Are you ready for the challenge?

The exam will be an investigation of a semi-world case using your forensic skills. The exam assumes you have the knowledge and skills that are covered in CDFA. Please note that this is not a Multiple Choice Question (MCQ) exam and requires you to do a full digital forensic investigation, document your findings, and submit a forensics report

Your report will be evaluated by a committee of DFIR professionals

After the report evaluation, you will be asked to meet with the committee to discuss your work and findings

70% is the passing grade to earn you the CCDFA certification

If unfortunately you do not pass, you can retake the exam again after one month from the time of your last exam attempt

Required Skills

what are the skills needed to pass the exam?

    To pass the CCDFA exam, you need to be able to:
  • Identify, Acquire, and Validate a Digital Evidence
  • Mount and Navigate Case Evidence
  • Analyze Files and Work with a Hexadecimal Editor
  • Performing Disk Analysis and Fix corrupted disks and volumes
  • Analyze NTFS and FAT32 file systems
  • Perform data and file carving
  • Perform Windows Forensic analysis on Recycle Bin, Thumbnails, LNK Files and Jump Lists
  • Locate and analyze System and User Program Execution Artifacts
  • Extract Windows Registry files and analyze them to find relevant evidence
  • Analyze Volume Shadow Copies & File History
  • Analyze Windows Events and Scheduled Tasks
  • Document Forensic investigation Findings and Writing a Forensic Report


What you need to know about CCDFA?

  • How much time do I have to complete the exam?

    One Week to complete the investigation and the report.

  • What does the exam format looks like, is it a multiple choice question (MCQ), or what exactly?

    The exam will be a description of a semi-world case study. You'll be given the data and asked to conduct an investigation and report your findings. No guiding questions and no MCQs.

  • What tools do I need for the exam? Will you provide me with a lab environment?

    You will need a computer with at least 50GB of empty disk space, a relatively good processor, 16GB of RAM, and a Windows VM with your favorite forensic tools. Please refer to the CDFA course for what tools are covered within the course and are recommended.

  • Do I need to write a Forensic Report?
    Is there a particular template for the report

    Yes, this is a critical part of being a professional forensic investigator and CCDFA focuses on this part.
    There is no preference on the used report template. However, you will be provided with a template so you have an idea what is expected from you.

  • How will my work be evaluated, are there any rubrics used?

    Your report will be evaluated based on your case findings, explanations, and documentation. Following that, all students will be interviewed by a committee of DFIR professionals.

  • Is the evaluation meeting recorded?

    Yes, it will be recorded for future references, credibility, and quality assurance.

  • I took the CDFA course but I am still not prepared, do I lose my exam voucher?
    What is the expiration date for the certificate?

    You will have 1 year to attempt the exam, starting from the date you purchased the CDFA course or exam voucher.
    There is no expiration date for the certificate. However, we encourage students to retake the exam every 2-3 years to stay current with the DFIR field.

  • When can I take the exam?
    Can I do an immediate retake of the exam if I fail?

    You can take the exam anytime you are ready and before the expiration date of the course/exam voucher.
    No, you will be able to retake the exam after at least one month from your first attempt.

  • Is there any support to contact during my exam period?

    You are welcome to email our team info [at] cyber5w [dot] com, but please note that we will not be able to answer any question related to the exam itself. In other words, we won’t be giving any hints to the investigation given for your exam.