The IT Certification Resource Center

The Certified Computer Examiner Certification

Part 1 - The Written Exam

The written exam is multiple choice. There are 75 questions and a 60-minute time limit. It covers a range of basic knowledge including:

  • Acquisition, marking, handling, and storage of evidence procedures
  • Chain of custody
  • Basic PC hardware construction and theory
  • Very basic networking theory
  • Basic data recovery techniques
  • Authenticating MS Word documents and accessing and interpreting metadata
  • Basic CD-R recording processes and accessing data on CD-R media
  • Basic password recovery techniques
  • Basic Internet issues

If you are A+, Network+, and Security+ certified, possess good hardware troubleshooting skills, and have a basic understanding of the rules of forensics, you can successfully pass the written portion of the exam. If it's been a while since you've dealt with these types of issues, you might consider reviewing Upgrading and Repairing PCs by Scott Mueller, The IACIS® Forensic Examination Procedures, and DOJ Computer Crime Procedures. Even if you breeze through this portion of the certification process, don't become overconfident. The written exam represents only one-fourth of your grade. Three-fourths of your grade requires hands-on skills.

Parts 2, 3, & 4 - Examination of Test Media

Once the written examination has been completed, you will be provided with the first test media. Your first challenge will be to examine and recover the information on a floppy disk. You will be expected to write a complete report on the examination of this disk. It's important to remember to take nothing for granted. You need to handle the media in a way that is forensically sound and that could be supported if you were called into a court of law. It's a good idea to purchase a cloth-bound, page-numbered notebook. Use this to record each step of the process, making sure to note the date and time of each action performed.

When you successfully complete the examination of the floppy disk, you'll be provided with a CD. This will raise the bar on the skills required to make a successful analysis. The CD will present you with several additional technical hurdles to overcome. Finally, you will be tasked with the examination of a hard drive. This will be the most technically challenging of the three.

Throughout the examination process, you may encounter deleted files, encrypted files, fragments of data, and other obscure artifacts. You will need to have a variety of tools at your disposal to be victorious. The most important of these tools is your brain. If you like puzzles and have some basic detective skills, you can be successful.

Tools of the Trade

There's a wide array of tools available for computer forensics. Some of these are rather expensive. The most well-known dedicated forensic software packages include Forensic Toolkit by AccessData and EnCase by Guidance Software. Fortunately, AccessData provides a demo version that will work for all three media examinations; however, you will still need other programs to complete the examination process. Most of these are not free, and you'll need to budget for them if you are going to pursue a career in computer forensics. You would not want to explain to a judge or an attorney why you are using pirated or illegal versions of forensic software! This would lose the case and, most likely, end your career in computer forensics. You will want to consider purchasing some of the following types of programs:

Final Thoughts

Historically, computer forensics was the exclusive domain of the police and law enforcement; however, corporations are increasingly becoming concerned with security and computer forensics. More than ever, companies are tasked with the examination of attempted hacking attacks and allegations of employee computer misuse. Mishandling of these concerns can cost companies millions. Companies must handle each in a legal and defensible manner. This requires trained employees who possess computer forensic skills. If you are looking to gain this type of knowledge, the CCE is one certification to consider.

Michael C. Gregg (CISSP, MCSE, MCT, CTT+, A+, Network+, Security+, MCP+I, CNA, CCNA, TICSA, CIW SA, CEH, CEI, and CCE) is a consultant, trainer, and author. He is a contributing author to Computer Forensics: Handling Evidence of Cybercrime. His consulting firm, Superior Solutions, Inc., is based in Houston, Texas.