EC-COUNCIL 212-89 Online Practice Questions and Exam Preparation

EC-COUNCIL 212-89 Online Questions & Answers

• Question 1:

  Which one of the following is the correct flow of the stages in an incident handling and response (IHandR) process?

  A. Preparation -* Incident recording -> Incident triage -* Containment -*# Eradication -?Recovery -* Post-incident activities
  B. Containment -* Incident recording -* Incident triage -> Preparation -* Recovery -> Eradication -* Post-incident activities
  C. Incident recording -> Preparation -> Containment * Incident triage -> Recovery > Eradication -?Post- incident activities
  D. Incident triage -?Eradication -# Containment -* Incident recording -* Preparation -* Recovery -* Post-incident activities
  A. Preparation -* Incident recording -> Incident triage -* Containment -*# Eradication -?Recovery -* Post-incident activities

  ---

  explanation:

  The correct flow of stages in an Incident Handling and Response (IHandR) process as outlined in the Incident Handler (ECIH v3) by EC-Council begins with Preparation. This phase involves getting ready for potential incidents by developing plans, policies, and procedures, and ensuring that tools and team training are up to date. Incident Recording is the next stage, where incidents are documented and reported. Incident Triage follows, prioritizing incidents based on their impact and urgency. Containment is next, aiming to limit the damage of the incident and prevent further spread. Eradication comes after containment, where the root cause of the incident is removed. Recovery is the stage where affected systems are restored to their operational status. Post-Incident Activities conclude the process, reviewing and learning from the incident to improve future response efforts.

  References: This structured approach is foundational in the ECIH v3 program, ensuring that incident handlers are prepared to systematically address and manage cybersecurity incidents efficiently.

• Question 2:

  Clark is investigating a cybercrime at TechSoft Solutions. While investigating the case, he needs to collect volatile information such as running services, their process IDs, startmode, state, and status. Which of the following commands will help Clark to collect such information from running services?

  A. Openfiles
  B. netstat b
  C. wmic
  D. net file
  A. Openfiles

  ---

  explanation:

  WMIC (Windows Management Instrumentation Command-line) is a command-line tool that provides a unified interface for Windows management tasks, including the collection of system information. It allows administrators and forensic investigators to query the live system for information about running services, their process IDs, start modes, states, and statuses, among other data. The use of WMIC is particularly valuable in incident response scenarios for gathering volatile information from a system without having to install additional software, which might alter the state of the system being investigated. By executing specific WMIC commands, Clark can extract detailed information about the services running on a system at the time of the investigation, making it an essential tool for collecting volatile data in a forensically sound manner.

  References: The ECIH v3 courses and study guides emphasize the importance of collecting volatile data during incident response and digital forensics investigations. They specifically highlight the use of built-in Windows tools like WMIC for gathering essential system information without compromising the integrity of the evidence.

• Question 3:

  In which of the following stages of incident handling and response (IHandR) process do the incident handlers try to find out the root cause of the incident along with the threat actors behind the incidents, threat vectors, etc.?

  A. Post-incident activities
  B. Incident triage
  C. Evidence gathering and forensics analysis
  D. Incident recording and assignment
  C. Evidence gathering and forensics analysis

  ---

  explanation:

  During the incident handling and response (IHandR) process, the stage of "Evidence gathering and forensics analysis" involves the collection of evidence, forensic analysis, and detailed investigation to uncover the root cause of the incident. This stage is crucial for understanding how the incident occurred, identifying the threat actors involved, the methods they used (threat vectors), and the extent of the impact. By analyzing evidence, incident responders can reconstruct the sequence of events, identify the vulnerabilities exploited, and determine the scope of the incident. This information is vital for resolving the incident effectively and taking steps to prevent future occurrences.

  References: The importance of evidence gathering and forensic analysis in the incident handling and response process is emphasized in ECIH v3 courses and study materials. These resources provide guidance on how to conduct thorough investigations to understand the nature of security incidents fully and develop effective mitigation strategies.

• Question 4:

  An attacker after performing an attack decided to wipe evidences using artifact wiping techniques to evade forensic investigation. He applied magnetic field to the digital media device, resulting in an entirely clean device of any previously stored data.

  Identify the artifact wiping technique used by the attacker.

  A. File wiping utilities
  B. Disk degaussing/destruction
  C. Disk cleaning utilities
  D. Syscall proxying
  B. Disk degaussing/destruction

  ---

  explanation:

  The technique described, where an attacker applies a magnetic field to a digital media device to clean it of any previously stored data, is known as disk degaussing. Degaussing is a method used to erase a disk or tape by exposing it to a strong magnetic field, destroying the magnetic data storage mechanism and leaving the device clean of any data. This process is effectively used for wiping digital evidence in a way that makes recovery impossible, serving as a method of anti-forensics. Unlike file wiping utilities or disk cleaning utilities, which overwrite or delete data (potentially leaving traces that can be recovered), degaussing physically alters the storage medium itself, making data recovery unfeasible.

  References: The ECIH v3 certification program discusses various artifact wiping techniques, including degaussing, as part of understanding anti-forensic methods that attackers use to evade detection and investigation.

• Question 5:

  According to NITS, what are the 5 main actors in cloud computing?

  A. Provider, carrier, auditor, broker, and seller
  B. Consumer, provider, carrier, auditor, ano broker
  C. Buyer, consumer, carrier, auditor, and broker
  D. None of these
  B. Consumer, provider, carrier, auditor, ano broker

  ---

  explanation:

  According to the National Institute of Standards and Technology (NIST), which is a primary source for cloud computing standards and guidelines, the five main actors in cloud computing are Consumer, Provider, Carrier, Auditor, and Broker. These roles are defined as follows:

  Consumer: The person or organization that uses cloud computing services.

  Provider: The entity that provides the cloud services to consumers.

  Carrier: The organization that offers connectivity and transport services to cloud providers and consumers.

  Auditor: An independent party that assesses and verifies the cloud services, security controls, and operations.

  Broker: An entity that manages the use, performance, and delivery of cloud services, and negotiates relationships between cloud providers and consumers.

  These actors play critical roles in the ecosystem of cloud computing, ensuring the services are delivered and used securely, efficiently, and effectively.

  References: NIST's documentation on cloud computing, including the NIST Cloud Computing Standards Roadmap and the NIST Cloud Computing Reference Architecture, detail these roles and their importance in cloud computing frameworks.

• Question 6:

  During the process of detecting and containing malicious emails, incident responders should examine the originating IP address of the emails. The steps to examine the originating IP address are as follow:

  1.

  Search for the IP in the WHOIS database

  2.

  Open the email to trace and find its header

  3.

  Collect the IP address of the sender from the header of the received mail

  4.

  Look for the geographic address of the sender in the WHOIS database

  Identify the correct sequence of steps to be performed by the incident responders to examine originating IP address of the emails.

  A. 4-->1-->2-->3
  B. 2-->1-->4-->3
  C. 1-->3-->2-->4
  D. 2-->3-->1-->4
  D. 2-->3-->1-->4

  ---

  explanation:

  The correct sequence to examine the originating IP address of emails involves first accessing the email's header to locate the IP address, then using external resources to investigate that address further. The steps are as follows:

  Step 2:Open the email to trace and find its header. This is the initial step because the header contains valuable information about the email's journey across the internet, including the originating IP address.

  Step 3:Collect the IP address of the sender from the header of the received mail. This detail is crucial for the next steps in the investigation.

  Step 1:Search for the IP in the WHOIS database. This database can provide information about the owner of the IP address, including the ISP and sometimes the geographic location.

  Step 4:Look for the geographic address of the sender in the WHOIS database. With the IP address information obtained from the WHOIS search, the geographic location or the originating country of the email can often be deduced, contributing to the analysis of the email's legitimacy.

  References: The process of analyzing email headers to trace originating IP addresses and further investigating those addresses is a common practice in incident response, covered under the digital forensics and email analysis topics within the ECIH v3 curriculum by EC-Council.

• Question 7:

  Stanley works as an incident responder at a top MNC based out of Singapore. He was asked to investigate a cybersecurity incident that recently occurred in the company.

  While investigating the crime, he collected the evidence from the victim systems. He must present this evidence in a clear and comprehensible manner to the members of jury so that the evidence explains the facts clearly and further helps in obtaining an expert opinion on the same to confirm the investigation process.

  In the above scenario, what is the characteristic of the digital evidence Stanley tried to preserve?

  A. Believable
  B. Complete
  C. Authentic
  D. Admissible
  D. Admissible

  ---

  explanation:

  In the scenario described, Stanley aims to ensure that the digital evidence he collected is admissible in court. This means the evidence must be gathered, handled, and presented in a manner that complies with legal standards, ensuring it can be legally used in a trial. Admissibility is a crucial characteristic of digital evidence, as it must be relevant, authentic, and obtained without violating any laws or rights to privacy. The evidence must also be presented in a clear and comprehensible manner to be understood by the members of the jury, which further supports its admissibility in court.

  References: The Incident Handler (ECIH v3) certification materials cover the legal aspects of handling digital evidence, including the principles ensuring evidence is admissible in court.

• Question 8:

  Johnson an incident handler is working on a recent web application attack faced by the organization. As part of this process, he performed data preprocessing in order to analyzing and detecting the watering hole attack. He preprocessed the outbound network traffic data collected from firewalls and proxy servers and started analyzing the user activities within a certain time period to create time-ordered domain sequences to perform further analysis on sequential patterns. Identify the data-preprocessing step performed by Johnson.

  A. Filtering invalid host names
  B. Identifying unpopular domains
  C. Host name normalization
  D. User-specific sessionization
  D. User-specific sessionization

  ---

  explanation:

  The data preprocessing step performed by Johnson, where he analyzes user activities within a certain time period to create time-ordered domain sequences for further analysis on sequential patterns, is known as user- specific sessionization. This process involves aggregating all user activities and requests into discrete sessions based on the individual user, allowing for a coherent analysis of user behavior over time. This is critical for identifying patterns that may indicate a watering hole attack, where attackers compromise a site frequently visited by the target group to distribute malware. User-specific sessionization helps in isolating and examining sequences of actions taken by users, making it easier to detect anomalies or patterns indicative of such an attack.

  References: The ECIH v3 certification materials discuss various data preprocessing techniques used in the analysis of cyber attacks, including the concept of sessionization to better understand user behavior and detect threats.

• Question 9:

  Shiela is working at night as an incident handler. During a shift, servers were affected by a massive cyberattack. After she classified and prioritized the incident, she must report the incident, obtain necessary permissions, and perform other incident response functions. What list should she check to notify other responsible personnel?

  A. HR log book
  B. Point of contact
  C. Email list
  D. Phone number list
  B. Point of contact

  ---

  explanation:

  In the context of incident handling, the "point of contact" list is essential for ensuring that Sheila, the incident handler working at night, can quickly notify the responsible personnel within the organization about the cyberattack. This list typically includes the contact information of key stakeholders and decision-makers who need to be informed about security incidents, allowing for timely communication, decision-making, and response coordination.

  References: Incident Handler (ECIH v3) courses and study guides stress the importance of having a well- maintained point of contact list as part of an organization's incident response plan to facilitate efficient and effective communication during and after cybersecurity incidents.

• Question 10:

  If a hacker cannot find any other way to attack an organization, they can influence an employee or a disgruntled staff member. What type of threat is this?

  A. Phishing attack
  B. Insider attack
  C. Footprinting
  D. Identity theft
  B. Insider attack

  ---

  explanation:

  If a hacker influences an employee or a disgruntled staff member to gain access to an organization's resources or sensitive information, this is classified as an insider attack. Insider attacks are perpetrated by individuals within the organization, such as employees, contractors, or business associates, who have inside information concerning the organization's security practices, data, and computer systems. The threat from insiders can be intentional, as in the case of a disgruntled employee seeking to harm the organization, or unintentional, where an employee is manipulated or coerced by external parties without realizing the implications of their actions. Phishing attacks, footprinting, and identity theft represent different types of cybersecurity threats where the attacker's method or objective differs from that of insider attacks.

  References: The ECIH v3 certification program addresses various types of threats, including insider threats, emphasizing the importance of recognizing and mitigating risks posed by individuals within the organization.