Cyber Security Forensics

CHFI v9 Certified Hacking Forensic Investigator Certification

This certification is offered by EC-Council, which claims that the average salary for CHFI certification holders is between $85,000 and $120,000. Sounds great, right?

Prep: Took a course in computer forensics, used it to study for the exam, and it is telling me that I am doing well enough to pass. Am I ready?

After taking this exam this past weekend and passing, I would ask you a few more questions.

1) Have you ever had work experience in this field? Work experience can go a long way when taking these exams.

Also, my proctor had taken and passed v8 of this exam, and after having a discussion with him about some of the content that I came across, it was very obvious to both of us that EC-Council was not playing any games when they said they were increasing the difficulty of this exam with the release of v9.

I do not want to discourage you whatsoever, as the time put into this will be worth it when you achieve this certification. Just know that if I had relied on just Skillset (pretty sure they are still using v8 questions) and a college-level forensics course for all of my information before taking this exam, I would not have passed.

Recommendation: Look into your organization's training budget options for its team members. If you have unlimited funds, hands down go with SANS FOR508. This advanced forensics, incident response, and threat hunting course has gotten rave reviews, but the price tag is going to run you over $6,000 for the course, and if you end up doing their DFIR NetWars program (worth it: two nights of fun and learning whether you are a beginner or already a pro) and go on to take their GIAC Certified Forensic Analyst (GCFA) exam, you are looking at around $7,000 plus a hotel stay. Once again, more than worth it if you can get your organization to comp it. (Keep reading till the end for a way to get some serious savings on this course.)

If you can't afford SANS at this time, or the locations of their training aren't convenient at this point, look into local boot camps closer to your home, a 5-day course preferably. If you are taking something shorter you may not be prepared for questions about where the Google Drive artifacts are located or what is located within HKEY_LOCAL_MACHINE (folder specific). This is one exam you cannot be over-prepared for.

The other option is studying the old-fashioned way. Hop on Amazon and grab your study guide, but please, please, please look at the date the book was published! Be sure you get the most recent edition as well! Click on that Amazon link and it will take you to the most current edition; even though it's not the cheapest ($55), it will be worth the extra $20 spent on it.


Study hard and go CHFI.

P.S. I did promise a little trick to get your SANS course cheaper. It is called the SANS Work Study program. You have to apply and be chosen for the event, and sometimes you do not get selected for the exact class you were hoping for (you give them a selection of your top 5-10 choices). You must be able to arrive a day early for the training, show up early for registration, and stay through your lunches to watch over the instructor's equipment, but it gets you a pretty stellar discount. Instead of $6,000+ you are looking at $1,200 out the door for a whole week of training! If your company is paying for the event, give someone else the chance to do the work study, but if you are paying out of pocket and it's close enough to commute, DO IT!


Work hard, study harder, go get that cert.

The Top Five Computer Forensic Tools

Forensic tools are something that need to be updated on a regular basis. Whether because of patches, new hardware, or just a changing technological landscape, tools must be maintained in order to remain relevant. Ongoing support is just one of the reasons that the tools discussed in this article are among the most used in the forensic community. The capabilities and usability of the tools are what we will discuss here today as the reasons why, in my opinion, these tools are some of the most used.

Forensics is the retrieval, collection, and interpretation of computer data without the corruption of that data. Therefore the best tools should be able to produce discoverable, unfiltered accounts of a suspect's data, activity, and electronic records. Guidance Software has developed a phenomenal product, which I discussed in week one's post (EnCase Forensic Imager, 2013). EnCase Forensic Imager is able to save forensic investigators hours and hours of combing through large amounts of forensic computer data that may or may not be relevant to the case they have. EnCase does this not just through the speed with which it can search and collect data, but also through its built-in automation. Of course it performs, but it is also one of the top sellers in the forensic community according to their website. Here is the kicker: $$$$$. If you are looking for something to just get your hands dirty with, this is not the tool for you. This is for the organization that is looking for a new PRODUCT to write off on its taxes! For getting your hands dirty with a forensic toolkit, look no further than the next line.

SIFT (SANS Investigative Forensic Toolkit) has to come in second place (FREE). It comes in second place because it is an excellent combination of open source tools that are all updated and worked on by the community (not to mention a pretty cool acronym). I am partial to Ubuntu or Linux-based systems, and this had a lot to do with me choosing it for my number two, along with the fact that anyone who takes a SANS training course (more to come on these later) will get some serious hands-on training with this toolkit. Some of these tools are world class and some of them are only usable on specific versions, but nonetheless, because of the popularity of SANS certifications and the number of people going through their certification process (myself included), I would say this is one of the top five forensic tools. This is an excellent example of how SANS practices what it preaches (keeping it up to date as well) and also promotes what it preaches. The SIFT install directions are available on YouTube.

ProDiscover Forensics is going to end up as number three on the list. It is categorized as one of the top tools used for a few reasons, the first being that it is a free tool. Free means lots of individuals are able to handle the steep price, and the quality that comes along with it is acceptable. This tool specifically goes into preparing legal reports with all of the data that is relevant to the case, previewing all files along with their corresponding metadata, and cross-referencing data to make sure nothing is hidden (Shakeel, 2016). With this in mind it is an excellent tool for smaller organizations that are either getting their forensics function up and running or looking for new tools to expand their craft.

Xplico is tool number four; it is a network forensic tool used to reconstruct the contents of packets captured with Wireshark and similar sniffers (Shakeel, 2016). This tool can take these packets and output the reconstructed data into multiple types of databases, which makes it flexible, and there is no size limit on the data entry, which makes this tool excellent for an investigation of any size. This tool is loaded by default into many of the main penetration testing Linux images, such as Kali Linux, which makes it one of the most widely used tools on the market.

X-Ways Forensics is one of our final contenders for most used forensic tool. It is capable of running off a USB drive and will make complete disk images that identify lost and/or deleted partitions as well. This is a very popular tool, and it lives up to its name.

These, in my opinion, are my top five forensic tools. I use Kali Linux frequently, so this list does not include any packet sniffers such as Wireshark or web app analysis tools such as Burp Suite.

References and Tools:

Access Data. (2017). Retrieved June 5, 2017, from

Arsenal Recon. (2017). Retrieved June 5, 2017, from

Carrier, B. (2017). Open Source Digital Forensics. Retrieved June 5, 2017, from

EnCase Forensic Imager v7.06 User's Guide [PDF]. (2013). Guidance Software Inc.

Guidance Software. (2017). Retrieved June 5, 2017, from

SANS Institute. (2017). SANS Investigative Forensic Toolkit (SIFT) Workstation Version 3. Retrieved from

Shakeel, I. (2016, December 14). 7 Best Computer Forensics Tools. Retrieved May 18, 2017, from