Eight top certifications to help you dig deep into digital forensics

Wherever data shall pass, there's a chance that someone will be needed to resurrect it for some legal, regulatory, or investigative purpose. That someone will be a computer forensics specialist who is skilled in recovering data others thought long gone, while documenting the actions taken every step of the way. IT forensics pros are also versed in proper evidence collection procedures to ensure that the electronic data so painstakingly uncovered is retrieved and maintained in a legally defensible manner.


Forensic investigator

Digital forensics experts are employed by a wide range of organizations, ranging from the U.S. Department of Defense through law enforcement, banks and major cell phone carriers. It's a specialty where employers aren't shy about asking for certifications, so having the right one on board will definitely open doors. We did some detective work of our own to find out which credentials carry the most resume-boosting potential. Here's what we uncovered:


EnCase Certified Examiner (EnCE) 


Since 2001, more than 4,800 individuals have earned the EnCE. It's one of the most widely cited certifications in job postings. This vendor-specific credential is offered by Guidance Software, vendor of the widely used EnCase suite of e-discovery tools. EnCE certification demonstrates both your knowledge of EnCase software and general knowledge of computer forensics.


To earn it, you'll first need to meet an experience requirement (12 months computer forensics experience) or else complete an authorized training program. Then you must print out and mail in an application. Once that's approved, you can take the written and then practical hands-on exams. You must pass the Phase 1 exam ($200) before you will be issued a log in to take the Phase 2 portion.


AccessData Certified Examiner (ACE)


AccessData is a vendor of e-discovery tools and computer forensics training centered around Forensic Toolkit (FTK), a widely used digital investigation product. The ACE exam is a multiple-choice test with knowledge-based and practical components. FTK is used to complete the exam. Although AccessData offers training, it isn't required in order to take the exam. The exam is administered through an online portal and there is no charge to attempt the exam. Certification must be renewed every two years.


Certified Computer Examiner (CCE)


This well-established vendor-neutral credential comes from the International Society of Forensic Computer Examiners (ISFCE). Since its inception in 2003, more than 1,700 individuals have earned the CCE. To be eligible to take the exam that can get you into that elite group, you'll first have to meet either training or experience requirements — the good news is you don't have to do both. Training via ISFCE-approved vendors is highly encouraged but not required.


The exam process consists of four parts: Submit an application, purchase testing ($395) and then submit a notarized statement of your eligibility to take the exams. Once you clear those hurdles, you must pass a written exam administered online — succeed at that, and you get to attempt the practical exam, which is also administered online. You get 90 days to complete the practical exams. You can't have a criminal record, so if you have a rap sheet from your dark and distant past, then this one's off the table.


GIAC Certified Forensic Examiner (GCFE) and GIAC Certified Forensic Analyst (GCFA)


These two come from the well-respected Global Information Assurance Certification (GIAC) program. Each is a one-exam certification that will set you back a hefty $1,049 ($899 if you take the associated training course). You'll be expected to prove your chops on topics ranging from browser forensics to evidence acquisition and preservation to log analysis and a host of other key subjects.


On the surface, the GCFE certification is GIAC's introduction to forensics. The certification objectives and material on the exam, however, are targeted toward an intermediate-to-advanced level candidate. The fundamental methodology of forensic acquisition, preservation and collection are emphasized, along with the identification and analysis of file, application and operating system artifacts. Typically, this is the first GIAC Forensics certification that a candidate may attempt and is well suited to the junior forensic and junior incident handler positions that may have 1-5 years of practical experience in digital forensics and may possess several GIAC or other certifications.


The GCFA certification has some similarities with the GCFE but takes the process from disk-based forensics to include volatile memory acquisition and analysis of both RAM and network artifacts. The enterprise incident response framework and process is also heavily emphasized with this certification. The candidates are expected to understand and be able to process more complicated scenarios, find harder-to-locate data and be able to work with material originating from a higher degree of difficulty. These would include creating and analyzing file system timeline data, the Windows Registry and carving deleted files from the unallocated space of a hard drive. The GCFA certification is targeted toward a candidate who has several years of practical digital forensics experience and is performing incident response as a regular part of their daily activities.


GIAC recently launched an additional forensics credential, GIAC Network Forensics Analyst (GNFA). It is a high-level specialized GIAC certification which focuses on data that is typically not resident on workstations, servers or mobile devices. The GNFA candidates are expected to be able to collect, preserve and analyze data from network-based activity including system, application and service logs, network traffic captures and communications between hosts within an enterprise environment.


This data is typically not part of traditional disk-based forensics and provides important and, in many cases, critical evidence in examinations of data breach, data loss and social engineering. The candidates who may attempt this certification typically have several years of digital forensics training and practical experience, as well as a fundamental comprehension of network devices, network architecture and the collection and preservation of transient volatile data such a network captures.


The good news with GIAC certifications is that you can bring your reference books with you to the testing center, though you won't be allowed to access the internet in your quest for answers. GIAC certifications must be renewed every four years.


IACIS Certified Forensic Computer Examiner (CFCE)


The CFCE is a rigorous, vendor-neutral certification offered by The International Association of Computer Investigative Specialists (IACIS). Earning it is a two-step procedure: The first step is a peer review where you must complete four scenario-based problems via a mentored process. Once you successfully complete that, you'll move on to Phase Two, which consists of a hard drive practical exercise and written final examination. You'll also have to submit a notarized statement declaring that you didn't receive any assistance in completing the exams and may be required to undergo a background check. Certification must be renewed every three years. This program has a training requirement, which you can meet by taking IACIS training, or by submitting proof of other formal digital forensics training along with your application. The CFCE exam costs $750 when purchased separately.


Certified Cyber Forensics Professional (CCFP)


The CCFP credential is offered by the International Information Systems Security Certification Consortium , or (ISC)�, vendors of the prestigious Certified Information Systems Security Professional (CISSP). To take on this challenging credential you'll first need to demonstrate that you have a four-year baccalaureate degree plus three years of full time digital forensics experience. You can substitute additional work experience in lieu of the degree. In addition, you must pass the (ISC)2 CCFP exam ($549).


The exam covers the six knowledge domains of the CCFP: Legal and Ethical Principles; Investigations; Forensic Science; Digital Forensics; Application Forensics; Hybrid and Emerging Technologies. If lack of experience is holding you back, you can pursue this credential at the associate level until you meet the professional experience requirements.


Would you like more insight into the history of hacking? Check out Calvin's other articles about historical hackery:
About the Author

Anne Martinez is a certification industry veteran and the founder of GoCertify.com. She has been observing the industry and writing about IT certification since 1998.