attacker may be able to overwhelm every network frequency.

If malicious jamming is the main worry, your best bet may be a wireless intrusion detection and prevention system. At a minimum, such a solution should be able to identify unauthorized client devices and rogue access points (RAPs) in your wireless network. Advanced systems can block unauthorized clients, change settings to preserve network performance while under attack, blacklist specific threats, and locate rogue devices precisely to speed containment.

Recognize the Jammer’s Presence

To lessen the effects of an accidental disruption, it is crucial to recognize that it exists. Jamming manifests itself at the physical layer, and its effect is felt at the MAC (Media Access Control) layer above it: the client sees a degraded signal-to-noise ratio as a consequence of the elevated noise floor. It may also be measurable at the access point, where network management tools should be able to report noise floor levels above a set limit.

The access points should then dynamically change their transmit channel in response to the interference indicated by these physical-layer changes. Choosing a new channel does not necessarily solve the problem, however: a skilled attacker will often jam every available channel. If that happens, your only option may be to locate the source of the jamming physically and deal with it directly.
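An added example of the detection logic described above, written in Python and not taken from any vendor’s RF management tool: it averages constructed per-channel noise-floor and RSSI readings, flags channels where the noise floor exceeds a set limit or the signal-to-noise ratio is too low, and picks a cleaner channel, returning none when every channel is degraded, which is the case re-channeling cannot fix. The thresholds and the sample readings are assumptions.

```python
from statistics import mean

# Assumed thresholds; tune them to your environment and hardware.
NOISE_FLOOR_LIMIT_DBM = -85   # noise floor above this is treated as interference
MIN_USABLE_SNR_DB = 20        # below this SNR clients struggle to keep a usable link

# Constructed readings an access point's RF monitor might report:
# (channel, noise floor in dBm, client RSSI in dBm). Not real captures.
SAMPLES = [
    (1, -95, -60), (1, -94, -61),
    (6, -70, -62), (6, -68, -60),    # channel 6 has an elevated noise floor
    (11, -96, -59), (11, -95, -58),
]

# Constructed readings for the case the text warns about: every channel degraded.
ALL_JAMMED = [(1, -60, -55), (6, -62, -56), (11, -61, -57)]


def summarize(samples):
    """Average noise floor and signal-to-noise ratio (RSSI minus noise) per channel."""
    per_channel = {}
    for channel, noise, rssi in samples:
        per_channel.setdefault(channel, []).append((noise, rssi))
    return {
        channel: {
            "noise_floor": mean(noise for noise, _ in rows),
            "snr": mean(rssi - noise for noise, rssi in rows),
        }
        for channel, rows in per_channel.items()
    }


def jammed_channels(summary):
    """Channels whose noise floor exceeds the limit or whose SNR is too low."""
    return sorted(
        channel for channel, stats in summary.items()
        if stats["noise_floor"] > NOISE_FLOOR_LIMIT_DBM or stats["snr"] < MIN_USABLE_SNR_DB
    )


def choose_channel(summary, current):
    """Pick the channel an access point should move to.

    Keeps the current channel if it is clean, otherwise moves to the clean
    channel with the lowest noise floor. Returns None when no channel is
    clean, which is the situation re-channeling cannot fix.
    """
    bad = set(jammed_channels(summary))
    candidates = [channel for channel in summary if channel not in bad]
    if not candidates:
        return None
    if current in candidates:
        return current
    return min(candidates, key=lambda channel: summary[channel]["noise_floor"])


if __name__ == "__main__":
    for label, samples in (("normal", SAMPLES), ("all channels jammed", ALL_JAMMED)):
        summary = summarize(samples)
        print(label, "jammed:", jammed_channels(summary), "move to:", choose_channel(summary, 6))
```

A monitoring system would feed readings like these in continuously and alert when choose_channel returns None, since that is the point where automatic RF management has run out of options and a physical search for the source is the remaining step.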

Understanding the concept of Hypervisors

A hypervisor, sometimes called a virtual machine monitor (VMM), is software that creates and runs virtual machines (VMs). A hypervisor lets a single host computer support several guest VMs by sharing its resources, such as memory and processing power, among them.

Why use a hypervisor?

Because guest VMs are independent of the host hardware, hypervisors allow better utilization of a system’s resources and greater IT mobility: VMs can be moved between servers. Since several virtual machines can run on one physical server, a hypervisor also reduces space, energy, and maintenance requirements.

Hypervisor types

There are two primary kinds of hypervisors: “Type 1” (also known as “bare metal”) and “Type 2” (also known as “hosted”). A type 1 hypervisor runs directly on the host’s hardware, whereas a type 2 hypervisor runs as a software layer on top of an operating system, like other programs.

The type 1 or “bare-metal” hypervisor, in which the virtualization software is installed directly on the hardware where an operating system would normally go, is the most common kind. Bare-metal hypervisors are more secure because they are isolated from the attack-prone operating system.

They also usually outperform hosted hypervisors in performance and efficiency. For these reasons, bare-metal hypervisors are the preferred option for enterprise data center computing.

Hosted hypervisors run on top of the host machine’s operating system (OS) rather than directly on the hardware. Even though the hosted hypervisor runs within the host OS, other (and different) operating systems can be installed on top of it.

A drawback of hosted hypervisors is higher latency than bare-metal hypervisors, due to the additional OS layer between the hardware and the hypervisor. Because they are often used by end users and for software testing, where the extra latency matters less, hosted hypervisors are sometimes called client hypervisors.

What is a cloud hypervisor?

As cloud computing has become more prevalent, the hypervisor has become a crucial tool for managing virtual machines and enabling innovation in cloud environments. Because a hypervisor is the software layer that lets one host machine run numerous VMs at once, it is a critical component of the technology that makes cloud computing feasible.

Hypervisors let users access cloud-based apps in a virtual environment while IT retains control of the cloud environment’s infrastructure, applications, and sensitive data.

Digital transformation and rising customer expectations are increasing dependence on modern applications, and many businesses are moving their virtual machines to the cloud in response. Redesigning every existing application, however, can consume valuable IT resources and create infrastructure silos.

Fortunately, a hypervisor, an essential component of a virtualization platform, can speed application migration to the cloud. Businesses can then realize the cloud’s advantages, such as lower hardware costs, better accessibility, and better scalability, for a quicker return on investment.

How is a hypervisor put to use?

Hypervisors separate a computer’s software from its hardware, enabling VMs to be created and controlled, and they implement virtualization by translating requests between physical and virtual resources. Bare-metal hypervisors are sometimes embedded in the firmware at the same level as the motherboard’s basic input/output system (BIOS), so that the operating system can access and use them.

Identification vs Authentication

Most online transactions begin with identification, in which the user “identifies” themselves by supplying a name, email address, phone number, or username. This is the process by which someone claims to be a specific individual.

In an online setting, however, it can be challenging to confirm that a person is presenting a legitimate identity and is who they claim to be.

Additional information, often a form of government-issued identification, may be provided to confirm identity. Typically you only go through this verification the first time you register an account or visit a website. After that your identity is verified in a simpler way, often with a password associated with your username.

Once your identity has been confirmed, a form of authentication is set up when you first sign up for, access, or onboard with a system, service, or business. It is required every time the service or application is visited.

Digital authentication requires one of the following:

something a person knows, such as a password or a security question;

something a person has, such as a token, smart card, identification card, or cryptographic key;

something a person is, such as biometric information like a fingerprint or face scan.

During authentication, users prove that they are who they claimed to be at the identification stage. Multi-factor authentication (MFA), which requires several forms of authentication, is one of the safest authentication techniques.

Explaining authorization

Authorizing someone to use a service or system means granting them certain rights and privileges based on the identity and verification they have previously supplied.

Nearly 5 million reports of fraud and identity theft were filed in 2020. Cybercrime becomes a problem when criminals steal personal information and impersonate trustworthy individuals.

Authorization ensures that a person whose identity has been established has the right to use certain services and is entitled to certain privileges. To be effective, authorization must come after identification and authentication.

Use cases for each step

Identification is used in the initial setup of a firm’s accounts, services, and onboarding. Personal information must be provided to identify a person and then confirm their identity.

Identity documents, information only the genuine person would know, or personal data such as a social security number may all be used to confirm someone’s identity. Thereafter, identification is usually required in the form of a username every time a user uses an account or service.

Authentication comes next. It verifies that a user really is who they say they are by comparing what they supply against previously stored information: when the user enters a password or other specified information, the system checks that it matches what it has saved.

To further confirm the user’s identity, authentication systems may request a one-time verification code, typically sent by text message or email to a previously registered phone number or address, which the user must enter as an extra authentication factor. Authorization should not happen until identification and authentication have been completed.

Once the user has been authenticated, the system finally grants them access, rights, and privileges. By preventing unauthorized use, authorization protects system resources and individual users.
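An added Python example, not code from the original post, tying the three steps together and also illustrating the earlier advice under Improper authorization that roles and permissions be confirmed only from backend data: identification is a username claim, authentication checks a password hash and then a one-time code, and authorization reads the role from the backend record while ignoring any role the client asserts. The in-memory user store, the PBKDF2 iteration count and the permission table are constructed for the example.

```python
import hashlib
import hmac
import os
import secrets


def _hash_password(password, salt):
    # PBKDF2-HMAC-SHA256; the iteration count is an assumed example value.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000)


class IdentityService:
    """Toy backend showing identification, two-factor authentication and authorization."""

    # Role-to-permission mapping lives on the backend, as do the users' roles.
    PERMISSIONS = {"user": {"view_profile"}, "admin": {"view_profile", "delete_user"}}

    def __init__(self):
        self._users = {}        # username -> record (constructed in-memory user store)
        self._pending_otp = {}  # username -> one-time code awaiting entry
        self._sessions = {}     # session token -> username

    def register(self, username, password, phone, role="user"):
        """Onboarding: the user is identified and a password factor is set up."""
        salt = os.urandom(16)
        self._users[username] = {
            "salt": salt, "hash": _hash_password(password, salt), "phone": phone, "role": role,
        }

    def identify(self, username):
        """Identification: the user claims to be `username`; nothing is proven yet."""
        return username in self._users

    def authenticate(self, username, password):
        """First factor (something the user knows). On success a one-time code is issued."""
        record = self._users.get(username)
        if record is None:
            return None
        if not hmac.compare_digest(_hash_password(password, record["salt"]), record["hash"]):
            return None
        code = f"{secrets.randbelow(10 ** 6):06d}"
        self._pending_otp[username] = code
        # A real system would text `code` to record["phone"]; it is returned here
        # only so the example runs offline.
        return code

    def verify_otp(self, username, code):
        """Second factor (something the user has: the phone). Returns a session token."""
        expected = self._pending_otp.pop(username, None)  # single use: a replay fails
        if expected is None or not hmac.compare_digest(expected.encode(), code.encode()):
            return None
        token = secrets.token_hex(16)
        self._sessions[token] = username
        return token

    def authorize(self, token, action, claimed_role=None):
        """Authorization: only after authentication, and only from backend data.

        `claimed_role` models a role sent by the client (a form field, a token
        claim, a tampered binary); it is deliberately ignored, as the text
        recommends, and the role is read from the user's backend record.
        """
        username = self._sessions.get(token)
        if username is None:
            return False
        role = self._users[username]["role"]
        return action in self.PERMISSIONS.get(role, set())


if __name__ == "__main__":
    svc = IdentityService()
    svc.register("alice", "S3cure!pass", "+1-555-0100")  # constructed account
    code = svc.authenticate("alice", "S3cure!pass")
    token = svc.verify_otp("alice", code)
    print("view_profile:", svc.authorize(token, "view_profile"))
    print("delete_user with client-claimed admin role:",
          svc.authorize(token, "delete_user", claimed_role="admin"))
```

Two details carry the security point: the one-time code is removed from the pending table the moment it is checked, so it cannot be replayed, and authorize never consults the claimed_role parameter, so a client that rewrites its own role gets exactly the permissions the backend record grants.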

A non-repudiation service may have several components, each with a distinct role. Non-repudiation with proof of origin gives the recipient indisputable evidence that a message was sent by a specific person, should the sender ever deny sending it.

Non-repudiation with proof of delivery gives the sender indisputable evidence that a particular person received the message, should the recipient ever deny receiving it.

Proof with near-absolute certainty, or indisputable evidence, is a difficult objective in practice; nothing in the real world is entirely secure. Managing risk to a level acceptable to the organization matters more than security for its own sake. A more reasonable demand is therefore that the non-repudiation service provide evidence that would hold up in court and support your claim.

Understanding MAC Spoofing Attacks

A MAC (Media Access Control) address is the unique serial number the manufacturer assigns to each network interface at manufacture. In other words, it is the unique, globally assigned physical identifier of every device’s network interface, wired or wireless.

On a local network this address identifies which interface is talking to which. The 48-bit (six-byte) MAC address is written in the form “XX:XX:XX:YY:YY:YY”, where the first three bytes (XX) identify the manufacturer and the last three (YY) identify the individual interface. Let’s find out more about MAC spoofing.

Whereas an IP address locates you on the Internet, the MAC address identifies which equipment is on the local network. The vendor burns the MAC address into the hardware, so the end user cannot change or rewrite this burned-in address (BIA). On the software side, however, the address a device presents can be masked, and this is how MAC spoofing works.

What is a MAC spoofing attack?

MAC spoofing attacks have become more prevalent as technology has developed rapidly. To avoid becoming a victim, however, we must first understand what such an attack is.

In a MAC address spoofing attack, an attacker or impostor scans the network for genuine, legitimate MAC addresses and bypasses access control systems by pretending to be one of those real MAC addresses.

By presenting itself as the default gateway and covertly copying all the data sent to the default gateway, the attacker can bypass authentication checks and obtain crucial information about active programs and end-host IP addresses. This sort of attack is known as MAC address spoofing.

Why is MAC spoofing used, and what does it involve?

Masking the MAC address, sometimes called MAC ID spoofing, is one of the most important tactics used in MAC spoofing attacks. Spoofing collectively refers to the many techniques for manipulating the basic addressing scheme of computer networks.

The answer to the question “what is MAC address spoofing?” is therefore fairly straightforward: it is a technique for altering or concealing the factory-assigned MAC address of a device’s network interface.

The purpose of MAC spoofing

Hackers use MAC spoofing to bypass access restrictions and security measures or for criminal purposes, but people also use it for lawful ones. Every network device is assigned a unique MAC address that identifies it globally. Possible reasons for hiding or forging the MAC address include the following:

Respect for privacy

Because MAC addresses are transmitted unencrypted over open or public WLAN or LAN networks, they reveal the hardware addresses and registration information of the connected devices. Some people hide their address to protect their privacy and stop this information from being easily collected. Keep in mind, though, that attackers use the same justification to mask their identity and access the web anonymously while engaged in illicit activity.

Avoiding identity theft

Many administrators and IT teams protect IT systems from internal and external threats by limiting LAN access to approved devices. At OSI layer 2, network elements such as Ethernet switches with port security can restrict which addresses may send traffic on a port. With a whitelisting approach, an unknown address is blocked immediately. Access via WLAN networks is likewise restricted using MAC filters.
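An added Python example, not from the original post, that covers both the address format described earlier and the port-security whitelisting described here: it parses XX:XX:XX:YY:YY:YY addresses, separates the manufacturer’s OUI from the interface-specific bytes, checks the locally administered bit that a software-overridden address usually carries, applies a per-port whitelist, and reports any address seen on more than one port. The whitelist and the observed frames are constructed, not real captures.

```python
import re

_OCTET = re.compile(r"[0-9A-Fa-f]{2}")


def parse_mac(text):
    """Parse 'XX:XX:XX:YY:YY:YY' (colon- or hyphen-separated) into six bytes.

    Raises ValueError for anything that is not a 48-bit address, so malformed
    input never slips through as a 'matching' address.
    """
    parts = re.split(r"[:-]", text.strip())
    if len(parts) != 6 or not all(_OCTET.fullmatch(part) for part in parts):
        raise ValueError(f"not a 48-bit MAC address: {text!r}")
    return bytes(int(part, 16) for part in parts)


def canonical(mac):
    """Lowercase colon-separated form, so whitelist lookups are case-insensitive."""
    return ":".join(f"{octet:02x}" for octet in mac)


def oui(mac):
    """The first three bytes: the manufacturer's organisationally unique identifier."""
    return canonical(mac[:3])


def is_locally_administered(mac):
    """True if the U/L bit (0x02 in the first octet) is set.

    A burned-in, vendor-assigned address has this bit clear; an address that a
    driver or tool has overridden usually sets it, so it is a useful, though not
    conclusive, spoofing indicator.
    """
    return bool(mac[0] & 0x02)


# Constructed port-security whitelist: switch port -> MAC addresses allowed to
# send on it. As the text says, an address not on the list is blocked outright.
ALLOWED = {
    "Gi1/0/1": {"00:1a:2b:3c:4d:5e"},
    "Gi1/0/2": {"00:1a:2b:3c:4d:5f"},
}

# Constructed frames seen by the switch: (ingress port, source MAC). Not real captures.
OBSERVED = [
    ("Gi1/0/1", "00:1A:2B:3C:4D:5E"),   # legitimate host, address written in uppercase
    ("Gi1/0/2", "00:1a:2b:3c:4d:5f"),   # legitimate host
    ("Gi1/0/3", "00:1a:2b:3c:4d:5e"),   # whitelisted address showing up on a second port
    ("Gi1/0/2", "02:11:22:33:44:55"),   # unknown, locally administered address
]


def evaluate(observed, allowed):
    """Apply the whitelist and collect the indicators a defender would alert on.

    Returns (decisions, duplicates): one decision per frame, plus the addresses
    seen on more than one port, a classic sign that a MAC is being spoofed.
    """
    decisions, ports_by_mac = [], {}
    for port, text in observed:
        mac = parse_mac(text)
        addr = canonical(mac)
        ports_by_mac.setdefault(addr, set()).add(port)
        decisions.append({
            "port": port,
            "mac": addr,
            "oui": oui(mac),
            "allowed": addr in allowed.get(port, set()),
            "locally_administered": is_locally_administered(mac),
        })
    duplicates = {addr: sorted(ports) for addr, ports in ports_by_mac.items() if len(ports) > 1}
    return decisions, duplicates


if __name__ == "__main__":
    decisions, duplicates = evaluate(OBSERVED, ALLOWED)
    for decision in decisions:
        print(decision)
    print("seen on multiple ports:", duplicates)
```

The whitelist alone blocks the unknown address on Gi1/0/2, but it does not catch the copied address on Gi1/0/3 by itself; the duplicate-port report is what surfaces it, which is why a detection system should correlate addresses across ports rather than judge each frame in isolation.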

Access to software that costs money

MAC address spoofing is also used to impersonate an approved device in order to access paid software or internet services. Some users abuse it by changing or masking their MAC address to match the one specified in the licensing agreement of a purchased program. The software vendor or service provider may regard this kind of MAC spoofing as fraudulent use of the service and pursue legal action.
