
CHFI - EC-Council Certified Hacking Forensic Investigator Quick Study Guide

Updated on January 31, 2012

According to EC-Council, there is a high demand for Certified Hacking Forensic Investigator graduates, commanding salaries as high as $85,000 to $120,000 per year. This hub is based on my experience taking the certification test through Western Governors University and should help you prepare for the exam. It should be noted that this article merely suggests items that you may wish to familiarize yourself with and in no way is a confirmation of what may or may not be on the exam.

Some key points:

The CHFI, Certified Hacking Forensic Investigator, exam is 150 questions long and you have just over 4 hours to complete it. Before you go in, it's recommended that you have the knowledge equivalent to the Certified Ethical Hacker level. As with all big exams, you should try to get a good night's rest and a good breakfast, but don't eat anything that might give you stomach problems during your test. Save the celebration until after you've passed!

Some of the information you'll need to study for your CHFI certification might seem somewhat sketchy at first. It might even seem like you're learning many of the dirty little tricks that the bad guys use. As an Ethical Hacker or Forensics Investigator, you've got to understand the vulnerabilities of your systems and the methodology of those individuals or groups who might use their hacking abilities to further their own gain, or stifle the gain of someone else.

Hacking Attacks & Device Mechanics

  • What is a Fraggle attack?
  • What is a Smurf attack?
  • What is a SYN flood?
  • What is DNS Poisoning?
  • How many characters is an MD5 Hash?
  • What does a sheepdip do?
  • What type of evidence might be stored in a StrongBag?
  • How do you hide a file using Mac OS X?

Already have the CHFI? You might consider studying for your CISSP exam!

Know your Laws and Legal Information!

  • Define the Trademark Law.
  • What is a Servicemark?
  • What is a patent?
  • The legal sequential numbering system is popular among lawyers and is used in pleadings.
  • Evidence Format = aaa/ddmmyy/nnnn/zz (You might want to understand what each of those letters means, in the event you ever have to handle potential evidence.)
  • What is specified in Title 18, Section 2703(f)? If an investigator contacts an ISP or phone company, citing this title, what can they expect to receive in return? What must the investigator provide the company in order to seize records of customers? What about employees?
  • What's the difference between expert testimony and opinion testimony? Who is authorized to be an expert witness? How is this authorization established? What type of testimony can be expected from a lay witness?
  • Explain the Copyright law. How long does a copyright stay valid once established?


Networking Information

  • What are the 7 layers in the OSI Model and what devices and protocols operate at each layer?
  • At what layer of the OSI Model would a NIC in promiscuous mode operate?
  • Define the services that run on these well known ports: 21, 22, 23, 25, 80, 110, 115, 137, 138, 139, 143, 161, 162, 389, 443

Know your dd commands and understand Linux syntax.

  • What does the dd command do?
  • Can you use the dd command in Windows?
  • How do you use the dd command to make a backup of the master boot record in Linux?
  • How do you use the dd command to make a backup image of the slave device on the secondary IDE cable?
  • Where are print jobs spooled on Linux servers?

Make sure you're comfortable with these topics as well!

What are Alternate Data Streams?

  • How do you hide files using ADS?
  • How can you detect Alternate Data Stream files?

File Deletion and Data Recovery

  • What does Encase need before it can perform searches?
  • How is the Recycle Bin handled on systems using the FAT drive formatting standard? Where is this folder located?
  • How is the Recycle Bin handled by Windows NT, 2000, and XP using the NTFS standard? Where is this folder located?
  • How is the Recycle Bin handled by Windows Vista using the NTFS standard? Where is this folder located?
  • Where must you search to recover NTFS files?
  • Where must you search to look up deleted FAT partitions?
  • What is a lost cluster?
  • What is a sector?



Portable Devices

  • Where do iPods store contact information?
  • What type of encryption is used by Blackberry devices?
  • How do Blackberry devices handle email messages?

What are vector graphics? In computer graphics, vectors can be described as the use of geometric primitives such as curves, lines, polygons, points, and shapes -- which are all based upon mathematical equations -- to represent images. In this manner, enlarging a vector image doesn't impact the image quality. The mathematical expressions allow the image to retain its quality as you resize it. The key point here is that the image is not static by nature, but allows flexibility.

  • What is lossy compression? Lossy compression occurs when a reduced instance of a file is restored imperfectly.
  • What is lossless compression? Lossless compression occurs when a full instance of a file can be restored for a high compression ratio. The results should be without flaw, or perfect.


This article is not meant to be an exam cram or all-inclusive study guide for the Certified Hacking Forensic Investigator test. As with all certifications, potential testers should take time to read over the certification knowledge requirements and ensure they are comfortable they meet the standards held by the organization offering the certification in question.

For more information, please see the official EC-Council website.

Qualifications of the Author

As of this writing, Brady Frost has over 12 years of experience in the Information Technology industry with a completed undergraduate degree in Internet Systems Software Technology. He is currently working on his graduate degree through Western Governors University in Information Security and Assurance and holds the following applicable certifications:

  • Microsoft Certified Professional (MCP)
  • CompTIA Security+
  • CompTIA Network+
  • EC-Council Certified Ethical Hacker
  • EC-Council Certified Hacking Forensic Investigator


    • BradyBones (author)

      R. Brady Frost 

      6 years ago from Somewhere Between a Dream and Memory

      I hope your exam went well, skear! Drop back by and let us know, will ya?

    • skear

      Sam Kear 

      7 years ago from Kansas City

      Great hub! Thanks for all information on the exam.

