Digital forensics

The Certified Computer Forensics Examiner (CCFE)

Hashim Shaikh
October 31, 2017 by
Hashim Shaikh

Do You Need Computer Forensics Certification?

If you are keen being part of a criminal examination group or working with organizations to examine and recoup digital evidence, your first move will likely be to get your computer forensics certification. You should have a solid foundation in software engineering or information technology to succeed in this profession. Many classes required for different types of computer forensics certifications require you to manipulate different operating systems and learn how different programs and software applications work. Certified Computer Forensics Examiner is one such certification.

The Certified Computer Forensics Examiner, as the name specifies, is for candidates who have knowledge of computer forensics concepts.

Learn Digital Forensics

Learn Digital Forensics

Build your skills with hands-on forensics training for computers, mobile devices, networks and more.

Tested domains girdle "Hard skills," computer forensics as well as "soft skills," relevant legal issues.

All candidates must pass online and practical exam to achieve certified status.

CCFE Core Competencies

  • Procedures and Legal Issues
  • Computer Fundamentals
  • Partitioning Schemes
  • Data Recovery
  • Windows File Systems
  • Windows Artifacts
  • Report writing (Presentation of Finding)
  • Procedures and Legal issues
  1. Knowledge of search and subjection and rules for evidence as applicable to computer forensics.
  2. Ability to explain the on-scene action taken for evidence preservation.
  3. Ability to maintain and document an environment consolidating the computer forensics.
  • Computer Fundamentals
  1. Understand BIOS
  2. Computer hardware
  3. Understanding of numbering system (Binary, hexadecimal, bits, bytes).
  4. Knowledge of sectors, clusters, files.
  5. Understanding of logical and physical files.
  6. Understanding of logical and physical drives.
  • Partitioning schemes
  1. Identification of current partitioning schemes.
  2. Understanding of primary and extended partition.
  3. Knowledge of partitioning schemes and structures and system used by it.
  4. Knowledge of GUID and its application.
  • Windows file system
  1. Understanding of concepts of files.
  2. Understanding of FAT tables, root directory, subdirectory along with how they store data.
  3. Identification, examination, analyzation of NTFS master file table.
  4. Understanding of $MFT structure and how they store data.
  5. Understanding of Standard information, Filename, and data attributes.
  • Data Recovery
  1. Ability to validate forensic hardware, software, examination procedures.
  2. Email headers understanding.
  3. Ability to generate and validate forensically sterile media.
  4. Ability to generate and validate a forensic image of media.
  5. Understand hashing and hash sets.
  6. Understand file headers.
  7. Ability to extract file metadata from common file types.
  8. Understanding of file fragmentation.
  9. Ability to extract component files from compound files.
  10. Knowledge of encrypted files and strategies for recovery.
  11. Knowledge of Internet browser artifacts.
  12. Knowledge of search strategies for examining electronic
  • Windows Artifacts
  1. Understanding the purpose and structure of component files that create the windows registry.
  2. Identify and capability to extract the relevant data from the dead registry.
  3. Understand the importance of restore points and volume shadow copy services.
  4. Knowledge of the locations of common Windows artifacts.
  5. Ability to analyze recycle bin.
  6. Ability to analyze link files.
  7. Analyzing of logs
  8. Extract and view windows logs
  9. Ability to locate, mount and examine VHD files.
  10. Understand the Windows swap and hibernation files.
  • Report Writing (Presentation of findings)
  1. Ability to conclude things strongly based on examination observations.
  2. Able to report findings using industry standard technically accurate terminologies.
  3. Ability to explain the complex things in simple and easy terms so that non-technical people can understand clearly.
  4. Be able to consider legal boundaries when undertaking a forensic examination

Format of Exam

The exam consists of two parts:

  • Traditional multiple choice, true/false, and multiple-choice answer examination.
    1. Set of 50 Questions to be completed in 2 hrs. duration, those who clear this are then given access to the practical examination files.
  • Take home practical exam.
    1. Files are case files from a mock computer forensics case which includes the whole scenario description.
    2. The candidate needs to perform the forensics examination and submit a report which is used as evidence in a court of law.
  • Time duration: 60 days.

It is possible. You can definitely pass it.

Practical Exam

Intake home practical exam, you may have to perform the following to complete the task:

  • Gather OS details, version, etc.
  • Identify system owner or any aliases used
  • Identify who last logged in.
  • List networks, IP address, MAC address
  • Identify whether the computer was used for hacking activity or was a victim of hacking.
  • Capture communication of the user on different portals such as IRC, social media, etc.
  • Determine whether malware has been installed on the system.
  • A complete list with proper explanation considering scenario can be found on the URL http://hetzellconsulting.com/CCFE%20Certification%20Practical%20Exam.pdf

Study Material or References

Cost of CCFE

To obtain CCFE certificate, you have to purchase the CFE exam application along with documentation which is necessary to take the CFE examination.

The CFE examination application fee is $499 per exam, and the on-site proctored exams are $399 per voucher

CCFE Job Outlook and Salary Info

  1. Those who are employed in the field may work with law enforcement or with private firms.
  2. Part of the computer forensics job description could be to testify in court and to relate the evidence found during investigations.
  3. Those who are into this will work with members of attorneys, law enforcement to see how the evidence fits together in the case.
  4. According to BLS in 2012 median salary for CFE was around $75,660 those in highest 10 % earns $ 119,940 annually.

Benefits

A most important piece of information security puzzle is skilled professionals. There is need today for people who know beyond the book knowledge. So here comes the role of certification which is a valuable method of differentiating skill levels of information assurance professionals.

  • Strong technical background capability is developed.
  • Hands on experience with live assessment.
  • Digital forensics expert personal circuit is created.
  • Well reputed among industry professional.

Training Course and Resources

To receive best and practical training for CCFE certification is through Infosec Institute. Infosec Institute facilitate Training centers, on-demand, and On-site training. You can connect with Infosec Institute through email-exams@infosecinstitute.com or Call at 1-708-689-0550.

Many computer forensics training programs can be completed entirely online and can prepare you for a degree or advanced training in the field. For example, check out InfoSec Institute's accredited computer forensics training. You will need to complete both college level training in computer forensics and a certification program to secure an attractive position in this field. Most employers only hire computer forensic specialists who have at least a bachelor's degree and at least one certificate in computer forensics.

References:

https://www.acfe.com/become-cfe-qualifications.aspx

https://www.infosecinstitute.com/courses/computer-forensics-boot-camp/?utm_source=resources&utm_medium=infosec%20network&utm_campaign=course%20pricing&utm_content=hyperlink

Learn Digital Forensics

Learn Digital Forensics

Build your skills with hands-on forensics training for computers, mobile devices, networks and more.

http://www.forensicscolleges.com/programs/computer-forensics/ccfe-certified-computer-forensics-examiner

Hashim Shaikh
Hashim Shaikh

Hashim Shaikh currently works with Aujas Networks. Possessing a both OSCP and CEH, he likes exploring Kali Linux. Interests include offensive security, exploitation, privilege escalation and learning new things. His blog can be found here: http://justpentest.blogspot.in and his LinkedIn Profile here: https://in.linkedin.com/in/hashim-shaikh-oscp-45b90a48