Computer forensics is one of the more challenging IT disciplines, and certified professionals remain in high demand. Yet computer forensic certifications remain something of a "wild" frontier. From two dozen available credentials, we list the five best options for 2014.
Today, there are a number of high-quality certification programs that focus on digital investigations and computer forensics. However, there are also certifications and programs in this area that are far less transparent, well-documented and widely known.
What's creating this demand for new programs in computer forensics? Consider the following:
- Computer crime continues to be a major growth area. As more cyber crimes get reported, more investigations and qualified investigators are needed. This is good news for law enforcement and private investigators who specialize in computer forensics.
- There's a high demand for qualified computer forensics professionals as nearly every police department is in need of a trained candidate with suitable credentials.
- IT professionals interested in working for the federal government (either as full-time employees or private contractors) must meet certain minimum training standards in information security.Computer forensics qualifies as part of the mix needed to meet such requirements, which further adds to the demand for certified computer forensics professionals.
As a result, there is a continuing rise of companies that offer computer forensic training and certifications, many of which are "private label" credentials that are not well recognized. Making sense of all the options and finding the certification that's right for you might be more difficult than it seems.
A recent survey we conducted for SearchSecurity.com (June 2013) on available
information security certifications turned up just under
two dozen computer forensics and anti-hacking credentials.And these are all somewhat well-known, and on the up-and-up. But in pulling those materials together, we deliberately ignored programs that didn't publish the sizes of their certified populations or that are associated with mandatory high-dollar training. (A small certified population usually means the program is just getting started or not doing very well. We generally look for programs with no fewer than 5,000 certified professionals, by contrast. Expensive training sometimes indicates there's a strong profit or financial motive in signing people up for certification.)
After a closer analysis of all of the available programs out there, we've identified the five best computer forensics certifications for 2014.
Certified Computer Examiner (CCE)
The
Certified Computer Examiner (CCE) comes from the International Society of Forensic Computer Examiners, aka
ISFCE.
It is well-recognized in the industry and in the law enforcement community as a leading credential for computer forensics professionals. Private-sector holders usually include security officers and managers, IT administrators or managers, security or forensics consultants, systems and data security analysts and investigators, and even some lawyers and HR managers. Law enforcement holders usually serve as forensic investigators, analysts, or technicians, and conduct official investigations to research or prosecute computer crimes.
The certification process for the CCE includes both a proctored online multiple-choice exam and hands-on forensic analysis of a floppy or CD-R optical disk. When the online exam is completed, applicants conduct a thorough forensic examination of the test media with which they are supplied. Together, both written and hands-on portions are intended to verify a candidate’s skills and knowledge in the area of computer forensics.
The CCE training classes usually run for 5 days in the classroom (or 40 hours of online or self-paced materials). Instructor-led versions generally cost $2,500 to $3,500 in North America, and are highly regarded. Online or self-paced versions may be somewhat less expensive but don’t always deliver direct instructor contact.
Table 1: Certified Computer Examiner (CCE)
Certification Name
|
Certified Computer Examiner (CCE)
|
Prerequisites/ Required courses
|
One of the following is required:
- Training at a CCE Bootcamp Authorized Training Center
- Proof of other digital forensics training (can be self-study); must be approved by the Certification Board
- At least 18 months of verifiable experience conducting digital forensic examinations
Candidates cannot have a criminal record.
|
Number of Exams
|
2 exams are required to earn the CCE:
- Online Written Exam (75 questions in 45 minutes; 70% passing score required to proceed to Practical Examination)
- Practical Examination (three actual scenarios to investigate)
Average score of 80% for both exams is required to earn the CCE
|
Cost per Exam
|
$395 USD for both exams in the USA; prices vary by location elsewhere
|
URL
|
|
Self-study Materials
|
There are no books or Exam Crams available for this topic, but the ISFCE publishes a complete list of suggested study materials (books and online materials), all of which are readily available to the public: www.isfce.com/study.htm
|
Certified Hacking Forensic Investigator (CHFI)
The International Council of E-Commerce Consultants, aka EC-Council, is a well-known training and certification organization that specializes in the areas of anti-hacking, computer forensics, and penetration testing.
The Certified Hacking Forensic Investigator (CHFI) certification emphasizes forensics tools, analytical techniques, and procedures involved in obtaining, maintaining, and presenting computer forensic evidence and data in a court of law. EC-Council offers training for this credential but permits candidates to challenge the exam without taking the course, though payment of a non-refundable $100 application fee is required.
The CHFI course runs for 5 days and covers a wide range of topics and tools (a detailed
course description is available). Topics include a comprehensive cyber-crime overview, in-depth coverage of the computer forensics investigation process, search and seizure of computers, working with digital evidence, incident handling and first responder procedures, gathering volatile and non-volatile data from a Windows computer, recovering deleted files and partitions from Windows, Macintosh, and Linux systems, using AccessData FTK and Encase Steganography, password cracking, log capturing tools and techniques, investigating network traffic, wireless attacks, Web attacks, and e-mail crimes. Courseware is available, as well as instructor-led classroom training.
EC-Council also offers numerous other related certifications of potential value to readers interested in the CHFI. These include the Certified Ethical Hacker (CEH), EC-Council Certified Security Analyst (ECSA), EC-Council Certified Incident Handler (ECIH), and Licensed Penetration Tester (LPT). Visit the
EC-Council site for more information on these popular and respected credentials.
Table 2: Certified Hacking Forensic Investigator (CHFI)
Certification Name
|
Certified Hacking Forensic Investigator (CHFI)
|
Prerequisites/Required Courses
|
Training is not mandated to earn the CHFI, but it is both available and recommended. The training class costs about $3,000 for instructor-led classroom training, $1,600 for online self-paced training, or $650 for self-study courseware. Mobile courses are also available, which start at $2,000.
|
Number of Exams
|
1 exam: 312-49 or EC0-349 (150 questions, 4 hours, passing score 70%, multiple choice)
|
Cost per Exam
|
$500 (or local currency equivalent) at either Prometric or Pearson VUE testing centers
|
URL
|
|
Self-study Materials
|
CHFI Study Guide available at Amazon; some practice exams also available.
|
Certified Forensic Computer Examiner (CFCE)
The International Association of Computer Investigative Specialists (
IACIS) is the organization behind the
Certified Forensic Computer Examiner (CFCE) credential. This organization caters primarily to law enforcement personnel (and you must be employed in law enforcement to qualify for regular IACIS membership), but the organization also offers associate membership to retired law enforcement personnel and to full-time contractors to law-enforcement organizations.
A formal application form, along with an application fee, is necessary to join IACIS. Those who are not current or former government or law enforcement employees or are not forensic contractors to a government agency can apply for Associate Membership to IACIS, provided they can pass a background check.
Earning the CFCE requires passing a two-step testing process that includes a Peer Review and CFCE certification testing. Peer Review consists of accepting and completing assigned problems based on core knowledge and skills areas for the credential. These must be solved, and presented to a mentor for initial evaluation (and assistance, where needed) before being presented for peer review. Upon successful conclusion of peer review, candidates must work independently to analyze and report upon a forensic image of a hard drive provided to them. Following specific instructions, a written report is prepared to document the candidate’s activities and findings.
Once that report is accepted and passed, the process concludes with a written examination. A passing score of 80 percent or better is required for both the forensic report and the written exam to earn the CFCE.
Despite the time and expense involved in earning a CFCE, this credential enjoys high value and excellent name recognition in the computer forensics field. Many forensics professionals consider the CFCE to be a necessary "merit badge" to earn, especially for those who work in or for law enforcement.
Table 3: Certified Forensic Computer Examiner (CFCE)
Certification Name
|
Certified Forensic Computer Examiner (CFCE)
|
Prerequisites/Required Courses
|
Training is not mandated to earn the CFCE, but it is both available and recommended. The two-week Basic Computer Forensic Examiner (BCFE) instructor-led classroom training costs $2,795. (IACIS membership is required to take IACIS courses.)
If you choose not to attend the training, you can enter the program by registering and paying the $750 registration fee.
|
Number of Exams
|
The CFCE involves a two-part process, taken in this order: Peer Review problems and practical examination, and a written certification exam. Satisfactory performance on the Peer Review phase is required to advance to the certification exam. Satisfactory completion of both phases is required to earn the CFCE.
|
Cost per Exam
|
$750 for the entire examination process (non-refundable once an application is submitted)
|
URL
|
|
Self-study Materials
|
IACIS is the primary conduit for training and study materials for this certification. No books or practice tests are currently available for the CFCE, but Ed2Go offers an online preparation class.
|
GIAC Certified Forensic Analyst (GCFA)
SANS is the organization behind the Global Information Assurance Certification (GIAC) programs, and is a well-respected and highly regarded player in the information security field in general. SANS not only teaches and researches in this area, it also provides breaking news, operates a security alert service, and serves on all kinds of government, research, and academic information security task forces, working groups, and industry organizations.
The organization's forensics credentials include the intermediate-level GIAC Certified Forensic Analyst (GCFA) and the more senior GIAC Certified Forensic Examiner (GCFE). Neither credential requires taking SANS courses (which enjoy a strong reputation as among the best in the information security community, with high-powered instructors to match) but they are recommended to candidates, and often offered before, during, or after SANS conferences held around the USA at regular intervals.
Both GCFA and GCFE focus on computer forensics in the context of investigation and incident response, and thus also focus on the skills and knowledge need to collect and analyze data from Windows and Linux computer systems in the course of such activities. Candidates must possess the necessary skills, knowledge, and ability to conduct formal incident investigations and advanced incident handling, including dealing with internal and external data breaches, intrusions, and advanced persistent threats, understanding anti-forensic techniques, and building and documenting advanced digital forensic cases.
The SANS GIAC program encompasses more than 60 information security certifications across a broad range of topics and disciplines. IT professionals interested in information security in general, as well as computer forensics in particular, would be well advised to investigate further at the
GIAC home page.
Table 4: GIAC GCFA and GCFE
Certification name
|
GIAC Certified Forensic Analyst ( GCFA)
GIAC Certified Forensic Examiner ( GCFE)
|
Prerequisites/Required Courses
|
None.
Course FOR508: Advanced Computer Forensic Analysis and Incident Response is recommended for the GCFA
Course FOR408: Computer Forensic Investigations – Windows In-Depth is recommended for the GCFE
|
Number of Exams
|
1 exam for each credential (115 questions, 3 hours)
Passing score of 69% for GCFA Passing score of 71% for GCFE
|
Cost per Exam
|
$999 (or local currency equivalent) for challenge exam (no training). GCFA and GCFE certifications taken in conjunction with the SANS training class, which range from $5,000 to $5,500) are $579. Recertification attempts are $399.
|
URL
|
|
Self-study Materials
|
Study guides and practice exams are available for both GCFA and GCFE, through Amazon and other typical channels.
|
Professional Certified Investigator (PCI)
The parent organization for Professional Certified Investigator (PCI), the senior level computer investigations and forensics credential is known as ASIS International.
Founded in 1955, with more than 38,000 members world-wide, the former American Society for Industrial Security (now known simply as ASIS International) is one of the oldest and best-known information security bodies around. The PCI's primary focus is on investigations and includes coverage of case management, investigative techniques and procedures, along with case presentation.
The PCI exam devotes 29% of its coverage to case management (analyze for ethical conflicts, analyze and assess case elements and strategies, determine and develop strategy through review of procedural options, manage and implement necessary investigative resources), 50% to investigative techniques and procedures (electronic and physical surveillance, interviews and interrogations, collect and preserve objects and data, research by physical and electronic means, collect and report relevant information, use computers and digital media to gather information and evidence, and more), and 21% on case presentation (prepare report to substantiate investigative findings, and prepare and present testimony). This is the only credential in this article that really teaches people how to analyze and present information for expert reports and testimony.
For practiced or aspiring computer forensics professionals who wish to work on legal cases involving their expertise, especially if they wish to appear in depositions or at trial, the PCI is THE absolute credential to have. It makes sure holders are ready to withstand the rigors of the legal system, and present themselves and their evidence with best results in the courtroom.
Table 5: Professional Certified Investigator (PCI)
Certification Name
|
Professional Certified Investigator (PCI)
|
Prerequisites/Required Courses
|
Candidates must meet qualification requirements for PCI as well, which include:
- 5 years of investigation experience, with two or more years in case management
- High school diploma or GED equivalent
No course is required but the following training is available from ASIS:
- An online review course ($400 for members, $550 for non-members)
- A CD ($500 for members, $650 for non-members)
- A two-day classroom review ($725 for members, $925 for non-members; discounts apply for early sign-up)
|
Number of Exams
|
1 exam (125 multiple-choice questions, no info about duration)
|
Cost per Exam
|
Computer-based testing: $300 ($450 for non-members); $200 ($350 for non-members) for subsequent retesting
Pencil and paper testing: $200; $100 for subsequent retesting
|
URL
|
|
Self-study Materials
|
Professional Investigator's Manual, ISBN 978-1-934904-02-2 (hardcover $105 member, $175 non-member; softcover $64 member, $93 non-member)
|
Beyond the top 5 computer forensics certifications listed in this article, there are lots of other certification programs that can help to further the careers of IT professionals who work in computer forensics.
In particular, credentials from
Access Data (Access Data Certified Examiner:
ACE) and
EnCase(EnCase Certified Examiner:
EnCE) are worth pursuing for those who already use (or plan to use) the forensics toolsets and platforms available from those vendors. Access is well known for its FTK Forensic Toolkit, which enjoys considerable use in law enforcement and private research and consulting firms. The same goes for the EnCase Guidance software, which is also very widely used in the field as well.
And if you look around online, you'll find numerous other forensics hardware and software vendors that offer certifications and plenty of other organizations that didn't make the cut for the 2014 list of the best computer forensics certifications. But before you wander outside the items already mentioned in this article, you might want to research the sponsoring organization's history, the number of people who've earned its credentials, and determine whether or not the sponsor not only requires training but stands to profit from its purchase.
You might also want to discuss with a practicing computer forensics professional as a final check, to ask them if (a) they've heard of your other candidate and (b) if so, what they think of their offerings.
If you do your homework, you won't get burned. Certified computer forensics professionals are sure to remain in high demand for 2014 and beyond.