312-49 Exam Details

  • Exam Code
    :312-49
  • Exam Name
    :ECCouncil Computer Hacking Forensic Investigator (V9)
  • Certification
    :EC-COUNCIL Certifications
  • Vendor
    :EC-COUNCIL
  • Total Questions
    :531 Q&As
  • Last Updated
    :Jul 09, 2026

EC-COUNCIL 312-49 Online Questions & Answers

  • Question 481:

    If a suspect computer is located in an area that may have toxic chemicals, you must:

    A. coordinate with the HAZMAT team
    B. determine a way to obtain the suspect computer
    C. assume the suspect machine is contaminated
    D. do not enter alone

  • Question 482:

    Tasklist command displays a list of applications and services with their Process ID (PID) for all tasks running on either a local or a remote computer. Which of the following tasklist commands provides information about the listed processes, including the image name, PID, name, and number of the session for the process?

    A. tasklist /p
    B. tasklist /v
    C. tasklist /u
    D. tasklist /s

  • Question 483:

    What is the default IIS log location?

    A. SystemDrive\inetpub\LogFiles
    B. %SystemDrive%\inetpub\logs\LogFiles
    C. %SystemDrive\logs\LogFiles
    D. SystemDrive\logs\LogFiles

  • Question 484:

    You setup SNMP in multiple offices of your company. Your SNMP software manager is not receiving data from other offices like it is for your main office. You suspect that firewall changes are to blame. What ports should you open for SNMP to work through Firewalls? (Choose two.)

    A. 162
    B. 161
    C. 163
    D. 160

  • Question 485:

    Event correlation is the process of finding relevance between the events that produce a final result. What type of correlation will help an organization to correlate events across a set of servers, systems, routers and network?

    A. Same-platform correlation
    B. Network-platform correlation
    C. Cross-platform correlation
    D. Multiple-platform correlation

  • Question 486:

    A honey pot deployed with the IP 172.16.1.108 was compromised by an attacker. Given below is an excerpt from a Snort binary capture of the attack. Decipher the activity carried out by the attacker by studying the log. Please note that you

    are required to infer only what is explicit in the excerpt.

    (Note: The student is being tested on concepts learnt during passive OS fingerprinting, basic TCP/IP connection concepts and the ability to read packet signatures from a sniff dump.) 03/15-20:21:24.107053 211.185.125.124:3500 ->

    172.16.1.108:111 TCP TTL:43 TOS:0x0 ID:29726 IpLen:20 DgmLen:52 DF ***A**** Seq: 0x9B6338C5 Ack: 0x5820ADD0 Win: 0x7D78 TcpLen: 32 TCP Options (3) => NOP NOP TS: 23678634 2878772 =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=

    03/15-20:21:24.452051 211.185.125.124:789 -> 172.16.1.103:111 UDP TTL:43 TOS:0x0 ID:29733 IpLen:20 DgmLen:84 Len: 64 01 0A 8A 0A 00 00 00 00 00 00 00 02 00 01 86 A0 ................ 00 00 00 02 00 00 00 03 00 00 00 00 00 00 00 00 ................ 00 00 00 00 00 00 00 00 00 01 86 B8 00 00 00 01 ................ 00 00 00 11 00 00 00 00 ........ =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+= 03/15-20:21:24.730436 211.185.125.124:790 -> 172.16.1.103:32773 UDP TTL:43 TOS:0x0 ID:29781 IpLen:20 DgmLen:1104 Len: 1084 47 F7 9F 63 00 00 00 00 00 00 00 02 00 01 86 B8

    A. The attacker has conducted a network sweep on port 111
    B. The attacker has scanned and exploited the system using Buffer Overflow
    C. The attacker has used a Trojan on port 32773
    D. The attacker has installed a backdoor

  • Question 487:

    Which command can provide the investigators with details of all the loaded modules on a Linux-based system?

    A. list modules -a
    B. lsmod
    C. plist mod -a
    D. lsof -m

  • Question 488:

    You are contracted to work as a computer forensics investigator for a regional bank that has four 30 TB storage area networks that store customer data. What method would be most efficient for you to acquire digital evidence from this network?

    A. create a compressed copy of the file with DoubleSpace
    B. create a sparse data copy of a folder or file
    C. make a bit-stream disk-to-image file
    D. make a bit-stream disk-to-disk file

  • Question 489:

    Under confession, an accused criminal admitted to encrypting child pornography pictures and then hiding them within other pictures. What technique did the accused criminal employ?

    A. Typography
    B. Steganalysis
    C. Picture encoding
    D. Steganography

  • Question 490:

    Which one of the following is not a first response procedure?

    A. Preserve volatile data
    B. Fill forms
    C. Crack passwords
    D. Take photos

Tips on How to Prepare for the Exams

Nowadays, the certification exams become more and more important and required by more and more enterprises when applying for a job. But how to prepare for the exam effectively? How to prepare for the exam in a short time with less efforts? How to get a ideal result and how to find the most reliable resources? Here on Vcedump.com, you will find all the answers. Vcedump.com provide not only EC-COUNCIL exam questions, answers and explanations but also complete assistance on your exam preparation and certification application. If you are confused on your 312-49 exam preparations and EC-COUNCIL certification application, do not hesitate to visit our Vcedump.com to find your solutions here.