Congratulations! By picking up this book, thumbing through it, and starting to read the introduction, you’ve taken your first step toward a deeper understanding of computer (digital) forensics, and perhaps a career in this field. Before we dive into the details, I want to make one thing clear. This book will help you pass your test. It will help you do so by teaching you what you need to know to pass this certification exam. It will not tell you how to pass the certification exam. To be blunt, this book alone will not allow you to pass this exam; no single source could. You’ll need to supplement this book with other texts that deal with digital forensics, Internet research, and getting some hands-on practice by downloading some of the software mentioned in this book and experimenting with it.
This book covers the exam objectives for EC-Council’s Computer Hacking Forensic Investigator (CHFI) v8 certification examination. Each chapter covers specific objectives and details for the exam. EC-Council has defined 22 areas of study for this exam, and the book is divided into 12 chapters. I’ve consolidated certain areas where they made sense to me. For example, the last chapter in the book covers the objectives for writing a report and for acting as an expert witness. If you’re engaged as an expert witness, you are going to need to write a report.
Each chapter has several features designed to communicate effectively the information you’ll need to know for the exam:
• The Certification Objectives covered in each chapter are listed first. These identify the major topics within the chapter, and help you to map out your study. Since several chapters cover information in multiple areas, some of the objectives have been combined into a single sentence. Fear not: The information is there.
• Sidebars are included in each chapter and are designed to point out information, tips, and stories that will be helpful in your day-to-day responsibilities:
• Exam Tips are exactly what they sound like. These are included to point out a focus area you need to concentrate on for the exam. No, they are not explicit test answers. Yes, they will help you focus your study.
• Specially called out Notes are part of each chapter too. These interesting tidbits of information are relevant to the discussion and point out extra information. Don’t discount them.
• You should pay attention to the notes labeled Caution, as they point out areas where you can go very wrong.
This book is divided into two general sections. The first three chapters address meta-issues in computer forensics, and propose a process for performing an investigation. Chapter 4 talks about what you need to do to set up a forensics lab, and offers good advice about what you need to consider if you’re thinking of going into business for yourself. The rest of the chapters go through this process in more detail, from the initial involvement with a case through writing a report and perhaps acting as a witness. Along the way, the book covers what I think of as “traditional” forensics, including evidence acquisition from disk drives and computer memory. The book also covers forensics as applied to other digital communications, including mobile devices, network-based attack and defense, and attacks against e-mail and web-based applications.
There are a couple of groups of people who will benefit from this book. The first are people who are interested in having a career in the field of digital forensics, or are just interested in the topic. Unfortunately, this book doesn’t provide all the information that you need to start your career. EC-Council recommends that people who wish to obtain this certification should have already obtained the Certified Ethical Hacker (CEH) certification. This book assumes that you have a background in how computers are actually built (CPU, memory, persistent storage, and so on) and that you have some familiarity with current operating systems such as Linux, Microsoft Windows, Mac OS X, and Oracle Solaris. Without this background, I think you’ll find this book rather tough sledding. Remember, though, that I wrote this book for beginners in the field of digital forensics, so you will gain valuable information from reading this book.
The second group of people who will benefit from this book are those who have this basic knowledge already, as well as some knowledge and experience in the material covered in the CEH certification (the CEH Certified Ethical Hacker All-in-One Exam Guide is a good place to start). These folks may be looking for a career change or simply expanding their knowledge and expertise. If you’re one of those people, I think that this book will offer you a good resource to come up to speed quickly in the basics of digital forensics.
Where do you go from here? One thing to consider is gaining expertise in the “big two” of forensic software suites: AccessData’s Forensic Toolkit (FTK) and Guidance Software’s EnCase. Both of these vendors offer training and certification for these products. Other professional certifications include the Certified Forensics Examiner (CFE) from the International Society of Forensic Computer Examiners (ISFCE) and the Certified Forensic Computer Examiner (CFCE) from the International Association of Computer Investigative Specialists (IACIS).
You may also encounter a set of certifications and tools that are reserved for people in law enforcement. Frankly, there are elements of digital forensics that you will probably never get to do unless you are in law enforcement. However, the principles and processes that we cover in this book are appropriate for those of you who will be involved in incident response or internal investigations, since forensics techniques and technology are increasingly a part of incident response.
Before you take that next step in your career, you need to pass the CHFI certification examination. Passing this exam is complicated because of the breadth of the material covered (EC-Council lists 22 different subject areas). Nevertheless, take heart! This book will help you gain the knowledge needed for you to pass the exam. Read on!
The exam itself is computer-based and contains 150 multiple-choice questions with a few true/false questions thrown in. You have four hours to complete the exam. That’s a little under 40 questions an hour, or 1 question every minute and 30 seconds. Go ahead, take a deep breath, and count from 1 to 90 slowly (one thousand one, one thousand two…). That’s how long you could spend on every question and still complete the exam in the allotted time. Since there are some questions you can answer immediately, within five seconds or so, you don’t need to worry about running out of time. A passing score for the exam is 70 percent. For the mathematically inclined, that means that you need to answer 105 questions correctly to pass. Not quite as daunting as 150 questions, is it?
You will need to register for the exam at the EC-Council web site (www.eccouncil.org). The first step in the process is to apply to actually take the exam. Once you’ve been approved, you can purchase an exam voucher at the EC-Council online store, after which you can schedule your exam at a Prometric or VUE testing center.
I want to be very clear about this. This book will help you pass the exam. It will provide you with information you need to know to pass your exam, but it will not give you all the information and experience you need to pass the exam. Instead, it should help point you toward areas where you need more study or background. Take the practice exams, available for download. EC-Council also offers an online assessment that will give you a feel for the actual exam. Be tough on yourself while practicing with these exams. If you get a question right and you guessed the answer, you need to know what the correct answer is and why the other answers aren’t correct.
I’ve sat for a number of examinations, and I’ve developed a personal strategy that works for me. First, arrive early for the examination. Take a bio break and drink some water. Get loose. Walk around, shake your fingers, do whatever you like to do and need to do to loosen up. Don’t try to cram until the last minute. If you have a “cheat sheet” (a quick summary of important points), review that. A school of thought says you’ll remember the last thing you put into your head. Your moment of exam Zen: Remember everything and nothing. For most tests, you’ll be provided with an erasable pad and a marking pen. If you need to write down some information, write it on the pad before you even start the exam. This can save you time later and increase your accuracy, since you won’t have to rack your brains trying to remember details after you’ve been staring at a computer screen for an hour or so.
While you’re taking the exam, answer the question if you can. If you’re in doubt, mark the question and skip it. The answer may come to you as you proceed, or another question later in the exam may jog your memory or start you thinking in the right direction. Make sure that you read the question and all of the answer choices! If you choose the first answer choice that “looks right,” you may ignore a better answer choice following it.
After you’ve completed 30 questions or so, force yourself to stop, relax, take a deep breath, stretch, and look away from the screen. Moreover, blink! These exercises will keep you from tightening up, and blinking will keep you from developing dry eye from staring at the screen for too long. The point is to keep yourself mentally and physically relaxed and loose.
When you’ve completed the exam, take a minute or three to relax before you start reviewing the questions you’ve marked. Then go back and look at the questions you marked. If you’re still unclear, leave the question marked and proceed to the next question you’ve marked. If you can eliminate one or two of the answer choices, you’ll have a better chance of narrowing the choice between the other two. As far as I know, there is no penalty for wrong answers, so, if worse comes to worst, choose the answer that “feels” correct. Remember, everything you read or studied in the course of preparing for this exam is stored in your memory, and although you may not be able to recall it, you may do so subliminally—the answer just “feels right” or “looks right.” Trust me: It works. When you’ve answered the question, unmark it. Repeat until you have no marked questions, you run out of time, or you can’t stand to look at the screen any longer.
Thank you for picking up this book and reading. I truly hope that this book will help you along your career path, as well as helping you fulfill your dreams and ambitions. Digital forensics is a fascinating, constantly changing, constantly challenging endeavor. You may become frustrated, but you won’t be bored! The work that you do can help catch the bad guys and exonerate the good guys. Moreover, at the end of the day, that’s not such a bad way to occupy your time.
The following table has been constructed to allow you to cross-reference the official exam objectives with the objectives as they are presented and covered in this book. References have been provided for the objective exactly as the exam vendor presents it, the section of the exam guide that covers that objective, and a chapter and page reference.