English and Arabic 

5 Days Course


This EC-Council Computer Hacking Forensic Investigator (CHFI) certification course will prepare you to achieve this in-demand certification. Learn a detailed, methodological approach to computer forensic and evidence analysis, including searching and seizing, chain-of-custody, acquisition, preservation, analysis and reporting of digital evidence. This CHFI certification course provides the necessary skills to perform effective digital forensic investigations and covers the major tools and theories used by cyber forensic experts today.

Enroll for 5-day Computer Hacking Forensic Investigator (CHFI) V 10 training course from XCEED accredited by EC-Council.  EC-Council Computer Hacking Forensic Investigation (CHFI) is the method of detecting cyber-attacks and systematically extracting evidence to support the cyber-crime investigation report, and conducting periodic audits to prevent similar attacks in future. CHFI certification training validates an individual’s knowledge of computer forensics for reporting hacking attempts and attacks in the courts of law.

CHFI v10 is a complete vendor-neutral course covering all major forensics investigation technologies and solutions. The CHFI v10 program has been redesigned and updated after a thorough investigation into current market requirements, job tasks analysis, and the recent industry focus on forensic skills. The CHFI v10 course is the most extensive and propelled accreditation program that summarizes the essential knowledge of digital forensic techniques and standard forensic tools to collect the intruder’s footprints necessary for his investigation. From identifying the footprints of a breach to collecting evidence for a prosecution, CHFI v10 walks students through every step of the process with experiential learning.

The course focuses on the latest technologies including I oT Forensics, Dark Web Forensics, Cloud Forensics (including Azure and AWS), Network Forensics, Database Forensics, Mobile Forensics, Malware Forensics (including Emotet and Eternal Blue), OS Forensics, RAM forensics and Tor Forensics, CHFI v10 covers the latest tools, techniques, and methodologies along with ample crafted evidence files.


  • IT/forensics professionals with basic knowledge of IT/cybersecurity, computer forensics, and incident response.
  • Knowledge of Threat Vectors.


The CHFI program is designed for all IT professionals involved with information system security, computer forensics, and incident response.

  • Police and other law enforcement personnel
  • Defense and Security personnel
  • e-Business Security professionals
  • Legal professionals
  • Banking, Insurance, and other professionals
  • Government agencies
  • IT managers


By the end of the course, you will be able to:

  • Finding out about various kinds of cyber laws for investigating cyber-crimes.
  • Analyzing digital evidence through rules of evidence by considering crime category.
  • Roles of the first responder, first responder toolkit, securing and assessing electronic crime scene, directing preliminary interviews, archiving electronic crime scene, gathering and safeguarding electronic proof, bundling and transporting electronic crime scene, and detailing electronic crime scene.
  • Setting up the computer forensics lab and creating investigation reports.
  • Steganography, Steganalysis and image forensics.
  • Learn about Malware Forensics processes, along with new modules such as Dark Web Forensics and IoT Forensics.
  • Forensic methodologies for public cloud infrastructure, including Amazon AWS and Azure.
  • In-depth focus on Volatile data acquisition and examination processes (RAM Forensics, Tor Forensics, etc.).
  • Skills to meet regulatory compliance standards such as ISO 27001, PCI DSS, SOX, HIPPA, etc.
  • Kinds of log capturing, log management, Investigation logs, network traffic, wireless attacks, and web assaults.
  • Gathering volatile and non-volatile data from Windows and recouping erased documents from Windows, Mac OS X, and Linux. Researching password secured documents by utilizing password cracking concepts and tools


Module – 01

Understand different types of cyber crimes and list various forensic investigations challenges

  • Types of Computer Crimes
  • Impact of Cybercrimes at Organizational Level
  • Cyber Crime Investigation
  • Challenges Cyber Crimes Present for Investigators
  • Network Attacks
  • Indicators of Compromise (IOC)
  • Web Application Threats
  • Challenges in Web Application Forensics
  • Indications of a Web Attack
  • What is Anti-Forensics?
  • Anti-Forensics Techniques
Module – 02

Understand the fundamentals of computer forensics and determine the roles and responsibilities of forensic investigators

  • Understanding Computer Forensics
  • Need for Computer Forensics
  • Why and When Do You Use Computer Forensics?
  • Forensic Readiness
  • Forensic Readiness and Business Continuity
  • Forensics Readiness Planning
  • Incident Response
  • Computer Forensics as part of Incident Response Plan
  • Overview of Incident Response Process Flow
  • Role of SOC in Computer Forensics
  • Need for Forensic Investigator
  • Roles and Responsibilities of Forensics Investigator
  • What makes a Good Computer Forensics Investigator?
  • Code of Ethics
  • Accessing Computer Forensics Resources
  • Other Factors That Influence Forensic Investigations
  • Introduction to Web Application Forensics
  • Introduction to Network Forensics
  • Post-mortem and Real-Time Analysis
Module – 03

Understand data acquisition concepts and rules

  • Understanding Data Acquisition
  • Live Acquisition
  • Order of Volatility
  • Dead Acquisition
  • Rules of Thumb for Data Acquisition
  • Types of Data Acquisition
  • Determine the Data Acquisition Format
Module – 04

Understand the fundamental concepts and working of databases, cloud computing, Emails, IOT, Malware (file and fileless), and dark web

  • Understanding Dark Web
  • TOR Relays
  • How TOR Browser works
  • TOR Bridge Node
  • Internal architecture of MySQL
  • Structure of data directory
  • Introduction to Cloud Computing
  • Types of Cloud Computing Services
  • Cloud Deployment Models
  • Cloud Computing Threats
  • Cloud Computing Attacks
  • Introduction to an email system
  • Components involved in email communication
  • How email communication works
  • Understanding parts of an email message
  • Introduction to Malware
  • Components of Malware
  • Common Techniques Attackers Use to Distribute Malware across Web
  • Introduction to Fileless Malware
  • Infection Chain of Fileless Malware
  • How Fileless Attack Works via Memory Exploits
  • How Fileless Attack Happens Via Websites
  • How Fileless Attack Happens Via Documents
  • What is IoT?
  • IoT Architecture
  • IoT Security Problems
  • OWASP Top 10 Vulnerabilities
  • IoT Threats
  • IoT Attack Surface Areas
Module – 05

Understand rules and regulations pertaining to search & seizure of the evidence, and evidence examination

  • Rules of Evidence
  • Best Evidence Rule
  • Federal Rules of Evidence
  • Scientific Working Group on Digital Evidence (SWGDE)
  • ACPO Principles of Digital Evidence
  • Seeking Consent
  • Obtaining Witness Signatures
  • Obtaining Warrant for Search and Seizure
  • Searches Without a Warrant
  • Initial Search of the Scene
  • Preserving Evidence
  • Chain of Custody
  • Sanitize the Target Media
  • Records of Regularly Conducted Activity as Evidence
  • Division of Responsibilities
Module – 06

Understand different laws and legal issues that impact forensic investigations

  • Computer Forensics: Legal Issues
  • Computer Forensics: Privacy Issues
  • Computer Forensics and Legal Compliance
  • Other Laws that May Influence Computer Forensics
  • U.S. Laws Against Email Crime: CAN-SPAM Act
Module – 07

Understand the fundamental characteristics and types of digital evidence

  • Introduction to Digital Evidence
  • Types of Digital Evidence
  • Characteristics of Digital Evidence
  • Role of Digital Evidence
  • Sources of Potential Evidence
  • Understanding Hard Disk
  • Understanding Solid State Drive (SSD)
  • RAID Storage System
  • NAS/SAN Storage
  • Disk Interfaces
  • Logical Structure of Disks
Module – 08

Understand the fundamental concepts and working of desktop and mobile Operating Systems

  • What is the Booting Process?
  • Essential Windows System Files
  • Windows Boot Process: BIOS-MBR Method
  • Windows Boot Process: UEFI-GPT
  • Macintosh Boot Process
  • Linux Boot Process
  • Windows File Systems
  • Linux File Systems
  • Mac OS X File Systems
  • MAC Forensics Data
  • MAC Log Files
  • MAC Directories
  • CD-ROM / DVD File System
  • Virtual File System (VFS) and Universal Disk Format File System (UDF)
  • Architectural Layers of Mobile Device Environment
  • Android Architecture Stack
  • Android Boot Process
  • iOS Architecture
  • iOS Boot Process
  • Mobile Storage and Evidence Locations
  • Mobile Phone Evidence Analysis
  • Data Acquisition Methods
  • Components of Cellular Network
  • Different Cellular Networks
  • Cell Site Analysis: Analyzing Service Provider Data
  • CDR Contents
  • Subscriber Identity Module (SIM)
  • Different types of network-based evidence
Module – 09

Understand different types of logs and their importance in forensic investigations

  • Understanding Events
  • Types of Logon Events
  • Event Log File Format
  • Organization of Event Records
  • ELF_LOGFILE_HEADER structure
  • EventLogRecord Structure
  • Windows 10 Event Logs
  • Other Audit Events
  • Evaluating Account Management Events
  • Log files as evidence
  • Legal criteria for admissibility of logs as evidence
  • Guidelines to ensure log file credibility and usability
  • Ensure log file authenticity
  • Maintain log file integrity
  • Implement centralized log management
  • IIS Web Server Architecture
  • IIS Logs
  • Analyzing IIS Logs
  • Apache Web Server Architecture
  • Apache Web Server Logs
  • Apache Access Logs
Module – 10

Understand various encoding standards and analyze various file types

  • Character Encoding Standard: ASCII
  • Character Encoding Standard: UNICODE
  • Understanding Hex Editors
  • Understanding Hexadecimal Notation
  • Image File Analysis: JPEG
  • Image File Analysis: BMP
  • Understanding EXIF data
  • Hex View of Popular Image File Formats
  • PDF File Analysis
  • Word File Analysis
  • PowerPoint File Analysis
  • Excel File Analysis
  • Hex View of Other Popular File Formats
Module – 11

Understand the fundamental working of WAF and MySQL Database

  • Web Application Firewall (WAF)
  • Benefits of WAF
  • Limitations of WAF
  • Data Storage in SQL Server
  • Database Evidence Repositories
  • MySQL Forensics
  • Viewing the Information Schema
Module – 12

Understand Forensic Investigation Process

  • Forensic investigation process
  • Importance of the Forensic investigation process
  • Setting up a computer forensics lab
  • Building the investigation team
  • Understanding the hardware and software requirements of a forensic lab
  • Validating laboratory software and hardware
  • Ensuring quality assurance
  • First response basics
  • First response by non-forensics staff
  • First response by system/network administrators
  • First response by laboratory forensics staff
  • Documenting the electronic crime scene
  • Search and seizure
  • Evidence preservation
  • Data acquisition
  • Data analysis
  • Case analysis
  • Reporting
  • Testify as an expert witness
  • Generating Investigation Report
  • Mobile Forensics Process
  • Mobile Forensics Report Template
  • Sample Mobile Forensic Analysis Worksheet
Module – 13

Understand the methodology to acquire data from different types of evidence

  • Data Acquisition Methodology
  • Step 1: Determine the Best Data Acquisition Method
  • Step 2: Select the Data Acquisition Tool
  • Step 3: Sanitize the Target Media
  • Step 4: Acquire Volatile Data
  • Acquire Data From a Hard Disk
  • Remote Data Acquisition
  • Step 5: Enable Write Protection on the Evidence Media
  • Step 6: Acquire Non-Volatile Data
  • Step 7: Plan for Contingency
  • Step 8: Validate Data Acquisition Using
  • Collecting Volatile Information
  • Collecting Non-Volatile Information
  • Collecting Volatile Database Data
  • Collecting Primary Data File and Active Transaction Logs Using SQLCMD
  • Collecting Primary Data File and Transaction Logs
  • Collecting Active Transaction Logs Using SQL Server Management Studio
  • Collecting Database Plan Cache
  • Collecting Windows Logs
  • Collecting SQL Server Trace Files
  • Collecting SQL Server Error Logs
Module – 14

Illustrate Image/Evidence Examination and Event Correlation

  • Getting an Image ready for examination
  • Viewing an image on a Windows, Linux, and MAC Forensic Workstations
  • Windows Memory Analysis
  • Windows Registry Analysis
  • File System Analysis Using Autopsy
  • File System Analysis Using The Sleuth Kit (TSK)
  • Event Correlation
  • Types of Event Correlation
  • Prerequisites of Event Correlation
Module – 15

Explain Dark Web and Malware Forensics

  • Dark web forensics
  • Identifying TOR Browser Artifacts: Command Prompt
  • Identifying TOR Browser Artifacts: Windows Registry
  • Identifying TOR Browser Artifacts: Prefetch Files
  • Introduction to Malware Forensics
  • Why Analyze Malware?
  • Malware Analysis Challenges
  • Identifying and Extracting Malware
  • Prominence of Setting up a Controlled Malware Analysis Lab
  • Preparing Testbed for Malware Analysis
  • Supporting Tools for Malware Analysis
  • General Rules for Malware Analysis
  • Documentation Before Analysis
  • Types of Malware Analysis
Module – 16

Review Various Anti-Forensic Techniques and Ways to Defeat Them

  • Anti-Forensics Technique: Data/File Deletion
  • What Happens When a File is Deleted in Windows?
  • Recycle Bin in Windows
  • File Carving
  • Anti-Forensics Techniques: Password Protection
  • Bypassing Passwords on Powered-off Computer
  • Anti-Forensics Technique: Steganography
  • Anti-Forensics Technique: Alternate Data Streams
  • Anti-Forensics Techniques: Trail Obfuscation
  • Anti-Forensics Technique: Artifact Wiping
  • Anti-Forensics Technique: Overwriting Data/Metadata
  • Anti-Forensics Technique: Encryption
  • Anti-Forensics Technique: Program Packers
  • Anti-Forensics Techniques that Minimize Footprint
  • Anti-Forensics Technique: Exploiting Forensics Tools Bugs
  • Anti-Forensics Technique: Detecting Forensic Tool Activities
  • Anti-Forensics Countermeasures
  • Anti-Forensics Tools
Module – 17

Analyze Various Files Associated with Windows and Linux and Android Devices

  • Windows File Analysis
  • Metadata Investigation
  • Windows ShellBags
  • Analyze LNK Files
  • Analyze Jump Lists
  • Event logs
  • File System Analysis using The Sleuth Kit (TSK)
  • Linux Memory Forensics
  • APFS File System Analysis: Biskus APFS Capture
  • Parsing metadata on Spotlight
  • Logical Acquisition of Android Devices
  • Physical Acquisition of Android Devices
  • SQLite Database Extraction
Module – 18

Analyze various logs and perform network forensics to investigate network attacks

  • Analyzing Firewall Logs
  • Analyzing IDS Logs
  • Analyzing Honeypot Logs
  • Analyzing Router Logs
  • Analyzing DHCP Logs
  • Why investigate Network Traffic?
  • Gathering evidence via Sniffers
  • Sniffing Tool: Tcpdump
  • Sniffing Tool: Wireshark
  • Analyze Traffic for TCP SYN flood DOS attack
  • Analyze Traffic for SYN-FIN flood DOS attack
  • Analyze traffic for FTP password cracking attempts
  • Analyze traffic for SMB password cracking attempts
  • Analyze traffic for sniffing attempts
  • Analyze traffic to detect malware activity
  • Centralized Logging Using SIEM Solutions
  • SIEM Solutions: Splunk Enterprise Security (ES)
  • SIEM Solutions: IBM Security QRadar
  • Examine Brute-Force Attacks
  • Examine DoS Attack
  • Examine Malware Activity
  • Examine data exfiltration attempts made through FTP
  • Examine network scanning attempts
  • Examine ransomware attack
  • Detect rogue DNS server (DNS hijacking/DNS spoofing)
  • Wireless network security vulnerabilities
  • Performing attack and vulnerability monitoring
  • Detect a rogue access point
  • Detect access point MAC spoofing attempts
  • Detect misconfigured access point
  • Detect honeypot access points
  • Detect signal jamming attack
Module – 19

Analyze Various Logs and Perform Web Application Forensics to Examine Various Web Based Attacks

  • Investigating Cross-Site Scripting Attack
  • Investigating SQL Injection Attack
  • Investigating Directory Traversal Attack
  • Investigating Command Injection Attack
  • Investigating Parameter Tampering Attack
  • Investigating XML External Entity Attack
  • Investigating Brute Force Attack
Module – 20

Perform Forensics on Databases, Dark Web, Emails, Cloud and IoT devices

  • Database Forensics Using SQL Server Management Studio
  • Database Forensics Using ApexSQL DBA
  • Common Scenario for Reference
  • MySQL Forensics for WordPress Website Database: Scenario 1
  • MySQL Forensics for WordPress Website Database: Scenario 2
  • Tor Browser Forensics: Memory Acquisition
  • Collecting Memory Dumps
  • Memory Dump Analysis: Bulk Extractor
  • Forensic Analysis of Memory Dumps to Examine Email Artifacts (Tor Browser Open)
  • Forensic Analysis of Storage to Acquire the Email Attachments (Tor Browser Open)
  • Forensic Analysis of Memory Dumps to Examine Email Artifacts (Tor Browser Closed)
  • Forensic Analysis of Storage to Acquire the Email Attachments (Tor Browser Closed)
  • Forensic Analysis: Tor Browser Uninstalled
  • Dark Web Forensics Challenges
  • Introduction to email crime investigation
  • Steps to investigate email crimes
  • Division of Responsibilities
  • Where Is the Data Stored in Azure?
  • Logs in Azure
  • Acquiring A VM in Microsoft Azure
  • Acquiring A VM Snapshot Using Azure Portal
  • Acquiring A VM Snapshot Using PowerShell
  • AWS Forensics
  • Wearable IoT Device: Smartwatch
Module – 21

Perform Static and Dynamic Malware Analysis in a Sandboxed Environment

  • Malware Analysis: Static
  • Analyzing Suspicious MS Office Document
  • Analyzing Suspicious PDF Document
  • Malware Analysis: Dynamic
Module – 22

Analyze Malware Behavior on System and Network Level, and Analyze Fileless Malware

  • System Behavior Analysis: Monitoring Registry Artifacts
  • System Behavior Analysis: Monitoring Processes
  • System Behavior Analysis: Monitoring Windows Services
  • System Behavior Analysis: Monitoring Startup Programs
  • System Behavior Analysis: Monitoring Windows Event Logs
  • System Behavior Analysis: Monitoring API Calls
  • System Behavior Analysis: Monitoring Device Drivers
  • System Behavior Analysis: Monitoring Files and Folders
  • Network Behavior Analysis: Monitoring Network Activities
  • Network Behavior Analysis: Monitoring Port
  • Network Behavior Analysis: Monitoring DNS
  • Fileless Malware Analysis: Emotet
  • Emotet Malware Analysis
Module – 23

Identify various tools to investigate Operating Systems including Windows, Linux, Mac, Android and iOS

  • File System Analysis Tools
  • File Format Analyzing Tools
  • Volatile Data Acquisition Tools
  • Non-Volatile Data Acquisition Tools
  • Data Acquisition Validation Tools
  • Tools for Examining Images on Windows
  • Tools for Examining Images on Linux
  • Tools for Examining Images on Mac
  • Tools for Carving Files on Windows
  • Tools for Carving Files on Linux
  • Tools for Carving Files on Mac
  • Recovering Deleted Partitions: Using R-Studio
  • Recovering Deleted Partitions: Using EaseUS Data Recovery Wizard
  • Partition Recovery Tools
  • Using Rainbow Tables to Crack Hashed Passwords
  • Password Cracking Using: L0phtCrack and Ophcrack
  • Password Cracking Using Cain & Abel and RainbowCrack
  • Password Cracking Using pwdump7
  • Password Cracking Tools
  • Tool to Reset Admin Password
  • Steganography Detection Tools
  • Detecting Data Hiding in File System Structures Using OSForensics
  • ADS Detection Tools
  • Detecting File Extension Mismatch using Autopsy
  • Tools to detect Overwritten Data/Metadata
  • Program Packers Unpacking Tools
  • USB Device Enumeration using Windows PowerShell
  • Tools to Collect Volatile Information
  • Tools to Non-Collect Volatile Information
  • Tools to perform windows memory and registry analysis
  • Tools to examine the cache, Cookie and history recorded in web browsers
  • Tools to Examine Windows Files and Metadata
  • Tools to Examine ShellBags, LNK files and Jump Lists
  • Tools to Collect Volatile Information on Linux
  • Tools to Collect Non-Volatile Information on Linux
  • Linux File system Analysis Tools
  • Tools to Perform Linux Memory Forensics
  • APFS File System Analysis
  • Parsing metadata on Spotlight
  • MAC Forensic Tools
  • Network Traffic Investigation Tools
  • Incident Detection and Examination with SIEM tools
  • Detect and Investigate Various Attacks on Web Applications by Examining Various Logs
  • Tools to Id entify TOR Artifacts
  • Tools to Acquire Memory Dumps
  • Tools to Examine the Memory Dumps
  • Tools to Perform Static Malware Analysis
  • Tools to Analyze Suspicious Word and PDF documents
  • Tools to Perform Static Malware Analysis
  • Tools to Analyze Malware Behavior on a System
  • Tools to Analyze Malware Behavior on a Network
  • Tools to Perform Logical Acquisition on Android and iOS devices
  • Tools to Perform Physical Acquisition on Android and iOS devices
Module – 24

Determine the various tools to investigate MSSQL, MySQL, Azure, AWS, Emails and IoT devices

  • Tools to Collect and Examine the Evidence Files on MSSQL Server
  • Tools to Collect and Examine the Evidence Files on MySQL Server
  • Investigating Microsoft Azure
  • Investigating AWS
  • Tools to Acquire Email Data
  • Tools to Acquire Deleted Emails


The EC-Council CHFI certification is mainly targeted to those candidates who want to build their career in Cyber Security domain. The EC-Council Computer Hacking Forensic Investigator (CHFI) exam verifies that the candidate possesses the fundamental knowledge and proven skills in the area of EC-Council CHFI v10.


EC-Council CHFI Exam Summary:


Exam Name : EC-Council Computer Hacking Forensic Investigator (CHFI)

Exam Code : 312-49

Duration: 240 mins

Number of Questions: 150

Passing Score: 70%