April 1, 2011 at 8:32 pm #6259 cafepithecus Participant
Hello everyone! I’ve been a lurker on these boards for awhile and recently went through the CHFI course/certification (version 4). I wasn’t finding a WHOLE lot on the Internet about this exam when I was going through it – at least compared to other exams in this field — so I wanted to post my experience for those looking to take it in the future (both members of this forum, and the random Google searcher).
I currently work in law enforcement and studied criminal justice in undergrad, so I am familiar with a lot of the legal realm, along with investigative and forensics methodology. I don’t actually work IN forensics, but I definitely work alongside them and have more familiarity than the average person would. I also have had a personal interest in computers since I was a kid, and again, while I don’t have actual job experience with them, I definitely had some background knowledge going into this.
I decided to start my computer forensics training/education with CHFI mainly because a friend of mine works in the field and has it, and recommended it as a good introductory course. I was spending my own money on this and had been warned about unauthorized training partners, so I decided to go straight to the source and take the online course through EC-Council. I received four thick books and four DVDs.
The books – horrible grammar, repetitive, and yet contradictory in many instances – just awful. I found out later that EC-Council outsources their publishing to Malaysia, and it shows. Also, many, MANY pages simply detailing many different types of programs that do essentially the same thing for whatever topic is being discussed in that chapter. I was getting frustrated thinking I needed to memorize all of these random programs, many of which are outdated at this point anyway. How is that testing my computer forensics knowledge???
The DVDs – wildly disorganized. The DVDs did have a TON of additional information on them, but I had no way of knowing what was just additional reading material, and what might actually be on the exam. This was my same issue with the book. Tons of random info and no real guidance on what was going to be on the test.
Both the books and the DVDs just seemed to be thrown together with a bunch of random information in as “padding”. It was infuriating, to say the least. The online lectures were okay, but went extremely fast and didn’t always add up to what was in the books. Additionally, I didn’t receive a lab manual OR a fifth book. They didn’t bother to tell me when I ordered it that all those materials were on the DVD and I had to print them out myself (good thing I asked). So after paying nearly $1500 on the course, I still had to use my own paper and ink to print a thousand, if not more, extra pages. Are you kidding me???
Each module in the online lectures had a quiz review, which you’d think would be good practice for the exam…. except that a lot of the answers were incorrect and in exact opposition to what I was looking at in one of the books in front of me. Additionally there were a few questions where the answer was A, B, and C, and when I chose “D” for “all of the above”, I got it wrong because apparently I should have checked A, B, and C separately. There were also a lot of questions that were worded very strangely and vaguely. Needless to say this stressed me out even more since I had no way of knowing if these questions were similar to those on the real test – which would have been INFURIATING. If you’re going to put together questions like this as part of a training aid, it would be nice if you gave the correct answers.
I was so disappointed in the course materials that I ended up getting a refund for the entire course, thankfully. This was the ONLY reason I went forward with the certification exam. I do have to say that they did not put up a fight about the refund, which I appreciate, however it leads me to believe that they are well aware of the horrible quality of their course materials.
THE EXAM – PREP PHASE
I was stressing about this exam A LOT after finishing EC-Council’s online course. I did learn a lot from it, but considering I am new to the field anyway, of course I was going to take SOMETHING away from it. I was stressing so much that I purchased several other books just as background reading.
– File System Forensic Analysis by Brian Carrier
– Real Digital Forensics: Computer Security and Incident Response by Keith Jones, et al.
– Forensic Discovery by Dan Farmer (came as part of a boxed set with above)
– CompTIA Network+ Study Guide by Todd Lammle (for basic networking background that I didn’t have)
– The Official CHFI Study Guide by Syngress Publishing
Ah, the study guide. I only purchased it because the course materials from EC-Council were so infuriatingly disorganized. I attempted to go through and make my own study guide based on the objectives that I downloaded from EC-Council’s web site, but that probably would have taken me an entire month’s time, and didn’t I pay $1500 for decent training materials in the first place??? However, they were what they were – no fixing that — and I figured it was worth the extra $50 just to lower my stress level a little bit. Plus, it advertised a free sample web exam. Even after the online course and all the material on the DVD and in the books – I did not feel at ALL prepared for the exam. The whole point of the study guide is to give you some direction on what things to concentrate on and view sample questions, etc, right? Well.
I found out AFTER I purchased the book – which is advertised on EC-Council’s web site as the “official” study guide – that it is actually for the previous version. So while a lot of the material is the same, it’s still outdated and from 2007. Not only that, but the “free, web-based sample exam” that is advertised on the book – and one of the main reasons I purchased it – is no longer available. I e-mailed Syngress repeatedly and never received a response. I was (am) not amused.
THE EXAM – EXAM DAY
I took the exam through Pearson Vue at my local community college after doing the background reading and studying for a little over two months. Frankly at this point I didn’t really care whether I passed or not, since I got the course for free and was just completely fed up at this point and wanted it over with. Not to mention that nobody in this area seems to have ever heard of this test, and even the testing center guy said I was the first one to take it since he’d been there (several years). I’d really just had it with this entire thing.
I finished the test in about fifteen minutes and got an 80% (needed a 70% to pass). The questions were a lot clearer than I was expecting, however there were a few that were a little tricky. I was disappointed I couldn’t view the questions that I got wrong. All of the questions had only one answer though, none of this “A and C” or “all of the above” stuff (whew!).
There were quite a few questions that I would NOT have known the answer to if I had not done all the background reading on my own. Things that were not covered anywhere in the official courseware or the study guide. Since I already got an 80% as it was, I’m not sure I would have passed had I not done my extra reading.
I had read on various forums that I should focus a lot on the laws when studying, which I did, and reviewed right before the test. Oddly though, I didn’t get ANY questions on anything legal.
Really, I don’t know. My friend had a good experience with this certification, but she took the training through InfoSec. That might be a better option if you are looking to take this class. AVOID EC-Council’s materials. I really have no faith in them at this point and they really just seem like a scam to me. I did the certification exam because I got most of my money back – so I really wasn’t losing anything. But I can’t believe they charge almost $1500 for that garbage. Their training is just HORRIBLE and I cannot stress that enough.
I was looking forward to taking CEH because it sounded interesting, but I will be avoiding EC-Council from now on. I do have to say that my friend was right; this course WAS a good introduction to the field, but most of that was due to the fact that I was forced to do so much extra reading on my own.
Does the certification mean anything? I don’t know. I really just wanted a training class to dip my toe into the subject, and also show that I had some type of foundational knowledge, since I’ve never taken any formal classes in computer science. It wasn’t much of a waste since I got a refund, but would I recommend it to others? No, especially if you are spending your own money like I did. If your job is paying for it, why not?
This post is a little long, however I wish I had read something like this before I took the class. If other people had good experiences with EC-Council and this exam, great! Unfortunately I did not.
April 1, 2011 at 8:43 pm #39089 BillV Participant
First of all, welcome to the EH-Net community! Thank you for such an elaborate post on your experience with the CHFI materials, course, and exam. This will surely help answer questions for others in the future.
Sorry to hear that your experience was such a bad one.
April 4, 2011 at 5:41 pm #39090 Don Donzal Keymaster
Never too long of a post when you’re helping others.
Thanks and welcome to EH-Net,
April 4, 2011 at 5:54 pm #39091 rattis Participant
I actually liked this post and found it useful. The CHFI is on my current 3 year plan.
I know now to save my money on the course and self study like mad for the cert. When I get there.
April 4, 2011 at 9:32 pm #39092 2mike19 Participant
Thank you Cafepithecus for your great review. I am on the track to take this and with your review – glad I’ll be saving a few bucks.
April 5, 2011 at 6:23 pm #39093 Joshsevo Participant
Yes thank you for the review. If you read over some of the threads you saw that I am interested in taking this cert. I am still planning on it and I will be doing the reading also and see how that goes.
I actually had the CHFI through InfoSec all paid for and booked but had to change it because of a conflict in my schedule. I would be taking it next week actually had the conflict not happened. I moved my money to the CEH course instead and will take the CHFI in Aug I think.
Once I am done with the cert also I will also post a review of my experiences.
May 15, 2011 at 5:11 pm #39094
New to EH, lurker for years. Great info here.
I think this is a great writeup and really appreciate the insight. I’m actually sitting in the EC-Council’s CHFI class at this very moment and will sit for the CHFI exam in a few days. Fortunately, I currently work in the field and have a few vendor certs in this area. I am worried that we seem to be spending an inordinate amount of time in class on things like “photographing the crime scene” and “legal issues of forensics”. We have yet to actually do a single lab or any hands on stuff, although we were required to bring our own laptop with WinXP VMs ready to go. I paid over $2,000 to sit in this class and was offered the actual hardcopy of the courseware for another $250, but declined (based on this post). You GOT to be kidding me. They did throw in lunch. I overheard one attendee comment, “This is the best $2000 fajita I’ve ever had.” ;D (We did receive an iPad2)
I had the same experience with the CEH exam a few years ago using the EC-Council Official Curriculum. Disjointed, too much info, unclear practice tests, and just a lot of rote memorization, none of which appeared on the actual exam. First time I’ve ever failed any certification exam, so I was a bit perturbed.
How much would this organization benefit from a proof reader or decent content developer?
May 16, 2011 at 1:30 pm #39095 R3B005t Participant
Well there goes my faith in EC council, I was going to do a write up on the sheer amount of padding in their course ware but looks like someone beat me to the point. I can’t begin to figure out how EC took such a bad turn. It seems that the organization needs to take a long hard look at its materials. Until I hear otherwise I’m going to remove them from my list of certs to get.
May 17, 2011 at 4:04 am #39096
Well there goes my faith in EC council,
Mine too…and I’m sitting for the exam tomorrow.
Just FYI, I just checked the CHFI class v4 TOC and there is over 4,000+ pages of material for you to cover (not including labs)!!! There is another complete DVD filled with “extra material” which is essentially just a huge conglomeration of whitepapers and stuff from academic journals on anything even remotely technical, that they couldn’t fit in the slides….and which I’m sure is considered testable. Today I did get a question on what attack uses UDP packets (Fraggle), which I’m not sure is relevant or a priority in this course given the amount of real forensics material they could cover.
After this exam, I’m pretty much done with EC-Council. Bring on the SANS forensics courses or vendor specific stuff for me.
May 17, 2011 at 1:12 pm #39097 sil Participant
Welcome to the beautiful world of marketing. Aside from any certifying body, what have you done for yourself via way of training? CHFI courseware is mainly bloat. It likely STILL consists of hundreds of tools of which about 99.9% are never used in a real world forensic setting. Does this mean they’re not worth learning, no, what it means is that you as a student/professional need to make sense of it all. Find what works, what doesn’t, what others in the industry use, and focus on those. Learning any of the tools though is beneficial as one size will never fit all.
The big issue I had and have with CHFI is that it is not applicable to real world hardcore forensics, and you’ll likely gain nothing more than the knowledge of a bucketload of tools, 99.9% you will never use or even recall. If in the event of say going to court, most of these tools would be worthless as there is more of a reliance on EnCase and Access Data’s FTK as being the “industry standards.” With that said again, does it mean you shouldn’t know about alternatives? Not really.
The same goes for SANS 408. Let’s have a cherry picked brief look:
Windows File System Basics
Presentation and Reporting of Evidence and Analysis
Windows XP, VISTA, and Windows 7 Investigation and Analysis
Windows In-Depth Registry Forensics
Facebook, Gmail, Hotmail, Yahoo Chat and Webmail Analysis
E-mail Forensics (Host, Server, Web)
Microsoft Office Document Analysis
Windows Link File Investigation
Windows Recycle Bin Analysis
File and Picture Metadata Tracking and Examination
Firefox and Internet Explorer Browser Forensics
Deleted File Recovery
String Searching and Data Carving
Fully Updated to include full Windows 7 and Server 2008 Examinations
Examine cases involving Windows XP, VISTA, and Windows 7
What is missing from this picture? Here is a better question: “What will you be good at after this course?” Answer? Windows forensics. Nothing more. You WILL learn a lot more from SANS courses and you WILL LEARN real world applicability of REAL WORLD tools and scenarios. But at the end of this course, you will be a mighty fine WINDOWS forensics professional, maybe even expert. Problem is, you will be stuck in a Windows world. You may *touch* on some *nix based topics, but a TCT expert you will not be.
Now what about SANS 508 (Advanced Forensics)? Cherry picking here: (Day 2) “Advanced digital forensic investigation methods using: Intermediate Registry Analysis, Shadow Volume/Restore Point Examinations, Super Timeline Analysis, and Finding Unknown Malware using memory, artifact, and file system analysis”
Registry? How does this help me in analyzing a compromised Solaris/RHEL/Tru64/etc network? What have I learned from say the network analysis and forensics side? So classify what you would like to learn and now re-ask the question: “who do you think can best teach it to you?” The realistic answer is: Yourself. You need to set the stage of what is applicable and what is not. See what others are doing and why they are doing it. You WILL get more bang for your buck by going with SANS 100000% do not misinterpret my words, however, even that (going with SANS) is open to interpretation as it is all about marketing.
So regardless of who is delivering what (EC-Council, SANS, etc.) at the end of the day there is always going to be heavy marketing but this does not mean you won’t gain anything from either or (EC/SANS) it’s all about what YOU TAKE from it. The EC-Council books are horrible however, a good instructor will understand what they need to show you in order to be a decent forensics professional regardless of the content of the book.
Anyhow, for those looking for resources from the *nix side of the equation, I suggest:
End of rant/rambling
May 19, 2011 at 1:58 am #39098 ziggy_567 Participant
It’s funny you should reference Deer Run as Hal Pomeranz is one of the instructors for SEC 408 and SEC 508. If you were to take either class with him, you could find no better instructor on *nix forensics. You may not get it through the regular course, but he’s available outside of the class for questions.
Btw, I took SANS 506 with him…
May 20, 2011 at 8:59 pm #39099
Passed CHFI with a 93.3% in 28 minutes.
They have over 4,000 pages of material and they choose to ask questions like which TCP ports some “well known” email services run over? The exam was loaded with tons of these types of questions and I was sorta disappointed by how easy it was. Some looked like they pulled them straight out of a 1998 CEH exam…..very easy. I’m not sure that I even needed to sit through the class, but was glad I did as the instructor was very good and added a law enforcement aspect to the class. As mentioned earlier, some of the questions specifically pertaining to legal issues (particularly laws in foreign countries) really seemed out of place here.
I believe that the test would benefit from a practical exam like ACE, EnCE, CCE, etc. and it would certainly help its acceptance in the forensics industry. Probably not a bad test if you’re new to IT, but not really a good one if you’ve already established yourself in it.
Just my .02…