ExamGecko
Login
Home / ECCouncil / 312-49v10 / List of questions
Ask Question

ECCouncil 312-49v10 Practice Test - Questions Answers, Page 4

List of questions

Question 31

Report Export Collapse

E-mail logs contain which of the following information to help you in your investigation? (Choose four.)

user account that was used to send the account
user account that was used to send the account
attachments sent with the e-mail message
attachments sent with the e-mail message
unique message identifier
unique message identifier
contents of the e-mail message
contents of the e-mail message
date and time the message was sent
date and time the message was sent
Suggested answer: A, C, D, E
asked 18/09/2024
Dave Breath
55 questions

Question 32

Report Export Collapse

In a forensic examination of hard drives for digital evidence, what type of user is most likely to have the most file slack to analyze?

one who has NTFS 4 or 5 partitions
one who has NTFS 4 or 5 partitions
one who uses dynamic swap file capability
one who uses dynamic swap file capability
one who uses hard disk writes on IRQ 13 and 21
one who uses hard disk writes on IRQ 13 and 21
one who has lots of allocation units per block or cluster
one who has lots of allocation units per block or cluster
Suggested answer: D
asked 18/09/2024
Stefan Finke
44 questions

Question 33

Report Export Collapse

In what way do the procedures for dealing with evidence in a criminal case differ from the procedures for dealing with evidence in a civil case?

evidence must be handled in the same way regardless of the type of case
evidence must be handled in the same way regardless of the type of case
evidence procedures are not important unless you work for a law enforcement agency
evidence procedures are not important unless you work for a law enforcement agency
evidence in a criminal case must be secured more tightly than in a civil case
evidence in a criminal case must be secured more tightly than in a civil case
evidence in a civil case must be secured more tightly than in a criminal case
evidence in a civil case must be secured more tightly than in a criminal case
Suggested answer: C
asked 18/09/2024
Lucas Bila
39 questions

Question 34

Report Export Collapse

You are assigned to work in the computer forensics lab of a state police agency. While working on a high profile criminal case, you have followed every applicable procedure, however your boss is still concerned that the defense attorney might question whether evidence has been changed while at the lab. What can you do to prove that the evidence is the same as it was when it first entered the lab?

make an MD5 hash of the evidence and compare it with the original MD5 hash that was taken when the evidence first entered the lab
make an MD5 hash of the evidence and compare it with the original MD5 hash that was taken when the evidence first entered the lab
make an MD5 hash of the evidence and compare it to the standard database developed by NIST
make an MD5 hash of the evidence and compare it to the standard database developed by NIST
there is no reason to worry about this possible claim because state labs are certified
there is no reason to worry about this possible claim because state labs are certified
sign a statement attesting that the evidence is the same as it was when it entered the lab
sign a statement attesting that the evidence is the same as it was when it entered the lab
Suggested answer: A
asked 18/09/2024
Brooke Galiata
34 questions

Question 35

Report Export Collapse

Study the log given below and answer the following question:

Apr 24 14:46:46 [4663]: spp_portscan: portscan detected from 194.222.156.169

Apr 24 14:46:46 [4663]: IDS27/FIN Scan: 194.222.156.169:56693 -> 172.16.1.107:482

Apr 24 18:01:05 [4663]: IDS/DNS-version-query: 212.244.97.121:3485 -> 172.16.1.107:53

Apr 24 19:04:01 [4663]: IDS213/ftp-passwd-retrieval: 194.222.156.169:1425 -> 172.16.1.107:21

Apr 25 08:02:41 [5875]: spp_portscan: PORTSCAN DETECTED from 24.9.255.53

Apr 25 02:08:07 [5875]: IDS277/DNS-version-query: 63.226.81.13:4499 -> 172.16.1.107:53

Apr 25 02:08:07 [5875]: IDS277/DNS-version-query: 63.226.81.13:4630 -> 172.16.1.101:53

Apr 25 02:38:17 [5875]: IDS/RPC-rpcinfo-query: 212.251.1.94:642 -> 172.16.1.107:111

Apr 25 19:37:32 [5875]: IDS230/web-cgi-space-wildcard: 198.173.35.164:4221 -> 172.16.1.107:80

Apr 26 05:45:12 [6283]: IDS212/dns-zone-transfer: 38.31.107.87:2291 -> 172.16.1.101:53

Apr 26 06:43:05 [6283]: IDS181/nops-x86: 63.226.81.13:1351 -> 172.16.1.107:53

Apr 26 06:44:25 victim7 PAM_pwdb[12509]: (login) session opened for user simple by (uid=0)

Apr 26 06:44:36 victim7 PAM_pwdb[12521]: (su) session opened for user simon by simple(uid=506)

Apr 26 06:45:34 [6283]: IDS175/socks-probe: 24.112.167.35:20 -> 172.16.1.107:1080

Apr 26 06:52:10 [6283]: IDS127/telnet-login-incorrect: 172.16.1.107:23 -> 213.28.22.189:4558

Precautionary measures to prevent this attack would include writing firewall rules. Of these firewall rules, which among the following would be appropriate?

Disallow UDP53 in from outside to DNS server
Disallow UDP53 in from outside to DNS server
Allow UDP53 in from DNS server to outside
Allow UDP53 in from DNS server to outside
Disallow TCP53 in from secondaries or ISP server to DNS server
Disallow TCP53 in from secondaries or ISP server to DNS server
Block all UDP traffic
Block all UDP traffic
Suggested answer: A
asked 18/09/2024
Sanaa CHOKIRI
50 questions

Question 36

Report Export Collapse

When monitoring for both intrusion and security events between multiple computers, it is essential that the computers' clocks are synchronized. Synchronized time allows an administrator to reconstruct what took place during an attack against multiple computers. Without synchronized time, it is very difficult to determine exactly when specific events took place, and how events interlace. What is the name of the service used to synchronize time among multiple computers?

Universal Time Set
Universal Time Set
Network Time Protocol
Network Time Protocol
SyncTime Service
SyncTime Service
Time-Sync Protocol
Time-Sync Protocol
Suggested answer: B
asked 18/09/2024
sujan bolla
42 questions

Question 37

Report Export Collapse

When investigating a potential e-mail crime, what is your first step in the investigation?

Trace the IP address to its origin
Trace the IP address to its origin
Write a report
Write a report
Determine whether a crime was actually committed
Determine whether a crime was actually committed
Recover the evidence
Recover the evidence
Suggested answer: A
asked 18/09/2024
Naing Thet
46 questions

Question 38

Report Export Collapse

If a suspect computer is located in an area that may have toxic chemicals, you must:

coordinate with the HAZMAT team
coordinate with the HAZMAT team
determine a way to obtain the suspect computer
determine a way to obtain the suspect computer
assume the suspect machine is contaminated
assume the suspect machine is contaminated
do not enter alone
do not enter alone
Suggested answer: A
asked 18/09/2024
Chien-Chung Chen
39 questions

Question 39

Report Export Collapse

The following excerpt is taken from a honeypot log. The log captures activities across three days.

There are several intrusion attempts; however, a few are successful.

(Note: The objective of this question is to test whether the student can read basic information from log entries and interpret the nature of attack.)

Apr 24 14:46:46 [4663]: spp_portscan: portscan detected from 194.222.156.169

Apr 24 14:46:46 [4663]: IDS27/FIN Scan: 194.222.156.169:56693 -> 172.16.1.107:482

Apr 24 18:01:05 [4663]: IDS/DNS-version-query: 212.244.97.121:3485 -> 172.16.1.107:53

Apr 24 19:04:01 [4663]: IDS213/ftp-passwd-retrieval: 194.222.156.169:1425 -> 172.16.1.107:21

Apr 25 08:02:41 [5875]: spp_portscan: PORTSCAN DETECTED from 24.9.255.53

Apr 25 02:08:07 [5875]: IDS277/DNS-version-query: 63.226.81.13:4499 -> 172.16.1.107:53

Apr 25 02:08:07 [5875]: IDS277/DNS-version-query: 63.226.81.13:4630 -> 172.16.1.101:53

Apr 25 02:38:17 [5875]: IDS/RPC-rpcinfo-query: 212.251.1.94:642 -> 172.16.1.107:111

Apr 25 19:37:32 [5875]: IDS230/web-cgi-space-wildcard: 198.173.35.164:4221 -> 172.16.1.107:80

Apr 26 05:45:12 [6283]: IDS212/dns-zone-transfer: 38.31.107.87:2291 -> 172.16.1.101:53

Apr 26 06:43:05 [6283]: IDS181/nops-x86: 63.226.81.13:1351 -> 172.16.1.107:53

Apr 26 06:44:25 victim7 PAM_pwdb[12509]: (login) session opened for user simple by (uid=0)

Apr 26 06:44:36 victim7 PAM_pwdb[12521]: (su) session opened for user simon by simple(uid=506)

Apr 26 06:45:34 [6283]: IDS175/socks-probe: 24.112.167.35:20 -> 172.16.1.107:1080

Apr 26 06:52:10 [6283]: IDS127/telnet-login-incorrect: 172.16.1.107:23 -> 213.28.22.189:4558

From the options given below choose the one which best interprets the following entry:

Apr 26 06:43:05 [6283]: IDS181/nops-x86: 63.226.81.13:1351 -> 172.16.1.107:53

An IDS evasion technique
An IDS evasion technique
A buffer overflow attempt
A buffer overflow attempt
A DNS zone transfer
A DNS zone transfer
Data being retrieved from 63.226.81.13
Data being retrieved from 63.226.81.13
Suggested answer: A
asked 18/09/2024
ERIC MERRILL
46 questions

Question 40

Report Export Collapse

What happens when a file is deleted by a Microsoft operating system using the FAT file system?

only the reference to the file is removed from the FAT
only the reference to the file is removed from the FAT
the file is erased and cannot be recovered
the file is erased and cannot be recovered
a copy of the file is stored and the original file is erased
a copy of the file is stored and the original file is erased
the file is erased but can be recovered
the file is erased but can be recovered
Suggested answer: A
asked 18/09/2024
Jhonatan Abril
35 questions
Total 704 questions
Go to page: of 71
Search
Open VPLUS File
Convert VPLUS to PDF

Related questions

In Windows, prefetching is done to improve system performance. There are two types of prefetching: boot prefetching and application prefetching. During boot prefetching, what does the Cache Manager do?
Malware analysis can be conducted in various manners. An investigator gathers a suspicious executable file and uploads It to VirusTotal in order to confirm whether the file Is malicious, provide information about Its functionality, and provide Information that will allow to produce simple network signatures. What type of malware analysis was performed here?
This law sets the rules for commercial email, establishes requirements for commercial messages, gives recipients the right to have you stop emailing them, and spells out tough penalties for violations.
Report writing is a crucial stage in the outcome of an investigation. Which information should not be included in the report section?
During the course of a corporate investigation, you find that an Employee is committing a crime. Can the Employer file a criminal complaint with Police?
An Investigator Is checking a Cisco firewall log that reads as follows: Aug 21 2019 09:16:44: %ASA-1-106021: Deny ICMP reverse path check from 10.0.0.44 to 10.0.0.33 on Interface outside What does %ASA-1-106021 denote?
Which of the following refers to the data that might still exist in a cluster even though the original file has been overwritten by another file?
Volatile Memory is one of the leading problems for forensics. Worms such as code Red are memory resident and do write themselves to the hard drive, if you turn the system off they disappear. In a lab environment, which of the following options would you suggest as the most appropriate to overcome the problem of capturing volatile memory?
Which of the following tools is used to dump the memory of a running process, either immediately or when an error condition occurs?
You are working as Computer Forensics investigator and are called by the owner of an accounting firm to investigate possible computer abuse by one of the firm's employees. You meet with the owner of the firm and discover that the company has never published a policy stating that they reserve the right to inspect their computing assets at will. What do you do?