EC-Council · 2026 Edition
A complete preparation guide written by EC-Council-certified engineers. Covers the exam format, all 13 blueprint domains, a week-by-week study plan, and proven tips for passing first time.
Prep time: 3–4 months
Difficulty: Advanced
Exam questions: 125
Pass mark: 700/1000
Exam code: CHFI
Full name: Computer Hacking Forensic Investigator
Vendor: EC-Council
Duration: 240 minutes
Questions: 125 items
Passing score: 700/1000 (scaled)
Domains covered: 13 blueprint domains
Recommended experience: 2+ years of information security or digital forensics work experience recommended
Typical prep time: 3–4 months
CHFI is the leading digital forensics certification. It validates the skills to investigate computer crimes, collect and preserve digital evidence, perform forensic analysis, and present findings in court — skills required for incident response and law enforcement support roles.
Job roles this opens
Domain percentage weights are not currently available for this exam. The checklist below is still useful for planning your study.
Weeks 1–3
Computer Forensics Investigation Process: methodology, legal standards, chain of custody, documentation
Tip: The computer forensics investigation process: First Response (secure the scene, photograph equipment in place) → Seizure and Acquisition (create forensic image, document serial numbers) → Analysis (examine the image, not original) → Reporting (document findings in court-admissible format). Know what happens if any step is skipped — evidence may be inadmissible.
Weeks 4–6
Disk and File System Forensics: file systems (NTFS, FAT32, ext4), deleted file recovery, slack space
Tip: Know how file deletion works at the filesystem level: deleting a file marks the space as available but does not overwrite data until the OS writes new data to that location. This is why deleted file recovery is possible. Know tools: Autopsy, FTK (Forensic Toolkit), EnCase — and what each does.
Weeks 7–9
Network Forensics, Email Forensics, and Log Analysis
Tip: Email header analysis is a CHFI core skill. Know what each email header field contains: Received (each hop the email passed through, in reverse chronological order), From, Reply-To, X-Originating-IP (sender's IP address). Questions give an email header and ask you to trace the origin or identify spoofing.
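The header trace described in the tip above, as an added example that is not part of the original guide. The message is constructed (documentation-range IPs and example domains are assumptions); the code reverses the Received chain into travel order and flags a Reply-To domain that differs from From.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message: RFC 5737 documentation IPs, example domains.
RAW = """\
Received: from mx.example.net (mx.example.net [198.51.100.7])
\tby inbox.example.org with ESMTP; Tue, 03 Mar 2026 10:02:11 +0000
Received: from relay.example.net (relay.example.net [198.51.100.20])
\tby mx.example.net with ESMTP; Tue, 03 Mar 2026 10:02:09 +0000
Received: from [203.0.113.45] (unknown [203.0.113.45])
\tby relay.example.net with ESMTPSA; Tue, 03 Mar 2026 10:02:05 +0000
From: "Payroll" <payroll@example.org>
Reply-To: refunds@example.com
X-Originating-IP: [203.0.113.45]
Subject: Action required

body
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def domain_of(header_value):
    """Lower-cased domain of the address in a From/Reply-To header."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def trace(raw):
    msg = message_from_string(raw)
    hops = []
    # Each server prepends its Received line, so the list is newest-first.
    # Reverse it to read the path in the order the message travelled.
    for value in reversed(msg.get_all("Received", [])):
        sender_part = re.split(r"\s+by\s+", value, maxsplit=1)[0]
        m = IP_RE.search(sender_part)
        hops.append(m.group(1) if m else None)
    x_orig = IP_RE.search(msg.get("X-Originating-IP", ""))
    reply_dom = domain_of(msg.get("Reply-To"))
    return {
        "hops": hops,
        # Lines below the first server you trust can be forged by the sender,
        # so treat the earliest hop as a lead to corroborate, not as proof.
        "origin_ip": hops[0] if hops else None,
        "x_originating_ip": x_orig.group(1) if x_orig else None,
        "reply_to_mismatch": bool(reply_dom) and reply_dom != domain_of(msg.get("From")),
    }

if __name__ == "__main__":
    print(trace(RAW))
```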
Weeks 10–13
Mobile Forensics, Cloud Forensics, Malware Forensics, and Anti-Forensics
Tip: For mobile device forensics, know the acquisition types: physical (bit-by-bit image of flash memory, most complete), logical (file system level, misses deleted data), and cloud backup (quick but limited). The device must be placed in a Faraday bag or switched to airplane mode before imaging to prevent remote wipe. Know the Cellebrite UFED as the primary mobile forensics tool.
The order of volatility in evidence collection: CPU cache and registers → RAM → swap/paging file → network connections → running processes → hard disk → removable media → backup media. Collect the most volatile evidence first — it is lost when the system is powered off.
Write blockers are mandatory when acquiring disk images to prevent accidental modification of evidence. Know hardware write blockers (physical device between disk and computer) and software write blockers (block write system calls). The acquisition must produce a forensic image with hash verification (MD5 or SHA-256) to prove integrity.
Steganography detection tools appear on CHFI: Stegdetect identifies JPEG files with hidden data, StegSpy detects multiple steganography tools. Know that steganography detection is statistical — tools look for anomalies in file data that suggest hidden content.
Anti-forensics techniques tested on CHFI: secure deletion (overwrite data before release — wipe utilities vs simple delete), encryption (makes data inaccessible without the key), steganography (hides data in plain sight), and log tampering (clearing Windows Event Log, modifying system logs). Know how investigators detect and counter each technique.
CHFIv10 exam: 150 questions, 4 hours. The practical component requires hands-on lab skills with forensic tools. If your exam includes a practical component, ensure you have used Autopsy, FTK Imager, Wireshark, Volatility (memory forensics), and basic Kali Linux forensics tools before exam day.
Deep-dive explanations of the key topics tested on CHFI — with exam key points and common misconceptions.