CHFI - EC-Council Certified Hacking Forensic Investigator Quick Study Guide

there is a high demand for Certified Hacking Forensic Investigator graduates, commanding salaries as high as $85,000 to $120,000 per year. This hub is based on my experience taking the certification test through Western Governors University and should help you prepare for the exam. It should be noted that this article merely suggests items that you may wish to familiarize yourself with and in no way is a confirmation of what may or may not be on the exam.

The CHFI, Certified Hacking Forensic Investigator, exam is 150 questions long and you have just over 4 hours to complete it. Before you go in, it's recommended that you have the knowledge equivalent to the Certified Ethical Hacker level. As with all big exams, you should try to get a good night's rest and a good breakfast, but don't eat anything that might give you stomach problems during your test. Save the celebration until after you've passed!

Some of the information you'll need to study for your CHFI certification might seem somewhat sketchy at first. It might even seem like you're learning many of the dirty little tricks that the bad guys use. As an Ethical Hacker or Forensics Investigator, you've got to understand the vulnerabilities of your systems and the methodology of those individuals or groups who might use their hacking abilities to further their own gain, or stifle the gain of someone else.

Hacking Attacks & Device Mechanics

• What is a Fraggle attack?
• What is a Smurf attack?
• What is a Syn Flood?
• What is DNS Poisoning?
• How many characters is an MD5 Hash?
• What does a sheepdip do?
• What type of evidence might be stored in a StrongBag?
• How do you hide a file using Mac OS X?

• Define the Trademark Law.
• What is a Servicemark?
• What is a patent?
• The legal sequential numbering system is popular among lawyers and is used in pleadings.
• Evidence Format = aaa/ddmmyy/nnnn/zz (You might want to understand what each of those letters means, in the event you ever have to handle potential evidence.)
• What is specified in Title 18, Section 2703(f)? If an investigator contacts an ISP or phone company, citing this title, what can they expect to receive in return? What must the investigator provide the company in order to seize records of customers? What about employees?
• What's the difference between expert testimony and opinion testimony? Who is authorized to be an expert witness? How is this authorization established? What type of testimony can be expected from a lay witness?
• Explain the Copyright law. How long does a copyright stay valid once established?

• What are the 7 layers in the OSI Model and what devices and protocols operate at each layer?
• At what layer of the OSI Model would a NIC in promiscuous mode operate on?
• Define the services that run on these well known ports: 21, 22, 23, 25, 80, 110, 115, 137, 138, 139, 143, 161, 162, 389, 443

• What does the dd command do?
• Can you use the dd command in Windows?
• How do you use the dd command to make a backup of the master boot record in Linux?
• How do you use the dd command to make a backup image of the slave device on the secondary IDE cable?
• Where are print jobs spooled on Linux servers?

What are Alternate Data Streams?

• How do you hide files using ADS?
• How can you detect Alternate Data Stream files?

File Deletion and Data Recovery

• What does Encase need before it can perform searches?
• How is the Recycle Bin handled on systems using the FAT drive formatting standard? Where is this folder located?
• How is the Recycle Bin handled by Windows NT, 2000, and XP using the NTFS standard? Where is this folder located?
• How is the Recycle Bin handled by Windows Vista using the NTFS standard? Where is this folder located?
• Where must you search to recover NTFS files?
• Where must you search to look up deleted FAT partitions?
• What is a lost cluster?
• What is a sector?

Ports

• Define the services that run on these well known ports:
• 21, 22, 23, 25, 80, 110, 115, 137, 138, 139, 143, 161, 162, 389, 443

Portable Devices

• Where do iPods store contact information?
• What type of encryption is used by Blackberry devises?
• How do Blackberry devices handle email messages?

What are vector graphics? As far as computing graphics are concerned, vectors can be described as the use of geometric primitives such as curves, lines, polygons, points, and shapes -- which are all based upon mathematical equations -- to represent images. In this manner, enlarging a vector image doesn't impact the image quality. The mathematical expressions allow the image to retain its quality as you resize it. The key point here is that the image is not static by nature, but allows flexibility.

• What is lossy compression? Lossy compression occurs when a reduced instance or a file is restored imperfectly.
• What is lossless compression? Lossless compression occurs when a full instance of a file can be restored for a high compression ratio. The results should be without flaw, or perfect.

This article is not meant to be an exam cram or all-inclusive study guide for the Certified Hacking Forensic Investigator test. As with all certifications, potential testers should take time to read over the certification knowledge requirements and ensure they are comfortable they meet the standards held by the organization offering the certification in question.

For more information, please see the official EC-Council Website:

• Certified Hacking Forensic Investigator
• Official EC-Council CHFI version 4 Brochure

As of this writing, Brady Frost has over 12 years of experience in the Information Technology industry with a completed undergraduate degree in Internet Systems Software Technology. He is currently working on his graduate degree through Western Governors University in Information Security and Assurance and holds the following applicable certifications:

• Microsoft Certified Professional (MCP)
• CompTIA Security+
• CompTIA Network+
• EC-Council Certified Ethical Hacker
• EC-Council Certified Hacking Forensic Investigator