EC-COUNCIL 212-89 Online Practice Questions and Exam Preparation

EC-COUNCIL 212-89 Online Questions & Answers

• Question 151:

  Which of the following terms refers to an organization's ability to make optimal use of digital evidence in a limited period of time and with minimal investigation costs?

  A. Threat assessment
  B. Data analysis
  C. Risk assessment
  D. Forensic readiness
  D. Forensic readiness

  ---

  Forensic readiness refers to an organization's ability to maximize its capability to use digital evidence effectively in an investigation, while minimizing the cost of an investigation and disruption to its operations. It involves having policies, procedures, and technologies in place to collect, preserve, and analyze digital evidence efficiently, so when an incident occurs, the organization is prepared to handle it quickly and with minimal costs. Forensic readiness not only helps in reducing the time and resources spent on investigations but also ensures that the evidence is reliable and can be used in legal proceedings if necessary.

  References: The concept of forensic readiness is part of the Incident Handler (ECIH v3) curriculum, emphasizing the strategic importance of preparing for incidents in advance, including the preservation of evidence and the ability to conduct effective and efficient investigations.

• Question 152:

  Alexis is working as an incident responder in XYZ organization. She was asked to identify and attribute the actors behind an attack that took place recently. In order to do so, she is performing threat attribution that deals with the identification of the specific person, society, or a country sponsoring a well-planned and executed intrusion or attack over its target. Which of the following types of threat attributions Alexis performed?

  A. Nation-state attribution
  B. Intrusion-set attribution
  C. True attribution
  D. Campaign attributio
  C. True attribution

  ---

  True attribution in the context of cyber incidents involves the identification of the actual individuals, groups, or entities behind an attack. This can include pinpointing specific persons, organizations, societies, or even countries that sponsor or carry out cyber intrusions or attacks. Alexis's efforts to identify and attribute the actors behind a recent attack by distinguishing the specific origins of the threat align with the concept of true attribution, which goes beyond mere speculation to provide concrete evidence about the perpetrators.

  References: Threat attribution, especially true attribution, is a complex and nuanced area within cyber incident response, dealing with the identification of attackers. This concept is covered in cybersecurity courses and certifications, such as the ECIH v3 by EC-Council, focusing on the methodologies and challenges associated with attributing cyber attacks to their true sources.

• Question 153:

  Bit stream image copy of the digital evidence must be performed in order to:

  A. Prevent alteration to the original disk
  B. Copy the FAT table
  C. Copy all disk sectors including slack space
  D. All the above
  C. Copy all disk sectors including slack space

  ---

  Explanation

• Question 154:

  Spyware tool used to record malicious user's computer activities and keyboard stokes is called:

  A. adware
  B. Keylogger
  C. Rootkit
  D. Firewall
  B. Keylogger

  ---

  Explanation

• Question 155:

  Sam. an employee of a multinational company, sends emails to third-party organizations with a spoofed email address of his organization. How can you categorize this type of incident?

  A. Network intrusion incident
  B. Inappropriate usage incident
  C. Unauthorized access incident.
  D. Denial-of-service incicent
  B. Inappropriate usage incident

  ---

  An inappropriate usage incident involves misuse of the organization's resources or violations of its acceptable use policies. Sam's actions, where he sends emails to third-party organizations with a spoofed email address of his employer, constitute misuse of the organization's email system and misrepresentation of the organization. This behavior can harm the organization's reputation, violate policy, and potentially lead to legal consequences. Inappropriate usage incidents can range from unauthorized use of systems for personal gain to the dissemination of unapproved content.

  References: The Incident Handler (ECIH v3) by EC-Council includes discussions on various types of security incidents, emphasizing the importance of addressing and mitigating not just external threats but also internal misuse and policy violations.

• Question 156:

  Zaimasoft, a prominent IT organization, was attacked by perpetrators who directly targeted the hardware and caused irreversible damage to the hardware. In result, replacing or reinstalling the hardware was the only solution. Identify the type of denial-of-service attack performed on Zaimasoft.

  A. ddos
  B. DoS
  C. PDoS
  D. DRDoS
  C. PDoS

  ---

  A Permanent Denial-of-Service (PDoS) attack, also known as "phlashing," is a form of attack that targets hardware, causing irreversible damage to the hardware components, thereby making the device unusable without a replacement or significant hardware intervention. In the scenario described with Zaimasoft, the attackers' actions leading to the damage of hardware components align with the characteristics of a PDoS attack. Unlike Distributed Denial-of-Service (DDoS) or Denial-of-Service (DoS) attacks, which generally aim to overwhelm a system's resources temporarily, or DRDoS (Distributed Reflection Denial of Service), which involves amplification techniques using third-party servers, a PDoS attack directly damages the physical hardware, necessitating its replacement or reinstallation. This makes PDoS particularly severe due to its permanent impact on the targeted organization's hardware infrastructure.

  References: Incident Handler (ECIH v3) educational resources detail various types of denial-of-service attacks, including PDoS, highlighting the distinct nature of each attack and its implications on the affected systems, with PDoS being noted for its physical, irreparable impact on hardware components.

• Question 157:

  For analyzing the system, the browser data can be used to access various credentials.

  Which of the following tools is used to analyze the history data files in Microsoft Edge browser?

  A. ChromeHistoryView
  B. BrowsingHistoryView
  C. MZCacheView
  D. MZHistoryView
  B. BrowsingHistoryView

  ---

  BrowsingHistoryView is a tool designed to collect and analyze history data from various web browsers, including Microsoft Edge. It allows users to view the browsing history stored by their browsers in one unified interface. This includes URLs visited, page titles, visit times, and the number of visits to each page. While ChromeHistoryView is specific to Google Chrome, BrowsingHistoryView supports multiple browsers, making it versatile for analyzing history data across different platforms. MZCacheView and MZHistoryView do not exist as tools recognized for this purpose in the context of Microsoft Edge or other browser history analysis.

  References: Incident Handler (ECIH v3) courses and study guides emphasize the importance of using digital forensic tools, such as BrowsingHistoryView, for analyzing web browser data during investigations.

• Question 158:

  Otis is an incident handler working in Delmont organization. Recently, the organization is facing several setbacks in the business and thereby its revenues are going down. Otis was asked to take the charge and look into the matter. While auditing the enterprise security, he found the traces of an attack, where the proprietary information was stolen from the enterprise network and was passed onto the competitors. Which of the following information security incidents Delmont organization faced?

  A. Network and resource abuses
  B. Unauthorized access
  C. Espionage
  D. Email-based abuse
  C. Espionage

  ---

  The Delmont organization faced an espionage incident, which involves the unauthorized access and theft of proprietary or confidential information for passing it onto competitors or other external entities. Espionage is targeted at obtaining secrets or intellectual property to gain a competitive advantage or for other strategic purposes. Unlike network and resource abuses or email-based abuse, which might not specifically target sensitive information, espionage directly aims at stealing valuable data. Unauthorized access is a method that could be used in an espionage attempt but does not fully capture the motive of passing stolen information to competitors.

  References: Incident Handler (ECIH v3) courses and study materials discuss various types of information security incidents, including espionage, highlighting its impact on businesses and strategies for detection and prevention.

• Question 159:

  Raven is a part of an IHandR team and was informed by her manager to handle and lead the removal of the root cause for an incident and to close all attack vectors to prevent similar incidents in the future. Raven notifies the service providers and developers of affected resources. Which of the following steps of the incident handling and response process does Raven need to implement to remove the root cause of the incident?

  A. Evidence gathering and forensic analysis
  B. Eracicotion
  C. Containment
  D. Incident triage
  B. Eracicotion

  ---

  Eradication is the step in the incident handling and response process where the root cause of an incident is removed, and measures are taken to close all attack vectors to prevent similar incidents in the future. After an incident has been properly contained to stop it from spreading or causing further damage, the eradication phase focuses on eliminating the source of the incident. This could involve removing malware, closing vulnerabilities, or implementing stronger security measures to address the

  exploitation paths used by the attacker.

  In the scenario with Raven, notifying service providers and developers of affected resources is part of the actions taken to address the root cause of the incident. This ensures that any vulnerabilities or issues that contributed to the incident are fixed. By working to remove the root cause and secure the system against similar attacks, Raven is effectively implementing the eradication step of the incident handling process.

  References: The EC-Council's Certified Incident Handler (ECIH v3) curriculum outlines the steps involved in handling and responding to security incidents, with a clear emphasis on the importance of eradication in resolving incidents and securing systems for the future. This step is crucial for ensuring that incidents are not only resolved in the short term but also that the underlying issues are addressed to prevent recurrence.

• Question 160:

  Which characteristic of digital evidence ensures that the evidence is complete and includes all relevant data related to the incident?

  A. Authenticity
  B. Reliability
  C. Completeness
  D. Admissibility
  C. Completeness

  ---

  Completeness ensures that digital evidence contains all relevant information needed to reconstruct events and support investigation findings, without missing critical data.