View RSS Feed

JDMurray's Blog at www.TechExams.Net

Computer Forensics Certifications

Rate this Entry
by , 12-18-2010 at 11:26 PM (98795 Views)
Computer forensics (a.k.a., digital forensics ) is a very highly specialize area of Information Technology used to locate, copy, analyze, and document information present on electronic storage systems for presentation in a court of law. The computer forensic community has a high regard for certifications as a way to demonstrate knowledge and experience with forensic procedures and best practices, and with specific tools related to performing computer forensics investigations.

Many jobs in computer forensics require actual legal and forensics experience, which makes it difficult to break into the field, especially if you have no legal system or law enforcement background. Obtaining training, education, and certification are therefore often necessary prior to gaining actual forensic field experience.

Computer forensic certifications can be categorized as being offered by a professional forensic organization, a commercial training provider, or a commercial product vendor. This article uses the categories of vendor-neutral to indicate if the information in the certification is intended to represent the common body of knowledge of computer forensics, and vendor-specific if the certification is based on a specific commercial product or service (including training) offered to the computer forensics community.

People looking at computer forensics will frequently ask, “Which forensics certifications are the best to get?” That really depends on that you want to do with the certification. If your goal is to get a job in computer forensics, try looking at job requisitions for computer forensics , forensics examiner , and forensic analysis positions on job sites (like and noting which certs are required, which are listed as “nice to have,” and which ones aren't mentioned at all.

Vendor-Neutral Computer Forensics Certifications

Certified Computer Examiner

The Certified Computer Examiner (CCE®) certification offered by the International Society of Forensic Computer Examiners (ISFCE) is a vendor-neutral computer forensics certification used to certify the competency of forensic computer examiners based on their knowledge and proficiency in performing digital forensic examinations. Knowledge is tested using an online multiple choice exam, and proficiency is measured by the successful completion of an ISFCE-approved training course (or here), which includes practical assignments.

Other requirements for CCE certification include performing a valid and verifiable self-study program, having at least 18 months of verifiable professional experience conducting digital forensic examinations, submitting a notarized CCE statement, agreeing to a code of ethics, and passing a criminal background check. Recertification is required every two years.

Additional details and requirements can be found on the application for CCE certification and CCE recertification pages.

Certified Computer Forensics Examiner

The Certified Computer Forensics Examiner (CCFE) certification from the Information Assurance Certification Review Board (IACRB) provides a vendor-neutral certification of a candidate's fundamental knowledge of the computer forensics evidence recovery and analysis process, and the ability to perform a practical computer forensics investigation, examination, and report.

Certification candidates must pass an online multiple choice exam, which covers nine domains of knowledge, including computer forensics tools, investigations, file systems, evidence analysis, and report writing. After passing the written exam, a practical assignment must be completed in which the candidate will be given 60 days to perform a computer forensics examination on evidence files and write up a report that is submissible as evidence in a court of law.

Certified Digital Forensics Examiner

The Certified Digital Forensics Examiner (CDFE) certification from Mile2 is intended to represent a candidate's knowledge of a broad range of knowledge of computer forensics, e-discovery, digital evidence, and related technologies.

CDFE certification is achieved by completing a 100-question exam over two hours and with a passing score of 75%. The objectives of the CDFE exam are based on the modules of the Mile2 Certified Digital Forensics Examiner training program. However, attending the CDFE training program, or purchasing the Mile2 training materials, are not requirements for CDFE certification. Additional information can be found on the CDFE course outline and Certification Exams at Mile2 page.

The Certified E-Discovery Specialist (CEDS) certification from the Association of Certified E-Discovery Specialists (ACEDS) is a new certification for Electronic Discovery examiners. The CEDS designation is intended to validate the competency, knowledge, and expertise of an e-discovery professional. ACEDS itself is a membership-based organization for aiding and promoting the professional interests of the e-discovery community.

The CEDS is administered as a 4-hour, proctored exam at a Kryterion Testing Center. Objectives on the exam include information management, legal framework, project planning data culling, international discovery, ethics, and technology.

Prior to taking the the CEDS exam, candidates must provide proof of having at least 40 credits in e-discovery (or closely related training, education, certification, or experience), two professional references, and have submitted a completed exam application and fee. Attending ACEDS training or a CEDS preparation seminar is optional. Membership in ACEDS is also optional, but results in a reduced exam fee.

Additional details about the CEDS certification can be found on the ACEDS Web site an in the CEDS Examination Candidate Handbook.

Computer Hacking Forensic Investigator

The Computer Hacking Forensic Investigator (CHFI) certification from EC-Council provides proof of a successfully passing a training class and exam that broadly covers the many fields of computer forensics investigation. CHFI certification is commonly acquired by first attending an official CHFI training course followed by passing a single online exam taken at a Prometric testing center. It is possible to waive the training requirements, but only with permission from EC-Council.

The EC-Council CHFI course outline and CHFI brochure lists the considerable number of objectives on the CHFI v4 exam. Investigative techniques, Windows, Mac, Linux, cell phones, Malware, networking, documentation and reports, international laws and legal compliance, and large number of computer forensics tools are just a few of the topics covered.

CHFI training can be obtained from any endorsed training partner as 5-day classroom training or as computer-based training courseware. Study guides for the CHFI include the The Official CHFI Study Guide by Syngress and uCertify Guide for EC-Council Exam 312-49 by

The CHFI requires renewal every three years, or collecting 120 CPEs over the same time. More information and personal testimonials about the CHFI and CEH certifications can be found in the EC-Council CEH and CHFI discussion forum on .

CyberSecurity Forensic Analyst

The CyberSecurity Forensic Analyst (CSFA) certification from CyberSecurity Institute is intended to validate that certification candidates are capable of conducting a thorough forensic analysis using sound examination and handling procedures, and are able to communicate the results of their analysis effectively. The CSFA is therefore a very practical forensics certification.

The CSFA exam contains 50 multiple choice questions and a hands-on lab in which the candidate is given three days to complete a serial of practical assignments. The written test is 30% and the practicals 70% of the total score, and a final score of 85% is required to pass.

The prerequisites for taking the CFSA exam include a recommendation of at least two years of experience with the technical and administrative aspects of conducting forensics examinations and analysis. It is also highly recommended that the candidate already one or more professional forensics certifications. An FBI background check is also required before the testing candidate can take this CSFA certification test.

Additional information can be found on the CSFA application and CSFA FAQ pages.

GIAC Certified Forensic Analyst

The GIAC Certified Forensic Analyst (GCFA) certification from The SANS (System Administration, Networking, and Security) Institute is intended for both law enforcement personnel and corporate and organizational incident response and investigation teams. In addition to the standard technical and legal computer forensics topics, GCFA candidates also require a deep understanding of SOX, GLB, HIPAA, the Electronic Communications Privacy Act, the Computer Fraud and Abuse Act, the Wiretap Act, and the Daubert and KellyFrye standards.

The GCFA exam consists of 150 questions to be completed over four hours and with a passing score of 70%. Recertification is required every four years using a retest or collecting Certification Maintenance Units (CMU). There is also a certification maintenance fee.

SANS offered a training class for the GCFA, but it is not required to take the certification exam. There are currently 2300 GCFA-certified processionals with over 200 of those being Gold.

GIAC Certified Forensics Examiner

The GIAC Certified Forensics Examiner (GCFE) certification, also from SANS, focuses on core skills required to collect and analyze data from Windows computer systems. The GCFE certifies that candidates have the knowledge, skills, and ability to conduct typical incident investigations, including e-Discovery, forensic analysis and reporting, evidence acquisition, browser forensics, and tracing user and application activities on Windows systems. The GCFE is intended for legal, law enforcement, or information security professionals with a need to understand computer forensic analysis.

The GCFA exam consists of 150 questions to be completed over four hours and with a passing score of 70%. Recertification is required every four years using a retest or collecting Certification Maintenance Units (CMU). There is also a certification maintenance fee.

The GCFE is a new certification with currently very few credentials granted. For more information on the GCFE, refer to the SANS Web site and the GCFE Certification Bulletin.

IACIS Certified Forensic Computer Examiner

The IACIS Certified Forensic Computer Examiner (CFCE) certification from the International Association of Computer Investigative Specialists (IACIS) validates an exam candidate's competencies in the field of computer/digital forensics, and specifically in the acquisition, authentication, reconstruction, examination, and analysis of data stored on electronic media.

Achieving the CFCE certification requires passing both a written exam and a series of practical assignments that are peer reviewed. Only after the successfully passing of the practicals may the candidate be allowed to take the written exam, comprised of 100 questions and requiring a minimum score of 80% to pass. The exam covers six competency domains, which include pre-examination, media examination, and defense and presentation of findings.

The CFCE certification is only available active law enforcement personnel, full-time civilian employees of a law enforcement agency, or people who otherwise qualify for membership in IACIS. For more information, check the CFCE Program FAQ and the IACIS Web site for the latest information on CFCE training.

The Certified Electronic Evidence Collection Specialist (CEECS) certification from the IACIS was available for several number of years, but is no longer offered as a certification. The CEECS training has been incorporated into the IACIS Basic Computer Forensic Examiner (BCFE) Training Program. Check the IACIS Web site for the latest information on BCFE training.

Vendor-Specific Computer Forensics Certifications

AccessData Certified Examiner

The AccessData Certified Examiner (ACE) certification from AccessData Group, LLC validates an exam candidate's proficiency with using AccessData's Forensic Toolkit (FTK), Password Recovery Toolkit (PRTK), FTK Imager, and Registry Viewer products. FTK is one of the more recognized tools in computer forensics. AccessData recommends that anyone needing to demonstrate a proficiency with FTK acquire the ACE certification.

The ACE exam is a 90-minute, multiple choice exam that is free to take either online or at the conclusion of an AccessData training class. The exam contains both written and practical assignments based on a case that is created and processed from an image file provided to the exam candidate. ACE Credential Maintenance requires that a renewal exam be taken every one or two years.

There are free preparation videos and an exam study guide available on the AccessData Web site. AccessData recommends that the certification be taken in conjunction with their AccessData BootCamp and Windows Forensics courses, but it is not required. You can find out more about the ACE certification process at the AccessData Website.

AccessData also offers certifications in its Summation litigation product.

Certified Forensic Investigation Practitioner

Certified Mac Forensics Specialist

Certified Malware Investigator

7safe is a computer forensics company based in the United Kingdom that offers training, certifications, and services in many aspect of computer forensics. The 7safe certifications are awarded after passing an exam at he conclusion of a specific 7safe training course.

The 7safe CFIP course teaches static computer forensics analysis using forensic principles, evidence continuity, and methodologies to employ when conducting a forensic investigation. This 3-day course includes practical exercises associated with computer forensics investigations. For more information, refer to the CFIP course outline.

The 7safe CMFS course teaches forensics for the Apple Macintosh, including data structures, file systems, and collecting digital evidence associated with the OS X operating system. For more information, refer to the CMFS course outline.

The 7safe CMI course teaches the process of conducting network malware analysis using different analysis environments, and 7Safe's malware investigation methodology, for investigating network activity stemming from malicious software infection. For more information, refer to the CMI course outline.

EnCase Certified Examiner

Probably the most well-know of all computer forensic software packages is EnCase® from Guidance Software. The EnCase Certified Examiner (EnCE®) is a training program for learning the use of Guidance Software's EnCase computer forensic software. Computer forensics examiners with the EnCE certification are generally considered experts in the use of EnCase.

A prerequisite for the EnCE certification is having 64 hours of authorized computer forensic training (online or classroom), or having at least 12 months of verifiable computer forensic experience. It is also necessary to submit an EnCE application for approval to attempt the EnCE certification.

The EnCE certification is divided into a written exam and a practical exam. The written portion contains 180 computer-based questions that must be answered in two hours, and covers much of the information found in the Official EnCE EnCase Certified Examiner Study Guide from Sybex. The practical exam includes a exam-licensed copy of EnCase 6 and EnCase evidence files. The EnCE candidate has 60 days to analyzed the evidence and answer a dozen or so questions about procedures, methodology, and report on the findings.

To take the practical exam, the written exam must be passed with a minimum score of 80%. Passing the practical exam require a score of 85%. (Only the author of the EnCase Study Guide, Steve Bunting, has scored 100% on both exams.) Certification renewal is every three years, but collecting a few CPEs each year will satisfy the renewal requirements. There is currently no annual maintenance fee.

If the EnCE certification sounds interesting, have a look at the EnCE Study Guide for more details, or contact

EnCase Certified eDiscovery Practitioner

The EnCase® Certified eDiscovery Practitioner (EnCEP™) program provides certification in the use of Guidance Software's EnCase eDiscovery software. EnCase eDiscovery is the leading eDiscovery solution for the search, collection, preservation, and processing of electronically stored information (ESI). Earning the EnCEP certification illustrates that a practitioner is skilled in the application of the solution to manage and successfully complete all sizes of eDiscovery matters in accordance with the Federal Rules of Civil Procedure.

Requirements for the EnCEP certification include attendance of an EnCase eDiscovery training course ( live or online), or completion of the on-site EnCase eDiscovery implementation training, or the Advanced EnCase eDiscovery Certification training course. Three months experience in eDiscovery collection, processing and/or project management is also required.

Testing for the EnCEP certification is a 100-question written exam and an online scenario exam. Both exams have a passing score of 80%. The EnCEP certification is valid for 3 years and is renewed by attending a minimum of 32 credit hours of eDiscovery education, or attend one CEIC conference and at least 10 eDiscovery laboratory sessions. Additional information can be found in the EnCEP FAQ.

IT Certifications Related to Computer Forensics

For specific job qualifications, a computer forensics examiner may need strong skills in several other areas of IT, including:
  • Troubleshooting desktops, laptops, and servers
  • Expert familiarity with Windows, Apple OSX, Linux, and UNIX
  • Configuration and operation of of wired networking equipment
  • Detection and operation of wireless networks, including cellular
  • Network and endpoint vulnerability analysis
  • Incident investigation, threat management, and Information Security
  • Virtualization (virtual computing, cloud computing)
  • Proficiency with Microsoft Excel, Word, and PowerPoint
  • Scripting, programming, and reverse engineering
These are only a few of the additional skills asked for in in computer forensics job postings. Most every skill in this list has multiple certifications associates with it. Therefore, if you are interested in working in the computer forensics profession, here are some additional certifications you should have a look at:

Computer Hardware
Information Security Security+ , SSCP , CISSP , GSEC
Investigation CFE , ECIH , GCIH , CSIS
Linux Linux+ , LPI , RHCT
Microsoft MCSE , MCITP , MOS
Networking Network+ , CCENT , CCNA , CCNA Security
Reverse engineering GREM , CREA
Virtualization VCP
Wireless Networking CWTS , CWNA , CWSP , CCNA Wireless

It is also worth noting that many colleges, universities, and learning centers offer classes in many of these skill areas. An online or in-person class may be just what you need to get your feet wet in something that you may be very unfamiliar with, such as PC repair, OS X, UNIX/Linux, virtualization, information security, programming, or computer forensics.


  1. rohan.nyayadhish's Avatar
    That's really good collective information but can you provide the detail information regarding the "MOBILE FORENSIC"

  2. Nadzz's Avatar


Total Trackbacks 0
Trackback URL: