CHFI – Hacking Forensic Investigator

CHFI Hacking Forensic Investigator Course enables professionals to conduct digital forensic investigations, covering the collection, preservation, analysis and presentation of digital evidence. The training focuses on computer forensics methodologies and tools, supporting incident response and root cause analysis.

Register
Companies: request a proposal

Quick Access:   Introduction· Why this course exists· What this course enables· Frameworks and models· Value· Objectives· Target audience· Prerequisites· Programme· Exam & Certification· Other information· Benefits· Logistics· FAQs· Registration

Upcoming dates

Public dates on the website.
Synchronous, live training. Interaction with the trainer and the group.

20 April 2026
Live Online • next edition
15 June 2026
Live Online • base price
Duration: 5 days / 40h
Language: available in Portuguese or English
Training: digital forensics + practical labs
Exam: 4h (150 questions) • included
SPECIALIST LEVEL – The depth that matters. Expertise that transforms.

Why CHFI Hacking Forensic Investigator course exists

To develop advanced digital forensic investigation competences, with methodology, tools and forensically sound practices.

As sophisticated attacks, data breaches, corporate espionage and insider threats evolve, there is a growing need for teams capable of identifying, preserving, analysing and presenting digital evidence in a technically rigorous and defensible manner.
The CHFI Hacking Forensic Investigator course was designed to develop practical competences in the acquisition, handling and analysis of evidence, supporting investigations across different types of incidents and organisational contexts.

What this course enables you to do

Collect and preserve evidence

Apply best practices for evidence collection and preservation, ensuring integrity and chain of custody in an organisational context.

Analyse systems and files

Understand disks and file systems, and apply analysis techniques in Windows, Linux and Mac environments, using forensic examination tools.

Investigate network, malware and cloud

Apply the fundamentals of network forensics, web attack investigation, malware analysis and forensics in cloud environments.

Produce evidence and reporting

Structure findings and evidence for technical reporting and to support internal processes, incident response and investigation.

Frameworks, models and structures addressed throughout the course

Forensic Investigation Process (phases)
Data Acquisition and Duplication (forensic imaging)
Anti-forensics: detection and countermeasures
Windows Forensics (memory, registry, artefacts)
Linux & Mac Forensics
Network Forensics and event correlation
Web Attack Investigation
Dark Web / Tor Forensics
Cloud Forensics (AWS/Azure/GCP)
Email, Social Media, Mobile and IoT Forensics
CHFI preparation

Value for the organisation

  • Internal capability for incident response with evidence collection and preservation.
  • Improved investigation of data breaches, insider threats and complex incidents with structured analysis.
  • Strengthened forensic practices to support root cause, corrective actions and control improvement.
  • Greater maturity in technical investigation with defensible reporting and evidence.

Introduction

The CHFI Hacking Forensic Investigator Course is a professional training course in digital forensics and investigation, oriented to real forensic investigation scenarios and the development of practical experience in standard techniques and tools.

The programme covers forensic fundamentals and relevant regulation, the investigation process, disks and file systems, data acquisition, anti-forensics, Windows/Linux/Mac forensics, network forensics, web attack investigation, dark web, cloud, email and social media, mobile and IoT.

This Training Plan and all associated documents are protected by Copyright and registered by EC-COUNCIL®.

General Objectives

At the end of the course, participants should be able to:

  • Understand computer forensics fundamentals, types of cybercrime, investigation procedures and standards that influence forensic investigation.
  • Apply the phases of the digital forensic investigation process.
  • Understand disks, boot and file systems in Windows, Linux and Mac, including format and storage analysis (RAID, NAS/SAN).
  • Apply data acquisition methodology and prepare forensic images, including eDiscovery.
  • Recognise anti-forensics techniques, detection methods and countermeasures.
  • Perform acquisition and analysis of volatile and non-volatile data in Windows, including memory, registry and artefacts.
  • Perform acquisition and analysis in Linux and Mac, including memory forensics.
  • Apply network forensics fundamentals, correlation, IOCs and traffic and incident investigation.
  • Understand malware forensics and analysis (static/dynamic), including ransomware.
  • Investigate web application attacks and logs, including attack detection and investigation.
  • Apply Tor/Dark Web forensics methodology.
  • Understand cloud forensics and its challenges, including processes in AWS, Azure and Google Cloud.
  • Investigate email and social media crimes, and apply mobile and IoT forensics fundamentals.

Target Audience

  • IT professionals involved in security, digital forensics and incident response.
  • Security Officers, system administrators, analysts and SOC/IR teams.
  • Auditors, consultants and professionals who need applied forensic competences.

Prerequisites

There are no mandatory formal prerequisites. However, experience or prior exposure to cybersecurity, networks, operating systems and technical investigation fundamentals is recommended, as well as attending the CEH course before enrolling in the CHFI programme.

Other specific requirements may apply, where relevant, depending on the quotation or proposal presented (please consult the proposal).

Programme

Modules (CHFI)
  1. Computer Forensics in Today’s World
  2. Computer Forensic Investigation Process
  3. Understanding Hard Disks and File Systems
  4. Data Acquisition and Duplication
  5. Defeating Anti-Forensics Techniques
  6. Windows Forensics
  7. Linux and Mac Forensics
  8. Network Forensics
  9. Investigating Web Attacks
  10. Dark Web Forensics
  11. Cloud Forensics
  12. Email and Social Media Forensics
  13. Mobile Forensics
  14. IoT Forensics
Labs and practice
  • Hands-on labs and practical environments to consolidate investigation techniques
  • Use of standard forensic and analysis tools in investigation scenarios
  • Focus on forensically sound acquisition, preservation and analysis

Exam(s) and Certification

Exam “CHFI Hacking Forensic Investigator”

The CHFI 312-49 certification exam is not included in the course price.

Number of questions: 150.
Duration: 4 hours.
Format: Multiple Choice.
Pass mark: 70%.
Issuing entity: EC-Council
Mode: Online Proctoring (according to exam conditions).

Certification (framework)

The C|HFI certification validates digital forensics competences from a vendor-neutral perspective, strengthening the ability to support investigation, incident response and digital evidence analysis, according to EC-Council rules.

Other Information

General Information
  • Live Online training in Portuguese or English.
  • CHFI online materials in English, with access for 11 months from the course start date.
  • Access to a private area to download tools.
  • Hands-on-Labs with remote access to official CHFI iLabs, during and after the course, for a period of 6 months.
  • Behaviour digital Training Attendance Certificate with 40 CPD/CPE credits.
  • Online CHFI exam included, available up to 11 months after the start of the training.
  • EC-COUNCIL exam: the exam may be scheduled up to 11 months after the training (according to programme conditions); exam available online.
Trainer(s)
EC-COUNCIL certified trainers.

Benefits

View benefits
  • Practical competences for digital forensic investigation with method and standard tools.
  • Greater ability to collect, preserve and analyse digital evidence in a structured manner.
  • Strengthened incident response and investigation across multiple scenarios (breaches, insider threats, corporate espionage).
  • Ability to support reporting and technical evidence in an organisational context.
  • Structured preparation for the CHFI exam.

Logistics

Useful information
  • Live Online (synchronous time): 09h30–17h30 (Lisbon time), with lunch break and short breaks
  • Classroom (synchronous time): 09h30–17h30 (Lisbon time), with lunch break and short breaks
  • 35 hours of synchronous training, distributed across 4 consecutive days
  • Estimated 5 hours of guided autonomous work, intended for content consolidation, carried out flexibly outside synchronous sessions
  • Requirements: computer with stable internet, browser, PDF reader and audio/video
Hotels in Lisbon
Find out where you can stay in Lisbon, near Behaviour, for classroom training.

Frequently Asked Questions

Objective answers to common questions about the CHFI Hacking Forensic Investigator Course.

Is it recommended to take CEH before CHFI?
Yes. Attending CEH before CHFI is recommended, to strengthen the offensive security basis and technical context that are useful in forensic investigations.
Is this course suitable for internal teams (SOC/IR/IT), or is it more focused on forensic consulting?
It is suitable for both. For internal teams, it strengthens competences in evidence collection and analysis during incidents and supports technical decision-making. For consulting, it consolidates forensic investigation method, rigour and language, with a focus on techniques and tools applicable in multiple contexts.
What types of incidents and investigations does this course prepare for?
CHFI prepares participants for investigations in contexts such as data breach, account compromise, malware/ransomware, insider threats, privilege abuse, digital fraud and incidents requiring evidence preservation and analysis to support incident response and control improvement.
Does the course help structure chain of custody and defensible evidence for audit?
Yes. The course strengthens acquisition, preservation and documentation practices for digital evidence, including integrity and chain of custody principles, which are essential to support internal audits, disciplinary processes and technically rigorous investigations.
What types of audits and assessments does this course support?
CHFI Hacking Forensic Investigator strengthens the ability to support technical audits and evidence-based assessments, particularly in incident and compliance contexts: validation of records and artefacts (logs, endpoints, forensic images), verification of chain of custody, analysis of audit trails and evidence to support conclusions in internal audits, security audits and post-incident assessments.

For general questions about registration, delivery modes, exams, certification and recertification, please consult the BEHAVIOUR® FAQs.

Registration

Complete the form to request your registration for the preferred edition. Check the upcoming dates.

Contact name
=

Request more information

If you would like help to frame the course within your professional or organisational context, contact us and we will indicate the most suitable path.
Request Information

Companies: request a proposal

For team registrations, we provide volume conditions and a proposal tailored to the organisational need.
Request Proposal

This course may be attended by individual professionals. It may also be integrated into technical capability-building pathways in forensic investigation, collection, preservation and analysis of digital evidence to support incidents.