CHFI – study notes

Security Incident – when a crime or wrongdoing was performed, involving a computer (as target, tool or crime scene).

– Note: wrong access is not necessarily an incident. What if the wrong access was not used to do something else? You must go further.

5WH to an investigation – Who, What, Where, When, Why – and How

ETI – Enterprise Theory of Investigation – each separate incident is part of an ongoing series of activities (see: Clifford Stoll – Cuckoo’s Egg)

An investigator must: detect evidence, preserve evidence, analyze evidence, report findings – DPAR




After a long time, I just returned (to this blog, to books, to maybe achieve something else).

In memory of my father – 03/01/42 to 24/12/14

Computer Forensics certifications

In the mainstream computer forensics market, we have two big players: AccessData and Guidance.

AD is responsible for the Forensic ToolKit, or simply FTK.

Guidance is the creator of EnCase, another solid solution.

As with almost any IT / security tool, they have their certification programs.

You can be an ACE (AccessData Certified Examiner) or EnCE (EnCase Certified Examiner), or both, of course.

The exams have some similarities. Both require you to take a phase 1 with multiple-choice tests. And both require you to take a practical phase 2, where you need to use their tool to investigate an evidence file.

ACE used to be free. EnCE has a cost. But now, if you sign up for the ACE test, you realize it could cost 15x the EnCE price.

I will explain.

For EnCE, you pay 200US, take phase I, and if you pass, you receive a temporary license for EnCase (dongle), which enables you to take the investigative (second) phase.

On the other hand, you can take the ACE exam phase I for free. Sign up, read their PDF, and you are ready to answer the tests. Now, for the practical questions, they introduced a big change.

Until last year, you could download their FTK 1.x version and investigate the evidence, without costs. So, phase I and II were free, and hence, ACE had the potential to be more popular. Now, for phase II, you will need an FTK license, and at least version 3.x.

I’ve contacted and confirmed with their Marketing & Certifications departments. They say “if you don’t have a licensed copy of FTK, you should look for someone or some school with it”.

Well, if I want to step into the forensics market, I would hardly find someone with a licensed FTK. If I find a school, they would charge me to use their facility. An FTK license costs 3000US (or more, it depends on the country).

In terms of difficulty, EnCE is still known as the hardest one.

You need to have attended 64 hours of authorized computer forensic training (online or classroom) OR have 12 months of computer forensic experience, before phase I.

Plus, the investigation phase is not straightforward. I’ve heard complaints about it.

ACE is easier, but they put up this big barrier: they discontinued the only trial version of FTK and now expect you to buy FTK or find a good soul willing to help you.

In my opinion, a step backward for ACE.

Bad move, AD, bad move.

P.S.: I must say, before someone thinks I’m an EnCase guy… I’m grateful for FTK, the tool that helped me finish my final paper about OS X / Boot Camp investigation (yet to be published). And, after visiting the FTK 4 World Tour last year, I must say: the new “social network map” feature (planets + galaxy style) that this new version is able to build from artefacts and evidence seems to be really something!