Certifications Explained
In general, computer forensics is an unlicensed field which puts the burden on counsel to determine if a self-proclaimed expert has even basic knowledge of their trade. States that do have computer forensic licensing requirements usually regulate this specialty under existing private investigation (PI) laws. PI licensing requirements typically do not test the licensee’s computer knowledge let alone computer forensic skills.
A mix of non-profit and commercial entities provide independent third-party assessment of digital forensic knowledge. These forensic certifications can usually be grouped into two categories. Vendor neutral certifications which test general digital forensic concepts and vendor certifications which test proficiency in a forensic tool that the vendor sells. Note that all of the certifications listed in the tables below expire after a few years so attorneys should check that their expert’s credentials are currently valid. Links are provided below for doing this.
Vendor Neutral Certifications
| Certifying Body | Certification | Focus | Accrediting Organization | Written Exam Passing Score | Practical Media Exam Passing Score | Valid For | Continuing Education (CE) Requirement | Renewal Requires Retest | Check an Expert’s Status |
|---|---|---|---|---|---|---|---|---|---|
| IACIS | CFCE | Digital Forensics | FSAB | 80% | 80% | 3yrs | 40hrs | Yes | Verify |
| IACIS | CAWFE | Windows Forensics | 80% | 80% | 3yrs | 40hrs | Yes | ||
| IACIS | ICMDE | Phone Forensics | 80% | 80% | 3yrs | 40hrs | Yes | ||
| ISFCE | CCE | Digital Forensics | 70% | 70% | 2yrs | 40hrs | Verify | ||
| GIAC | GCFE | Windows Forensics | ANSI | 70% | 4yrs | 36hrs | Instead of CE hours | Verify | |
| GIAC | GCFA | Hacking Investigation | ANSI | 71% | 4yrs | 36hrs | Instead of CE hours | Verify | |
| GIAC | GNFA | Network Forensics | 70% | 4yrs | 36hrs | Instead of CE hours | Verify | ||
| GIAC | GCFR | Cloud Forensics | 62% | 4yrs | 36hrs | Instead of CE hours | Verify | ||
| GIAC | GREM | Malware Forensics | 73% | 4yrs | 36hrs | Instead of CE hours | Verify | ||
| GIAC | GBFA | Evidence Collection | 69% | 4yrs | 36hrs | Instead of CE hours | Verify | ||
| GIAC | GIME | Mac Forensics | 67% | 4yrs | 36hrs | Instead of CE hours | Verify | ||
| GIAC | GASF | Phone Forensics | 69% | 4yrs | 36hrs | Instead of CE hours | Verify | ||
| EC Council | CHFI | Digital Forensics | ANSI | 60-85% | 3yrs | 120hrs | Instead of CE hours | Verify |
Vendor Product Certifications
| Certification | Vendor | Product | Exam Passing Score | Valid For | CE Requirement | Renewal Requires Retest |
|---|---|---|---|---|---|---|
| X-PERT | X-Ways Software | X-Ways Forensics | 75% | 3yrs | Yes | |
| EnCE | OpenText | EnCase | 80%, 85% | 3yrs | 32hrs | |
| ACE | Exterro | FTK | 80% | 2yrs | Yes | |
| MCFE | Magnet Forensics | Axiom | 80% | 2yrs | Yes | |
| MCCE | Magnet Forensics | Axiom Cloud | 80% | 2yrs | Yes | |
| CCO (CCLO) | Cellebrite | UFED (intermediate) | 80% | 2yrs | ||
| CCPA | Cellebrite | PA (advanced) | 80% | 2yrs | ||
| CCME | Cellebrite | UFED/PA (capstone) | 80% | 2yrs | 21hrs | |
| MCE | MSAB | XRY | 70% | 3yrs | Yes | |
| MCA | MSAB | XAMN | 70% | 3yrs | Yes | |
| OFC (OFE) | Oxygen Forensics | Detective | Pass/Fail | 1yr | 24hrs | |
| CVSO | Berla | iVe | 80% | 2yrs | 20hrs | Yes |
| CVST | Berla | iVe | 80% | 2yrs | 20hrs | Yes |
| CVSE | Berla | iVe | 80% | 2yrs | 20hrs | Yes |
Other Certifications
Don’t see your expert’s certification listed above? Some computer forensic experts will list unrelated computer administration and computer security certifications amongst their credentials. Note that these certifications typically are not focused on digital forensics since they are about administering computers and securing them from attackers. A list of the more common certifications that fall into this category include: MCP, MCTS, MCSA, MCSE, MCITP, CISSP, CISM, GCIH, GSEC, A+, Network+, Security+, Server+, CCSP, LPT, CSSA, CEH, CISA, CCNA, CNE, PMP.
Experts need to take relevant training to meet the CE requirements for their certifications. These classes usually provide a Certificate of Completion which lists how many hours were attended. Some training classes distinguish between a Certificate of Attendance for showing up to class versus a Certificate of Completion which shows that attendees were able to pass a knowledge test at the end of the training. Some experts have started listing Certificates of Completion for training classes in their credentials. Common certs that fall into this category include: CMFF, CASA.
The following digital forensic certifications have been listed by their certifying bodies as discontinued in the year shown in parentheses: CBE (2023), CMO (2021), MiCFE (2021), CCFP (2020).
*The above information is my opinion based on the publicly available information for each certification and how it fits into generalized categories. For more detailed and current information about a specific certification, please contact the respective certifying body.