EC-COUNCIL 212-89 Online Practice Questions and Exam Preparation

EC-COUNCIL 212-89 Online Questions & Answers

• Question 131:

  Which of the following is NOT part of the static data collection process?

  A. Evidence oxa mi nation
  B. System preservation
  C. Password protection
  D. Evidence acquisition
  C. Password protection

  ---

  In the static data collection process, which is part of digital forensics and incident handling, the focus is on acquiring and examining digital evidence without altering the system or the data itself. This process includes evidence examination, where the data is analyzed; system preservation, where the current state of a system or data is maintained to ensure no alteration occurs; and evidence acquisition, which involves creating an exact binary copy of the digital evidence. Password protection, however, is not a part of the static data collection process. Instead, it relates to securing access to data or systems but does not directly involve the collection or preservation of static data for forensic purposes.

  References: Incident Handler (ECIH v3) courses and study guides, which cover topics related to digital evidence collection and handling, clearly distinguish between the processes involved in securing data (like password protection) and those involved in the forensic collection and analysis of data.

• Question 132:

  Mr. Smith is a lead incident responder of a small financial enterprise having few branches in Australia. Recently, the company suffered a massive attack losing USD 5 million through an inter-banking system. After in-depth investigation on the case, it was found out that the incident occurred because 6 months ago the attackers penetrated the network through a minor vulnerability and maintained the access without any user being aware of it. Then, he tried to delete users' fingerprints and performed a lateral movement to the computer of a person with privileges in the inter-banking system.

  Finally, the attacker gained access and did fraudulent transactions. Based on the above scenario, identify the most accurate kind of attack.

  A. Ransomware attack
  B. Denial-of-service attack
  C. APT attack
  D. Phishing
  C. APT attack

  ---

  The scenario described fits the characteristics of an Advanced Persistent Threat (APT) attack. APTs are sophisticated, stealthy, and continuous computer hacking processes often orchestrated by groups targeting a specific entity. These attackers penetrate the network through vulnerabilities, maintain access without detection, and achieve their objectives, such as data exfiltration or financial theft, over an extended period. The fact that attackers exploited a minor vulnerability, maintained access for six months, and performed lateral movements to access critical systems for fraudulent transactions highlights the strategic planning and persistence typical of APT attacks.

  References: Incident Handler (ECIH v3) certification materials discuss APTs in detail, including their methodologies, objectives, and the importance of comprehensive security strategies to detect and mitigate such threats.

• Question 133:

  Which of the following is not a countermeasure to eradicate inappropriate usage incidents?

  A. Avoid VPN and other secure network channels
  B. Register the user activity logs and keep monitoring them regularly
  C. Install firewall and IDS/IPS to block services that violate the organization's policy
  D. Always store the sensitive data in far located servers and restrict its access
  A. Avoid VPN and other secure network channels

  ---

  Avoiding VPN (Virtual Private Network) and other secure network channels is not a countermeasure to eradicate inappropriate usage incidents. On the contrary, using VPNs and secure network channels is a best practice for enhancing security, as these technologies help protect data in transit, ensuring that it is encrypted and less susceptible to interception or eavesdropping. Countermeasures for inappropriate usage typically involve enhancing security and monitoring, not reducing the security of communications.

• Question 134:

  Adam is an attacker who along with his team launched multiple attacks on target organization for financial benefits. Worried about getting caught, he decided to forge his identity. To do so, he created a new identity by obtaining information from different victims. Identify the type of identity theft Adam has performed.

  A. Medical identity theft
  B. Tax identity theft
  C. Synthetic identity theft
  D. Social identity theft
  C. Synthetic identity theft

  ---

  Synthetic identity theft is a type of fraud where the perpetrator combines real (often stolen) and fake information to create a new identity. This can include combining a real social security number with a fictitious name, or other variations that result in an identity that is not entirely real but has elements that can pass through verification processes. In the scenario described, Adam is creating a new identity using information from different victims, which is characteristic of synthetic identity theft. This type of fraud is particularly challenging to detect and counter because it does not directly impersonate a single real individual but creates a plausible new identity that can be used to open accounts, obtain credit, and conduct transactions that can be financially beneficial to the attacker.

  References: The concept and techniques of synthetic identity theft are covered in detail in the Incident Handler (ECIH v3) curriculum, where the focus is on identifying, understanding, and mitigating various forms of identity theft, including synthetic identity theft, as part of incident response activities.

• Question 135:

  Clark is investigating a cybercrime at TechSoft Solutions. While investigating the case, he needs to collect volatile information such as running services, their process IDs, startmode, state, and status. Which of the following commands will help Clark to collect such information from running services?

  A. Openfiles
  B. netstat b
  C. wmic
  D. net file
  A. Openfiles

  ---

  WMIC (Windows Management Instrumentation Command-line) is a command-line tool that provides a unified interface for Windows management tasks, including the collection of system information. It allows administrators and forensic investigators to query the live system for information about running services, their process IDs, start modes, states, and statuses, among other data. The use of WMIC is particularly valuable in incident response scenarios for gathering volatile information from a system without having to install additional software, which might alter the state of the system being investigated. By executing specific WMIC commands, Clark can extract detailed information about the services running on a system at the time of the investigation, making it an essential tool for collecting volatile data in a forensically sound manner.

  References: The ECIH v3 courses and study guides emphasize the importance of collecting volatile data during incident response and digital forensics investigations. They specifically highlight the use of built-in Windows tools like WMIC for gathering essential system information without compromising the integrity of the evidence.

• Question 136:

  Which of the following is an attack that attempts to prevent the use of systems, networks, or applications by the intended users?

  A. Denial of service (DoS) attack
  B. Fraud and theft
  C. Unauthorized access
  D. Malicious code or insider threat attack
  A. Denial of service (DoS) attack

  ---

  A Denial of Service (DoS) attack aims to make a computer resource, network, or application unavailable to its intended users, thereby preventing legitimate users from using the service. This is achieved by overwhelming the target with a flood of internet traffic or sending information that triggers a crash. In contrast, fraud and theft involve the unauthorized acquisition of data or assets, unauthorized access refers to gaining entry into systems without permission, and malicious code or insider threat attacks relate to software designed to cause harm or unauthorized actions by trusted users within the organization. The specific intent of a DoS attack is to disrupt service, making it a distinct category focused on denial of availability.

  References: The Incident Handler (ECIH v3) certification materials discuss various types of cybersecurity threats, including DoS attacks, outlining their methods, objectives, and impacts on targeted systems or networks.

• Question 137:

  An attack on a network is BEST blocked using which of the following?

  A. IPS device inline
  B. HIPS
  C. Web proxy
  D. Load balancer
  A. IPS device inline

  ---

  An Intrusion Prevention System (IPS) device placed inline is best suited to block attacks on a network actively. Being inline allows the IPS to analyze and take action on the traffic as it passes through the device, effectively preventing malicious traffic from reaching its target. The IPS can detect and block a wide range of attacks in real-time by using various detection methods, such as signature-based detection, anomaly detection, and policy-based detection. Unlike Host-based Intrusion Prevention Systems (HIPS), web proxies, or load balancers, an inline IPS is specifically designed to inspect and act on incoming and outgoing network traffic to prevent attacks before they reach network devices or applications.

  References: The Incident Handler (ECIH v3) certification materials discuss network security controls and emphasize the role of intrusion prevention systems in protecting networks against threats.

• Question 138:

  The very well-known free open source port, OS and service scanner and network discovery utility is called:

  A. Wireshark
  B. Nmap (Network Mapper)
  C. Snort
  D. SAINT
  B. Nmap (Network Mapper)

  ---

  Explanation

• Question 139:

  During the vulnerability assessment phase, the incident responders perform various steps as below:

  1.

  Run vulnerability scans using tools

  2.

  Identify and prioritize vulnerabilities

  3.

  Examine and evaluate physical security

  4.

  Perform OSINT information gathering to validate the vulnerabilities

  5.

  Apply business and technology context to scanner results

  6.

  Check for misconfigurations and human errors

  7.

  Create a vulnerability scan report

  Identify the correct sequence of vulnerability assessment steps performed by the incident responders.

  A. 3-->6-->1-->2-->5-->4-->7
  B. 1-->3-->2-->4-->5-->6-->7
  C. 4-->1-->2-->3-->6-->5-->7
  D. 2-->1-->4-->7-->5-->6-->3
  C. 4-->1-->2-->3-->6-->5-->7

  ---

  The correct sequence of steps performed by incident responders during the vulnerability assessment phase is as follows:

  Perform OSINT information gathering to validate the vulnerabilities (4):Initially, Open Source Intelligence (OSINT) is used to gather information about the organization's digital footprint and potential vulnerabilities.

  Run vulnerability scans using tools (1):Next, specialized tools are employed to scan the organization's networks and systems for vulnerabilities.

  Identify and prioritize vulnerabilities (2):The identified vulnerabilities are then analyzed and prioritized based on their severity and potential impact on the organization.

  Examine and evaluate physical security (3):Physical security assessments are also crucial as they can impact the overall security posture and protection of digital assets.

  Check for misconfigurations and human errors (6):This step involves looking for misconfigurations in systems and networks, as well as potential human errors that could lead to vulnerabilities.

  Apply business and technology context to scanner results (5):The results from the scans are evaluated within the context of the business and its technology environment to accurately assess risks.

  Create a vulnerability scan report (7):Finally, a comprehensive report is created, detailing the vulnerabilities, their severity, and recommended mitigation strategies.

  This sequence ensures a thorough assessment, prioritizing vulnerabilities that pose the greatest risk and providing actionable insights for mitigation.

  References: ECIH v3 courses and study guides elaborate on the vulnerability assessment process, detailing the steps involved in identifying, evaluating, and addressing security vulnerabilities within an organization's IT infrastructure.

• Question 140:

  Investigator Ian gives you a drive image to investigate. What type of analysis are you performing?

  A. Real-time
  B. Static
  C. Dynamic
  D. Live
  B. Static

  ---

  When Investigator Ian gives you a drive image to investigate, the type of analysis you are performing is static analysis. Static analysis involves examining the contents of a drive, file, or binary without executing the system or the application. It's about analyzing the data at rest. This type of analysis is crucial for forensics investigations because it allows for the examination of files, directories, and system information without altering any state or data, thereby preserving the integrity of the evidence. Static analysis is contrasted with dynamic analysis, which involves analyzing a system in operation (real-time or live) or executing the application to observe its behavior.

  References: Incident Handler (ECIH v3) courses and study guides highlight the importance of static analysis in digital forensics, detailing methods for examining disk images, files, and other digital artifacts to gather evidence without compromising its integrity.