Topic: CHFI - my experience (Read 16912 times)
cafepithecus (Newbie, Posts: 1)
CHFI - my experience « on: April 01, 2011, 03:32:37 PM »
Hello everyone! I’ve been a lurker on these boards for a while and recently went through the CHFI course/certification (version 4). I wasn’t finding a WHOLE lot on the Internet about this exam when I was going through it – at least compared to other exams in this field -- so I wanted to post my experience for those looking to take it in the future (both members of this forum, and the random Google searcher).
I currently work in law enforcement and studied criminal justice in undergrad, so I am familiar with a lot of the legal realm, along with investigative and forensics methodology. I don’t actually work IN forensics, but I definitely work alongside them and have more familiarity than the average person would. I also have had a personal interest in computers since I was a kid, and again, while I don’t have actual job experience with them, I definitely had some background knowledge going into this.
THE COURSE
I decided to start my computer forensics training/education with CHFI mainly because a friend of mine works in the field and has it, and recommended it as a good introductory course. I was spending my own money on this and had been warned about unauthorized training partners, so I decided to go straight to the source and take the online course through EC-Council. I received four thick books and four DVDs.
The books – horrible grammar, repetitive, and yet contradictory in many instances – just awful. I found out later that EC-Council outsources their publishing to Malaysia, and it shows. Also, many, MANY pages simply detailing many different types of programs that do essentially the same thing for whatever topic is being discussed in that chapter. I was getting frustrated thinking I needed to memorize all of these random programs, many of which are outdated at this point anyway. How is that testing my computer forensics knowledge???
The DVDs – wildly disorganized. The DVDs did have a TON of additional information on them, but I had no way of knowing what was just additional reading material, and what might actually be on the exam. This was my same issue with the book. Tons of random info and no real guidance on what was going to be on the test.
Both the books and the DVDs just seemed to be thrown together with a bunch of random information in as “padding”. It was infuriating, to say the least. The online lectures were okay, but went extremely fast and didn’t always add up to what was in the books. Additionally, I didn’t receive a lab manual OR a fifth book. They didn’t bother to tell me when I ordered it that all those materials were on the DVD and I had to print them out myself (good thing I asked). So after paying nearly $1500 on the course, I still had to use my own paper and ink to print a thousand, if not more, extra pages. Are you kidding me???
Each module in the online lectures had a quiz review, which you’d think would be good practice for the exam…. except that a lot of the answers were incorrect and in exact opposition to what I was looking at in one of the books in front of me. Additionally there were a few questions where the answer was A, B, and C, and when I chose “D” for “all of the above”, I got it wrong because apparently I should have checked A, B, and C separately. There were also a lot of questions that were worded very strangely and vaguely. Needless to say this stressed me out even more since I had no way of knowing if these questions were similar to those on the real test – which would have been INFURIATING. If you’re going to put together questions like this as part of a training aid, it would be nice if you gave the correct answers.
I was so disappointed in the course materials that I ended up getting a refund for the entire course, thankfully. This was the ONLY reason I went forward with the certification exam. I do have to say that they did not put up a fight about the refund, which I appreciate, however it leads me to believe that they are well aware of the horrible quality of their course materials.
THE EXAM – PREP PHASE
I was stressing about this exam A LOT after finishing EC-Council’s online course. I did learn a lot from it, but considering I am new to the field anyway, of course I was going to take SOMETHING away from it. I was stressing so much that I purchased several other books just as background reading.
STUDY MATERIALS
- File System Forensic Analysis by Brian Carrier
- Real Digital Forensics: Computer Security and Incident Response by Keith Jones, et al.
- Forensic Discovery by Dan Farmer (came as part of a boxed set with above)
- CompTIA Network+ Study Guide by Todd Lammle (for basic networking background that I didn’t have)
- The Official CHFI Study Guide by Syngress Publishing
Ah, the study guide. I only purchased it because the course materials from EC-Council were so infuriatingly disorganized. I attempted to go through and make my own study guide based on the objectives that I downloaded from EC-Council’s web site, but that probably would have taken me an entire month’s time, and didn’t I pay $1500 for decent training materials in the first place??? However, they were what they were – no fixing that -- and I figured it was worth the extra $50 just to lower my stress level a little bit. Plus, it advertised a free sample web exam. Even after the online course and all the material on the DVD and in the books – I did not feel at ALL prepared for the exam. The whole point of the study guide is to give you some direction on what things to concentrate on and view sample questions, etc, right? Well.
I found out AFTER I purchased the book – which is advertised on EC-Council’s web site as the “official” study guide – that it is actually for the previous version. So while a lot of the material is the same, it’s still outdated and from 2007. Not only that, but the “free, web-based sample exam” that is advertised on the book – and one of the main reasons I purchased it – is no longer available. I e-mailed Syngress repeatedly and never received a response. I was (am) not amused.
THE EXAM – EXAM DAY
I took the exam through Pearson Vue at my local community college after doing the background reading and studying for a little over two months. Frankly at this point I didn’t really care whether I passed or not, since I got the course for free and was just completely fed up at this point and wanted it over with. Not to mention that nobody in this area seems to have ever heard of this test, and even the testing center guy said I was the first one to take it since he’d been there (several years). I’d really just had it with this entire thing.
I finished the test in about fifteen minutes and got an 80% (needed a 70% to pass). The questions were a lot clearer than I was expecting, however there were a few that were a little tricky. I was disappointed I couldn’t view the questions that I got wrong. All of the questions had only one answer though, none of this “A and C” or “all of the above” stuff (whew!).
There were quite a few questions that I would NOT have known the answer to if I had not done all the background reading on my own. Things that were not covered anywhere in the official courseware or the study guide. Since I already got an 80% as it was, I’m not sure I would have passed had I not done my extra reading.
I had read on various forums that I should focus a lot on the laws when studying, which I did, and reviewed right before the test. Oddly though, I didn’t get ANY questions on anything legal.
CONCLUSIONS
Really, I don’t know. My friend had a good experience with this certification, but she took the training through InfoSec. That might be a better option if you are looking to take this class. AVOID EC-Council’s materials. I really have no faith in them at this point and they really just seem like a scam to me. I did the certification exam because I got most of my money back – so I really wasn’t losing anything. But I can’t believe they charge almost $1500 for that garbage. Their training is just HORRIBLE and I cannot stress that enough.
I was looking forward to taking CEH because it sounded interesting, but I will be avoiding EC-Council from now on. I do have to say that my friend was right; this course WAS a good introduction to the field, but most of that was due to the fact that I was forced to do so much extra reading on my own.
Does the certification mean anything? I don’t know. I really just wanted a training class to dip my toe into the subject, and also show that I had some type of foundational knowledge, since I’ve never taken any formal classes in computer science. It wasn’t much of a waste since I got a refund, but would I recommend it to others? No, especially if you are spending your own money like I did. If your job is paying for it, why not?
This post is a little long, however I wish I had read something like this before I took the class. If other people had good experiences with EC-Council and this exam, great! Unfortunately I did not.
BillV (Hero Member, Posts: 1892)
Re: CHFI - my experience « Reply #1 on: April 01, 2011, 03:43:13 PM »
cafepithecus,
First of all, welcome to the EH-Net community! Thank you for such an elaborate post on your experience with the CHFI materials, course, and exam. This will surely help answer questions for others in the future.
Sorry to hear that your experience was such a bad one.
don (Editor-In-Chief, Administrator, Hero Member, Posts: 4169)
Re: CHFI - my experience « Reply #2 on: April 04, 2011, 12:41:14 PM »
Never too long of a post when you're helping others.
Thanks and welcome to EH-Net,
Don
CISSP, MCSE, CSTA, Security+ SME
chrisj (Hero Member, Posts: 1163)
Re: CHFI - my experience « Reply #3 on: April 04, 2011, 12:54:23 PM »
I actually liked this post and found it useful. The CHFI is on my current 3 year plan.
I know now to save my money on the course and self study like mad for the cert. When I get there.
OSWP, Sec+
2mike19 (Newbie, Posts: 2)
Re: CHFI - my experience « Reply #4 on: April 04, 2011, 04:32:02 PM »
Thank you Cafepithecus for your great review. I am on the track to take this and with your review - glad I'll be saving a few bucks.
Just another nerd...
Joshsevo (Sr. Member, Posts: 278)
Re: CHFI - my experience « Reply #5 on: April 05, 2011, 01:23:43 PM »
Yes thank you for the review. If you read over some of the threads you saw that I am interested in taking this cert. I am still planning on it and I will be doing the reading also and see how that goes.
I actually had the CHFI through InfoSec all paid for and booked but had to change it because of a conflict in my schedule. I would be taking it next week actually had the conflict not happened. I moved my money to the CEH course instead and will take the CHFI in Aug I think.
Once I am done with the cert also I will also post a review of my experiences.
Thanks again.
Security+, Network+, C|EH, CHFI, CPT
kaiax33 (Newbie, Posts: 3)
Re: CHFI - my experience « Reply #6 on: May 15, 2011, 12:11:06 PM »
New to EH, lurker for years. Great info here.
I think this is a great writeup and really appreciate the insight. I'm actually sitting in the EC-Council's CHFI class at this very moment and will sit for the CHFI exam in a few days. Fortunately, I currently work in the field and have a few vendor certs in this area. I am worried that we seem to be spending an inordinate amount of time in class on things like "photographing the crime scene" and "legal issues of forensics". We have yet to actually do a single lab or any hands on stuff, although we were required to bring our own laptop with WinXP VMs ready to go. I paid over $2,000 to sit in this class and was offered the actual hardcopy of the courseware for another $250, but declined (based on this post). You GOT to be kidding me. They did throw in lunch. I overheard one attendee comment, "This is the best $2000 fajita I've ever had."
(We did receive an iPad2)
I had the same experience with the CEH exam a few years ago using the EC-Council Official Curriculum. Disjointed, too much info, unclear practice tests, and just a lot of rote memorization, none of which appeared on the actual exam. First time I've ever failed any certification exam, so I was a bit perturbed.
How much would this organization benefit from a proof reader or decent content developer?
CPP, ACE, CISSP, CISM
R3B005t (Newbie, Posts: 43)
Re: CHFI - my experience « Reply #7 on: May 16, 2011, 08:30:14 AM »
Well there goes my faith in EC council, I was going to do a write up on the sheer amount of padding in their courseware but looks like someone beat me to the point. I can't begin to figure out how EC took such a bad turn. It seems that the organization needs to take a long hard look at its materials. Until I hear otherwise I'm going to remove them from my list of certs to get.
kaiax33 (Newbie, Posts: 3)
Re: CHFI - my experience « Reply #8 on: May 16, 2011, 11:04:08 PM »
Quote from: R3B005t on May 16, 2011, 08:30:14 AM
Well there goes my faith in EC council,
Mine too...and I'm sitting for the exam tomorrow.
Just FYI, I just checked the CHFI class v4 TOC and there are over 4,000+ pages of material for you to cover (not including labs)!!! There is another complete DVD filled with "extra material" which is essentially just a huge conglomeration of whitepapers and stuff from academic journals on anything even remotely technical, that they couldn't fit in the slides....and which I'm sure is considered testable. Today I did get a question on what attack uses UDP packets (Fraggle), which I'm not sure is relevant or a priority in this course given the amount of real forensics material they could cover.
After this exam, I'm pretty much done with EC-Council. Bring on the SANS forensics courses or vendor specific stuff for me.
CPP, ACE, CISSP, CISM
sil (Hero Member, Posts: 549)
Re: CHFI - my experience « Reply #9 on: May 17, 2011, 08:12:37 AM »
Welcome to the beautiful world of marketing. Aside from any certifying body, what have you done for yourself via way of training? CHFI courseware is mainly bloat. It likely STILL consists of hundreds of tools of which about 99.9% are never used in a real world forensic setting. Does this mean they're not worth learning, no, what it means is that you as a student/professional need to make sense of it all. Find what works, what doesn't, what others in the industry use, and focus on those. Learning any of the tools though is beneficial as one size will never fit all.
The big issue I had and have with CHFI is that it is not applicable to real world hardcore forensics, and you'll likely gain nothing more than the knowledge of a bucketload of tools, 99.9% you will never use or even recall. If in the event of say going to court, most of these tools would be worthless as there is more of a reliance on EnCase and Access Data's FTK as being the "industry standards." With that said again, does it mean you shouldn't know about alternatives? Not really.
The same goes for SANS 408. Let's have a cherry picked brief look:
Windows File System Basics
Presentation and Reporting of Evidence and Analysis
Windows XP, VISTA, and Windows 7 Investigation and Analysis
Windows In-Depth Registry Forensics
Facebook, Gmail, Hotmail, Yahoo Chat and Webmail Analysis
E-mail Forensics (Host, Server, Web)
Microsoft Office Document Analysis
Windows Link File Investigation
Windows Recycle Bin Analysis
File and Picture Metadata Tracking and Examination
Prefetch Analysis
Firefox and Internet Explorer Browser Forensics
Deleted File Recovery
String Searching and Data Carving
Fully Updated to include full Windows 7 and Server 2008 Examinations
Examine cases involving Windows XP, VISTA, and Windows 7
What is missing from this picture? Here is a better question: "What will you be good at after this course?" Answer? Windows forensics. Nothing more. You WILL learn a lot more from SANS courses and you WILL LEARN real world applicability of REAL WORLD tools and scenarios. But at the end of this course, you will be a mighty fine WINDOWS forensics professional, maybe even expert. Problem is, you will be stuck in a Windows world. You may *touch* on some *nix based topics, but a TCT expert you will not be.
Now what about SANS 508 (Advanced Forensics)? Cherry picking here: (Day 2) "Advanced digital forensic investigation methods using: Intermediate Registry Analysis, Shadow Volume/Restore Point Examinations, Super Timeline Analysis, and Finding Unknown Malware using memory, artifact, and file system analysis"
Registry? How does this help me in analyzing a compromised Solaris/RHEL/Tru64/etc network? What have I learned from say the network analysis and forensics side? So classify what you would like to learn and now re-ask the question: "who do you think can best teach it to you?" The realistic answer is: Yourself.
You need to set the stage of what is applicable and what is not. See what others are doing and why they are doing it. You WILL get more bang for your buck by going with SANS 100000% do not misinterpret my words, however, even that (going with SANS) is open to interpretation as it is all about marketing.
So regardless of who is delivering what (EC-Council, SANS, etc.) at the end of the day there is always going to be heavy marketing but this does not mean you won't gain anything from either or (EC/SANS) it's all about what YOU TAKE from it. The EC-Council books are horrible however, a good instructor will understand what they need to show you in order to be a decent forensics professional regardless of the content of the book.
Anyhow, for those looking for resources from the *nix side of the equation, I suggest:
http://staff.washington.edu/dittrich/misc/forensics/
http://www.deer-run.com/~hal/IntroToDigitalForensics.pdf
http://www.porcupine.org/forensics/
http://www.forensicfocus.com/
End of rant/rambling
http://www.infiltrated.net/mgz/puppylecter.jpg
ziggy_567 (Sr. Member, Posts: 361)
Re: CHFI - my experience « Reply #10 on: May 18, 2011, 08:58:39 PM »
@Sil
It's funny you should reference Deer Run as Hal Pomeranz is one of the instructors for SEC 408 and SEC 508. If you were to take either class with him, you could find no better instructor on *nix forensics. You may not get it through the regular course, but he's available outside of the class for questions.
Btw, I took SANS 506 with him...
--
Ziggy
eCPPT - GSEC - GCIH - GCUX - RHCE - SCSecA - Security+ - Network+
kaiax33 (Newbie, Posts: 3)
Re: CHFI - my experience « Reply #11 on: May 20, 2011, 03:59:50 PM »
Passed CHFI with a 93.3% in 28 minutes.
Thoughts:
They have over 4,000 pages of material and they choose to ask questions like which TCP ports some <ahem> "well known" email services run over? The exam was loaded with tons of these types of questions and I was sorta disappointed by how easy it was. Some looked like they pulled them straight out of a 1998 CEH exam.....very easy. I'm not sure that I even needed to sit through the class, but was glad I did as the instructor was very good and added a law enforcement aspect to the class. As mentioned earlier, some of the questions specifically pertaining to legal issues (particularly laws in foreign countries) really seemed out of place here.
I believe that the test would benefit from a practical exam like ACE, EnCE, CCE, etc. and it would certainly help its acceptance in the forensics industry. Probably not a bad test if you're new to IT, but not really a good one if you've already established yourself in it.
Just my .02...
CPP, ACE, CISSP, CISM