Summer Limited Time 60% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: sixtybuddy

412-79 EC-Council Certified Security Analyst (ECSA) Questions and Answers

Questions 4

Which Intrusion Detection System (IDS) usually produces the most false alarms due to the unpredictable behaviors of users and networks?

Options:

A.

network-based IDS systems (NIDS)

B.

host-based IDS systems (HIDS)

C.

anomaly detection

D.

signature recognition

Buy Now
Questions 5

If you see the files Zer0.tar.gz and copy.tar.gz on a Linux system while doing an investigation, what can you conclude?

Options:

A.

The system files have been copied by a remote attacker

B.

The system administrator has created an incremental backup

C.

The system has been compromised using a t0rnrootkit

D.

Nothing in particular as these can be operational files

Buy Now
Questions 6

Hackers can gain access to Windows Registry and manipulate user passwords, DNS settings, access rights or others features that they may need in order to accomplish their objectives. One simple method for loading an application at startup is to add an entry (Key) to the following Registry Hive:

Options:

A.

HKEY_LOCAL_MACHINEhardwarewindowsstart

B.

HKEY_LOCAL_USERSSoftware|MicrosoftoldVersionLoad

C.

HKEY_CURRENT_USERMicrosoftDefault

D.

HKEY_LOCAL_MACHINESoftwareMicrosoftCurrentVersionRun

Buy Now
Questions 7

Windows identifies which application to open a file with by examining which of the following?

Options:

A.

The File extension

B.

The file attributes

C.

The file Signature at the end of the file

D.

The file signature at the beginning of the file

Buy Now
Questions 8

Chris has been called upon to investigate a hacking incident reported by one of his clients. The company suspects the involvement of an insider accomplice in the attack. Upon reaching the incident scene, Chris secures the physical area, records the scene using visual mediA. He shuts the system down by pulling the power plug so that he does not disturb the system in any way. He labels all cables and connectors prior to disconnecting any. What do you think would be the next sequence of events?

Options:

A.

Connect the target media; prepare the system for acquisition; Secure the evidence; Copy the media

B.

Prepare the system for acquisition; Connect the target media; copy the media; Secure the evidence

C.

Connect the target media; Prepare the system for acquisition; Secure the evidence; Copy the media

D.

Secure the evidence; prepare the system for acquisition; Connect the target media; copy the media

Buy Now
Questions 9

This is original file structure database that Microsoft originally designed for floppy disks. It is written to the outermost track of a disk and contains information about each file stored on the drive.

Options:

A.

Master Boot Record (MBR)

B.

Master File Table (MFT)

C.

File Allocation Table (FAT)

D.

Disk Operating System (DOS)

Buy Now
Questions 10

Melanie was newly assigned to an investigation and asked to make a copy of all the evidence from the compromised system. Melanie did a DOS copy of all the files on the system. What would be the primary reason for you to recommend a disk imaging tool?

Options:

A.

A disk imaging tool would check for CRC32s for internal self checking and validation and have MD5 checksum

B.

Evidence file format will contain case data entered by the examiner and encrypted at the beginning of the evidence file

C.

A simple DOS copy will not include deleted files, file slack and other information

D.

There is no case for an imaging tool as it will use a closed, proprietary format that if compared to the original will not match up sector for sector

Buy Now
Questions 11

You are working as a Computer forensics investigator for a corporation on a computer abuse case. You discover evidence that shows the subject of your investigation is also embezzling money from the company. The company CEO and the corporate legal counsel advise you to contact law enforcement and provide them with the evidence that you have founD. The law enforcement officer that responds requests that you put a network sniffer on your network and monitor all traffic to the subjects computer. You inform the officer that you will not be able to comply with that request because doing so would:

Options:

A.

Violate your contract

B.

Cause network congestion

C.

Make you an agent of law enforcement

D.

Write information to the subjects hard drive

Buy Now
Questions 12

Which of the following refers to the data that might still exist in a cluster even though the original file has been overwritten by another file?

Options:

A.

Sector

B.

Metadata

C.

MFT

D.

Slack Space

Buy Now
Questions 13

Office Documents (Word, Excel and PowerPoint) contain a code that allows tracking the MAC or unique identifier of the machine that created the document. What is that code called?

Options:

A.

Globally unique ID

B.

Microsoft Virtual Machine Identifier

C.

Personal Application Protocol

D.

Individual ASCII string

Buy Now
Questions 14

____________________ is simply the application of Computer Investigation and analysis techniques in the interests of determining potential legal evidence.

Options:

A.

Network Forensics

B.

Computer Forensics

C.

Incident Response

D.

Event Reaction

Buy Now
Questions 15

Which part of the Windows Registry contains the user‟s password file?

Options:

A.

HKEY_LOCAL_MACHINE

B.

HKEY_CURRENT_CONFIGURATION

C.

HKEY_USER

D.

HKEY_CURRENT_USER

Buy Now
Questions 16

When examining a file with a Hex Editor, what space does the file header occupy?

Options:

A.

the last several bytes of the file

B.

the first several bytes of the file

C.

none, file headers are contained in the FAT

D.

one byte at the beginning of the file

Buy Now
Questions 17

The offset in a hexadecimal code is:

Options:

A.

The last byte after the colon

B.

The 0x at the beginning of the code

C.

The 0x at the end of the code

D.

The first byte after the colon

Buy Now
Questions 18

What type of file is represented by a colon (:) with a name following it in the Master File Table of NTFS disk?

Options:

A.

A compressed file

B.

A Data stream file

C.

An encrypted file

D.

A reserved file

Buy Now
Questions 19

You are working as an investigator for a corporation and you have just received instructions from your manager to assist in the collection of 15 hard drives that are part of an ongoing investigation. Your job is to complete the required evidence custody forms to properly document each piece of evidence as it is collected by other members of your team. Your manager instructs you to complete one multi-evidence form for the entire case and a single-evidence form for each hard drive. How will these forms be stored to help preserve the chain of custody of the case?

Options:

A.

All forms should be placed in an approved secure container because they are now primary evidence in the case.

B.

The multi-evidence form should be placed in the report file and the single-evidence forms should be kept with each hard drive in an approved secure container.

C.

The multi-evidence form should be placed in an approved secure container with the hard drives and the single-evidence forms should be placed in the report file.

D.

All forms should be placed in the report file because they are now primary evidence in the case.

Buy Now
Questions 20

When examining a hard disk without a write-blocker, you should not start windows because Windows will write data to the:

Options:

A.

Recycle Bin

B.

MSDOS.sys

C.

BIOS D.

Case files

Buy Now
Questions 21

When investigating a potential e-mail crime, what is your first step in the investigation?

Options:

A.

Trace the IP address to its origin

B.

Write a report

C.

Determine whether a crime was actually committed

D.

Recover the evidence

Buy Now
Questions 22

You are a security analyst performing reconnaissance on a company you will be carrying out a penetration test for. You conduct a search for IT jobs on Dice.com and find the following information for an open position:

7+ years experience in Windows Server environment

5+ years experience in Exchange 2000/2003 environment

Experience with Cisco Pix Firewall, Linksys 1376 router, Oracle 11i and MYOB v3.4 Accounting software are required MCSA desired,

MCSE, CEH preferred

No Unix/Linux Experience needed

What is this information posted on the job website considered?

Options:

A.

Information vulnerability

B.

Social engineering exploit

C.

Trade secret

D.

Competitive exploit

Buy Now
Questions 23

What is the following command trying to accomplish?

Options:

A.

Verify that NETBIOS is running for the 192.168.0.0 network

B.

Verify that TCP port 445 is open for the 192.168.0.0 network

C.

Verify that UDP port 445 is open for the 192.168.0.0 network

D.

Verify that UDP port 445 is closed for the 192.168.0.0 network

Buy Now
Questions 24

You are carrying out the last round of testing for your new website before it goes live. The website has many dynamic pages and connects to a SQL backend that accesses your product inventory in a database. You come across a web security site that recommends inputting the following code into a search field on web pages to check for vulnerabilities:

When you type this and click on search, you receive a pop-up window that says:

"This is a test."

What is the result of this test?

Options:

A.

Your website is vulnerable to web bugs

B.

Your website is vulnerable to CSS

C.

Your website is not vulnerable

D.

Your website is vulnerable to SQL injection

Buy Now
Questions 25

A packet is sent to a router that does not have the packet destination address in its route table, how will the packet get to its properA packet is sent to a router that does not have the packet? destination address in its route table, how will the packet get to its proper destination?

Options:

A.

Root Internet servers

B.

Border Gateway Protocol

C.

Gateway of last resort

D.

Reverse DNS

Buy Now
Questions 26

You are working on a thesis for your doctorate degree in Computer Science. Your thesis is based on HTML, DHTML, and other web-based languages and how they have evolved over the years. You navigate to archive.org and view the HTML code of news.com. You then navigate to the current news.com website and copy over the source code. While searching through the code, you come across something abnormal:

What have you found?

Options:

A.

Trojan.downloader

B.

Blind bug

C.

Web bug

D.

CGI code

Buy Now
Questions 27

After attending a CEH security seminar, you make a list of changes you would like to perform on your network to increase its security. One of the first things you change is to switch the RestrictAnonymous setting from 0 to 1 on your servers. This, as you were told, would prevent anonymous users from establishing a null session on the server. Using Userinfo tool mentioned at the seminar, you succeed in establishing a null session with one of the servers. Why is that?

Options:

A.

RestrictAnonymous must be set to "2" for complete security

B.

RestrictAnonymous must be set to "3" for complete security

C.

There is no way to always prevent an anonymous null session from establishing

D.

RestrictAnonymous must be set to "10" for complete security

Buy Now
Questions 28

Simon is a former employee of Trinitron XML Inc. He feels he was wrongly terminated and wants to hack into his former company's network. Since Simon remembers some of the server names, he attempts to run the axfr and ixfr commands using DIG. What is Simon trying to accomplish here?

Options:

A.

Enumerate all the users in the domain

B.

Perform DNS poisoning

C.

Send DOS commands to crash the DNS servers

D.

Perform a zone transfer

Buy Now
Questions 29

Click on the Exhibit Button

Paulette works for an IT security consulting company that is currently performing an audit for the firm ACE Unlimited. Paulette's duties include logging on to all the company's network equipment to ensure IOS versions are up-to-date and all the other security settings are as stringent as possible. Paulette presents the following screenshot to her boss so he can inform the client about necessary changes need to be made. From the screenshot, what changes should the client company make?

Exhibit:

Options:

A.

The banner should not state "only authorized IT personnel may proceed"

B.

Remove any identifying numbers, names, or version information

C.

The banner should have more detail on the version numbers for the network equipment

D.

The banner should include the Cisco tech support contact information as well

Buy Now
Questions 30

You just passed your ECSA exam and are about to start your first consulting job running security audits for a financial institution in Los Angeles. The IT manager of the company you will be working for tries to see if you remember your ECSA class. He asks about the methodology you will be using to test the company's network. How would you answer?

Options:

A.

IBM Methodology

B.

LPT Methodology

C.

Google Methodology

D.

Microsoft Methodology

Buy Now
Questions 31

What is the target host IP in the following command?

Options:

A.

Firewalk does not scan target hosts

B.

172.16.28.95

C.

This command is using FIN packets, which cannot scan target hosts

D.

10.10.150.1

Buy Now
Questions 32

As a security analyst you setup a false survey website that will require users to create a username and a strong password. You send the link to all the employees of the company. What information will you be able to gather?

Options:

A.

The employees network usernames and passwords

B.

The MAC address of the employees?computers

C.

The IP address of the employees computers

D.

Bank account numbers and the corresponding routing numbers

Buy Now
Questions 33

On Linux/Unix based Web servers, what privilege should the daemon service be run under?

Options:

A.

You cannot determine what privilege runs the daemon service

B.

Guest

C.

Root

D.

Something other than root

Buy Now
Questions 34

Bill is the accounting manager for Grummon and Sons LLC in Chicago. On a regular basis, he needs to send PDF documents containing sensitive information through E-mail to his customers. Bill protects the PDF documents with a password and sends them to their intended recipients. Why PDF passwords do not offer maximum protection?

Options:

A.

PDF passwords can easily be cracked by software brute force tools

B.

PDF passwords are not considered safe by Sarbanes-Oxley

C.

PDF passwords are converted to clear text when sent through E-mail

D.

When sent through E-mail, PDF passwords are stripped from the document completely

Buy Now
Exam Code: 412-79
Exam Name: EC-Council Certified Security Analyst (ECSA)
Last Update: Apr 20, 2024
Questions: 232

PDF + Testing Engine

$130

Testing Engine

$95

PDF (Q&A)

$80