Insights into (ISC)2’s Certified Cyber Forensics Professional (CCFP) certification

Glad to have just passed the Certified Cyber Forensics Professional (CCFP) certification. Although this comes on the heels of my recent CompTIA Cybersecurity Analyst+ (CSA+) certification, I didn’t do any special preparation for the CSA+; my time for several months has actually been focused on digital forensics.

The CCFP was introduced in 2013 by (ISC)2 to expand their offering to better cover specializations like forensics. Sure, the CCFP is just another way for (ISC)2 to make money, but reading the CCFP Certified Cyber Forensics Professional All-in-One Exam Guide did teach me some new things.

Specifically, here are some new tidbits I learned:

  • Different forensic artifacts between VMware, VirtualBox, and Microsoft Virtual PC
  • Mobile device terminology like:
    • International Mobile Subscriber Identity (IMSI)
      • usually a 15-digit number to uniquely identify a phone
    • International Mobile Equipment Identity (IMEI)
      • unique number to identify GSM, LTE, and satellite phones (available on most phones by entering #06# on the keypad)
    • Integrated Circuit Card Identification (ICCID)
      • engraved number used to identify the SIM card
  • Database types including: Oracle, Microsoft Access, MySQL, PostgreSQL, NoSQL, etc.

I’ve spent most of my time doing physical Windows-based forensics, so being introduced to the worlds of mobile forensics and virtual system forensics has been helpful.

The CCFP exam itself was 125 questions and you are given 4 hours to complete it. The questions were overwhelmingly scenario-based and were focused on testing your experience and didn’t ask about technical specifics much (just a few questions about the Windows Registry).

Now for the FAQs…

  1. How did you prepare for the exam?
    I started by reading the CCFP Certified Cyber Forensics Professional All-in-One Exam Guide cover to cover, reviewing GIAC Certified Forensics Examiner (GCFE) material, and in real-life interacting with a greater variety of forensic tools than I normally would. When taking the exam I found myself drawing from real-world experience more than anything, which is why this exam is catered to those with 5+ years of experience.
  2. What would you recommend to others interested in this exam?
    Wait. The CCFP is expensive and the questions are difficult to prepare for, maybe other certifications would be a better use of your time. The (ISC)2 organization enjoys questions that are worded in a complex manner and nearly 1/2 of the questions involved a very stressful “BEST ANSWER”, “MOST APPROPRIATE”, or “MOST LIKELY” analysis of 2-3 solid answers.
  3. Was the exam easy?
    Not easy at all. It covered a variety of real-world situations that I’ve never dealt with. It also offered questions worded purposely to confuse a lazy reader, like myself.
  4. What was the hardest part of the exam?
    I did quite well on the legal concepts covered under the EC-Council Computer Hacking Forensic Investigator (CHFI), so I didn’t prepare as well for the CCFP, and I felt it. There are a variety of situations between the defendant and the prosecutor that came up that were completely new to me, so that was probably the hardest part.
  5. Is the CCFP a good alternative to the EC-Council CHFI?
    The CHFI has more emphasis on computer hacking and the CCFP has more emphasis on criminal proceedings. The CHFI was written for an international audience, which makes it a less natural read. The CCFP was written with significant ambiguity built in to pressure participants into overanalyzing each question. The CCFP adds a fresh 10-20% of material that the CHFI doesn’t bother to cover since it’s catered to those fresh off the Certified Ethical Hacker (CEH).
  6. What makes the CCFP a credible credential?
    To some extent the CCFP stakes its reputation on the credibility of the infamous Certified Information Systems Security Professional (CISSP) that’s been the de facto standard (“yuck”) in cybersecurity for several years now. The CCFP also requires continuing education, which tries to ensure your skills stay relevant.

Overall, the CCFP is a reasonable offering by (ISC)2 for real-life “forensicators” to add resume credentials for their inevitable “expert witness” call up, so the opposing lawyers focus on your findings and not your resume.
