This article outlines the top professional certifications for digital forensic investigators. In addition to discussing the certifications most commonly preferred by employers, we’ll look at the skills and education needed to succeed in this growing field. Finally, we’ll examine the growth and salary potential for trained digital forensic investigators.
Many of today’s most in-demand jobs are in the areas of cybersecurity and digital forensics. These two specialties are closely related, with cybersecurity techniques generally applied to prevent and mitigate cyber-attacks and digital forensics principles used to investigate an incident after the fact.
According to Techopedia, digital forensics is “the process of uncovering and interpreting electronic data. The goal of the process is to preserve any evidence in its most original form while performing a structured investigation by collecting, identifying, and validating the digital information for the purpose of reconstructing past events. The context is most often for usage of data in a court of law, though digital forensics can be used in other instances.”
Digital forensics skills
Digital forensics is a technical field requiring professionals to systematically apply investigative techniques. Successful investigators must have extensive knowledge of computers, mobile devices, and networks, including how processors, hard drives, software, and file systems work. Understanding how data is stored and accessed on digital systems and in the cloud is essential.
Analytical skills and the ability to use evidence-based reasoning are essential for discovering and understanding how a cyber-attack may have occurred on a system and what data was exfiltrated or exposed. An in-depth understanding of how cybersecurity solutions work helps investigators learn how bad actors may have compromised an organization’s cyber defenses.
A working knowledge of legal principles will guide a digital forensic investigator as they collect evidence that may be used in a criminal court case. The ability to preserve evidence and prove the chain of custody for information gathered as part of an investigation is crucial. Forensic investigators must know relevant laws in their country and abroad.
While not always required, many governmental agencies prefer previous law enforcement experience when hiring digital forensic investigators. An understanding of the types of evidence that are likely to be admissible in court, for example, becomes an essential part of a cyber-attack investigation. On the other hand, private businesses are more interested in protecting their systems and data than apprehending and prosecuting cybercriminals.
Because digital forensic findings can be used by law enforcement and other investigative agencies and organizations, the ability to write and communicate effectively using the vocabulary and terminology of computer science as well as law enforcement is helpful.
Digital forensics education
Many colleges and universities offer a bachelor’s degree in digital forensics or something very similar. Such a degree could easily be considered the ideal entry-level degree for working as a forensic investigator. Other related degrees include a bachelor of science in computer science or computer engineering. Many employers prefer a bachelor of science in cybersecurity over other associated degrees.
Governmental agencies may prefer a candidate with a bachelor of science in criminal justice degree. And, for most jobs, a minimum of five years of work experience will also be required.
A master of science in cybersecurity is ideal for advanced forensic positions, and of course, those with a Ph.D. in computer science can often forgo the previous work experience required by many employers.
Top vendor-neutral certifications
Vendor-neutral certifications are offered by professional organizations that are not associated with a specific product or service; rather, these certs apply to the field of forensic investigations generally.
The certifications discussed below are presented in alphabetical order, and this is not intended to be an exhaustive list. Indeed, dozens of professional certifications could, in one way or another, be helpful for those working in the field of forensic investigations. We have included the certifications that most often surface when seeking employment as a digital forensic investigator.
CDFE (Certified Digital Forensics Examiner): NICCS
The CDFE program from the National Initiative for Cybersecurity Careers and Studies (NICCS) is designed to train cybercrime and fraud investigators. Security professionals are taught electronic discovery and advanced investigation techniques. This training is intended for anyone encountering digital evidence while conducting an investigation.
CDFE certification is provided through Mile2. Mile2 is an information technology security company that produces and delivers proprietary accredited cybersecurity certifications. Their technology security programs are utilized in the private and public sectors, including by Boeing, Canada’s Department of National Defense, the National Security Agency, the United States Air Force, and the Committee on National Security Systems.
CHFI (Computer Hacking Forensic Investigator): EC-Council
The CHFI from EC-Council is a comprehensive, ANSI-accredited, lab-focused program designed for professionals working in information system security, computer forensics, and incident response jobs. The EC-Council training covers forensic principles for Windows, Linux, Mac OS, and mobile devices.
The CHFI certification is awarded after passing a 150-question multiple-choice exam within the allotted four-hour time limit. A passing score will range from 60 percent to 78 percent, depending on the cut score of the particular exam taken.
EC-Council (The International Council of Electronic Commerce Consultants) is a New Mexico-based organization that offers cybersecurity certification, education, training, and services in various cybersecurity skills.
CFCE (Certified Forensic Computer Examiner): IACIS
The CFCE certification program from IACIS is based on a series of core competencies in digital forensics. The program comprises two phases:
- Peer Review Phase – Candidates complete four scenario-based problems, guided by a forensic professional through a mentoring process in which candidates can present reports or assessment documents after finishing each practical exercise.
- Certification Phase – An independent exercise in which the candidate must complete a functional exercise and a written final examination. Upon successful completion, the candidate will be awarded the Certified Forensic Computer Examiner (CFCE) certification.
The IACIS (International Association for Computer Information Systems) was formed in 1960 as the Society for Automation in Business Education. The primary purpose of the founding organization was to promote an understanding of the use of computers in training business students. In 1969 the organization incorporated and changed its name to the Society of Data Educators.
GCFE (GIAC Certified Forensic Examiner): SANS
The GCFE certification from GIAC Certifications in partnership with SANS validates a security practitioner’s understanding of computer forensic analysis. The program concentrates on the core skills needed to collect and interpret data from Windows computer systems. GCFE certification holders have the knowledge, skills, and ability to perform typical incident investigations, including forensic analysis and reporting, evidence acquisition, browser forensics, and tracing user and application activities on Windows systems.
The primary areas covered during GCFE training and testing are:
- Windows Forensics and Data Triage
- Windows Registry Forensics, USB Devices, Shell Items, Email Forensics, and Log Analysis
- Advanced Web Browser Forensics (Chrome, Edge, Firefox, Internet Explorer)
GASF (GIAC Advanced Smartphone Forensics): SANS
The GASF, like its sister certification GCFE, is offered by GIAC Certifications in partnership with SANS. The program concentrates on forensic analysis of contact lists, email, work documents, SMS messages, images, internet browsing history, and application-specific data commonly used with smartphones.
The primary areas covered during GASF training and testing are:
- Fundamentals of mobile forensics and conducting forensic exams
- Device file system analysis and mobile application behavior
- Event artifact analysis and the identification and analysis of mobile device malware
The SANS Institute is a private company founded in 1989 specializing in information security, cybersecurity training, and professional certifications. Topics available for training include cyber and network defenses, penetration testing, incident response, digital forensics, and auditing.
GIAC (Global Information Assurance Certification) partners with SANS to validate the skills of cyber security professionals in the critical areas of computer, information, and software security.
Top vendor-specific certifications
Vendor-specific certifications are offered by companies that provide solutions used in forensic investigations. These certs indicate a level of proficiency in the use of specific products and tools.
Earning a vendor-specific certification can be especially important when seeking employment with a company that has standardized on a specific tool. When two candidates have similar qualifications but only one of them is certified in the organization’s preferred investigative tool, hiring managers will tend to hire the person who will require the least amount of on-the-job training.
EnCE (EnCase Certified Examiner): OpenText
The EnCE program from OpenText Corporation certifies security professionals in the use of OpenText EnCase Forensic software. EnCE certification validates that practitioners have mastered the computer investigation methodology and the use of EnCase software during complex computer examinations.
EnCEP (EnCase Certified eDiscovery Practitioner): OpenText
The EnCEP, like the EnCE, is offered by OpenText Corporation. This certification validates the use of the OpenText EnCase Information Assurance software and the candidate’s proficiency in eDiscovery planning, project management, and best practices, spanning legal hold to load file creation.
OpenText Corporation is a Canadian company that produces and sells enterprise information management software. OpenText is Canada’s largest software company as of 2014 and is recognized as one of Canada’s top 100 employers.
Paraben offers mobile forensics training and digital forensics training programs. They provide a variety of courses from the fundamental level to advanced levels. Each course is designed around lectures, labs, and testing to receive the certification included with the course.
Companies and organizations of all types rely on digital forensics to protect their data and systems by learning how attempted and successful attacks are structured and delivered. Law enforcement and governmental agencies use these same forensic techniques to attribute attacks and find cyber bad actors.
Computer forensic technicians are in demand at police departments and other law enforcement agencies, including intelligence gathering services and the various branches of the military. Corporate investigators are needed at banks, law firms, consultancies, and nearly every type of company.
In a day and age when the validity and accuracy of news agencies often come into question and under scrutiny, newsgathering companies must use proven digital forensic techniques to verify and substantiate sources for the news they report. If, for example, a news reporter investigates a cybercrime without protecting the original digital sources such as computers or cell phones, the evidentiary value of those devices could be compromised and further investigation and prosecution hampered.
Many corporate security teams combine digital forensics and incident response roles into a DFIR team. This team of experienced security practitioners is responsible for responding to cyber-attacks and incidents and investigating the aftermath to assist in recovery efforts and help prevent similar breaches in the future.
Career track and salary information
The Bureau of Labor Statistics (BLS) indicates that the job outlook for Information Security Analysts (a common labor grouping for digital forensic investigators) is expected to grow much faster than average. The projected growth rate for these jobs is 33 percent between 2020 and 2030. The BLS cites the 2020 median pay for this job as $103,590.
According to Salary.com, the median salary for an entry-level computer forensic analyst in the United States is $66,007. PayScale lists the average base salary for a computer forensic analyst at $75,120 and the high end of the base salary scale at $119,000.
Every day the news contains a report of another cyber-attack. Cyber Security Intelligence reports that “Across the board, authoritative cyber security researchers say that the threat of ransomware isn’t going away and they predict that the frequency, intensity and sophistication of ransomware attacks will significantly increase in 2022.”
As the incident rate of cyber-attacks rises, the need for trained and certified digital forensic investigators increases too. Hiring managers use professional certifications to validate a candidate’s skills and expertise.
While some certifications signify knowledge of digital forensics generally, others are designed to represent an individual’s proficiency with a particular investigative tool. Which type of certification is right for you will depend on the jobs you are interested in and whether or not the employer you desire uses a forensic tool that offers a certification.