Best Digital Forensics Certifications

There is an appreciable number of available, high-quality certification programs that focus on digital investigations and forensics. However, there are also many certifications and programs in this area that are far less transparent, well documented and widely known.

There's been a steady demand for digital forensics certifications for several years, mainly due to the following:

  • Computer crime continues to escalate. As more cybercrimes get reported, more investigations and qualified investigators are needed. This is good news for law enforcement and private investigators who specialize in digital forensics.
  • There's a high demand for qualified digital forensics professionals because nearly every police department needs trained candidates with suitable credentials.
  • IT professionals interested in working for the federal government (either as full-time employees or private contractors) must meet certain minimum training standards in information security. Digital forensics qualifies as part of the mix needed to meet them, which further adds to the demand for certified digital forensics professionals.

As a result, the number of companies that offer digital forensics training and certifications continues to rise. Alas, many of these are "private label" credentials that are not well recognized. Making sense of all the options and finding the certification that's right for you may be trickier than it seems.

To help choose our top five certifications for 2018, we looked at several popular online job boards to determine the number of advertised positions that require these certifications. While the actual results vary from day to day (and job board to job board), this should give you an idea of the number of digital forensic jobs with specific certification requirements.

 

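| Certification | SimplyHired | Indeed | LinkedIn Jobs | Linkup | Total |
|---|---|---|---|---|---|
| **Vendor Neutral** | | | | | |
| CFCE (IACIS) | 65 | 69 | 64 | 44 | 242 |
| CHFI (EC-Council) | 86 | 107 | 100 | 49 | 342 |
| GCFA (SANS GIAC) | 239 | 285 | 201 | 165 | 890 |
| GCFE (SANS GIAC) | 191 | 213 | 175 | 122 | 701 |
| **Vendor Specific** | | | | | |
| ACE (AccessData) | 33 | 35 | 20 | 19 | 107 |
| EnCE (EnCase) | 115 | 132 | 147 | 97 | 491 |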

* We covered two GIAC credentials, which are presented together in the GIAC section. The AccessData Certified Examiner (ACE) and EC-Council Computer Hacking Forensic Investigator (CHFI) are new to the top five list for 2018, bumping the Certified Computer Examiner (CCE) from ISFCE and CyberSecurity Forensic Analyst (CSFA) by the CyberSecurity Institute, based in part on job board survey results.

It's a relatively lucrative space for practitioners. The average salary for intermediate-level digital forensic jobs in the U.S. ($71,562, according to SimplyHired) trails that of network engineers, system administrators and project managers. However, a senior specialist or forensic analyst can command more than $90,000, whether in private industry or working in government channels.

AccessData is the maker of the popular Forensic Toolkit (FTK) solution for digital investigations. The company also offers a variety of related products and services, such as AD Lab, AD eDiscovery, AD Enterprise, Risk Toolkit (RTK) and more.

The AccessData Certified Examiner (ACE) is worth pursuing for those who already use, or plan to use, FTK, which enjoys considerable use in law enforcement and private research and consulting firms. The certification requires one exam, which covers the FTK Imager, Registry Viewer, PRTK (Password Recovery Tool Kit) and FTK Examiner Application/Case Management Window tools in detail. AccessData recommends basic to moderate forensic knowledge before attempting the exam. This includes an understanding of digital artifacts, Registry files, encrypting/decrypting files, hashing, attack types, using live and index searching, and other topics. See the latest ACE Study Guide for details.

Recertification is required every two years. Credential holders must pass the current ACE exam, which focuses on the most current versions of FTK and other tools, to maintain their credential.

Certification Name

AccessData Certified Examiner (ACE)

Prerequisites & Required Courses

None; training recommended:

  • AccessData BootCamp (three-day classroom or live online)
  • Advanced FTK

Number of Exams

One exam (ACE 6); includes knowledge-based and practical portions

Registration required to receive a join code to access the testing portal

Cost per Exam

Free

URL

http://accessdata.com/training/computer-forensics-certification

Self-Study Materials

A link to the free ACE Study Guide is on the certification webpage. The testing portal includes study videos, lessons in PDF format and a practice test (with an image file).

 

The International Association of Computer Investigative Specialists (IACIS) is the organization behind the Certified Forensic Computer Examiner (CFCE) credential. This organization caters primarily to law enforcement personnel, and you must be employed in law enforcement to qualify for regular IACIS membership.

A formal application form, along with an application fee, is necessary to join IACIS. Regular membership includes current computer/digital forensic practitioners who are current or former government or law enforcement employees or forensic contractors to a government agency. All other practitioners can apply for Associate membership to IACIS, provided they can pass a background check. IACIS membership is not required to obtain the CFCE credential.

To obtain the CFCE credential, candidates must demonstrate proficiency with CFCE core competencies. One option is IACIS' Basic Computer Forensic Examiner (BCFE) two-week training course; it meets the 72-hour training requirement, costs $2,795, includes a free laptop and waives some IACIS fees. Candidates completing the training course can enroll directly in the CFCE program at the completion of the course. Those not attending the BCFE course may meet the 72-hour training requirement with a comparable course (subject to IACIS approval), pay a $750 registration fee, and successfully pass a background check to enroll in the CFCE program and sit for the exam.

The CFCE exam is a two-step testing process that includes a peer review and CFCE certification testing:

  1. The peer review consists of accepting and completing four assigned practical problems based on core knowledge and skills areas for the credential. These must be solved, and then presented to a mentor for initial evaluation (and assistance, where needed) before being presented for peer review. Candidates have 30 days to complete each of the practical problems.
     
  2. Upon successful conclusion of the peer review, candidates may progress to the certification phase:
    • Candidates work independently to analyze and report upon a forensic image of a hard drive provided to them. Candidates have 40 days to complete the hard drive practical problem. Following specific instructions, a written report is prepared to document the candidate's activities and findings.
       
    • Once that report is accepted and passed, the process concludes with a 100-question written examination (which includes true/false, multiple-choice, matching and short answer questions). Candidates have 14 days to complete the written examination. A passing score of 80 percent or better is required for both the forensic report and the written exam to earn the CFCE.

Upon completion of both the peer review and the certification phase, candidates must submit a notarized form certifying that the practical and written exams were completed independently without assistance from anyone else.

Certificants must recertify every three years to maintain the CFCE credential. Recertification requires proof of at least 60 hours of professional education, a passing score on a proficiency test in the third year, proof of computer/digital forensics work experience or passing scores on three proficiency tests within three years, and either three years of IACIS membership or payment of a $150 recertification fee.

Despite the time and expense involved in earning a CFCE, this credential enjoys high value and excellent name recognition in the computer forensics field. Many forensics professionals consider the CFCE to be a necessary merit badge to earn, especially for those who work in or for law enforcement.

Certification Name

Certified Forensic Computer Examiner (CFCE)

Prerequisites & Required Courses

Basic Computer Forensic Examiner (BCFE) training course is recommended ($2,795)
72 hours of training in computer/digital forensics comparable to CFCE core competencies; BCFE training course meets training requirement

Without BCFE training: take a comparable course, pay $750 registration fee and pass a background check

Number of Exams

Two-part process: Peer review (must pass to proceed to subsequent phase) and certification phase (includes hard drive practical and written examination)

Cost per Exam

Included in BCFE training; $750 for the entire testing process for those not attending BCFE training

URL

www.iacis.com/certifications/cfce

Self-Study Materials

IACIS is the primary conduit for training and study materials for this certification.

The EC-Council is a well-known training and certification organization that specializes in the areas of anti-hacking, digital forensics and penetration testing. The organization's Computer Hacking Forensic Investigator (CHFI) v9 certification emphasizes forensics tools, analytical techniques and procedures involved in obtaining, maintaining and presenting digital forensic evidence and data in a court of law.

EC-Council offers training for this credential but permits candidates to challenge the exam without taking the course, provided they possess a minimum of two years of information security experience and pay a non-refundable $100 eligibility application fee.

The CHFI course covers a wide range of topics and tools (see the Course Outline tab on the certification page). Topics include an overview of digital forensics, in-depth coverage of the computer forensics investigation process, working with digital evidence, anti-forensics, database and cloud forensics, investigating network traffic, and mobile and email forensics. Courseware is available, as well as instructor-led classroom training.

EC-Council also offers numerous other related certifications of potential value to readers interested in the CHFI. These include the Certified Ethical Hacker (CEH), EC-Council Certified Security Analyst (ECSA), Certified Network Defender (CND) and Licensed Penetration Tester (LPT). The EC-Council also offers credentials in related areas such as disaster recovery, encryption, security analysis and the like. Visit the EC-Council site for more information on these popular and respected credentials.

Certification Name

Computer Hacking Forensic Investigator (CHFI) v9

Prerequisites & Required Courses

None; training recommended but not required:

  • Live, online instructor-led training (includes courseware, labs, exam voucher and test prep program)
  • iLearn self-paced class (includes courseware, labs and exam voucher)
  • Self-study courseware
  • Mobile training

Training prices start at $600 (courseware) and increase to more than $2,000

Number of Exams

One exam: EC0 312-49 (150 questions, 4 hours, passing score 70 percent, multiple choice)

Available through the ECC exam portal

Cost per Exam

$500

URL

https://www.eccouncil.org/programs/computer-hacking-forensic-investigator-chfi/

Self-Study Materials

Visit the EC-Council Store and search for "CHFI" for preparation materials, including labs. Study guides and exam guides are available at Amazon, as are some practice exams.

Guidance Software, acquired by OpenText in 2017, is a leader in the forensics tools and services arena. Its well-known and highly used EnCase Forensic software helps professionals acquire data from many different types of devices, complete disk-level examinations and produce reports of findings. The company also sells software for remote investigations (EnCase Endpoint Investigator), eDiscovery, risk management, mobile investigations and endpoint security.

The company's certification program includes the Certified Forensic Security Responder (CFSR), EnCase Certified eDiscovery Practitioner (EnCEP) and the EnCase Certified Examiner (EnCE). Available to public and private sector professionals, the EnCE recognizes an individual's proficiency using EnCase Forensic software and mastery of computer investigation methodology, including evidence collection, preservation, file verification, file signatures and hashing, first responder activities and much more.

To achieve EnCE certification, candidates must show proof of a minimum of 64 hours of authorized computer forensic training or 12 months of qualified work experience, complete an application, and then successfully complete a two-phase exam that includes a written portion and a practical.

EnCE certifications are valid for three years from the date obtained. Recertification requires one of the following:

  • 32 credit hours of continuing education in computer forensics or incident response
  • A computer forensics or incident-response related certification
  • Attendance at an Enfuse conference (at least 10 sessions)

Certification Name

EnCase Certified Examiner (EnCE)

Prerequisites & Required Courses

Required:

  • 64 hours of authorized computer forensic training or 12 months of work experience in computer forensics
    • Training options through Guidance Software:
      • EnCE Prep Course (DF310), classroom, virtual classroom or on demand $2,195
      • EnCE Certification Bootcamp (aimed at new digital investigators) includes DF120 (Foundations in Digital Forensics), DF210 (Building an Investigation) and DF310; $5,085 for the bundle
  • Completion of the EnCE application

Number of Exams

One two-phase exam:

  • Phase I written exam (180 questions, two hours, minimum passing score is 80 percent), delivered via ExamBuilder
  • Phase II practical exam (18 questions, 60 days, minimum passing score is 85 percent)

Passing the Phase I exam earns an electronic license to complete the Phase II exam.

Cost per Exam

$200 total, or $300 international
$75 renewal fee

URL

https://www2.guidancesoftware.com/training/Pages/ence-certification-program.aspx

Self-Study Materials

Study materials provided in Guidance Software courses. Check Amazon for availability of current and practice exams.

SANS is the organization behind the Global Information Assurance Certification (GIAC) program, and is a well-respected and highly regarded player in the information security field in general. SANS not only teaches and researches in this area, it also provides breaking news, operates a security alert service and serves on all kinds of government, research and academic information security task forces, working groups and industry organizations.

The organization's incident response and forensics credentials include the following:

  • GIAC Certified Forensic Examiner (GCFE)
  • GIAC Certified Forensic Analyst (GCFA)
  • GIAC Reverse Engineering Malware (GREM)
  • GIAC Network Forensic Analyst (GNFA)
  • GIAC Advanced Smartphone Forensics (GASF)
  • GIAC Cyber Threat Intelligence (GCTI)

The intermediate-level GCFE and the more senior GCFA are the focus of this section. Neither credential requires taking SANS courses (which enjoy a strong reputation as among the best in the information security community, with high-powered instructors to match), but they are recommended to candidates, and often offered before, during or after SANS conferences held around the U.S. at regular intervals.

Both the GCFE and GCFA focus on computer forensics in the context of investigation and incident response, and thus also focus on the skills and knowledge needed to collect and analyze data from Windows and/or Linux computer systems during such activities. Candidates must possess the necessary skills, knowledge and ability to conduct formal incident investigations and advanced incident handling, including dealing with internal and external data breaches, intrusions and cyber threats, collecting and preserving evidence, understanding anti-forensic techniques, and building and documenting advanced digital forensic cases.

Most SANS GIAC credentials are valid for four years. Candidates may recertify for the GCFE and GCFA by earning 36 continuing professional experience (CPE) credits. In addition, credential holders must pay a certification maintenance fee of $429 every four years.

The SANS GIAC program encompasses more than 30 information security certifications across a broad range of topics and disciplines. IT professionals interested in information security in general, as well as digital forensics, would be well advised to investigate further at the GIAC home page.

Certification Name

GIAC Certified Forensic Examiner (GCFE)
GIAC Certified Forensic Analyst (GCFA)

Prerequisites & Required Courses

None
GCFE recommended course: FOR500: Windows Forensic Analysis, $5,910
GCFA recommended course: FOR508: Advanced Digital Forensics and Incident Response, $5,910

Number of Exams

One exam for each credential (115 questions, 3 hours, passing score of 71 percent)

Exams proctored by Pearson VUE. Registration with GIAC required to schedule an exam.

Cost per Exam

$729 if part of training/bootcamp

$1,699 (no training – referred to as a certification challenge)
Additional details available here.

URL

www.giac.org

Self-Study Materials

Practice tests available on the GIAC exam preparation page (two tests included in exam fee; additional practice tests are $149 each). Study guides and practice exams can be found on Amazon and other typical channels.

There are lots of other certification programs that can help to further the careers of IT professionals who work in digital forensics.

One certification that we've featured several years in a row, but that didn't make the top five list for 2018, is the CyberSecurity Institute's CyberSecurity Forensic Analyst (CSFA). The Institute provides digital forensic services aimed at law firms, businesses and individuals, and administers a small but well-respected certification program. The CSFA is designed for security professionals with at least two years of experience performing digital forensic analysis on computers and devices running the Windows operating system and creating investigative reports. Although the certification didn't generate as many job board hits as our other featured certifications, the CSFA is still worth your attention.

The same goes for the Certified Computer Examiner (CCE) from the International Society of Forensic Computer Examiners, also known as ISFCE. The CCE is well recognized in the industry and in the law enforcement community as a leading credential for digital forensics professionals, but it fell a little short on job board hits during our review this year.

Other good certifications include the Professional Certified Investigator (PCI), a senior-level, vendor-neutral computer investigations and forensics credential available through ASIS International. The organization also offers the Certified Protection Professional (CPP), which includes an investigation component, and the Physical Security Professional (PSP) in its certification program. Forensics candidates can also pursue one of the High Tech Crime Network vendor-neutral certifications — the Certified Computer Crime Investigator or Certified Computer Forensic Technician — both of which have a Basic and an Advanced credential.

And if you look around online, you'll find numerous other forensics hardware and software vendors that offer certifications and plenty of other organizations that didn't make the cut for the 2018 list of the best digital forensics certifications. But before you wander outside the items already mentioned in this article, you might want to research the sponsoring organization's history and the number of people who've earned its credentials, and then determine whether the sponsor not only requires training but stands to profit from its purchase.

You might also want to ask a practicing digital forensics professional if (a) they've heard of the certifications you found on your own and (b) if so, what that professional thinks of those offerings.