EC-COUNCIL ECCouncil Computer Hacking Forensic Investigator (V9) - 312-49v9 Exam Questions

QUESTION NO: 1
To check for POP3 traffic using Ethereal, what port should an investigator search by?
Correct Answer: B
QUESTION NO: 2
An attacker has compromised a cloud environment of a company and used the employee information to perform an identity theft attack. Which type of attack is this?
Correct Answer: A
QUESTION NO: 3
While presenting his case to the court, Simon calls many witnesses to the stand to testify. Simon decides to call Hillary Taft, a lay witness, to the stand. Since Hillary is a lay witness, what field would she be considered an expert in?
Correct Answer: A
QUESTION NO: 4
What stage of the incident handling process involves reporting events?
Correct Answer: A
QUESTION NO: 5
Bob has encountered a system crash and has lost vital data stored on the hard drive of his Windows computer.
He has no cloud storage or backup hard drives. He wants to recover all the data, which includes his personal photos, music, documents, videos, official emails, etc. Which of the following tools would serve Bob's purpose?
Correct Answer: B
QUESTION NO: 6
In which implementation of RAID will the image of a Hardware RAID volume be different from the image taken separately from the disks?
Correct Answer: C
QUESTION NO: 7
The objective of this act was to protect consumers' personal financial information held by financial institutions and their service providers.
Correct Answer: B
QUESTION NO: 8
Which of the following event correlation approaches checks and compares all the fields systematically and intentionally for positive and negative correlation with each other, to determine the correlation across one or multiple fields?
Correct Answer: C
QUESTION NO: 9
One technique for hiding information is to change the file extension from the correct one to one that might not be noticed by an investigator. For example, changing a .jpg extension to a .doc extension so that a picture file appears to be a document. What can an investigator examine to verify that a file has the correct extension?
Correct Answer: C
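The check the question alludes to is comparing the file's header bytes (its magic number, or file signature) with the signature that the claimed extension implies. The following is an added example, not part of the exam material; the signature table is a small hand-written subset (a real examination would use a full signature database such as libmagic or TrID), and the file names and header bytes in the demo are constructed.

```python
"""Verify a file's claimed extension against its magic bytes.

Added example, not part of the exam material. The signature table below
covers a handful of common formats; the check is the same for any format:
compare the first bytes of the content with the signature the extension
implies, and flag a mismatch.
"""
from __future__ import annotations

import os

# Header signatures (magic numbers), all at offset 0. Hand-written subset.
SIGNATURES: dict[str, list[bytes]] = {
    "jpg":  [b"\xFF\xD8\xFF"],
    "jpeg": [b"\xFF\xD8\xFF"],
    "png":  [b"\x89PNG\r\n\x1a\n"],
    "gif":  [b"GIF87a", b"GIF89a"],
    "pdf":  [b"%PDF-"],
    "zip":  [b"PK\x03\x04", b"PK\x05\x06"],          # PK\x05\x06 = empty archive
    "docx": [b"PK\x03\x04"],                          # OOXML is a zip container
    "doc":  [b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"],    # OLE2 compound document
    "exe":  [b"MZ"],
}


def identify(header: bytes) -> set[str]:
    """Return the set of extensions whose signature matches the header."""
    return {ext for ext, sigs in SIGNATURES.items()
            if any(header.startswith(s) for s in sigs)}


def check_extension(filename: str, header: bytes) -> tuple[str, set[str], bool]:
    """Compare the claimed extension with the content-derived type.

    Returns (claimed_ext, detected_exts, consistent). consistent is True when
    the claimed extension is among the detected ones, or when neither the
    content nor the extension is known to the table (no evidence either way).
    """
    claimed = os.path.splitext(filename)[1].lstrip(".").lower()
    detected = identify(header)
    if not detected and claimed not in SIGNATURES:
        return claimed, detected, True
    return claimed, detected, claimed in detected


def scan_file(path: str) -> tuple[str, set[str], bool]:
    """Read the first 16 bytes of a real file and check its extension."""
    with open(path, "rb") as fh:
        return check_extension(path, fh.read(16))


if __name__ == "__main__":
    # Constructed headers standing in for the contents of seized files.
    samples = {
        "vacation.jpg": b"\xFF\xD8\xFF\xE0\x00\x10JFIF",
        "report.doc":   b"\xFF\xD8\xFF\xE0\x00\x10JFIF",   # a picture renamed .doc
        "notes.doc":    b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1",
        "readme.txt":   b"plain text has no signature",
    }
    for name, hdr in samples.items():
        claimed, detected, ok = check_extension(name, hdr)
        flag = "OK      " if ok else "MISMATCH"
        print(f"{flag} {name:14s} claims .{claimed:<4s} content looks like "
              f"{sorted(detected) or 'unknown'}")
```

`scan_file` is the entry point for real files; the demo feeds `check_extension` directly so it runs without any files on disk. Note that a format the table does not know (plain text here) yields no verdict rather than a false mismatch.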
QUESTION NO: 10
After suspecting a change in MS-Exchange Server storage archive, the investigator has analyzed it. Which of the following components is not an actual part of the archive?
Correct Answer: D
QUESTION NO: 11
Jim's company regularly performs backups of their critical servers. But the company can't afford to send backup tapes to an off-site vendor for long term storage and archiving. Instead Jim's company keeps the backup tapes in a safe in the office. Jim's company is audited each year, and the results from this year's audit show a risk because backup tapes aren't stored off-site. The Manager of Information Technology has a plan to take the backup tapes home with him and wants to know what two things he can do to secure the backup tapes while in transit?
Correct Answer: D
QUESTION NO: 12
During an investigation, Noel found the following SIM card from the suspect's mobile. What does the code 89 44 represent?
Correct Answer: A
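The number printed on a SIM card is its ICCID: a major industry identifier (89 is assigned to telecommunications), a country calling code, an issuer identifier and account number, and a trailing Luhn check digit. The following is an added example, not part of the exam material, that validates the check digit and splits off the leading fields; the country-code table is a deliberately partial, hand-written assumption (country codes are 1 to 3 digits, so a fuller table is needed in practice), and the sample ICCID is constructed.

```python
"""Decode the leading fields of an ICCID and validate its Luhn check digit.

Added example, not part of the exam material. COUNTRY_CODES is a partial
table used for illustration only; the sample number at the bottom is
constructed and belongs to no real subscriber.
"""

# Partial table of ITU country calling codes (assumption, not exhaustive).
COUNTRY_CODES = {
    "1": "North American Numbering Plan",
    "7": "Russia / Kazakhstan",
    "33": "France",
    "44": "United Kingdom",
    "49": "Germany",
    "91": "India",
}

INDUSTRY = {"89": "telecommunications"}


def luhn_valid(number: str) -> bool:
    """True if the number (including its final check digit) passes Luhn."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def luhn_check_digit(payload: str) -> str:
    """Check digit that makes payload + digit Luhn-valid."""
    return next(c for c in "0123456789" if luhn_valid(payload + c))


def parse_iccid(iccid: str) -> dict:
    """Split an ICCID into MII, country code, the rest, and the check digit."""
    digits = iccid.replace(" ", "")
    if not digits.isdigit() or not 18 <= len(digits) <= 20:
        raise ValueError("ICCID must be 18 to 20 decimal digits")
    mii, body, check = digits[:2], digits[2:-1], digits[-1]
    cc = next((body[:n] for n in (3, 2, 1) if body[:n] in COUNTRY_CODES), None)
    return {
        "mii": mii,
        "industry": INDUSTRY.get(mii, "unknown"),
        "country_code": cc,
        "country": COUNTRY_CODES.get(cc, "unknown"),
        "issuer_and_account": body[len(cc or ""):],
        "check_digit": check,
        "luhn_valid": luhn_valid(digits),
    }


if __name__ == "__main__":
    payload = "894411000000000001"                 # constructed, 18 digits
    sample = payload + luhn_check_digit(payload)   # -> 8944110000000000016
    print(parse_iccid(sample))
    print(parse_iccid("89 44 11 0000 0000 0001 7")["luhn_valid"])   # tampered digit
```

The check digit is the quickest way to tell a transcription error (or a doctored photo of a card) from a genuine ICCID; the field split tells the examiner which national operator to send the subscriber-records request to.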
QUESTION NO: 13
When reviewing web logs, you see an entry for resource not found in the HTTP status code field.
What is the actual error code that you would see in the log for resource not found?
Correct Answer: C
QUESTION NO: 14
During the trial, an investigator observes that one of the principal witnesses is severely ill and cannot be present for the hearing. He decides to record the evidence and present it to the court. Under which rule should he present such evidence?
Correct Answer: B
QUESTION NO: 15
What is an investigator looking for in the rp.log file stored in a system running on Windows 10 operating system?
Correct Answer: A
QUESTION NO: 16
You should make at least how many bit-stream copies of a suspect drive?
Correct Answer: D
QUESTION NO: 17
What will the following Linux command accomplish?
dd if=/dev/mem of=/home/sam/mem.bin bs=1024
Correct Answer: A
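The dd command above reads the physical memory device block by block (1024 bytes at a time) and writes a bit-for-bit image to mem.bin. dd itself records nothing about integrity, and the preceding question asks how many bit-stream copies to make, so an examiner pairs the copy with a hash of the source and of the image. The following is an added example, not part of the exam material, that does the copy and the SHA-256 in one pass and then re-hashes the image independently; the source is a constructed temporary file standing in for /dev/mem, since reading physical memory needs root and is not possible in every environment.

```python
"""Bit-stream imaging with integrity hashing, in the spirit of
`dd if=/dev/mem of=/home/sam/mem.bin bs=1024`.

Added example, not part of the exam material. dd only copies bytes; here the
source is hashed while it is read, the image is hashed again afterwards,
and both digests are reported so the copy can be shown to be bit-identical.
"""
import hashlib
import os
import tempfile


def image_device(src: str, dst: str, bs: int = 1024) -> tuple:
    """Copy src to dst block by block, hashing the bytes as they pass.

    Returns (bytes_copied, sha256_of_source). A short final block is copied
    as-is, which is also what dd does unless told to pad with conv=sync.
    """
    h = hashlib.sha256()
    copied = 0
    with open(src, "rb") as fin, open(dst, "wb") as fout:
        while True:
            block = fin.read(bs)
            if not block:
                break
            h.update(block)
            fout.write(block)
            copied += len(block)
        fout.flush()
        os.fsync(fout.fileno())           # make sure the image is on disk
    return copied, h.hexdigest()


def sha256_file(path: str, bs: int = 1024) -> str:
    """Hash a file independently of the copy loop, for verification."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(bs), b""):
            h.update(block)
    return h.hexdigest()


def acquire_and_verify(src: str, dst: str, bs: int = 1024) -> dict:
    """Image src to dst and confirm the image hashes the same as the source."""
    size, src_hash = image_device(src, dst, bs)
    img_hash = sha256_file(dst, bs)
    return {"bytes": size, "source_sha256": src_hash,
            "image_sha256": img_hash, "verified": src_hash == img_hash}


def demo(payload: bytes, bs: int = 1024) -> dict:
    """Write a constructed stand-in for /dev/mem into a temp dir and image it."""
    with tempfile.TemporaryDirectory() as d:
        src = os.path.join(d, "fake_mem")
        dst = os.path.join(d, "mem.bin")
        with open(src, "wb") as fh:
            fh.write(payload)
        return acquire_and_verify(src, dst, bs)


if __name__ == "__main__":
    # 10 000 bytes, so the last 1024-byte block is short (9 * 1024 + 784).
    print(demo(bytes(range(256)) * 39 + b"\x00" * 16))
```

On a real system replace the temp file with the device path and run as root; the digests go into the evidence log alongside the image so any later copy can be checked against them.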
QUESTION NO: 18
Which tool does the investigator use to extract artifacts left by Google Drive on the system?
Correct Answer: C
QUESTION NO: 19
Watson, a forensic investigator, is examining a copy of an ISO file stored in CDFS format. What type of evidence is this?
Correct Answer: B
QUESTION NO: 20
Jason has set up a honeypot environment by creating a DMZ that has no physical or logical access to his production network. In this honeypot, he has placed a server running Windows Active Directory. He has also placed a Web server in the DMZ that services a number of web pages that offer visitors a chance to download sensitive information by clicking on a button. A week later, Jason finds in his network logs how an intruder accessed the honeypot and downloaded sensitive information. Jason uses the logs to try and prosecute the intruder for stealing sensitive corporate information. Why will this not be viable?
Correct Answer: C
QUESTION NO: 21
Select the data that a virtual memory would store in a Windows-based system.
Correct Answer: B
QUESTION NO: 22
What is the size value of a nibble?
Correct Answer: B
QUESTION NO: 23
It takes _____________ mismanaged case/s to ruin your professional reputation as a computer forensics examiner?
Correct Answer: A
QUESTION NO: 24
What layer of the OSI model do TCP and UDP utilize?
Correct Answer: B
QUESTION NO: 25
What is the first step taken in an investigation for laboratory forensic staff members?
Correct Answer: C
QUESTION NO: 26
You are working for a local police department that services a population of 1,000,000 people and you have been given the task of building a computer forensics lab. How many law-enforcement computer investigators should you request to staff the lab?
Correct Answer: B
QUESTION NO: 27
What type of file is represented by a colon (:) with a name following it in the Master File Table of an NTFS disk?
Correct Answer: D
QUESTION NO: 28
Travis, a computer forensics investigator, is finishing up a case he has been working on for over a month involving copyright infringement and embezzlement. His last task is to prepare an investigative report for the president of the company he has been working for. Travis must submit a hard copy and an electronic copy to this president. In what electronic format should Travis send this report?
Correct Answer: C
QUESTION NO: 29
Which code does the FAT file system use to mark the file as deleted?
Correct Answer: D
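FAT does not wipe a file's directory entry on delete: it overwrites the first byte of the 8.3 name with 0xE5 and releases the clusters, leaving the attributes, timestamps, starting cluster and size in place (a first byte of 0x00 marks the end of the directory, and a genuine 0xE5 first character is stored escaped as 0x05). The following is an added example, not part of the exam material, that parses 32-byte short-name entries and lists the deleted ones a recovery tool would try to follow; the directory contents in the demo are constructed, not read from a real volume.

```python
"""Parse FAT 8.3 directory entries and flag deleted ones.

Added example, not part of the exam material. The directory blob used in the
demo is constructed with make_entry(); on a real volume the same 32-byte
layout is read straight from the directory clusters.
"""
from __future__ import annotations

import struct

ENTRY_SIZE = 32
DELETED = 0xE5           # first name byte after deletion
END_OF_DIR = 0x00        # this and all following entries are unused
KANJI_ESCAPE = 0x05      # a real first byte of 0xE5 is stored as 0x05
ATTR_LFN = 0x0F          # long-file-name pseudo entry, not a file
ENTRY_FMT = "<11sBBBHHHHHHHI"   # name, attr, NT, ctime tenth, ctime, cdate,
                                # adate, cluster hi, wtime, wdate, cluster lo, size


def parse_entry(raw: bytes) -> dict:
    """Decode one 32-byte short-name directory entry."""
    if len(raw) != ENTRY_SIZE:
        raise ValueError("directory entries are exactly 32 bytes")
    (name_raw, attr, _nt, _ctenth, _ctime, _cdate, _adate,
     clus_hi, _wtime, _wdate, clus_lo, size) = struct.unpack(ENTRY_FMT, raw)
    first = name_raw[0]
    state = "deleted" if first == DELETED else "end" if first == END_OF_DIR else "active"
    name = bytearray(name_raw)
    if first == KANJI_ESCAPE:
        name[0] = DELETED
    elif first == DELETED:
        name[0] = ord("?")      # original first character is gone
    base = bytes(name[:8]).rstrip(b" ").decode("ascii", "replace")
    ext = bytes(name[8:]).rstrip(b" ").decode("ascii", "replace")
    return {
        "state": state,
        "name": f"{base}.{ext}" if ext else base,
        "attr": attr,
        "is_lfn": attr == ATTR_LFN,
        "is_dir": bool(attr & 0x10),
        "first_cluster": (clus_hi << 16) | clus_lo,
        "size": size,
    }


def walk_directory(blob: bytes):
    """Yield parsed entries until the end-of-directory marker."""
    for off in range(0, len(blob) - ENTRY_SIZE + 1, ENTRY_SIZE):
        entry = parse_entry(blob[off:off + ENTRY_SIZE])
        if entry["state"] == "end":
            return
        yield entry


def recoverable(blob: bytes) -> list[dict]:
    """Deleted short-name entries whose cluster chain could still be followed."""
    return [e for e in walk_directory(blob)
            if e["state"] == "deleted" and not e["is_lfn"] and e["size"] > 0]


def make_entry(name: str, ext: str, attr: int, cluster: int, size: int,
               deleted: bool = False) -> bytes:
    """Build a constructed entry for the demo (not read from a real volume)."""
    raw_name = (name.upper().ljust(8)[:8] + ext.upper().ljust(3)[:3]).encode("ascii")
    if deleted:
        raw_name = bytes([DELETED]) + raw_name[1:]
    return struct.pack(ENTRY_FMT, raw_name, attr, 0, 0, 0, 0, 0,
                       cluster >> 16, 0, 0, cluster & 0xFFFF, size)


if __name__ == "__main__":
    # Constructed root directory: one live file, one deleted file, end marker.
    directory = (make_entry("BUDGET", "XLS", 0x20, 0x0123, 48_000)
                 + make_entry("SECRET", "DOC", 0x20, 0x0456, 12_288, deleted=True)
                 + bytes(ENTRY_SIZE))
    for e in walk_directory(directory):
        print(e)
    print("recoverable:", [e["name"] for e in recoverable(directory)])
```

The recovered entry still names its first cluster and size, which is enough to carve the file if those clusters have not been reused; only the first character of the name has to be guessed.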
QUESTION NO: 30
An expert witness may give an opinion if:
Correct Answer: D
QUESTION NO: 31
Which of the following is a Mac-based file recovery tool?
Correct Answer: C
QUESTION NO: 32
Data is striped at a byte level across multiple drives, and parity information is distributed among all member drives.

What RAID level is represented here?
Correct Answer: C
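Question 6 and question 32 both turn on the same layout: in RAID 5 each member holds interleaved data chunks and parity chunks, with the parity position rotating from stripe to stripe, so no single disk is a contiguous copy of the volume and an image of the assembled volume does not equal the images of the members. The following is an added example, not part of the exam material, that writes a constructed payload across three simulated members, reads the volume back, and rebuilds one failed member from the other two by XOR. The chunk size is a parameter: 1 stripes at byte granularity as the question words it, larger values stripe in blocks.

```python
"""RAID 5 in miniature: striping with rotating parity, and XOR rebuild.

Added example, not part of the exam material. The members are byte strings
in memory; the payload is constructed. The parity rotation used here
(parity on disk (ndisks-1-s) % ndisks for stripe s) is one common layout,
real controllers may rotate differently, which is exactly why an examiner
must know the controller's layout before reassembling member images.
"""
from __future__ import annotations


def xor_bytes(blocks) -> bytes:
    """Bytewise XOR of equal-length byte strings."""
    out = bytearray(len(blocks[0]))
    for b in blocks:
        for i, v in enumerate(b):
            out[i] ^= v
    return bytes(out)


def raid5_write(data: bytes, ndisks: int, chunk: int) -> list[bytes]:
    """Lay data out as stripes of (ndisks-1) data chunks plus one parity chunk.

    Data is zero-padded to a whole number of stripes.
    """
    if ndisks < 3:
        raise ValueError("RAID 5 needs at least three members")
    per_stripe = chunk * (ndisks - 1)
    data += b"\x00" * ((-len(data)) % per_stripe)
    disks = [bytearray() for _ in range(ndisks)]
    for s in range(len(data) // per_stripe):
        stripe = data[s * per_stripe:(s + 1) * per_stripe]
        chunks = [stripe[i * chunk:(i + 1) * chunk] for i in range(ndisks - 1)]
        parity_disk = (ndisks - 1 - s) % ndisks
        it = iter(chunks)
        for d in range(ndisks):
            disks[d] += xor_bytes(chunks) if d == parity_disk else next(it)
    return [bytes(d) for d in disks]


def raid5_read(disks: list, chunk: int) -> bytes:
    """Reassemble the logical volume: data chunks only, in stripe order."""
    ndisks = len(disks)
    out = bytearray()
    for s in range(len(disks[0]) // chunk):
        parity_disk = (ndisks - 1 - s) % ndisks
        for d in range(ndisks):
            if d != parity_disk:
                out += disks[d][s * chunk:(s + 1) * chunk]
    return bytes(out)


def raid5_rebuild(disks: list, failed: int, chunk: int) -> bytes:
    """Reconstruct member `failed` (may be None in the list) from the survivors.

    Every chunk, data or parity, is the XOR of the other chunks in its stripe.
    """
    ndisks = len(disks)
    nstripes = len(disks[(failed + 1) % ndisks]) // chunk
    rebuilt = bytearray()
    for s in range(nstripes):
        others = [disks[d][s * chunk:(s + 1) * chunk]
                  for d in range(ndisks) if d != failed]
        rebuilt += xor_bytes(others)
    return bytes(rebuilt)


if __name__ == "__main__":
    volume = b"The quick brown fox jumps over the lazy dog"   # constructed payload
    members = raid5_write(volume, ndisks=3, chunk=4)
    for i, m in enumerate(members):
        print(f"disk{i}: {m!r}")        # none of these contains the volume as-is
    survivors = list(members)
    survivors[1] = None                 # lose the middle member
    print("rebuilt disk1 matches:", raid5_rebuild(survivors, 1, chunk=4) == members[1])
    print("volume read back:", raid5_read(members, chunk=4)[:len(volume)])
```

Run with `chunk=1` to see the byte-level striping the question describes; with any chunk size, grepping the member images for a string that spans a chunk boundary fails even though the string is present on the assembled volume.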
QUESTION NO: 33
When marking evidence that has been collected with the aa/ddmmyy/nnnn/zz format, what does the nnnn denote?
Correct Answer: D
QUESTION NO: 34
The following excerpt is taken from a honeypot log. The log captures activities across three days.
There are several intrusion attempts; however, a few are successful.
(Note: The objective of this question is to test whether the student can read basic information from log entries and interpret the nature of attack.)
Apr 24 14:46:46 [4663]: spp_portscan: portscan detected from 194.222.156.169
Apr 24 14:46:46 [4663]: IDS27/FIN Scan: 194.222.156.169:56693 -> 172.16.1.107:482
Apr 24 18:01:05 [4663]: IDS/DNS-version-query: 212.244.97.121:3485 -> 172.16.1.107:53
Apr 24 19:04:01 [4663]: IDS213/ftp-passwd-retrieval: 194.222.156.169:1425 -> 172.16.1.107:21
Apr 25 08:02:41 [5875]: spp_portscan: PORTSCAN DETECTED from 24.9.255.53
Apr 25 02:08:07 [5875]: IDS277/DNS-version-query: 63.226.81.13:4499 -> 172.16.1.107:53
Apr 25 02:08:07 [5875]: IDS277/DNS-version-query: 63.226.81.13:4630 -> 172.16.1.101:53
Apr 25 02:38:17 [5875]: IDS/RPC-rpcinfo-query: 212.251.1.94:642 -> 172.16.1.107:111
Apr 25 19:37:32 [5875]: IDS230/web-cgi-space-wildcard: 198.173.35.164:4221 -> 172.16.1.107:80
Apr 26 05:45:12 [6283]: IDS212/dns-zone-transfer: 38.31.107.87:2291 -> 172.16.1.101:53
Apr 26 06:43:05 [6283]: IDS181/nops-x86: 63.226.81.13:1351 -> 172.16.1.107:53
Apr 26 06:44:25 victim7 PAM_pwdb[12509]: (login) session opened for user simple by (uid=0)
Apr 26 06:44:36 victim7 PAM_pwdb[12521]: (su) session opened for user simon by simple(uid=506)
Apr 26 06:45:34 [6283]: IDS175/socks-probe: 24.112.167.35:20 -> 172.16.1.107:1080
Apr 26 06:52:10 [6283]: IDS127/telnet-login-incorrect: 172.16.1.107:23 -> 213.28.22.189:4558
From the options given below choose the one which best interprets the following entry:
Apr 26 06:43:05 [6283]: IDS181/nops-x86: 63.226.81.13:1351 -> 172.16.1.107:53
Correct Answer: D
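Reading a single alert in isolation is the hard way; the useful habit is to normalise the log and look at everything the same source did. An IDS signature named nops-x86 fires on a run of x86 NOP instructions (a NOP sled), the padding that precedes shellcode in a buffer-overflow payload, and here it is aimed at the DNS port of a host the same address had fingerprinted with a version query the day before. The following is an added example, not part of the exam material: it parses the entries quoted in the question (the log mixes IDS alerts, portscan notices and PAM session lines), sorts them by time, and reports each external address's activity. The signature-to-category map is my own rough assumption for illustration, not an IDS vendor's taxonomy.

```python
"""Parse the honeypot log quoted in question 34 and group activity by source.

Added example, not part of the exam material. LOG holds the entries exactly
as quoted; the CATEGORY keyword map is an assumption used only to label
signatures coarsely.
"""
from __future__ import annotations

import re
from collections import defaultdict
from datetime import datetime

LOG = """\
Apr 24 14:46:46 [4663]: spp_portscan: portscan detected from 194.222.156.169
Apr 24 14:46:46 [4663]: IDS27/FIN Scan: 194.222.156.169:56693 -> 172.16.1.107:482
Apr 24 18:01:05 [4663]: IDS/DNS-version-query: 212.244.97.121:3485 -> 172.16.1.107:53
Apr 24 19:04:01 [4663]: IDS213/ftp-passwd-retrieval: 194.222.156.169:1425 -> 172.16.1.107:21
Apr 25 08:02:41 [5875]: spp_portscan: PORTSCAN DETECTED from 24.9.255.53
Apr 25 02:08:07 [5875]: IDS277/DNS-version-query: 63.226.81.13:4499 -> 172.16.1.107:53
Apr 25 02:08:07 [5875]: IDS277/DNS-version-query: 63.226.81.13:4630 -> 172.16.1.101:53
Apr 25 02:38:17 [5875]: IDS/RPC-rpcinfo-query: 212.251.1.94:642 -> 172.16.1.107:111
Apr 25 19:37:32 [5875]: IDS230/web-cgi-space-wildcard: 198.173.35.164:4221 -> 172.16.1.107:80
Apr 26 05:45:12 [6283]: IDS212/dns-zone-transfer: 38.31.107.87:2291 -> 172.16.1.101:53
Apr 26 06:43:05 [6283]: IDS181/nops-x86: 63.226.81.13:1351 -> 172.16.1.107:53
Apr 26 06:44:25 victim7 PAM_pwdb[12509]: (login) session opened for user simple by (uid=0)
Apr 26 06:44:36 victim7 PAM_pwdb[12521]: (su) session opened for user simon by simple(uid=506)
Apr 26 06:45:34 [6283]: IDS175/socks-probe: 24.112.167.35:20 -> 172.16.1.107:1080
Apr 26 06:52:10 [6283]: IDS127/telnet-login-incorrect: 172.16.1.107:23 -> 213.28.22.189:4558
"""

TS = r"(?P<ts>\w{3} \d{1,2} \d\d:\d\d:\d\d)"
IP = r"\d+\.\d+\.\d+\.\d+"
ALERT = re.compile(
    TS + r" \[(?P<pid>\d+)\]: (?P<sig>.+?): "
    rf"(?P<src>{IP}):(?P<sport>\d+) -> (?P<dst>{IP}):(?P<dport>\d+)$")
SCAN = re.compile(
    TS + rf" \[(?P<pid>\d+)\]: spp_portscan: portscan detected from (?P<src>{IP})$",
    re.IGNORECASE)

# Coarse labels for signature names (assumption, for illustration only).
CATEGORY = [
    ("portscan", "scan"), ("scan", "scan"), ("probe", "scan"),
    ("version-query", "recon"), ("zone-transfer", "recon"), ("rpcinfo", "recon"),
    ("nops", "exploit"), ("web-cgi", "web-attack"),
    ("passwd", "credential"), ("login-incorrect", "credential"),
]


def classify(sig: str) -> str:
    s = sig.lower()
    return next((cat for key, cat in CATEGORY if key in s), "unknown")


def parse(log: str) -> list[dict]:
    """Normalise each line and return the records sorted by timestamp."""
    records = []
    for line in log.splitlines():
        if not line.strip():
            continue
        if (m := ALERT.match(line)):
            rec = m.groupdict() | {"kind": "alert"}
        elif (m := SCAN.match(line)):
            rec = m.groupdict() | {"kind": "portscan", "sig": "spp_portscan"}
        else:
            rec = {"kind": "other", "raw": line, "ts": line[:15]}
        rec["when"] = datetime.strptime(rec["ts"], "%b %d %H:%M:%S")
        records.append(rec)
    return sorted(records, key=lambda r: r["when"])   # stable: ties keep file order


def activity_from(records: list[dict], src: str) -> list[tuple]:
    """(timestamp, signature, destination) for every record from one address."""
    return [(r["ts"], r["sig"],
             f"{r['dst']}:{r['dport']}" if r["kind"] == "alert" else "-")
            for r in records if r.get("src") == src]


def by_source(records: list[dict]) -> dict:
    groups = defaultdict(list)
    for r in records:
        if "src" in r:
            groups[r["src"]].append(r)
    return groups


if __name__ == "__main__":
    recs = parse(LOG)
    for src, rs in by_source(recs).items():
        print(src)
        for r in rs:
            print(f"  {r['ts']}  {classify(r['sig']):10s} {r['sig']}")
```

Two things the sorted view makes obvious that the raw excerpt hides: the Apr 25 portscan line is out of order in the original, and 63.226.81.13 queried the DNS server version on both honeypot hosts a day before sending the NOP-sled payload to port 53 on 172.16.1.107, followed within a minute by a local login and an su on victim7.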
QUESTION NO: 35
You are running through a series of tests on your network to check for any security vulnerabilities.
After normal working hours, you initiate a DoS attack against your external firewall. The firewall quickly freezes up and becomes unusable. You then initiate an FTP connection from an external IP into your internal network. The connection is successful even though you have FTP blocked at the external firewall. What has happened?
Correct Answer: A
QUESTION NO: 36
Buffer overflow vulnerability of a web application occurs when it fails to guard its buffer properly and allows writing beyond its maximum size. Thus, it overwrites the_________. There are multiple forms of buffer overflow, including a Heap Buffer Overflow and a Format String Attack.
Correct Answer: D
QUESTION NO: 37
Which of the following refers to the data that might still exist in a cluster even though the original file has been overwritten by another file?
Correct Answer: D
QUESTION NO: 38
After passing her CEH exam, Carol wants to ensure that her network is completely secure. She implements a DMZ, stateful firewall, NAT, IPSEC, and a packet filtering firewall. Since all security measures were taken, none of the hosts on her network can reach the Internet. Why is that?
Correct Answer: B
QUESTION NO: 39
Which US law does the interstate or international transportation and receiving of child pornography fall under?
Correct Answer: C
QUESTION NO: 40
Which of the following Android libraries is used to render 2D (SGL) or 3D (OpenGL/ES) graphics content to the screen?
Correct Answer: D
QUESTION NO: 41
What is the name of the standard Linux command, also available as a Windows application, that can be used to create bit-stream images?
Correct Answer: C
QUESTION NO: 42
In a forensic examination of hard drives for digital evidence, what type of user is most likely to have the most file slack to analyze?
Correct Answer: A
QUESTION NO: 43
What is a good security method to prevent unauthorized users from "tailgating"?
Correct Answer: D
QUESTION NO: 44
Madison is on trial for allegedly breaking into her university's internal network. The police raided her dorm room and seized all of her computer equipment. Madison's lawyer is trying to convince the judge that the seizure was unfounded and baseless. Which US Amendment is Madison's lawyer trying to prove the police violated?
Correct Answer: C
QUESTION NO: 45
Sniffers that place NICs in promiscuous mode work at what layer of the OSI model?
Correct Answer: B