Computer Hacking Forensic Investigator Exam Information

Computer Hacking Forensic Investigator exam


Credits Towards Certification

Computer Hacking Forensic Investigator v8

Exam Details

  • Number of Questions: 150
  • Passing Score: 70%
  • Test Duration: 4 hours
  • Test Format: Multiple choice
  • Test Delivery: ECC exam portal


Exam Code

The exam code
  • ECC Exam Center: 312-49v8

Skills Measured

The exam 312-49 tests CHFI candidates on the following 22 domains.
  • Computer Forensics in Today’s World
  • Computer Forensics Investigation Process
  • Searching and Seizing Computers
  • Digital Evidence
  • First Responder Procedures
  • Computer Forensics Lab
  • Understanding Hard Disks and File Systems
  • Windows Forensics
  • Data Acquisition and Duplication
  • Recovering Deleted Files and Deleted Partitions
  • Forensics Investigations Using AccessData FTK
  • Forensics Investigations Using EnCase
  • Steganography and Image File Forensics
  • Application Password Crackers
  • Log Capturing and Event Correlation
  • Network Forensics, Investigating Logs and Investigating Network Traffic
  • Investigating Wireless Attacks
  • Investigating Web Attacks
  • Tracking Emails and Investigating Email Crimes
  • Mobile Forensics
  • Investigative Reports
  • Becoming an Expert Witness

CHFI (312-49) Exam

Computer Forensics in Today's World

  • Define computer forensics
  • Discuss the evolution of computer forensics
  • Explain the objectives and benefits of computer forensics
  • Discuss forensic readiness planning in detail
  • Explain cyber crimes
  • Examine various computer crimes
  • What is cybercrime investigation
  • Explain the key steps and rules in forensic investigation
  • What is the role of a forensics investigator
  • How to access computer forensics resources
  • Describe the role of digital evidence in forensic investigation
  • Understanding Corporate Investigations
  • Explain the key concepts of Enterprise Theory of Investigation (ETI)
  • Discuss various legal issues and reports related to computer forensic investigations

Computer Forensics Investigation Process

  • Provide an overview of computer crime investigation process
  • Describe computer forensic investigation methodology
  • Summarize the steps to prepare for a computer forensic investigation
  • How to obtain a search warrant
  • How to evaluate and secure a scene
  • How to collect and secure the evidence in a forensically sound manner
  • Explain the different techniques to acquire and analyze the data
  • Summarize the importance of evidence and case assessment
  • How to prepare the final investigation report
  • Testify in court as an expert witness

Searching and Seizing Computers

  • How to search and seize computers without a warrant
  • Discuss the Fourth Amendment’s “Reasonable Expectation of Privacy”
  • What is consent and discuss the scope of consent
  • Summarize the steps involved in searching and seizing computers with a warrant
  • Examine the basic strategies for executing computer searches
  • Discuss the Privacy Protection Act
  • Describe drafting the warrant and affidavit
  • Explain the post-seizure issues
  • Describe the Electronic Communications Privacy Act
  • What is voluntary disclosure
  • Electronic Surveillance in Communications Networks
  • Discuss how content is different from addressing information
  • Provide an overview of evidence and authentication

Digital Evidence

  • Define digital evidence and explain its role in case of a computer security incident
  • Discuss the characteristics of digital evidence
  • What are the various types of digital data
  • What is best evidence rule
  • Discuss federal rules of evidence
  • Summarize the international principles for computer evidence
  • Discuss the Scientific Working Group on Digital Evidence (SWGDE)
  • What are the considerations for collecting digital evidence from electronic crime scenes
  • Provide an overview of digital evidence examination process and steps involved
  • Explain electronic crime and digital evidence consideration by crime category

First Responder Procedures

  • Define electronic evidence
  • Who is a first responder
  • Provide an overview on how to collect and store the electronic evidence
  • Describe first responder tool kit and how to create it
  • How to get first response from laboratory forensic staff
  • Provide an overview on how to collect and secure the electronic evidence at crime scene
  • Explain how to conduct preliminary interviews
  • How to document electronic crime scene
  • Explain how to collect and preserve electronic evidence
  • Explain how to package and transport electronic evidence in a forensically sound manner
  • How to prepare report on crime scene
  • Provide a checklist for the first responders
  • Discuss the first responder’s common mistakes

Computer Forensics Lab

  • How to set up a computer forensics lab
  • Discuss the investigative services in computer forensics
  • What are the basic hardware requirements in a forensics lab
  • List and summarize various hardware forensic tools
  • Discuss the basic software requirements in a forensics lab
  • Summarize various software forensic tools

Understanding Hard Disks and File Systems

  • What is a hard disk drive
  • Explain solid-state drive (SSD)
  • Provide an overview of physical and logical structure of a hard disk
  • Describe the various types of hard disk interfaces
  • Examine the components of a hard disk
  • What are disk partitions
  • Explain Windows and Macintosh boot process
  • What are file systems
  • Explain various types of file systems
  • Provide an overview of Windows, Linux, Mac OS X, and Sun Solaris 10 file systems
  • Discuss the CD-ROM/DVD file system
  • Explain RAID storage systems and RAID levels
  • Explain file system analysis using The Sleuth Kit

Windows Forensics

  • What is volatile information
  • Explain what network and process information is
  • Define non-volatile information
  • Describe memory dump
  • Parsing Process Memory
  • Describe different techniques for collecting non-volatile information such as registry settings and event logs
  • Explain various processes involved in forensic investigation of a Windows system such as memory analysis, registry analysis, IE cache analysis, cookie analysis, MD5 calculation, Windows file analysis, and metadata investigation
  • Provide an overview of IIS, FTP, and system firewall logs
  • Discuss the importance of audit events and event logs in Windows forensics
  • Explain the static and dynamic event log analysis techniques
  • Discuss different Windows password security issues such as password cracking
  • How to analyze restore point registry settings
  • Provide an overview of cache, cookie, and history analysis
  • How to evaluate account management events
  • How to search with event viewer
  • Discuss various forensics tools

Data Acquisition and Duplication

  • Define data acquisition and explain various types of data acquisition systems
  • Explain various data acquisition formats and methods
  • How to determine the best acquisition method
  • What is contingency planning for image acquisitions
  • Describe static and live data acquisition
  • Provide an overview of volatile data collection methodology
  • Explain various types of volatile information
  • What are the requirements of a disk imaging tool
  • How to validate data acquisitions
  • Discuss Linux and Windows validation methods
  • How to acquire RAID Disks
  • Examine the best practices of acquisition
  • List various data acquisition software and hardware tools

Recovering Deleted Files and Deleted Partitions

  • Explain how to recover files in Windows, Mac, and Linux
  • Discuss file recovery tools for Windows, Mac, and Linux
  • How to identify the creation date and last accessed date of a file, and deleted sub-directories
  • How to recover deleted partitions, and list partition recovery tools

Forensics Investigation Using AccessData FTK

  • What is Forensic Toolkit (FTK®) and discuss its various features
  • Explain FTK installation steps
  • Discuss the FTK Case Manager
  • How to restore an image to a disk
  • Explain FTK examiner user interface
  • How to verify drive image integrity
  • Discuss how to mount an image to a drive
  • Summarize the steps involved in creating a case
  • Discuss the functions of FTK interface tabs
  • Explain the steps involved in adding evidence to a case
  • How to acquire local live evidence
  • Explain the steps involved in acquiring data remotely using remote device management system (RDMS)
  • Discuss the steps involved in imaging drives
  • How to mount and unmount a device
  • Explain the steps involved in conducting an index search and live search
  • How to decrypt EFS Files and Folders

Forensics Investigation Using EnCase

  • Provide an overview of EnCase forensics
  • Discuss EnCase, its uses, and functionality
  • Discuss EnCase forensic modules
  • How to install EnCase Forensic
  • Explain how to configure EnCase
  • Provide an overview of case structure
  • What is case management
  • How to add a device to a case and how to acquire a device
  • Explain the verification process of evidence files
  • What is a source processor
  • How to set up case options
  • Discuss how to analyze and search files
  • Describe how to view file content
  • Provide an overview on bookmarks
  • How to create various types of bookmark
  • Explain how to create a report using the report tab
  • How to export a report

Steganography and Image File Forensics

  • Summarize steganography and its types
  • List the applications of steganography
  • Discuss various digital steganography techniques
  • What is steganalysis
  • How to detect steganography
  • List various steganography detection tools
  • Discuss image file formats
  • How to compress data
  • How to process a forensic image using MATLAB
  • Explain how to locate and recover image files
  • How to identify unknown file formats
  • List picture viewer tools and image file forensic tools

Application Password Crackers

  • What are the terminologies used
  • Explain the functionality of password crackers
  • Summarize various types of passwords
  • What is a password cracker
  • How Does a Password Cracker Work?
  • Discuss various password cracking techniques
  • List various types of password attacks
  • List various system and application software password cracking
  • What are default passwords
  • Discuss various password cracking tools

Log Capturing and Event Correlation

  • What are computer security logs
  • Discuss logon events in Windows
  • What are IIS logs
  • How to view the DHCP logs
  • What is ODBC logging
  • Explain legality of using logs
  • Explain log management
  • Discuss various challenges in log management
  • What is centralized logging
  • Discuss syslog
  • Why Synchronize Computer Times?
  • What is NTP?
  • List various NIST time servers
  • Discuss various event correlation approaches
  • List various log capturing and analysis tools

Network Forensics, Investigating Logs and Investigating Network Traffic

  • Summarize network forensics concepts
  • Explain the network forensics analysis mechanism
  • What are intrusion detection systems (IDS)
  • Define the terms firewall and honeypot
  • Discuss various network vulnerabilities
  • Explain various types of network attacks
  • Explain new-line injection attacks and timestamp injection attacks
  • Where to Look for Evidence?
  • How to handle logs as evidence
  • Explain how to condense a log file
  • Why to Investigate Network Traffic?
  • How to acquire traffic using DNS poisoning techniques
  • Explain how to gather evidence from the ARP table
  • List various traffic capturing and analysis tools

Investigating Wireless Attacks

  • Discuss various advantages and disadvantages of wireless networks
  • List different components of wireless networks
  • What are the various types of wireless networks
  • List various types of wireless standards
  • What is MAC filtering
  • What is a Service Set Identifier (SSID)
  • Discuss various types of wireless encryption
  • List various types of wireless attacks
  • How to investigate wireless attacks
  • What are the requirements of a tool design and summarize the best practices for wireless forensics
  • List various wireless forensics tools

Investigating Web Attacks

  • What are Web applications
  • Explain Web application architecture
  • Why Web servers are Compromised
  • Provide an overview of Web logs
  • What are Internet Information Services (IIS) and Apache Web server logs
  • Discuss various types of Web attacks
  • How to investigate Web attacks
  • Explain the investigation process of Web attacks in Windows-based servers
  • Describe how to investigate IIS and Apache logs
  • When does Web page defacement occur
  • Discuss various security strategies to Web applications
  • List various Web attack detection tools
  • Discuss various tools for locating an IP address

Tracking Emails and Investigating Email Crimes

  • Explain the terms email system, email client, email server, and email message
  • Discuss the importance of electronic records management
  • Discuss various types of Email crimes
  • Provide examples of Email header
  • List Common Headers
  • Why to Investigate Emails
  • Discuss the steps involved in investigation of Email crimes
  • List various Email forensics tools
  • What are the different laws and acts against Email crimes

Mobile Forensics

  • List different mobile devices
  • What are the hardware and software characteristics of mobile devices
  • What is a cellular network
  • Provide an overview of mobile operating system
  • Discuss various types of mobile operating systems
  • What can a criminal do with mobile phones?
  • Describe various mobile forensics challenges
  • Discuss various memory considerations in mobiles
  • What are the different precautions to be taken before investigation
  • Explain the process involved in mobile forensics
  • List various mobile forensic hardware and software tools

Investigative Reports

  • Explain the importance of reports and the need for an investigative report
  • Discuss the salient features of a good report
  • Provide computer forensics report template
  • How is a report classified
  • Provide layout of an investigative report
  • What are the guidelines for writing a report
  • Provide an overview of investigative report format
  • How to document a case report
  • What are the best practices for investigators
  • How to write a report using FTK and ProDiscover

Becoming an Expert Witness

  • What is an Expert Witness?
  • Explain the role of an expert witness
  • Describe various types of expert witnesses
  • What is the scope of expert witness testimony
  • Explain the differences between Technical Witness and Expert Witness
  • What are the various steps involved in evidence processing
  • How to prepare a report
  • List the rules pertaining to an expert witness’ qualification
  • How to testify in court
  • What are the general ethics while testifying
  • How to testify during direct and cross-examination
  • How to find a computer forensic expert