There is an appreciable number of available, high-quality certification programs that focus on digital investigations and forensics. However, there are also many certifications and programs in this area that are far less transparent and widely known.
There’s been a steady demand for digital forensics certifications for the past several years, mainly owing to the following:
- Computer crime continues to escalate. As more cybercrimes are reported, more investigations and qualified investigators are needed. This is good news for law enforcement and private investigators who specialize in digital forensics.
- There’s high demand for qualified digital forensics professionals because nearly every police department needs trained candidates with suitable credentials.
- IT professionals interested in working for the federal government (either as full-time employees or private contractors) must meet certain minimum training standards in information security. Digital forensics qualifies as part of the mix needed to meet them, which further adds to the demand for certified digital forensics professionals.
As a result, there is a continuing rise of companies that offer digital forensics training and certifications. Alas, many of these are “private label” credentials that are not well recognized. Making sense of all options and finding the right certification for you may be trickier than it seems.
To help choose our top five certifications for 2019, we looked at several popular online job boards to determine the number of advertised positions that require these certifications. While the actual results vary from day to day and by job board, this should give you an idea of the number of digital forensic jobs with specific certification requirements.
Job board search results (in alphabetical order, by certification)*
| Certification | SimplyHired | Indeed | LinkedIn Jobs | LinkUp | Total |
|---|---|---|---|---|---|
| Vendor neutral | |||||
| CFCE (IACIS) | 63 | 82 | 117 | 46 | 308 |
| CHFI (EC-Council) | 106 | 140 | 253 | 68 | 567 |
| GCFA (SANS GIAC) | 422 | 489 | 857 | 294 | 2,062 |
| GCFE (SANS GIAC) | 203 | 226 | 433 | 143 | 1,005 |
| Vendor specific | |||||
| ACE (AccessData) | 25 | 29 | 31 | 12 | 97 |
| EnCE (EnCase) | 110 | 154 | 237 | 114 | 615 |
*We covered two GIAC credentials, presented together in a single GIAC section below.
Digital forensics is a relatively lucrative space for practitioners. The average salary for intermediate digital forensic jobs in the U.S. – $63,959, according to SimpyHired – trails that of network engineers, system administrators and project managers. However, a senior specialist or forensic analyst, whether working in the private industry or government channels, will often earn six figures in major metro areas. We found salaries on the high end running almost $107,000 for forensic analysts and more than $127,000 for digital forensic roles.
ACE: AccessData Certified Examiner
AccessData is the maker of the popular Forensic Toolkit (FTK) solution for digital investigations. The company also offers a variety of related products and services, such as AD Lab, AD eDiscovery, AD Enterprise and AD Triage.
The AccessData Certified Examiner (ACE) is worth pursuing for those who already use or plan to use FTK, which enjoys widespread use in law enforcement and private research and consulting firms. The certification requires one exam, which covers the FTK Imager, Registry Viewer, PRTK (Password Recovery Toolkit) and FTK Examiner Application/Case Management Window tools in detail. AccessData recommends basic to moderate forensic knowledge before attempting the exam. This includes an understanding of digital artifacts, Registry files, encrypting and decrypting files, hashing, attack types, using live and index searching, and other topics. See the latest ACE Study Guide for details.
Recertification is required every two years. Credential holders must pass the current ACE exam, which focuses on the most current versions of FTK and other tools, to maintain their credentials.
ACE facts and figures
| Certification name | AccessData Certified Examiner (ACE) |
|---|---|
| Prerequisites and required courses | None; training recommended:
AccessData FTK BootCamp (three-day classroom or live online) FTK Intermediate courses |
| Number of exams | One exam (ACE 6); includes knowledge-based and practical portions
Registration required to receive a join code to access the testing portal |
| Cost per exam | $100 (exam fee includes retakes and recertification exams) |
| URL | http://accessdata.com/training/computer-forensics-certification |
| Self-study materials | There is a link to the free ACE Study Guide is on the certification webpage. The testing portal includes study videos, lessons in PDF and a practice test (with an image file). |
CFCE: Certified Forensic Computer Examiner
The International Association of Computer Investigative Specialists (IACIS) is the organization behind the Certified Forensic Computer Examiner (CFCE) credential. This organization caters primarily to law enforcement personnel, and you must be employed in law enforcement to qualify for regular IACIS membership.
A formal application form, along with an application fee, is necessary to join IACIS. Regular membership includes current computer/digital forensic practitioners who are current or former government or law enforcement employees or forensic contractors to a government agency. All other practitioners can apply for Associate membership to IACIS, provided they can pass a background check. Membership fees and annual renewal fees are required. IACIS membership is not required to obtain the CFCE credential.
To obtain the CFCE credential, candidates must demonstrate proficiency with CFCE core competencies. One option is IACIS’ Basic Computer Forensic Examiner (BCFE) two-week training course; it meets the 72-hour training requirement, costs $2,995, includes a free laptop and waives the IACIS membership fee for nonmembers. IACIS membership is required to attend the course. Candidates completing the training course can enroll directly in the CFCE program upon completion of the course. Those not attending the BCFE course may meet the 72-hour training requirement with a comparable course (subject to IACIS approval), pay a $750 registration fee, and successfully pass a background check to enroll in the CFCE program and sit for the exam.
The CFCE exam is a two-step testing process that includes a peer review and CFCE certification testing:
- The peer review consists of accepting and completing four assigned practical problems based on core knowledge and skills areas for the credential. These must be solved and then presented to a mentor for initial evaluation (and assistance, where needed) before being presented for peer review. Candidates have 30 days to complete each of the practical problems.
- Upon successful conclusion of the peer review, candidates automatically progress to the certification phase.
- Candidates must begin work on a hard-drive practical problem within seven days of the completion of the peer review phase. Forty days are allotted to candidates to independently analyze and report upon a forensic image of a hard drive provided to them. Following specific instructions, a written report is prepared to document the candidate’s activities and findings.
- Once that report is accepted and passed, the process concludes with a 100-question written exam (which includes true/false, multiple-choice, matching and short-answer questions). Candidates have 14 days to complete the written examination. A passing score of 80 percent or better is required for both the forensic report and the written exam to earn the CFCE.
Upon completion of both the peer review and the certification phase, candidates must submit a notarized form certifying that the practical and written exams were completed independently without assistance from anyone else.
Certificants must recertify every three years to maintain the CFCE credential. Recertification requires proof of at least 40 hours of professional education, a passing score on a proficiency test in the third year, proof of computer/digital forensics work experience, or passing scores on three proficiency tests within three years, and either three years of IACIS membership or payment of a $150 recertification fee.
Despite the time and expense involved in earning a CFCE, this credential has high value and excellent name recognition in the computer forensics field. Many forensics professionals consider the CFCE a necessary merit badge to earn, especially for those who work in or for law enforcement.
CFCE facts and figures
| Certification name | Certified Forensic Computer Examiner (CFCE) |
|---|---|
| Prerequisites and required courses | Basic Computer Forensics Examiner (BCFE) training course recommended ($2,995)
72 hours of training in computer/digital forensics comparable to CFCE core competencies; BCFE training course meets training requirement Without BCFE training: take a comparable course, pay $750 registration fee and pass a background check |
| Number of exams | Two-part process: Peer review (must pass to proceed to subsequent phase) and certification phase (includes hard-drive practical and written examination) |
| Cost per exam | Included in BCFE training; $750 for the entire testing process for those not attending BCFE training |
| URL | https://www.iacis.com/certification-2/cfce/ |
| Self-study materials | IACIS is the primary conduit for training and study materials for this certification. |
CHFI: Computer Hacking Forensic Investigator
The EC-Council is a well-known training and certification organization that specializes in the areas of anti-hacking, digital forensics and penetration testing. The organization’s Computer Hacking Forensic Investigator (CHFI) certification emphasizes forensics tools, analytical techniques, and procedures involved in obtaining, maintaining, and presenting digital forensic evidence and data in a court of law.
The EC-Council offers training for this credential but permits candidates to challenge the exam without taking the course, provided they have a minimum of two years of information security experience and pay a non-refundable $100 eligibility application fee.
The CHFI course covers a wide range of topics and tools (click the exam Blueprint button on the certification webpage). Topics include an overview of digital forensics, in-depth coverage of the computer forensics investigation process, working with digital evidence, anti-forensics, database and cloud forensics, investigating network traffic, mobile and email forensics, and ethics, policies and regulations. Courseware is available, as well as instructor-led classroom training.
The EC-Council offers numerous other certifications of potential value to readers interested in the CHFI. These include the Certified Ethical Hacker (CEH), CEH (Practical), EC-Council Certified Security Analyst (ECSA), ECSA Practical, Certified Network Defender (CND) and Licensed Penetration Tester (LPT), Certified Application Security Engineer (CASE), and Certified Chief Information Security Officer (CCISO). It also offers credentials in related areas such as disaster recovery, encryption and security analysis. Visit the EC-Council site for more info on its popular and respected credentials.
CHFI facts and figures
| Certification name | Computer Hacking Forensic Investigator (CHFI) v9 |
|---|---|
| Prerequisites and required courses | Application with resume and current or previous employer info required.
Candidates must agree to the EC-Council Non-Disclosure, Candidate Application and Candidate Certification agreement terms. Training recommended but not required:
To challenge the exam without training, you must have two years of information security work experience and/or education to reflect specialization, pay a non-refundable application fee of $100, and complete the Exam Eligibility Application Form. More information on the application process is located on the Application Eligibility Process webpage. |
| Number of exams | One exam: EC0 312-49 (150 questions, four hours, passing score 70 percent, multiple choice). Available through the ECC exam portal. |
| Cost per exam | $500 (plus $100 application fee; candidates who do not participate in training must pay a $650 exam fee plus $100 application fee) |
| URL | https://www.eccouncil.org/programs/computer-hacking-forensic-investigator-chfi/ |
| Self-study materials | Visit the EC-Council Store and search for “CHFI” for preparation materials, including labs. Study guide and exam guides are available on Amazon, as well as some practice exams. |
EnCe: EnCase Certified Examiner
Guidance Software, acquired by OpenText in 2017, is a leader in the forensics tools and services arena. Its well-known and widely used EnCase Forensic software helps professionals acquire data from many different types of devices, complete disk-level examinations and produce reports of their findings. The company also sells software for remote investigations (EnCase Endpoint Investigator), eDiscovery, risk management, mobile investigations and endpoint security.
The company’s certification program includes the Certified Forensic Security Responder (CFSR), EnCase Certified eDiscovery Practitioner (EnCEP) and EnCase Certified Examiner (EnCe). Available to professionals in the public and private sector, the EnCE recognizes an individual’s proficiency using EnCase Forensic software and mastery of computer investigation methodology, including evidence collection, preservation, file verification, file signatures and hashing, first responder activities, and much more.
To achieve EnCe certification, candidates must show proof of a minimum of 64 hours of authorized computer forensic training or 12 months of qualified work experience, complete an application, and then successfully complete a two-phase exam that includes a written and practical portion.
EnCE certifications are valid for three years from the date obtained. Recertification requires one of the following:
- 32 credit hours of continuing education in computer forensics or incident response
- A computer forensics or incident response-related certification
- Attendance at an Enfuse conference (at least 10 sessions)
EnCE facts and figures
| Certification name | EnCase Certified Examiner (EnCe) |
|---|---|
| Prerequisites and required courses | Required: 64 hours of authorized computer forensic training or 12 months of work experience in computer forensics
Training options through Guidance Software:
Completion of the EnCE application |
| Number of exams | One two-phase exam:
Passing the Phase I exam earns an electronic license to complete the Phase II exam. |
| Cost per exam | $200 total, or $300 international
$75 renewal fee |
| URL | https://www2.guidancesoftware.com/training/Pages/ence-certification-program.aspx |
| Self-study materials | Study materials provided in Guidance Software courses. Check Amazon for availability of current and practice exams.
Learning On Demand subscription provides access to 400 courses across the OpenText Learning Services platform. |
GCFA And GCFE Certifications
SANS is the organization behind the Global Information Assurance Certification (GIAC) program. It is a well-respected and highly regarded player in the information security field in general. SANS not only teaches and researches in this area, it also provides breaking news, operates a security alert service, and serves on all kinds of government, research and academic information security task forces, working groups, and industry organizations.
The organization’s incident response and forensics credentials include the following:
- GIAC Certified Forensic Examiner (GCFE)
- GIAC Certified Forensic Analyst (GCFA)
- GIAC Reverse Engineering Malware (GREM)
- GIAC Network Forensic Analyst (GNFA)
- GIAC Advanced Smartphone Forensics (GASF)
- GIAC Cyber Threat Intelligence (GCTI)
The intermediate GCFE and the more senior GCFA are the focus of this section. Neither credential requires taking SANS courses (which have a strong reputation for being among the best in the cybersecurity community, with high-powered instructors to match), but they are recommended to candidates and often offered before, during or after SANS conferences held around the U.S. at regular intervals.
Both the GCFE and GCFA focus on computer forensics in the context of investigation and incident response, and thus also focus on the skills and knowledge needed to collect and analyze data from Windows and/or Linux computer systems during such activities. Candidates must possess the necessary skills, knowledge, and ability to conduct formal incident investigations and advanced incident handling, including dealing with internal and external data breaches, intrusions, and cyberthreats; collecting and preserving evidence; understanding anti-forensic techniques; and building and documenting advanced digital forensic cases.
Most SANS GIAC credentials are valid for four years. Candidates may recertify for the GCFE and GCFA by earning 36 continuing professional experience (CPE) credits. In addition, credential holders must pay a certification maintenance fee of $429 every four years.
The SANS GIAC program encompasses more than 36 information security certifications across a broad range of topics and disciplines. IT professionals interested in information security in general, as well as digital forensics, would be well advised to investigate further on the GIAC homepage.
GCFE and GCFA facts and figures
| Certification name | GIAC Certified Forensic Examiner (GCFE)
GIAC Certified Forensic Analyst (GCFA) |
|---|---|
| Prerequisites and required courses | None
GCFE recommended course: FOR500: Windows Forensic Analysis ($6,210) GCFA recommended course: FOR508: Advanced Digital Forensics, Incident Response, and Threat Hunting ($6,210) |
| Number of exams | One exam for each credential (115 questions, three hours, passing score of 71 percent)
Exams proctored by Pearson VUE. Registration with GIAC required to schedule an exam. |
| Cost per exam | $769 if part of training/bootcamp
$1,899 (no training – referred to as a certification challenge) Additional details available here. |
| URL | www.giac.org |
| Self-study materials | Practice tests available on the GIAC exam preparation page (two tests included in exam fee; additional practice tests are $159 each). Study guides and practice exams can be found on Amazon and other typical channels. |
Beyond the top 5: More digital forensics certifications
There are lots of other certification programs that can help to further the careers of IT professionals who work in digital forensics.
One certification we’ve featured in the past is the CyberSecurity Institute’s CyberSecurity Forensic Analyst (CSFA). The CyberSecurity Institute provides digital forensic services aimed at law firms, businesses and individuals, and administers a small but well-respected certification program. The CSFA is designed for security professionals with at least two years of experience performing digital forensic analysis on computers and devices running the Windows operating system and creating investigative reports. Although the certification didn’t generate as many job board hits as our other featured certifications, the CSFA is still worth your attention.
The same goes for the Certified Computer Examiner (CCE) from the International Society of Forensic Computer Examiners, also known as ISFCE. The CCE is well recognized in the industry and in the law enforcement community as a leading credential for digital forensics professionals, but it fell a little short on job board hits during our review this year.
Other good certifications include the Professional Certified Investigator (PCI), a senior-level, vendor-neutral computer investigations and forensics credential available through ASIS International. The organization also offers the Certified Protection Professional (CPP), which includes an investigation component, and the Physical Security Professional (PSP) in its certification program. Forensics candidates can also pursue one of the High Tech Crime Network vendor-neutral certifications – the Certified Computer Crime Investigator or Certified Computer Forensic Technician, both of which have a Basic and an Advanced credential.
If you look around online, you’ll find numerous other forensics hardware and software vendors that offer certifications and plenty of other organizations that didn’t make the cut for the 2019 list of the best digital forensics certifications. But before you wander outside the items mentioned in this article, you might want to research the sponsoring organization’s history and the number of people who’ve earned its credentials, and then determine whether the sponsor not only requires training but stands to profit from its purchase.
You might also want to ask a practicing digital forensics professional if they’ve heard of the certifications you found on your own and, if so, what that professional thinks of those offerings.