1. Get the Job
  2. Get Ahead
  3. Office Life
  4. Work-Life Balance
  5. Home Office
Product and service reviews are conducted independently by our editorial team, but we sometimes make money when you click on links. Learn more.
Build Your Career Get Ahead

Best Digital Forensics Certifications

Best Digital Forensics Certifications
Credit: Shutterstock/TrifonenkoIvan

There is an appreciable number of available, high-quality certification programs that focus on digital investigations and forensics. However, there are also many certifications and programs in this area that are far less transparent and widely known.

There's been a steady demand for digital forensics certifications for the past several years, mainly owing to the following:

  • Computer crime continues to escalate. As more cybercrimes are reported, more investigations and qualified investigators are needed. This is good news for law enforcement and private investigators who specialize in digital forensics.
  • There's high demand for qualified digital forensics professionals because nearly every police department needs trained candidates with suitable credentials.
  • IT professionals interested in working for the federal government (either as full-time employees or private contractors) must meet certain minimum training standards in information security. Digital forensics qualifies as part of the mix needed to meet them, which further adds to the demand for certified digital forensics professionals.

As a result, there is a continuing rise of companies that offer digital forensics training and certifications. Alas, many of these are "private label" credentials that are not well recognized. Making sense of all options and finding the right certification for you may be trickier than it seems.

To help choose our top five certifications for 2019, we looked at several popular online job boards to determine the number of advertised positions that require these certifications. While the actual results vary from day to day and by job board, this should give you an idea of the number of digital forensic jobs with specific certification requirements.

 

SimplyHired 

 Indeed 

 LinkedIn Jobs 

 LinkUp 

Total

Vendor neutral

CFCE (IACIS)

63

82

117

46

308

CHFI (EC-Council)

106

140

253

68

567

GCFA (SANS GIAC)

 422

489

857

294

2,062

GCFE (SANS GIAC)

 203

226

433

143

1,005

Vendor specific

ACE (AccessData)

25

29

31

12

97

EnCE (EnCase)

110

154

237

114

615

*We covered two GIAC credentials, presented together in a single GIAC section below.

Digital forensics is a relatively lucrative space for practitioners. The average salary for intermediate digital forensic jobs in the U.S. – $63,959, according to SimpyHired – trails that of network engineers, system administrators and project managers. However, a senior specialist or forensic analyst, whether working in the private industry or government channels, will often earn six figures in major metro areas. We found salaries on the high end running almost $107,000 for forensic analysts and more than $127,000 for digital forensic roles.

AccessData is the maker of the popular Forensic Toolkit (FTK) solution for digital investigations. The company also offers a variety of related products and services, such as AD Lab, AD eDiscovery, AD Enterprise and AD Triage.

The AccessData Certified Examiner (ACE) is worth pursuing for those who already use or plan to use FTK, which enjoys widespread use in law enforcement and private research and consulting firms. The certification requires one exam, which covers the FTK Imager, Registry Viewer, PRTK (Password Recovery Toolkit) and FTK Examiner Application/Case Management Window tools in detail. AccessData recommends basic to moderate forensic knowledge before attempting the exam. This includes an understanding of digital artifacts, Registry files, encrypting and decrypting files, hashing, attack types, using live and index searching, and other topics. See the latest ACE Study Guide for details.

Recertification is required every two years. Credential holders must pass the current ACE exam, which focuses on the most current versions of FTK and other tools, to maintain their credentials.

Certification name

AccessData Certified Examiner (ACE)

Prerequisites and required courses

None; training recommended:

AccessData FTK BootCamp (three-day classroom or live online)

FTK Intermediate courses

Number of exams

One exam (ACE 6); includes knowledge-based and practical portions

Registration required to receive a join code to access the testing portal

Cost per exam

$100 (exam fee includes retakes and recertification exams)

URL

http://accessdata.com/training/computer-forensics-certification

Self-study materials

There is a link to the free ACE Study Guide is on the certification webpage. The testing portal includes study videos, lessons in PDF and a practice test (with an image file).

 

The International Association of Computer Investigative Specialists (IACIS) is the organization behind the Certified Forensic Computer Examiner (CFCE) credential. This organization caters primarily to law enforcement personnel, and you must be employed in law enforcement to qualify for regular IACIS membership.

A formal application form, along with an application fee, is necessary to join IACIS. Regular membership includes current computer/digital forensic practitioners who are current or former government or law enforcement employees or forensic contractors to a government agency. All other practitioners can apply for Associate membership to IACIS, provided they can pass a background check. Membership fees and annual renewal fees are required. IACIS membership is not required to obtain the CFCE credential.

To obtain the CFCE credential, candidates must demonstrate proficiency with CFCE core competencies. One option is IACIS' Basic Computer Forensic Examiner (BCFE) two-week training course; it meets the 72-hour training requirement, costs $2,995, includes a free laptop and waives the IACIS membership fee for nonmembers. IACIS membership is required to attend the course. Candidates completing the training course can enroll directly in the CFCE program upon completion of the course. Those not attending the BCFE course may meet the 72-hour training requirement with a comparable course (subject to IACIS approval), pay a $750 registration fee, and successfully pass a background check to enroll in the CFCE program and sit for the exam.

The CFCE exam is a two-step testing process that includes a peer review and CFCE certification testing:

  1. The peer review consists of accepting and completing four assigned practical problems based on core knowledge and skills areas for the credential. These must be solved and then presented to a mentor for initial evaluation (and assistance, where needed) before being presented for peer review. Candidates have 30 days to complete each of the practical problems.
  2. Upon successful conclusion of the peer review, candidates automatically progress to the certification phase.
    • Candidates must begin work on a hard-drive practical problem within seven days of the completion of the peer review phase. Forty days are allotted to candidates to independently analyze and report upon a forensic image of a hard drive provided to them. Following specific instructions, a written report is prepared to document the candidate's activities and findings.
    • Once that report is accepted and passed, the process concludes with a 100-question written exam (which includes true/false, multiple-choice, matching and short-answer questions). Candidates have 14 days to complete the written examination. A passing score of 80 percent or better is required for both the forensic report and the written exam to earn the CFCE.

Upon completion of both the peer review and the certification phase, candidates must submit a notarized form certifying that the practical and written exams were completed independently without assistance from anyone else.

Certificants must recertify every three years to maintain the CFCE credential. Recertification requires proof of at least 40 hours of professional education, a passing score on a proficiency test in the third year, proof of computer/digital forensics work experience, or passing scores on three proficiency tests within three years, and either three years of IACIS membership or payment of a $150 recertification fee.

Despite the time and expense involved in earning a CFCE, this credential has high value and excellent name recognition in the computer forensics field. Many forensics professionals consider the CFCE a necessary merit badge to earn, especially for those who work in or for law enforcement.

Certification name

Certified Forensic Computer Examiner (CFCE)

Prerequisites and required courses

Basic Computer Forensics Examiner (BCFE) training course recommended ($2,995)

72 hours of training in computer/digital forensics comparable to CFCE core competencies; BCFE training course meets training requirement

Without BCFE training: take a comparable course, pay $750 registration fee and pass a background check

Number of exams

Two-part process: Peer review (must pass to proceed to subsequent phase) and certification phase (includes hard-drive practical and written examination)

Cost per exam

Included in BCFE training; $750 for the entire testing process for those not attending BCFE training

URL

https://www.iacis.com/certification-2/cfce/

Self-study materials

IACIS is the primary conduit for training and study materials for this certification.

The EC-Council is a well-known training and certification organization that specializes in the areas of anti-hacking, digital forensics and penetration testing. The organization's Computer Hacking Forensic Investigator (CHFI) certification emphasizes forensics tools, analytical techniques, and procedures involved in obtaining, maintaining, and presenting digital forensic evidence and data in a court of law.

The EC-Council offers training for this credential but permits candidates to challenge the exam without taking the course, provided they have a minimum of two years of information security experience and pay a non-refundable $100 eligibility application fee.

The CHFI course covers a wide range of topics and tools (click the exam Blueprint button on the certification webpage). Topics include an overview of digital forensics, in-depth coverage of the computer forensics investigation process, working with digital evidence, anti-forensics, database and cloud forensics, investigating network traffic, mobile and email forensics, and ethics, policies and regulations. Courseware is available, as well as instructor-led classroom training.

The EC-Council offers numerous other certifications of potential value to readers interested in the CHFI. These include the Certified Ethical Hacker (CEH), CEH (Practical), EC-Council Certified Security Analyst (ECSA), ECSA Practical, Certified Network Defender (CND) and Licensed Penetration Tester (LPT), Certified Application Security Engineer (CASE), and Certified Chief Information Security Officer (CCISO). It also offers credentials in related areas such as disaster recovery, encryption and security analysis. Visit the EC-Council site for more info on its popular and respected credentials.

Certification name

Computer Hacking Forensic Investigator (CHFI) v9

Prerequisites and required courses

 

Application with resume and current or previous employer info required.

Candidates must agree to the EC-Council Non-Disclosure, Candidate Application and Candidate Certification agreement terms.

Training recommended but not required:

  • Live, online instructor-led training (includes courseware, six months of iLabs access, exam voucher and test prep program; contact EC-Council directly for pricing)
  • iLearn self-paced class (includes one year of access to instructor-led training videos, courseware, six months of lab access and exam voucher; $1,899)
  • Self-study courseware ($677)
  • Mobile training (contact EC-Council for pricing information)

To challenge the exam without training, you must have two years of information security work experience and/or education to reflect specialization, pay a non-refundable application fee of $100, and complete the Exam Eligibility Application Form.

More information on the application process is located on the Application Eligibility Process webpage. 

Number of exams

One exam: EC0 312-49 (150 questions, four hours, passing score 70 percent, multiple choice). Available through the ECC exam portal.

Cost per exam

$500 (plus $100 application fee; candidates who do not participate in training must pay a $650 exam fee plus $100 application fee)

URL

https://www.eccouncil.org/programs/computer-hacking-forensic-investigator-chfi/

Self-study materials

Visit the EC-Council Store and search for "CHFI" for preparation materials, including labs. Study guide and exam guides are available on Amazon, as well as some practice exams.

Guidance Software, acquired by OpenText in 2017, is a leader in the forensics tools and services arena. Its well-known and widely used EnCase Forensic software helps professionals acquire data from many different types of devices, complete disk-level examinations and produce reports of their findings. The company also sells software for remote investigations (EnCase Endpoint Investigator), eDiscovery, risk management, mobile investigations and endpoint security.

The company's certification program includes the Certified Forensic Security Responder (CFSR), EnCase Certified eDiscovery Practitioner (EnCEP) and EnCase Certified Examiner (EnCe). Available to professionals in the public and private sector, the EnCE recognizes an individual's proficiency using EnCase Forensic software and mastery of computer investigation methodology, including evidence collection, preservation, file verification, file signatures and hashing, first responder activities, and much more.

To achieve EnCe certification, candidates must show proof of a minimum of 64 hours of authorized computer forensic training or 12 months of qualified work experience, complete an application, and then successfully complete a two-phase exam that includes a written and practical portion.

EnCE certifications are valid for three years from the date obtained. Recertification requires one of the following:

  • 32 credit hours of continuing education in computer forensics or incident response
  • A computer forensics or incident response-related certification
  • Attendance at an Enfuse conference (at least 10 sessions)

Certification name

EnCase Certified Examiner (EnCe)

Prerequisites and required courses

Required: 64 hours of authorized computer forensic training or 12 months of work experience in computer forensics

Training options through Guidance Software:

  • EnCE Prep Course (DF310), classroom, virtual classroom or on demand ($2,195)
  • EnCE Certification Bootcamp (aimed at new digital investigators) – includes DF120 (Foundations in Digital Forensics), DF210 (Building an Investigation) and DF310 ($5,085 for the bundle)

Completion of the EnCE application

Number of exams

One two-phase exam:

  • Phase I written exam (180 questions, two hours, minimum passing score 80 percent), delivered via ExamBuilder
  • Phase II practical exam (18 questions, 60 days, minimum passing score 85 percent)

Passing the Phase I exam earns an electronic license to complete the Phase II exam.

Cost per exam

$200 total, or $300 international
$75 renewal fee

URL

https://www2.guidancesoftware.com/training/Pages/ence-certification-program.aspx

Self-study materials

Study materials provided in Guidance Software courses. Check Amazon for availability of current and practice exams.

Learning On Demand subscription provides access to 400 courses across the OpenText Learning Services platform.  

SANS is the organization behind the Global Information Assurance Certification (GIAC) program. It is a well-respected and highly regarded player in the information security field in general. SANS not only teaches and researches in this area, it also provides breaking news, operates a security alert service, and serves on all kinds of government, research and academic information security task forces, working groups, and industry organizations.

The organization's incident response and forensics credentials include the following:

  • GIAC Certified Forensic Examiner (GCFE)
  • GIAC Certified Forensic Analyst (GCFA)
  • GIAC Reverse Engineering Malware (GREM)
  • GIAC Network Forensic Analyst (GNFA)
  • GIAC Advanced Smartphone Forensics (GASF)
  • GIAC Cyber Threat Intelligence (GCTI)

The intermediate GCFE and the more senior GCFA are the focus of this section. Neither credential requires taking SANS courses (which have a strong reputation for being among the best in the cybersecurity community, with high-powered instructors to match), but they are recommended to candidates and often offered before, during or after SANS conferences held around the U.S. at regular intervals.

Both the GCFE and GCFA focus on computer forensics in the context of investigation and incident response, and thus also focus on the skills and knowledge needed to collect and analyze data from Windows and/or Linux computer systems during such activities. Candidates must possess the necessary skills, knowledge, and ability to conduct formal incident investigations and advanced incident handling, including dealing with internal and external data breaches, intrusions, and cyberthreats; collecting and preserving evidence; understanding anti-forensic techniques; and building and documenting advanced digital forensic cases.

Most SANS GIAC credentials are valid for four years. Candidates may recertify for the GCFE and GCFA by earning 36 continuing professional experience (CPE) credits. In addition, credential holders must pay a certification maintenance fee of $429 every four years.

The SANS GIAC program encompasses more than 36 information security certifications across a broad range of topics and disciplines. IT professionals interested in information security in general, as well as digital forensics, would be well advised to investigate further on the GIAC homepage.

Certification name

GIAC Certified Forensic Examiner (GCFE)
GIAC Certified Forensic Analyst (GCFA)

Prerequisites and required courses

None

GCFE recommended course: FOR500: Windows Forensic Analysis ($6,210)

GCFA recommended course: FOR508: Advanced Digital Forensics, Incident Response, and Threat Hunting ($6,210)

Number of exams

One exam for each credential (115 questions, three hours, passing score of 71 percent)

Exams proctored by Pearson VUE. Registration with GIAC required to schedule an exam.

Cost per exam

$769 if part of training/bootcamp

$1,899 (no training – referred to as a certification challenge)

Additional details available here.

URL

www.giac.org

Self-study materials

Practice tests available on the GIAC exam preparation page (two tests included in exam fee; additional practice tests are $159 each). Study guides and practice exams can be found on Amazon and other typical channels.

There are lots of other certification programs that can help to further the careers of IT professionals who work in digital forensics.

One certification we've featured in the past is the CyberSecurity Institute's CyberSecurity Forensic Analyst (CSFA). The CyberSecurity Institute provides digital forensic services aimed at law firms, businesses and individuals, and administers a small but well-respected certification program. The CSFA is designed for security professionals with at least two years of experience performing digital forensic analysis on computers and devices running the Windows operating system and creating investigative reports. Although the certification didn't generate as many job board hits as our other featured certifications, the CSFA is still worth your attention.

The same goes for the Certified Computer Examiner (CCE) from the International Society of Forensic Computer Examiners, also known as ISFCE. The CCE is well recognized in the industry and in the law enforcement community as a leading credential for digital forensics professionals, but it fell a little short on job board hits during our review this year.

Other good certifications include the Professional Certified Investigator (PCI), a senior-level, vendor-neutral computer investigations and forensics credential available through ASIS International. The organization also offers the Certified Protection Professional (CPP), which includes an investigation component, and the Physical Security Professional (PSP) in its certification program. Forensics candidates can also pursue one of the High Tech Crime Network vendor-neutral certifications – the Certified Computer Crime Investigator or Certified Computer Forensic Technician, both of which have a Basic and an Advanced credential.

If you look around online, you'll find numerous other forensics hardware and software vendors that offer certifications and plenty of other organizations that didn't make the cut for the 2019 list of the best digital forensics certifications. But before you wander outside the items mentioned in this article, you might want to research the sponsoring organization's history and the number of people who've earned its credentials, and then determine whether the sponsor not only requires training but stands to profit from its purchase.

You might also want to ask a practicing digital forensics professional if they've heard of the certifications you found on your own and, if so, what that professional thinks of those offerings.