Cellebrite Certified Mobile Examiner Certification FAQ

Graphic: CCME Examination

Cost of CCME Examination: $300 USD

Button: Register for CCME

An updated version of the CCME examination will be released in early 2018.

Those enrolling in the CCME examination after this date should have database analysis experience.

Completion of the Cellebrite Advanced Smartphone Analysis (CASA) course is highly recommended.

What is the CCME Exam?

The CCME is Cellebrite’s top certification; it certifies that mobile device examiners have attained a level of mastery in the discipline of mobile device forensic investigation methodology as well as a high degree of proficiency with Cellebrite’s Physical Analyzer software and a high level of working and practical knowledge regarding Cellebrite’s UFED technology. The examination tests basic knowledge, tool knowledge, and practical experience using three popular mobile device operating systems including Android, iOS, and Blackberry. CCME certification indicates that an investigator is a skilled mobile device examiner.

What are the prerequisites?

The CCME is available to applicants who hold current certificates in Cellebrite’s CMFF (Cellebrite Mobile Forensic Fundamentals) or CMFF Test Out, CCLO or CCO (Cellebrite Certified Logical Operator or Cellebrite Certified Operator), and CCPA (Cellebrite Certified Physical Analyst). To be current, a student possessing these certifications in current status shall be eligible to take the exam.

Any other mobile device forensic training, such as courses offered through SANS, the Federal Law Enforcement Training Center, or the National Computer Forensics Institute, may prove helpful in successfully completing the CCME process, but is not required. The examination will focus on the skill sets and domain knowledge imparted in the CMFF, CCO, and CCPA classes. Additionally, examiners should be familiar with open source and general forensic utilities normally used in mobile device forensics. Finally, applicants are required to file a “Declaration of Independent Work” (DIW) which is available online. The DIW must be completed in its entirety before you submit it online, or the process may be delayed.

What is the Declaration of Independent Work?

The Declaration of Independent Work (DIW) is a form that an applicant fills in electronically, attesting that they will complete the CCME Examination by their own independent work. While the test is open book, contacting any CCME holders or trainers or seeking the help of a third party to answer questions on the CCME examination while you are undergoing either the written or the practical CCME exams will be considered cheating. This will result in immediate failure and exclusion from future testing.

Once I am registered and found eligible, how long do I have to complete the CCME test?

Once you receive the email notice that you have been approved for the test, you have 90 days to complete Part 1 and Part 2 in their entirety. After that time expires, the attempt is marked as a failure if you have not completed both Part 1 and Part 2. Applicants who do not complete the process in 90 days will be subject to the procedure regarding failed attempts. (See “What happens if I don’t pass the exam?” below.)

What about my legacy certificates I obtained from a third party that provided training and provided me a legacy Cellebrite Certificate?

The training you received from third party training entities before Cellebrite launching the new Cellebrite Forensic Training System (CFTS) may be relevant and valid certification in Cellebrite methodology and useful in the performance of your current job task.

However, since there was no standardized curriculum or formal instructor vetting process before implementation of the Cellebrite Forensic Training System, it is not possible for Cellebrite to know what skill sets you were trained in. Therefore, it is not possible to determine if you have had the prerequisite training in specific tools and methodology.

It is, however, certain that no third party providers were providing training on UFED Touch Ultimate, Touch2 or UFED4PC technology before implementation of the new CFTS. The CCME exam does not test the students’ knowledge or practical ability to use the UFED Classic device; it only focuses on UFED technology-- UFED Touch, Touch2 and UFED4PC-- that has been distributed since the CFTS was implemented.

Therefore, holders of legacy certificates are not eligible for the CCME test without first obtaining the required CMFF, CCO and CCPA certifications. While this may seem cost and time prohibitive, remember that mobile device technology is the most rapidly evolving facet of digital forensics. That is why we recommend examiners refresh their knowledge and certifications in the field at least every two years.

The CCME examination is delivered in two parts:

Part I - Knowledge Based Examination: 

The first part of the CCME examination consists of a timed knowledge test.

  • Participants are allotted one hour and fifteen minutes (75 minutes) in which to complete this portion.
  • Participants will respond to 50 randomly selected questions from the domains in the CMFF, CCO and CCPA classes.
  • A score of 80% on the knowledge-based examination is required to proceed to the practical examination.
  • If a score of less than 80% is obtained, the test attempt is counted as a failure, and the CCME examination attempt is over. No practical exam will be administered.

Part II - Practical Examination: 

The second part of the CCME examination consists of a timed practical test.

  • Participants are allotted two hours and fifteen minutes in which to complete this portion.
  • This part consists of 3 separate quizzes, one for each of the following devices - Android, iPhone, and BlackBerry. Participants will receive approximately 12 questions about each piece of evidence (3 OS related evidence items for Android, Blackberry, and iOS).
  • Participants will download and process the device specific extraction in UFED Physical Analyzer before beginning the timed portion of that device specific section of the practical examination.
  • The cumulative score on the practical exam must total 80% to be considered a passing grade.
  • Participants who earn a cumulative 80% or better on the practical examination will earn the CCME credential.
  • Cellebrite’s UFED Physical Analyzer will be the preferred tool, although other tools and utilities may be required to complete certain questions. (See “What software, hardware, and resources will I need to be able to take the test?” below.)

What software, hardware, and resources will I need to be able to take the test?

Before you begin the knowledge based test, it is advisable (but not mandatory) to have your Cellebrite class manuals on hand, and to have a licensed copy of UFED Physical Analyzer installed and running with a piece of evidence processed in the tool.

It may also prove helpful to have a functional UFED Touch2 device or UFED 4PC for reference at your disposal. However, participants will not be asked to perform an extraction during the examination.

Before you begin the practical portion of this exam, you will need to ensure several items routinely used in mobile phone examinations are present on your computer:

  • A licensed copy of the latest version of UFED Physical Analyzer.
  • The CCME data set files, unzipped and ready to process or already processed in UFED Physical Analyzer (A download link will be made available for approved applicants; alternatively, a USB drive containing the files may be shipped at the applicant’s request).
  • A multimedia player that can play a variety of audio and video files commonly found on mobile devices. Either the free VLC player (Video Lan - freely available here: http://www.videolan.org/index.html) or Apple QuickTime software for Windows (freely available here: http://www.apple.com/quicktime/download/) will give you all the capability you will need in this regard. Note that Windows Media Player will not have all the capability you need to answer some questions in the practical section, so please ensure you have a multipurpose media player installed before you begin the timed portion of the exam.
  • A time decoding utility (like Decode, freely available here: http://www.digital-detective.net/digital-forensic-software/free-tools).
  • Mapping and location freeware, such as Google Earth or Google Maps, to interpret location data.
  • Any other forensic utilities you would normally use in a deep dive investigation (Irfan view, etc., if you so desire). The exam assumes you will use UFED Physical Analyzer as a primary examination tool supplementing as needed with other utilities for verification.

Additionally, test takers will need continuous, reliable Internet connectivity on the testing machine and access to a web browser to consult online external resources, as mentioned in previous Cellebrite training classes, when appropriate.

How should I prepare for the exam?

Review the manuals from the Cellebrite forensic training courses you have taken. Conduct examinations on well-populated devices that have fairly current Android OS, Blackberry devices and iOS devices using UFED Physical Analyzer. Be familiar with additional concepts and tools frequently used to supplement a mobile device examination. Be versed in the manual recovery of artifacts from unallocated space, interpreting time stamps in mobile devices, and encoding concepts found on mobile devices.

Additionally, Cellebrite Internal Training staff will occasionally conduct an optional CCME preparation workshop in an instructor-led format at conferences, or in a live online environment. Attending one of these sessions will provide an opportunity to review the concepts necessary to be successful on the CCME examination, but should not be considered adequate preparation by itself.

What happens if I don’t pass the exam?

Regarding the knowledge-based (Part 1) portion of the exam:

  • If a candidate scores less than 80%, the test attempt is counted as a failure and the CCME examination attempt is over. No practical exam will be administered. Those who fail Part 1, the knowledge-based portion, must wait 30 days before retesting. To retake the test, the candidate must submit an application for re-testing (downloadable here) to the certification manager after the 30 day waiting period. You must pay the testing fee again if you fail Part I. The certification manager will instruct applicants who did not pass as to how to pay and properly register online to take re-take the CCME.

Regarding the practical portion of the exam:

  • If a cumulative score of less than 80% is obtained on the practical examination, the test attempt is counted as a failure, and the CCME examination attempt is over. For example, a test taker might score 70% on the first practical device examination and 90% on the next two practical device examinations. This person would end up with a cumulative passing score of 83% which would be a passing score for the practical portion of the exam.
  • The score on Part 1 (the knowledge-based exam) is not factored into the cumulative average on the practical portion of the exam. For example, a test taker who scores 100% on the knowledge-based portion and 79% on the practical portion cannot be considered having passed the CCME. The two sections are independently scored, and each requires a score of 80% or better to obtain the CCME credential.
  • If a test taker fails to pass the CCME examination Part 2 on the first attempt, there is a 30 day waiting period required before the test may be retaken. Participants who successfully complete Part 1, but fail Part 2, will be allowed to retake Part 2 a single time at no additional cost. Note: If you pass Part 1 and fail part 2, your only retake attempt will begin at Part 2.

A participant must contact the Manager of Certification within 30 days of the failed Part 2 attempt regarding their eligibility date for retesting. Failure to communicate with the Manager of Certification on your eligibility date will require a participant to start from Phase I of the testing process. If after retaking Part 2, a student fails again, the student must begin the retesting process from Part 1. Any participant re-entering Part 1 will be required to pay the testing fee.

How do I contact the Manager of Certification at Cellebrite?

Please complete the Cellebrite Training Technical Support form. Select "Recertification Questions" from the topic menu, and your inquiry will be directed to our Certification Team for further assistance.

What happens when I pass the exam?

Those who pass the Part 2 practical examination will be notified via e-mail, then issued a CCME Certificate (hard copy and a downloadable version will be available on the Cellebrite Learning Center).

CCME certifications are valid for two (2) years from the date obtained. Detailed information about the renewal process and the application for renewal are available on the CCME certification renewal page.

Please be aware that CCME certificate holders are responsible for knowing their certification expiration date. Should your certification expire, you will be required to restart the CCME process from Part I. Extensions will not be granted. If you are unsure of your expiration date, please complete the Cellebrite Training Technical Support form. Select "Recertification Questions" from the topic menu, and your inquiry will be directed to our Certification Team for further assistance.

How do I renew my CCME certification? 

Those due to recertify will be contacted via email with details on when and how to submit your recertification request.

As with all of Cellebrite’s certifications, the CCME should be refreshed every two years. Cellebrite requires certifications be renewed by the end of the second year after achievement. For example, certificates earned in 2015 must be renewed by 31 December 2017.

If your certification expired in 2016, you are currently in a redemption period. Please complete the Cellebrite Training Technical Support form. Select "Recertification Questions" from the topic menu, and your inquiry will be directed to our Certification Team for further assistance.

The cost to recertify your CCME is $89 USD (this includes refreshing your CCO and CCPA certifications).

If your CCME certification is current and due to expire in the current year, you must meet the following qualifications to recertify:

Image: Checkmark

Your CCME must be current. 

The first requirement is that your CCME certification must be current. If you are holding an expired certification which is within 12 months of expiration, you are currently in a redemption period. Please complete the Cellebrite Training Technical Support form. Select "Recertification Questions" from the topic menu, and your inquiry will be directed to our Certification Team for further assistance.

Image: Checkmark

Provide proof of continuing professional development or education (CPE) since the initial certification or prior recertification date through the application date.

You must attend a minimum of 24 hours of documented ongoing learning, growth and professional development within the field of digital forensic examination.

The training may be from Cellebrite, your agency, or an accredited source such as IACIS, USSS NCFI or an accredited college providing official curriculum in forensics. Training should be either in a classroom lab setting or online.

Acceptable ongoing professional development includes time presenting training courses, workshops, or conference speaking engagements related to digital forensic or mobile forensic examinations.

All submissions must be accompanied with documented independent verification of hours awarded. This documentation may include certificates of attendance, transcripts, or official letter to the Manager of Certification at Cellebrite.

Image: Checkmark

Relevant work experience related to digital forensic or mobile forensic examinations.

During the preceding certification period, you must provide proof of conducting or supervising case preparation and investigations related to digital forensic or mobile forensic examinations (paid or not).

Cellebrite Certified Instructors and Cellebrite Certified Master Instructors may qualify for CCME recertification by having taught 120 hours of curriculum under the Cellebrite Forensic Training System in the two years since earning the CCME.

Cellebrite Certified Mobile Examiner Certification Process Overview

Button: Register for CCME

Last modified: Thursday, 25 January 2018, 3:31 PM