I think it is important to realize that certification in any area of expertise should be designed to tell the world that you have attained something that sets you apart from others in the field. Digital forensic certification should be measured much like a college degree program. There are a number of undergrad and post graduate degree programs out there that are designed simply to make money through mail order and not to provide something of real value that tells the world that you have earned a college degree through a nationally or internationally accepted and recognized degree program. The programs I will discuss here have various requirements and levels of difficulty and it is up to you decide the direction you want to go. Any good certification program in digital forensics should have a practical examination component and a written examination that requires the student to show their knowledge and proficiency in performing digital forensic work. The organization putting forth the certification should also require certificate holders to subscribe to best practices standards and to a code of ethics. Additionally, the certificate holder should be required to recertify and prescribed interval and maintain continuing education in the field of digital forensics.

Digital forensic education programs leading to certification are generally divided into two areas; those open only to law enforcement and those open to any professional. Those open only to law enforcement typically also allow “non-sworn” personnel to attend if they are engaged in a full time position with a government agency that prepares criminal cases and assists in the prosecution of defendants. There are two programs that fall into the law enforcement only classification the CFCE and SCERS certifications.

The Certified Forensic Computer Examiner (CFCE) certification is offered through the International Association of Computer Investigative Specialists (IACIS). This program is offered by attending a two week intensive training course in Orlando, Florida. This course is offered every year and is now offered in multiple countries. IACIS began in the early 90’s and the training course is staffed by a host of volunteers who each year gives up two weeks of their Summer to teach and coach in the two week class. While the course is geared for the novice it will be very difficult to keep up in the class if you have not acquired at least a basic knowledge of technical background in the Windows operating systems. The class covers everything from basic FAT file systems to NTFS and Unix/Linux basics and also includes the various Apple Macintosh file systems. The class also covers the logical and the physical disk structures and computer forensic artifacts. Following the completion of the class the student is granted the Certified Electronic Evidence Collection Specialist (CEECS) certification which signifies training in how to seize and gather digital evidence in forensically sound manner.

Shortly after graduation from the two week class the student applies for and is assigned a regional coach who will help guide the student through a series of five practical exercises designed to cause the student to explore digital forensic issues, locate forensic artifacts, and prepare a technical report based on their findings and conclusions. Each report is reviewed for thoroughness and once all issues in the exercise are resolved the student advances to the next practical. The final practical is a full size hard drive that must be imaged correctly and fully reported on. Once the final practical is completed the student is presented with an one hundred question multi-part written essay examination that usually requires several days to complete. The student must pass at 80%. If successful, the student is awarded the Certified Forensic Computer Examiner designation. The CFCE is required to maintain annual training hours and to recertify every three years. The cost of this program is approximately $1600 plus room and board. In the event that a student wishes to participate in the certification process without attending the two week training course there is also an external certification method. Each year approximately 200 students begin the process but only about 50 percent complete it. The CFCE is allowed to maintain their certification when separating from the public sector provided the separation was under honorable conditions.

The Seized Computer Evidence Recovery Specialist (SCERS) training program is only available to law enforcement and is part of the Federal Training Program offered at the Federal Law Enforcement Training Center (FLETC) in Glynco, Georgia. Students who are from a non governmental private entity may take part in the training provided they are sponsored by a law enforcement agency and the agency training coordinator or other responsible party within the agency makes the request for the student to attend. There is a prerequisite for this training in that the student must have completed the Digital Evidence Acquisition Specialist Training Program (DEASTP) or the Criminal Investigations in an Automated Environment Training Program (CIAETP) to qualify for admission to the SCERS Program. The SCERS program is quite expensive at $5,047 US but as a part of this price the student receives numerous pieces of hardware including a mini personal computer as well as the top selling forensic software products like Guidance Software™ Encase Forensic and AccessData™ FTK; generally almost everything needed to conduct digital forensic examinations and analysis. The training program covers two weeks and involves extensive after classroom time. The in class curriculum is very similar to the CFCE program but also provides an introduction to the use of some forensic software tools. At the conclusion of the training program the student must pass a graded practical examination to be awarded the SCERS certification.

Private Sector Programs

For the digital forensic professional in the private sector there are several programs leading to certification. These programs are of course also offered to professionals in law enforcement but it is not required. These programs are generally divided into two areas; programs offering certification using non vendor specific digital forensic methodology and those which certify the student in the use of a particular piece of forensic software.

The High-Tech Crime Network (HTCN) offers several levels of proficiency for applicants seeking to attain certification. The HTCN state that they are the only certifying body that actually perform a background check on applicants and award a certification based on experience in the computer forensic industry. The candidate must provide satisfactory proof that he or she has received a minimum number of hours in computer crime and/or computer forensic training and must be able to document their experience in the field. The applicant can download a 17 page application from the HTCN website, submit the notarized application to HTCN with a $50 non-refundable application processing fee. The applicant must also submit a copy of the notarized application to their direct supervisor who authenticates the information contained in the application and also must sign a notarized affidavit to that effect. The supervisor then forwards the affidavit to the HTCN under separate cover. The applicant then waits 45-90 days for the HTCN decision concerning approval for certification. Prior to being awarded certification the applicant must become a member of HTCN and be an annual dues paying member in good standing and pay the remaining $450 to get their certificate.

The HTCN offers four different certifications:

Certified Computer Crime Investigator, Basic Level requires candidates have 2 years of investigative experience or a bachelor’s degree and one year of experience. It also requires 18 moths of experience directly related to the investigation of computer-incidents/ crimes. The basic certificate also requires the candidate to have completed 40 hours of training in computer crime investigation from an approved source.

Certified Computer Crime Investigator, Advanced Level candidates must have an additional year of investigative experience and 4 years of experience directly related to the investigation of computer crime. Candidates for the advanced certificate must have completed 80 hours of training.

Certified Computer Forensic Technician, Basic requires 3 years of investigative experience or a bachelor’s degree and 2 years of experience. Candidates must have 18 months of computer investigation experience and 40 hours of computer forensic training from an approved source and must pass a written examination on computer forensics. Additionally, the candidate must provide documentation that they have performed at least 10 computer forensic examinations.

Certified Computer Forensic Technician, Advanced also requires 3 years of investigative experience but must have 4 years of direct experience related to computer forensics. Additionally, the candidate must have 80 hours of computer forensic training. Candidates for the advanced certificate must have been the lead examiner in at least 20 examinations in the past 3 years and in 40 or more or additional computing investigations as the lead forensic technician, supervisor, or contributor. The candidate must have been involved in a total of at least 60 computer forensic investigations at some level in the last 3 years.

LC Tech offers training in several computer crime disciplines marketed as the High Tech Crime Institute (HTCI) that culminate in certification one of which is the Computer Crime Scene Technician (CCST). HTCI offers tracks of study in which the student is required to attend training courses in certain topics to achieve certification in a particular area of study. Other forensic designations through HTCI include Certified Computer Network Investigator (CCNI), Certified Computer Forensic Technician (CCFT), and the Forensic Operating System Specialist (FOSS). Each of these tracks has their own exam and results in the designation of High Tech Crime Investigator Basic, Intermediate or Advanced.

The International Society of Forensic Computer Examiners (ISFCE) offers the Certified Computer Examiner (CCE) certification. CCE certification exams are offered at several locations around the country. CCE authorized training centers are also found at university and other locations in the US and internationally. The applicant must have documented training at one of the approved training facilities or have 18 months of responsible computer forensic examination experience. As an additional option the candidate may produce documented proof of a valid self study in computer forensic examination. The initial CCE process consists of a proctored multiple choice online exam and the forensic examination of a floppy disk, CDR, and hard drive. An 80% or better score is required to complete the process. The fee for the process in $395 US and additionally may also include a proctoring fee. The CCE must adhere to the ISFCE code of ethics and complete recertification every 2 years. A CCE may take additional online examinations particular to computer operating systems such as FAT, NTFS, Linux/UNIX, or Apple Macintosh in order to receive specific endorsements for demonstrated learning in these areas. The attainment of 3 or more such endorsements grants the CCE the advanced certification of Master Certified Computer Examiner (MCCE). There is no fee for membership to the ISFCE once the candidate has completed the CCE certification but there is a recertification fee of $75 US. The CCE also requires continuing education in computer forensics.

The International Information Systems Forensic Association offers the Certified Information Forensic Investigator (CIFI) certification. Training courses aimed at attaining this certification are available at various Technet Training Centers around the US. Candidates wishing to sit for the CIFI examination can do so at any Prometrics testing center for a fee of $150 US. Candidates must score a 70% or better on the exam to qualify.

New Technologies, Inc. acquired in 2000 by Armour Holdings, Inc. offers comprehensive training in computer forensics and a Certificate of Professional Development through the Oregon State University. Students earn the certificate of completion and college credit through the university. NTI offers their classes in Portland, Oregon and Jacksonville, Florida. The process involves both a practical and written examinations.

In addition to these non-vendor specific training and certification opportunities several of the forensic software vendors are also offering forensic certification using their products. Guidance Software makers of the EnCase line of forensic software offers the EnCase Certified Examiner (EnCE) certification. The EnCE has two paths to certification. One path requires that the candidate attend Guidance Software’s computer forensic or incident response training at the intermediate level or above. Those candidates must possess a valid EnCase software license personally owned or purchased through a training site or business. He or she must have 18 months of investigative experience with at least 6 months or verified experience in computer forensic examinations endorsed by their department head. The other path is for candidates who have other computer forensic training and have not taken the Guidance Software courses. In addition to the EnCase software license requirement the candidate must have 80 verifiable hours of authorized classroom computer forensic training with 18 months of total investigative experience including 6 months of experience in computer forensic examinations, or 32 hours of classroom training and two years of total investigative experience with 1 year of computer forensic examination experience. Both paths to certification require a two phase testing process. Phase I is a computerized examination proctored through Prometric Testing Centers. It requires and 80% or better grade on the exam. Phase II is practical test requiring the candidate to examine computer evidence on CD-ROM. Candidates have 60 days to complete the practical and submit a report of their findings. Candidates must achieve and 85% or higher rating on the practical.

AccessData Corporation makers of the Forensic Tool Kit (FTK) and Password Recovery Toolkit (PRTK) have recently developed the AccessData Certified Examiner (ACE) certification. Candidates for the ACE certificate are required to possess (individually or through their employer) a licensed copy of FTK, PRTK, and Registry Viewer. The applicant must also have completed the AccessData Forensic Boot Camp and Windows Forensic training classes. There is no waiver or allowance for other types of forensic training. The applicant must also have 6 months of computer forensic experience. Successful completion of the process is also in two phases. Phase I is an 80% or better score on the computerized exam administered by Prometric Testing and Phase II involves completion of a Practical Based Assessment (PBA) administered by AccessData. The cost of the certification at the time of this writing is $395 US.

While it may not be necessary to have a certificate in Digital Forensic proficiency to conduct computer forensic work it shows that you have submitted your knowledge and skills in this area for review by an outside party. Much like the Certified Fraud Examiner, possessing a certificate in digital forensics sets you apart from others in the field. The CFE is highly recognized and a very valuable certification to have in today’s job market. Be certain the certification you choose in Digital Forensics will have the respect of your peers in the industry and be something that you can proudly display. It’s been said that computer forensics is a community of practice; we all learn from each other. Having a certification does not make you an expert but it does say something important about you and your level of knowledge and skill.

As a caveat, you should know that many states are requiring private computer forensic examiners to be licensed private investigators. If you are considering this field as an independent private examiner you should check with your state to find out if they will require licensing as a PI before you engage any clients.

Richard Cannon is both a Certified Forensic Computer Examiner and a Certified Fraud Examiner and has over 20 years experience in the fields of criminal and civil investigation and for the past 6 years he has worked in the field of digital investigation and analysis. He is the former Forensic Technology Director for the Association of Certified Fraud Examiners. He has written on the topic of digital investigation and spoken at a number of conferences both in the US and internationally on the subject of Digital Forensic Evidence and the investigation of fraud using digital forensic methodology. Mr. Cannon is currently Chief Investigator for Corporate InfoSec at a large global corporation and continues to conduct forensic examinations and investigations.