    CFIP is the essential computer forensics analysis & investigation certification.

    Demonstrate your in-depth knowledge of computer forensic analysis with the CFIP certification. Upon completion, you can prove your ability to successfully apply forensic principles, evidence continuity and methodology when conducting a forensic investigation.

    CFIP Certification Path & Tracks:

    Further Computer Forensics Certifications

    CSIS, CMI, CMFS

    CFIP Exam Syllabus

    1. Introduction to Computer Forensics

    2. Introduction to Investigations
    a. Areas involved in a forensic investigation
    b. Investigation awareness phase of a forensic investigation
    c. Principles of forensic computing
    d. The ‘Chain of Custody’ process
    e. Applying the chain of custody process

    3. Identification and Seizure
    a. Common electronic evidence devices
    c. Seizure process of electronic evidence
    d. Evidential items of interest
    e. Actions performed on an electronic device

    4. Understanding Electronic Data
    a. Multiple bits
    b. Large quantities of bytes in data storage
    c. Decimal, Hexadecimal, ASCII, Unicode

    5. Storage and File Systems
    a. Preparing a hard drive for data storage
    b. Physical disks and logical drives
    c. Differences between data and metadata
    d. Common file system metadata
    e. The purpose of file systems
    f. Various file systems’ features
    g. Live Data, Deleted Data, Unallocated Data

    6. Forensic Acquisition
    a. Differences between a forensic image and a clone
    b. Hashing within the forensic acquisition process
    c. Common tools and hardware
    d. Forensic acquisition and verification of an electronic device

    7. Data Management
    a. Data backups of electronic evidence
    b. Logistical issues with data backups
    c. Working copies of electronic evidence
    d. Data retention periods of electronic evidence

    8. Forensic Analysis Techniques
    a. Five possible analysis environments
    b. Recovering data from an electronic device using data carving
    c. Keyword searching
    d. Issues associated with data extraction
    e. Strengths and weaknesses of hash analysis
    f. Common file type specific metadata
    g. Date and time analysis


    CFIP taught me what I was seeing, and why.

    Claire Pater, Nuix
