It has been a run of fact-filled, learning-filled and fun-filled weeks as I've been trying to get a handle on the art of cyber forensics. And as the idiom goes: all's well that ends well. I have reached a milestone in my learning of, and jousting with, computer and network forensics by attaining the Computer Hacking Forensic Investigator (CHFI) certification. After CEH, this is my second EC-Council certification (almost 4 years after I achieved CEH).
So, why forensics, or study and certification related to digital/cyber investigation? I decided to change gears the forensics way because it is one of the least understood and least discussed streams of cyber security. Certifications and on-the-job experience do not normally involve doing forensics, or understanding and deploying your inner Sherlock Holmes. This side of cyber security is often unseen, unheard and blindsided in the wake of daily operations and business as usual. And that is what caught my attention: the things that allure the most are often not very well understood or discussed amongst security professionals.
It's been a lot of learning and head scratching (well, sometimes almost banging my head against the wall over some rather intricate topics), playing around with some tools (such as EnCase and Mobiledit) and, most importantly, understanding how the end-to-end cyber forensics process pans out. I learned a lot and came to know things above and beyond the nature of the work that a security professional such as myself is usually engaged in.
As usual, I'll share my experience with this certification and my journey to achieve it. I hope that my experiences are useful and help you achieve this certification too.
The exam itself – This exam has been around for 7+ years and has evolved a lot from its predecessors. I took v8.0, as I had been preparing for it for a while, although v9.0 has been available since last year. CHFI is a pretty draining exam in that it addresses many areas of cyber forensics, from PC forensics to mobile forensics to application forensics and finally network forensics. It covers all the basics and the know-how required from forensics to investigation to conclusion, which is great, as this is something not taught in security 101. What we traditionally learn and practice is network, application and information security, not their underbellies in terms of conducting a forensic investigation, tracing the evidence back to the perpetrator and maintaining the chain of evidence/custody. And this goes on and on; you'll have to use your imagination to guess where. The many uncommon topics are more than enough to throw you off, and it's not unusual to get lost in the depths of legal obligations or standards, and even in the way evidence must be handled from discovery to its presentation in order to convict cyber criminals. See the topics covered and other requirements here – https://www.eccouncil.org/programs/computer-hacking-forensic-investigator-chfi/
The insights to the exam – The exam is a killer in that it is a 180-degree twist: it covers subjects far apart from what we as security professionals are used to doing versus what this certification demands. This is certainly for folks who have been in the ICT industry for a while and have a good grasp of security, from both a network and an information security backdrop. The exam is 4 hours long (not that you have to sit for all 4 hours, unless it takes that long to answer all the questions) and consists of 150 questions: multiple choice (single and multiple options) as well as true/false. This is a closed-book, proctored certification exam. Now, it is important to note that this exam is only delivered online via https://eccexam.com, and you get an online proctor from http://go.proctoru.com. Oh yes, before I forget to mention: you need to undergo an eligibility and verification process (and pay a fee for this and other ECC certifications) with EC-Council. You have to go through an application where they verify your security experience, and only upon successful application can you sit for the exam. A minimum of 2 years of security experience is required. I was exempted from the eligibility process and application as I already have CEH and more than 10 years of security experience.
My experience during the exam – The questions were very varied and not quite what I expected. I saw a lot of basics being tested, such as HDD geometry and the OSI stack as they pertain to forensics and traffic analysis. As expected, there were questions on PC, mobile and network forensics and on best practices for leading an investigation. I did enjoy the time during the test; instead of being stressed, I maintained my calm to ensure that I didn't get fatigued (both click-wise and mentally) and that the right choice was indeed the right choice, the first time. 4 hours is more than enough from a time perspective, and it takes grit to hold up the security persona during the exam coming from a non-forensic background.
I marked quite a few questions on my way to completing the first pass, as I would call it. I managed to complete the first pass in about 2 hours. I completed the second pass in another 15 minutes or so, looking over the marked questions. The worst thing would have been to second-guess myself, so I changed just a couple of answers where it made absolute and concrete sense. And then I submitted for grading. I passed with 93% (70% is the minimum score to pass). And that calls for a happier weekend, knowing that I have achieved another milestone in my quest for knowledge!
The preparation – For the prep I used a number of resources:
1. CHFI official slides. These are very helpful, and that's where most of my preparation came from.
2. CHFI All-in-One guide. This was also helpful, especially for the practice exam questions.
3. I read through a few other forensics books and articles. To name a few: Computer Forensics: A Pocket Guide, Computer Forensics For Dummies, Computer Incident Response, Digital Forensics for Network, Internet, and Cloud Computing, and so on. I skimmed the content where I already knew it and read closely where I knew I had holes in my information and understanding of the subject.
4. Practiced a few more questions from Skillset.com.
Summarizing – This is hands down one of the most alluring and comprehensive certifications pertinent to computer and network forensics. Security practitioners and professionals who intend to further their understanding of this subject matter (which is quite interesting and uncommon) should go for it. For me, the journey was more rewarding than the certification.