312-49 Exam Format | 312-49 Course Contents | 312-49 Course Outline | 312-49 Exam Syllabus | 312-49 Exam Objectives

Number of Questions: 150

Test Duration: 4 Hours

Test Format: Multiple Choice

Test Delivery: ECC EXAM

Exam Prefix: 312-49 (ECC EXAM)



Computer hacking forensic investigation is the process of detecting hacking attacks and properly extracting evidence to report the crime and conduct audits to prevent future attacks.



Computer crime in todays cyber world is on the rise. Computer Investigation techniques are being used by police, government and corporate entities globally and many of them turn to EC-Council for our Computer Hacking Forensic Investigator CHFI Certification Program.



Computer Security and Computer investigations are changing terms. More tools are invented daily for conducting Computer Investigations, be it computer crime, digital forensics, computer investigations, or even standard computer data recovery. The tools and techniques covered in EC-Councils CHFI program will prepare the student to conduct computer investigations using groundbreaking digital forensics technologies.
Computer forensics is simply the application of computer investigation and analysis techniques in the interests of determining potential legal evidence. Evidence might be sought in a wide range of computer crime or misuse, including but not limited to theft of trade secrets, theft of or destruction of intellectual property, and fraud. CHFI investigators can draw on an array of methods for discovering data that resides in a computer system, or recovering deleted, encrypted, or damaged file information known as computer data recovery.



In order to maintain the high integrity of our certifications exams, EC-Council Exams are provided in multiple forms (I.e. different question banks). Each form is carefully analyzed through beta testing with an appropriate sample group under the purview of a committee of subject matter experts that ensure that each of our exams not only has academic rigor but also has “real world” applicability. We also have a process to determine the difficulty rating of each question. The individual rating then contributes to an overall “Cut Score” for each exam form. To ensure each form has equal assessment standards, cut scores are set on a “per exam form” basis. Depending on which exam form is challenged, cut scores can range from 60% to 85%.



• Understand computer forensics, and explain the objectives and benefits of computer forensics

• Apply the key concepts of Enterprise Theory of Investigation (ETI)

• Fuse computer network attack analyses with criminal and counterintelligence investigations and operations

• Identify elements of the crime

• Examine various computer crimes

• Understand various types of Web attacks

• Understand various types of email attacks

• Understand various types of network attacks

• Understand mobile based operating systems, their architectures, boot process, password/pin/pattern lock bypass mechanisms

• Understand the importance of cybercrime investigation

• Understand the methodology involved in Forensic Investigation

• Serve as technical experts and liaisons to law enforcement personnel and explain incident details, provide testimony, etc.

• Understand the role of expert witness in computer forensics

• Identify legal issues and reports related to computer forensic investigations

• Identify legal issues and reports related to computer forensic investigations

• Identify legal issues and reports related to log management

• Identify internal BYOD and information security policies of the organization

• Identify and/or determine whether a security incident is indicative of a violation of law that requires specific legal action

• Identify legal issues and reports related to computer forensic investigations

• Apply the key concepts of Enterprise Theory of Investigation (ETI)

• Understand various types and nature of digital evidence

• Understand the best evidence rule

• Secure the electronic device of information source, use specialized equipment and techniques to catalog, document, extract, collect, package, and preserve digital evidence

• Electronic Crime and Digital Evidence Consideration by Crime Category

• Create a forensically sound duplicate of the evidence (forensic image) that ensures the original evidence is not
unintentionally modified, to use for data recovery and analysis processes. This includes HDD SSD, CD/DVD, PDA, mobile phones, GPS, and all tape formats.

• Perform MAC timeline analysis on a file system

• Understand the Windows and Macintosh boot process, and handling volatile data

• Understand File Systems and help in digital forensic investigations

• Understanding Windows File Systems and help in digital forensic investigations

• Understand Linux File Systems and help in digital forensic investigations

• Understand Mac OS X File Systems and help in digital forensic investigations

• Understand RAID Storage System and help in digital forensic investigations

• Understand Carving Process and help in digital forensic investigations

• Understand Image File Formats

• Understand Computer Security Logs

• Perform MySQL Forensics

• Perform MSSQL Forensics

• Perform various steps involved in investigation of Email crimes

• Perform analysis of email headers and gather evidential information

• Perform static and dynamic malware analysis

• Understand the hardware and software characteristics of mobile devices

• Understand the different precautions to be taken before investigation

• Perform various processes involved in mobile forensics

• Exploit information technology systems and digital storage media to solve

and prosecute cybercrimes and fraud committed against people and property

• Identify, collect, and seize documentary or physical evidence, to include digital media and logs associated with cyber intrusion incidents, investigations, and operations

• Write and public Computer Network Defense guidance and reports on incident findings to appropriate constituencies

• Determine and develop leads and identify sources of information in order to identify and prosecute the responsible parties toan intrusion investigation

• Process crime scenes

• Track and document Computer Network Defense incidents from initial detection through final resolution

• Develop an investigative plan to investigate alleged crime, violation, or suspicious activity using computers and the internet

• Identify outside attackers accessing the system from Internet or insider attackers, that is, authorized users attempting
to gain and misuse non-authorized privileges

• Coordinate with intelligence analysts to correlate threat assessment data

• Ensure chain of custody is followed for all digital media acquired (e.g. indications, analysis, and warning standard operating procedure)

• Identify digital evidence for examination and analysis in such a way as to avoid unintentional alteration

• Assist in the gathering and preservation of evidence used in the prosecution of computer crimes

• Prepare digital media for imaging by ensuring data integrity (e.g., write blockers in accordance with standard operating procedures)

• Prepare reports to document analysis

• Decrypt seized data using technical means

• Establish relationships, if applicable, between the incident response team and other groups, both internal (e.g., legal department) and external (e.g., law enforcement agencies, vendors, and public relations professionals)

• Coordinate with and provide expert technical support to enterprise-wide Computer Network Defense technicians to resolve Computer Network Defense incidents

• Perform Computer Network Defense incident triage to include determining scope, urgency, and potential impact; identify the specific vulnerability and make recommendations which enable expeditious remediation

• Document original condition of digital and/or associated evidence (e.g., via digital photographs, written reports, etc.)

• Perform initial, forensically sound collection of images and inspect to discern possible mitigation/remediation on enterprise systems

• Perform real-time Computer Network Defense Incident Handling (e.g., forensic collections, intrusion correlation/tracking, threat analysis, and direct system remediation) tasks to support deployable Incident Response Teams (IRTs)

• Provide technical assistance on digital evidence matters to appropriate personnel

• Conduct interviews and interrogations of victims, witnesses and suspects

• Use specialized equipment and techniques to catalog, document, extract, collect, package, and preserve digital evidence

• Document original condition of digital and/or associated evidence (e.g., via digital photographs, written reports, etc.)

• Independently conducts large-scale investigations of criminal activities involving complicated computer programs and networks

• Examine recovered data for items of relevance to the issue at hand

• Correlate incident data to identify specific vulnerabilities and make recommendations that enable expeditious remediation

• Perform static media analysis

• Review forensic images and other data sources for recovery of potentially relevant information

• Identify digital evidence for examination and analysis in such a way as to avoid unintentional alteration

• Identify data of intelligence to evidentiary value to support counterintelligence and criminal investigations

• Monitor external data sources (e.g., Computer Network Defense vendor sites, Computer Emergency Response Teams, SANS, Security Focus) to maintain currency of Computer Network Defense threat condition and determine which

security issues may have an impact on the enterprise

• Identify Anti-Forensics Techniques

• Recover Deleted Files and Partitions

• Bypass Windows and Applications passwords

• Detect steganography and identify the hidden content

• Perform command and control functions in response to incidents

• Analyze computer generated threats

• Perform Computer Network Defense trend analysis and reporting

• Confirm what is known about an intrusion and discover new information, if possible, after
identifying intrusion via dynamic analysis

• Develop reports which organize and document recovered evidence and forensic processes used

• Write and publish Computer Network Defense guidance and reports on incident findings to appropriate constituencies

• Perform file signature analysis, Perform tier 1, 2, and 3 malware analysis

• Analyze the file systems contents in FAT, NTFS, Ext2, Ext3, UFS1, and UFS2

• Collect Volatile and Non-Volatile Information

• Perform Windows registry analysis

• Perform Cache, Cookie, and History Analysis

• Perform Windows File Analysis

• Perform Metadata Investigation

• Analyze Windows Event Logs

• Collect Volatile and Non-Volatile Information

• Use various Shell Commands

• Examine Linux Log files

• Examine MAC Forensics Data

• Examine MAC Log Files

• Analyze MAC Directories

• Examine MAC Forensics Data

• Examine MAC Log Files

• Analyze MAC Directories

• Detect steganography

• Process images in a forensically sound manner

• Perform steganalysis to recover the data hidden using steganography

• Understand various password cracking techniques

• crack the password to recover protected information and data

• Conduct analysis of log files, evidence, and other information in order to determine best methods for identifying the perpetrator(s) of a network intrusion

• Conduct analysis of log files, evidence, and other information in order to determine best methods for identifying the perpetrator(s) of a network intrusion

• Receive and analyze network alerts from various sources within the enterprise and determine possible causes of such alerts Receive and analyze network alerts from various sources within the enterprise and determine possible causes of such alerts

• Investigate wireless attacks

• Perform analysis of log files from a variety of sources (e.g., individual host logs, network traffic logs, firewall logs, and intrusion detection system logs) to identify possible threats to network security

• Perform various steps involved in investigation of email crimes

• Perform various processes involved in mobile forensics

• Perform investigation on cloud storage services such as Google Drive and Dropbox

• Understand and perform static and dynamic malware analysis

• Maintain deployable Computer Network Defense toolkit (e.g., specialized Computer Network Defense software/ hardware) to support incident response team mission 16 10%

• Recognize and accurately report forensic artifact indicative of a particular operating system

• Perform live forensic analysis (e.g., using Helix in conjunction with LiveView)

• Perform dynamic analysis to boot an “image” of a drive (without necessarily having theoriginal drive) to see the intrusion as the user may have seen it, in a native environment

• Use data carving techniques (e.g., Autopsy) to extract data for further analysis

• Decrypt seized data using technical means

• Perform data acquisition (using UltraKit, Active@ Disk Image, DriveSpy, etc.)

• Use File Recovery Tools (e.g., Recover My Files, EaseUS Data Recovery Wizard, etc.), Partition Recovery Tools (e.g., Active@ Partition Recovery, 7-Data Partition Recovery, Acronis Disk Director Suite, etc.), Rainbow Tables Generating Tools (e.g., rtgen, Winrtgen), Windows Admin Password Resetting Tools (e.g., Active@ Password Changer, Windows Password Recovery Bootdisk, etc.).

• Understand the usage of Application Password Cracking Tools (e.g., Passware Kit Forensic, SmartKey Password Recovery Bundle Standard, etc.), Steganography Detection Tools (e.g., Gargoyle Investigator™ Forensic Pro, StegSecret, etc.)

• Use tools to locate and recover image files

• Use tools to perform database forensics (e.g., Database Forensics Using ApexSQL DBA, SQL Server Management Studio, etc.)

• Use tools to recover obstructed evidence

• Use network monitoring tools to capturer real-time traffic spawned by any running malicious code after identifying intrusion via dynamic analysis

• Understand the working of wireless forensic tools (e.g., NetStumbler, NetSurveyor, Vistumbler, WirelessMon, Kismet, OmniPeek, CommView for Wi-Fi, Wi-Fi USB Dongle: AirPcap, tcpdump, KisMAC, Aircrack-ng SuiteAirMagnet WiFi Analyzer, MiniStumbler, WiFiFoFum,

NetworkManager, KWiFiManager, Aironet Wireless LAN, AirMagnet WiFi Analyzer, Cascade Pilot Personal Edition,Network Observer, Ufasoft Snif, etc.)

• Understand the working of web Security Tools, Firewalls, Log Viewers, and Web Attack Investigation Tools (e.g., Acunetix Web Vulnerability Scanner, Falcove

Web Vulnerability Scanner, Netsparker, N-Stalker Web Application Security Scanner, Sandcat, Wikto, WebWatchBot, OWASP ZAP, dotDefender, IBM AppScan, ServerDefender, Deep Log Analyzer, WebLog Expert, etc.)

• Use Cloud Forensics Tools (e.g., UFED Cloud Analyzer, WhatChanged Portable, WebBrowserPassView, etc.)

• Use Malware Analysis Tools (e.g., VirusTotal, Autoruns for Windows, RegScanner, MJ Registry Watcher, etc.)

• Use email forensic tools (e.g., StellarPhoenix Deleted Email Recovery, Recover My Email, Outlook Express Recovery, Zmeil, Quick Recovery for MS Outlook, Email Detective, Email Trace

-Email Tracking, R-Mail, FINALeMAIL, eMailTrackerPro, Parabens email Examiner, Network Email Examiner by Paraben, DiskInternals Outlook Express Repair, Abuse.Net, MailDetective Tool, etc.)

• Use mobile forensic software tools (e.g., Oxygen Forensic Suite 2011, MOBILedit! Forensic, BitPim, SIM Analyzer, SIMCon, SIM Card Data Recovery, Memory Card Data Recovery, Device Seizure, Oxygen Phone Manager II, etc.)

• Use mobile forensic software tools

• Create well formatted computer forensic reports