EC-Council’s CHFI certifies individuals in the specific security discipline of computer forensics from a vendor-neutral perspective. The CHFI certification will fortify the application knowledge of law enforcement personnel, system administrators, security officers, defense and military personnel, legal professionals, bankers, security professionals, and anyone who is concerned about the integrity of the network infrastructure.

A CHFI v9 certified professional will be able to:

  • Perform incident response and forensics
  • Identify data, images and/or activity which may be the target of an internal investigation
  • Perform electronic evidence collections
  • Establish threat intelligence and key learning points to support pro-active profiling and scenario modelling
  • Perform digital forensic acquisitions
  • Search file slack space where PC type technologies are employed
  • Perform bit-stream imaging/acquiring of the digital media seized during the process of investigation
  • File MAC times (Modified, Accessed, and Create dates and times) as evidence of access and event sequences
  • Examine and analyze text, graphics, multimedia, and digital images
  • Examine file type and file header information
  • Conduct thorough examinations of computer hard disk drives, and other electronic data storage media
  • Review e-mail communications including web mail and Internet Instant Messaging programs
  • Recover information and electronic data from computer hard drives and other data storage devices
  • Examine the Internet browsing history
  • Follow strict data and evidence handling procedures
  • Generate reports which detail the approach, and an audit trail which documents actions taken to support the integrity of the internal investigation process
  • Maintain audit trail (i.e., chain of custody) and evidence integrity
  • Recover active, system and hidden files with date/time stamp information
  • Work on technical examination, analysis and reporting of computer-based evidence
  • Crack (or attempt to crack) password protected files
  • Prepare and maintain case files
  • Perform anti-forensics detection
  • Utilize forensic tools and investigative methods to find electronic data, including Internet use history, word processing documents, images and other files
  • Maintain awareness and follow laboratory evidence handling, evidence examination, laboratory safety, and laboratory security policy and procedures
  • Gather volatile and non-volatile information from Windows, Mac and Linux
  • Play a role of first responder by securing and evaluating a cybercrime scene, conducting preliminary interviews, documenting crime scene, collecting and preserving electronic evidence, packaging and transporting electronic evidence, reporting of the crime scene
  • Recover deleted files and partitions in Windows, Mac OS X, and Linux
  • Perform post-intrusion analysis of electronic and digital media to determine the who, where, what, when, and how the intrusion occurred
  • Perform keyword searches including using target words or phrases
  • Apply advanced forensic tools and techniques for attack reconstruction
  • Investigate events for evidence of insider threats or attacks
  • Perform fundamental forensic activities and form a base for advanced forensics
  • Support the generation of incident reports and other collateral
  • Identify and check the possible source/incident origin
  • Investigate and analyze all response activities related to cyber incidents
  • Perform event correlation
  • Plan, coordinate and direct recovery activities and incident analysis tasks
  • Extract and analyze logs from various devices such as proxies, firewalls, IPSes, IDSes, Desktops, laptops, servers, SIM tools, routers, switches, AD servers, DHCP servers, Access Control Systems, etc.
  • Examine all available information and supporting evidence or artefacts related to an incident or event
  • Ensure that reported incident or suspected weaknesses, malfunctions and deviations are handled with confidentiality
  • Collect data using forensic technology methods in accordance with evidence handling procedures, including collection of hard copy and electronic documents
  • Assist in the preparation of search and seizure warrants, court orders, and subpoenas
  • Conduct reverse engineering for known and suspected malware files
  • Provide expert witness testimony in support of forensic examinations conducted by the examiner
  • Perform detailed evaluation of the data and any evidence of activity in order to analyze the full circumstances and implications of the event

About the Program

Digital forensic practices stem from forensic science, the science of collecting and examining evidence or materials. Digital or computer forensics focuses on the digital domain including computer forensics, network forensics, and mobile forensics. As the cyber security profession evolves, organizations are learning the importance of incorporating digital forensic practices into their everyday activities. Computer forensic practices can help investigate attacks and system anomalies, or even help system administrators detect a problem by defining what normal functional specifications are and validating system information for irregular behaviors.

In the event of a cyber-attack or incident, it is critical that investigations be carried out in a forensically sound manner to preserve evidence in the event of a breach of the law. Far too many cyber-attacks occur across the globe where laws are clearly broken and, due to improper or non-existent forensic investigations, the cyber criminals go unidentified or undetected, or are simply not prosecuted.

Cyber Security professionals who acquire a firm grasp on the principles of digital forensics can become invaluable members of Incident Handling and Incident response teams. The Computer Hacking Forensic Investigator course provides a strong baseline knowledge of key concepts and practices in the digital forensic domains relevant to today’s organizations. CHFI provides its attendees a firm grasp on the domains of digital forensics.


  • 14 comprehensive modules and 39 labs
  • More than 40 percent of new labs
  • More than 400 new/updated tools
  • Classroom friendly curriculum with diagrammatic representation of concepts and examples
  • New and rich presentation style with eye catching graphics
  • Coverage of latest operating systems
  • Updated patch management and testing environment
  • Well tested, result oriented, descriptive and analytical lab manual to evaluate the presented concepts


About the Exam

The CHFI certification is awarded after successfully passing the exam EC0 312-49. CHFI EC0 312-49 exams are available at ECC exam centers around the world.

CHFI Exam Details

  • Number of Questions: 150
  • Passing Score: 70%
  • Test Duration: 4 hours
  • Test Format: Multiple choice
  • Test Delivery: ECC exam portal

CHFI Course Outline (Version 9)

1. Module 01 Computer Forensics in Today's World
2. Module 02 Computer Forensics Investigation Process
3. Module 03 Understanding Hard Disks and File Systems
4. Module 04 Data Acquisition and Duplication
5. Module 05 Defeating Anti-forensics Techniques
6. Module 06 Operating System Forensics (Windows, Mac, Linux)
7. Module 07 Network Forensics
8. Module 08 Investigating Web Attacks
9. Module 09 Database Forensics
10. Module 10 Cloud Forensics
11. Module 11 Malware Forensics
12. Module 12 Investigating Email Crimes
13. Module 13 Mobile Forensics
14. Module 14 Forensics Report Writing and Presentation

Who Is It For?

The CHFI program is designed for all IT professionals involved with information system security, computer forensics, and incident response.

Target Audience

  • Police and other law enforcement personnel
  • Defense and Military personnel
  • e-Business Security professionals
  • Systems administrators
  • Legal professionals
  • Banking, Insurance and other professionals
  • Government agencies
  • IT professionals, IT directors/managers
  • Incident response team members
  • Information security managers
  • Network defenders
  • Security analyst/architect/auditors/consultants