EC-COUNCIL 212-89 Online Practice
Questions and Exam Preparation
212-89 Exam Details
Exam Code
:212-89
Exam Name
:EC Council Certified Incident Handler (ECIH v3)
Certification
:EC-COUNCIL Certifications
Vendor
:EC-COUNCIL
Total Questions
:232 Q&As
Last Updated
:Jul 15, 2026
EC-COUNCIL 212-89 Online Questions &
Answers
Question 71:
The left over risk after implementing a control is called:
A. Residual risk B. Unaccepted risk C. Low risk D. Critical risk
A. Residual risk
Explanation
Question 72:
Drake is an incident handler in Dark CLoud Inc. He is intended to perform log analysis in order to detect traces of malicious activities within the network infrastructure. Which of the following tools Drake must employ in order to view logs in real time and identify malware propagation within the network?
A. Splunk B. HULK C. Hydra D. LOIC
A. Splunk
Splunk is a powerful tool for log analysis, capable of collecting, analyzing, and visualizing data from various sources in real time. For an incident handler like Drake, intending to detect traces of malicious activities within the network infrastructure, Splunk can efficiently parse large volumes of log data, enabling the identification of patterns and anomalies that may indicate malware propagation or other security incidents. Its real-time analysis capabilities make it an ideal tool for monitoring network activities and responding to incidents promptly.
Question 73:
A forensic analyst creates cryptographic hash values before and after acquiring disk images. What is the primary purpose of this action?
A. Encrypt the evidence B. Compress the evidence C. Verify evidence integrity D. Improve evidence availability
C. Verify evidence integrity
Hash values are used to verify the integrity of digital evidence. Matching hash values before and after acquisition confirm that the evidence has not been altered during the forensic process.
Question 74:
Adam is an incident handler who intends to use DBCC LOG command to analyze a database and retrieve the active transaction log files for the specified database. The syntax of DBCC LOG command is DBCC LOG(, ), where the output parameter specifies the level of information an incident handler wants to retrieve. If Adam wants to retrieve the full information on each operation along with the hex dump of a current transaction row, which of the following output parameters should Adam use?
A. 2 B. 3 C. 4 D. 1
C. 4
The DBCC LOG command is used in SQL Server environments to analyze the transaction log files of a database. It provides insights into the transactions that have occurred, which is crucial for forensic analysis in the event of an incident. The syntax DBCC LOG(, ) allows an incident handler to specify the level of detail they wish to retrieve from the log files. When an incident handler like Adam requires the full information on each operation along with the hex dump of the current transaction row, the output parameter should be set to 4. This level of output is the most verbose, providing comprehensive details about each transaction, including a hex dump which is essential for a deep forensic analysis. It helps in understanding the exact changes made by transactions, which can be pivotal in investigating incidents involving data manipulation or other unauthorized database activities.
References: EC-Council's Certified Incident Handler (ECIH v3) program emphasizes the importance of understanding and utilizing various tools and commands for forensic analysis, including how to use the DBCC LOG command for transaction log analysis in SQL Server environments.
Question 75:
Your manager hands you several items of digital evidence and asks you to investigate them in the order of volatility. Which of the following is the MOST volatile?
A. Cache B. Disk C. Emails D. Temp files
A. Cache
In the context of digital evidence investigation, volatility refers to how quickly data can change or be lost when power is removed or systems are altered. Among the options provided, cache is the most volatile because it is temporary storage that is designed to speed up access to data and is frequently overwritten. Cache data resides in RAM and includes things like memory buffers, system and network information, and process execution data, which are lost upon reboot or power loss. This contrasts with disks, emails, and temp files, which are considered less volatile because they are stored on permanent or semi-permanent media and are less likely to be immediately lost or overwritten.
References: The Incident Handler (ECIH v3) curriculum includes principles of digital evidence handling, which emphasizes the importance of collecting evidence in descending order of volatility to ensure that the most ephemeral data is preserved before it's lost.
Question 76:
Stenley is an incident handler working for Texa Corp. located in the United States. With the growing concern of increasing emails from outside the organization, Stenley was asked to take appropriate actions to keep the security of the organization intact. In the process of detecting and containing malicious emails, Stenley was asked to check the validity of the emails received by employees. Identify the tools he can use to accomplish the given task.
A. PointofMail B. Email Dossier C. PoliteMail D. EventLog Analyzer
B. Email Dossier
Email Dossier is a tool designed to perform detailed investigations on email messages to verify their authenticity and trace their origin. It can analyze email headers and provide information about the route an email has taken, the servers it passed through, and potentially malicious links or origins. For an incident handler like Stenley, tasked with verifying the validity of emails and containing malicious email threats, Email Dossier serves as a practical tool for analyzing and validating emails received by employees. By using this tool, Stenley can identify fraudulent or suspicious emails, thereby helping to protect the organization from phishing attacks, malware distribution, and other email-based threats.
References: In the context of managing and mitigating the risks associated with email communications, ECIH v3 study materials outline various tools and techniques for email analysis and validation. These resources recommend the use of tools like Email Dossier for incident handlers to effectively scrutinize incoming emails for security threats.
Question 77:
Alex is an incident handler for Tech-o-Tech Inc. and is tasked to identify any possible insider threats within his organization. Which of the following insider threat detection techniques can be used by Alex to detect insider threats based on the behavior of a suspicious employee, both individually and in a group?
A. behaviorial analysis B. Physical detection C. Profiling D. Mole detection
C. Profiling
Behavioral analysis is a technique used to detect insider threats by analyzing the behavior of employees, both individually and in group settings, to identify any actions that deviate from the norm. This method relies on monitoring and analyzing data related to user activities, access patterns, and other behaviors that could indicate malicious intent or a potential security risk from within the organization. Behavioral analysis can detect unusual access to sensitive data, abnormal data transfer activities, and other indicators of insider threats. This approach is proactive and can help in identifying potential insider threats before they result in significant harm to the organization.
References: The Incident Handler (ECIH v3) certification materials cover various insider threat detection techniques, including the importance of behavioral analysis as a key method for identifying potential security risks posed by insiders.
Question 78:
Stanley works as an incident responder at a top MNC based out of Singapore. He was asked to investigate a cybersecurity incident that recently occurred in the company.
While investigating the crime, he collected the evidence from the victim systems. He must present this evidence in a clear and comprehensible manner to the members of jury so that the evidence explains the facts clearly and further helps in obtaining an expert opinion on the same to confirm the investigation process.
In the above scenario, what is the characteristic of the digital evidence Stanley tried to preserve?
A. Believable B. Complete C. Authentic D. Admissible
D. Admissible
In the scenario described, Stanley aims to ensure that the digital evidence he collected is admissible in court. This means the evidence must be gathered, handled, and presented in a manner that complies with legal standards, ensuring it can be legally used in a trial. Admissibility is a crucial characteristic of digital evidence, as it must be relevant, authentic, and obtained without violating any laws or rights to privacy. The evidence must also be presented in a clear and comprehensible manner to be understood by the members of the jury, which further supports its admissibility in court.
References: The Incident Handler (ECIH v3) certification materials cover the legal aspects of handling digital evidence, including the principles ensuring evidence is admissible in court.
Question 79:
When an employee is terminated from his or her job, what should be the next immediate step taken by an organization?
A. All access rights of the employee to physical locations, networks, systems, applications and data should be disabled B. The organization should enforce separation of duties C. The access requests granted to an employee should be documented and vetted by the supervisor D. The organization should monitor the activities of the system administrators and privileged users who have permissions to access the sensitive information
A. All access rights of the employee to physical locations, networks, systems, applications and data should be disabled
Explanation
Question 80:
SWA Cloud Services added PKI as one of their cloud security controls. What does PKI stand for?
A. Private key infrastructure B. Private key in for ma lion C. Public key information D. Public key infrastructure
D. Public key infrastructure
Public Key Infrastructure (PKI) is a framework used to manage digital certificates and public-key encryption. It enables secure electronic transfer of information for a range of network activities such as e-commerce, internet banking, and confidential email. PKI is fundamental to the management of encryption keys and digital certificates, ensuring the secure exchange of data over networks and verification of identity.
References: The ECIH v3 program covers the importance of PKI in cloud security controls, emphasizing its role in establishing and maintaining a secure cloud computing environment.
Nowadays, the certification exams become more and more important and required by more and more
enterprises when applying for a job. But how to prepare for the exam effectively? How to prepare
for the exam in a short time with less efforts? How to get a ideal result and how to find the
most reliable resources? Here on Vcedump.com, you will find all the answers.
Vcedump.com provide not only EC-COUNCIL exam questions,
answers and explanations but also complete assistance on your exam preparation and certification
application. If you are confused on your 212-89 exam preparations
and EC-COUNCIL certification application, do not hesitate to visit our
Vcedump.com to find your solutions here.