EC-Council № 06 of 14 ATC Accredited Defensive

CHFI
Forensic Investigator

The EC-Council credential for experts from the banking, legal, insurance and e-business security sectors: learn the skills you need to identify, track down and prosecute cybercriminals.

  • 5-day Bootcamp Format
  • 16 CHFI Modules
  • 1:1 Mentor Pairing
  • 200q Practice Bank

№ 01 / Overview

Follow the evidence. Build the case.

This EC-Council course is ideal for experts from the banking, legal, insurance and e-business security sectors. CHFI certification lets you demonstrate the knowledge required for the position you apply for, and it stands as proof that you are certified to investigate cybercrime.

CHFI is the natural next step for CEH-trained professionals who want to move from "I can break in" to "I can prove what happened." Where CEH teaches offence, CHFI teaches you to reconstruct the attacker's path — preserve volatile evidence, image disks without tainting them, parse Windows and Linux artefacts, follow attackers through dark-web infrastructure and present findings that hold up in court.

Who this is for: Incident responders, SOC analysts going deeper, law enforcement, federal investigators, e-discovery practitioners, insurance fraud teams, internal audit, and bank security officers responsible for fraud investigations.

№ 02 / Outcomes

What you'll walk away with.

  • 01 Sit for the EC-Council CHFI exam with confidence: 16 modules of accredited training mapped to the current CHFI exam blueprint.
  • 02 Preserve digital evidence to court-admissible standards: Chain of custody, write-blockers, hash verification — done properly the first time.
  • 03 Acquire and analyse disk, RAM and mobile evidence: Windows, Linux and macOS forensics with industry-standard tooling.
  • 04 Investigate network, web and email attacks: Reconstruct attack timelines from logs, packet captures and email headers.
  • 05 Conduct cloud, dark-web and IoT forensics: The modern crime scenes that legacy training won't prepare you for.
  • 06 Write a forensic report that lawyers can use: Executive summary, methodology, findings, exhibits — modelled on real Mac Jason Consult casework.
№ 03 / Curriculum

Sixteen modules. One investigation lifecycle.

Curriculum aligned to EC-Council's CHFI Exam Blueprint. Each module pairs theory with a guided lab using EnCase, FTK Imager, Autopsy, Volatility and Wireshark.

The forensic readiness model, types of cybercrime, the investigator's role, and the legal frameworks (HIPAA, SOX, GLBA, GDPR) that shape every engagement.
Pre-investigation, investigation, and post-investigation phases. Setting up the lab, building the team, securing the scene, chain of custody and report production.
NTFS, FAT, exFAT, ext3/4, HFS+, APFS internals. Slack space, MFT, journaling — the artefacts attackers don't realise they're leaving.
Live vs static acquisition, write-blockers, dd / FTK Imager / EnCase workflows. RAID, SSD and encrypted disk acquisition challenges.
Timestamp manipulation, log wiping, steganography, encryption — and how to detect each. The cat-and-mouse game of modern forensics.
Registry, prefetch, shellbags, jumplists, USN journal, event logs. The Windows artefacts that tell you exactly who did what, when.
Linux file system artefacts, syslog, bash history, cron. macOS plist analysis, FSEvents, KnowledgeC, unified logs.
Packet capture analysis, NetFlow, IDS log correlation, attack reconstruction. Hands-on Wireshark and Zeek labs.
IIS, Apache and Nginx log analysis. Web shells, defacement, SQLi exploitation traces, attacker IP attribution.
Tor, I2P, Freenet — investigating dark-web infrastructure, cryptocurrency tracing and marketplace artefacts.
MS SQL, MySQL, Oracle and Postgres artefact analysis. Recovering deleted records, transaction log reconstruction.
AWS, Azure and GCP forensics. Cloud trail analysis, evidence preservation in shared-tenancy environments, legal challenges.
Email header analysis, spoofing detection, business email compromise investigation, e-discovery workflows.
Static and dynamic malware analysis, sandboxing, IOC extraction, YARA rule writing, packed binary unpacking.
iOS and Android acquisition, encryption, app data extraction. Cellebrite/UFED workflow basics and open-source alternatives.
Smart device firmware, embedded artefacts, BLE/Zigbee traffic capture, industrial IoT incident reconstruction. Includes a full mock CHFI exam.
№ 04 / Faculty

Practitioners who teach.

Working DFIR consultants who run real investigations between cohorts.

Lead Instructor · CHFI · GCFA · EnCE
Senior DFIR Lead

Twenty-plus years of incident response and forensic engagements across banking, healthcare and federal clients. Court-qualified expert witness.

Mentor · CHFI · GCFE
Lead Mentor, Forensic Practice

Mentors students through the case-style labs, modelled on real Mac Jason Consult investigations. Focuses on evidence rigour over flashy tooling.

№ 05 — From a graduate
"Materials are top-notch, and the trainers are SMEs in their respective domains. Fully supported with hands-on training and real-world projects."
Timi Pere
Cyber Security Graduate
№ 06 / Questions

The questions we hear most.

EC-Council recommends knowledge of Certified Ethical Hacker (CEH) concepts. You don't need the cert in hand, but you should be comfortable with attack basics — TCP/IP, OS internals, scanning and enumeration. If you're rusty, we'll point you at the right CEH modules to brush up first.
Exam voucher options are available — the standard tuition does not include the voucher by default. Speak to admissions about bundled packages and the EC-Council iLearn options we can arrange as an ATC.
Sit in on the next cohort free of charge. We'd rather you pass than walk away. CHFI rewards careful, methodical study — most retakes succeed once students slow down on the file-system and Windows artefact modules.
Yes — labs use FTK Imager, Autopsy, Volatility, Wireshark and EnCase trial versions. Cohort fees include access to our preconfigured forensic lab images for the duration of the course.
Two evening sessions per week (Tuesday and Thursday, 6:30–9:00pm CT), plus a Saturday lab workshop. Five-day bootcamp formats run quarterly for accelerated learners.
Yes — we partner with Mia-Share / Meritize for tuition financing with monthly payment plans. See Financial Aid for full details.
№ 07 — Enroll

Cohort opens in weeks, not months.

Hold your seat with a deposit. Speak to admissions if you'd prefer a quick fit-check first — no high-pressure pitch, just a candid conversation about whether CHFI is the right next step for you.