312-49 Exam Details

  • Exam Code
    :312-49
  • Exam Name
    :ECCouncil Computer Hacking Forensic Investigator (V9)
  • Certification
    :EC-COUNCIL Certifications
  • Vendor
    :EC-COUNCIL
  • Total Questions
    :531 Q&As
  • Last Updated
    :Jul 09, 2026

EC-COUNCIL 312-49 Online Questions & Answers

  • Question 1:

    Using Internet logging software to investigate a case of malicious use of computers, the investigator comes across some entries that appear odd.

    From the log, the investigator can see where the person in question went on the Internet. From the log, it appears that the user was manually typing in different user ID numbers. What technique this user was trying?

    A. Parameter tampering
    B. Cross site scripting
    C. SQL injection
    D. Cookie Poisoning

  • Question 2:

    Office documents (Word, Excel, PowerPoint) contain a code that allows tracking the MAC, or unique identifier, of the machine that created the document. What is that code called?

    A. the Microsoft Virtual Machine Identifier
    B. the Personal Application Protocol
    C. the Globally Unique ID
    D. the Individual ASCII String

  • Question 3:

    Brian needs to acquire data from RAID storage. Which of the following acquisition methods is recommended to retrieve only the data relevant to the investigation?

    A. Static Acquisition
    B. Sparse or Logical Acquisition
    C. Bit-stream disk-to-disk Acquisition
    D. Bit-by-bit Acquisition

  • Question 4:

    One way to identify the presence of hidden partitions on a suspect's hard drive is to:

    A. Add up the total size of all known partitions and compare it to the total size of the hard drive
    B. Examine the FAT and identify hidden partitions by noting an H in the partition Type field
    C. Examine the LILO and note an H in the partition Type field
    D. It is not possible to have hidden partitions on a hard drive

  • Question 5:

    The Recycle Bin exists as a metaphor for throwing files away, but it also allows a user to retrieve and restore files. Once the file is moved to the recycle bin, a record is added to the log file that exists in the Recycle Bin. Which of the following files contains records that correspond to each deleted file in the Recycle Bin?

    A. INFO2
    B. INFO1
    C. LOGINFO1
    D. LOGINFO2

  • Question 6:

    Investigators can use the Type Allocation Code (TAC) to find the model and origin of a mobile device. Where is TAC located in mobile devices?

    A. International Mobile Equipment Identifier (IMEI)
    B. Integrated circuit card identifier (ICCID)
    C. International mobile subscriber identity (IMSI)
    D. Equipment Identity Register (EIR)

  • Question 7:

    You should make at least how many bit-stream copies of a suspect drive?

    A. 1
    B. 2
    C. 3
    D. 4

  • Question 8:

    Pagefile.sys is a virtual memory file used to expand the physical memory of a computer. Select the registry path for the page file:

    A. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management
    B. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\System Management
    C. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Device Management
    D. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters

  • Question 9:

    What is the slave device connected to the secondary IDE controller on a Linux OS referred to?

    A. hda
    B. hdd
    C. hdb
    D. hdc

  • Question 10:

    You are working as Computer Forensics investigator and are called by the owner of an accounting firm to investigate possible computer abuse by one of the firm's employees. You meet with the owner of the firm and discover that the company has never published a policy stating that they reserve the right to inspect their computing assets at will. What do you do?

    A. Inform the owner that conducting an investigation without a policy is not a problem because the company is privately owned
    B. Inform the owner that conducting an investigation without a policy is a violation of the 4th amendment
    C. Inform the owner that conducting an investigation without a policy is a violation of the employee's expectation of privacy
    D. Inform the owner that conducting an investigation without a policy is not a problem because a policy is only necessary for government agencies

Tips on How to Prepare for the Exams

Nowadays, the certification exams become more and more important and required by more and more enterprises when applying for a job. But how to prepare for the exam effectively? How to prepare for the exam in a short time with less efforts? How to get a ideal result and how to find the most reliable resources? Here on Vcedump.com, you will find all the answers. Vcedump.com provide not only EC-COUNCIL exam questions, answers and explanations but also complete assistance on your exam preparation and certification application. If you are confused on your 312-49 exam preparations and EC-COUNCIL certification application, do not hesitate to visit our Vcedump.com to find your solutions here.