1. Home
  2. EC-COUNCIL
  3. 412-79

EC-COUNCIL 412-79 Online Practice Questions and Exam Preparation

412-79 Exam Details

  • Exam Code
    :412-79
  • Exam Name
    :EC-Council Certified Security Analyst (ECSA)
  • Certification
    :EC-COUNCIL Certifications
  • Vendor
    :EC-COUNCIL
  • Total Questions
    :232 Q&As
  • Last Updated
    :May 29, 2026

EC-COUNCIL 412-79 Online Questions & Answers

  • Question 151:

    When investigating a potential e-mail crime, what is your first step in the investigation?

    A. Trace the IP address to its origin
    B. Write a report
    C. Determine whether a crime was actually committed
    D. Recover the evidence

  • Question 152:

    When investigating a network that uses DHCP to assign IP addresses, where would you look to determine which system (MAC address) had a specific IP address at a specific time?

    A. on the individual computer s ARP cache
    B. in the Web Server log files
    C. in the DHCP Server log files
    D. there is no way to determine the specific IP address

  • Question 153:

    A honey pot deployed with the IP 172.16.1.108 was compromised by an attacker . Given below is an excerpt from a Snort binary capture of the attack. Decipher the activity carried out by the attacker by studying the log. Please note that you

    are required to infer only what is explicit in the excerpt. (Note: The student is being tested on concepts learnt during passive OS fingerprinting, basic TCP/IP connection concepts and the ability to read packet signatures from a sniff dump.)

    03/15-20:21:24.107053

    ***A**** Seq: 0x9B6338C5 Ack: 0x5820ADD0 Win: 0x7D78 TcpLen: 32 TCP Options (3) => NOP NOP

    TS: 23678634 2878772 =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+= +=+=+=+=+=

    IpLen:20 DgmLen:84 Len: 64

    01 0A 8A 0A 00 00 00 00 00 00 00 02 00 01 86 A0 ................ 00 00 00 02 00 00 00 03 00 00 00 00 00 00 00 00 ................ 00 00 00 00 00 00 00 00 00 01 86 B8 00 00 00 01 ................

    00 00 00 11 00 00 00 00 ........

    =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=

    IpLen:20 DgmLen:1104 Len: 1084 47 F7 9F 63 00 00 00 00 00 00 00 02 00 01 86 B8

    A. The attacker has conducted a network sweep on port 111
    B. The attacker has scanned and exploited the system using Buffer Overflow
    C. The attacker has used a Trojan on port 32773
    D. The attacker has installed a backdoor

  • Question 154:

    You are working for a large clothing manufacturer as a computer forensics investigator and are called in to investigate an unusual case of an employee possibly stealing clothing designs from the company and selling them under a different brand name for a different company. What you discover during the course of the investigation is that the clothing designs are actually original products of the employee and the company has no policy against an employee selling his own designs on his own time. The only thing that you can find that the employee is doing wrong is that his clothing design incorporates the same graphic symbol as that of the company with only the wording in the graphic being different. What area of the law is the employee violating?

    A. trademark law
    B. copyright law
    C. printright law
    D. brandmark law

  • Question 155:

    When you are running a vulnerability scan on a network and the IDS cuts off your connection, what type of IDS is being used?

    A. NIPS
    B. Passive IDS
    C. Progressive IDS
    D. Active IDS

  • Question 156:

    Which of the following refers to the data that might still exist in a cluster even though the original file has been overwritten by another file?

    A. Sector
    B. Metadata
    C. MFT
    D. Slack Space

  • Question 157:

    When obtaining a warrant it is important to:

    A. particularlydescribe the place to be searched and particularly describe the items to be seized
    B. generallydescribe the place to be searched and particularly describe the items to be seized
    C. generallydescribe the place to be searched and generally describe the items to be seized
    D. particularlydescribe the place to be searched and generally describe the items to be seized

  • Question 158:

    When investigating a Windows System, it is important to view the contents of the page or swap file because:

    A. Windows stores all of the systems configuration information in this file
    B. This is file that windows use to communicate directly with Registry
    C. A Large volume of data can exist within the swap file of which the computer user has no knowledge
    D. This is the file that windows use to store the history of the last 100 commands that were run from the command line

  • Question 159:

    One way to identify the presence of hidden partitions on a suspect s hard drive is to:

    A. Add up the total size of all known partitions and compare it to the total size of the hard drive
    B. Examine the FAT and identify hidden partitions by noting an H in the partition Type field
    C. Examine the LILO and note an H in the partition Type field
    D. It is not possible to have hidden partitions on a hard drive

  • Question 160:

    How many possible sequence number combinations are there in TCP/IP protocol?

    A. 320 billion
    B. 32 million
    C. 4 billion
    D. 1 billion

Related Exams:

Tips on How to Prepare for the Exams

Nowadays, the certification exams become more and more important and required by more and more enterprises when applying for a job. But how to prepare for the exam effectively? How to prepare for the exam in a short time with less efforts? How to get a ideal result and how to find the most reliable resources? Here on Vcedump.com, you will find all the answers. Vcedump.com provide not only EC-COUNCIL exam questions, answers and explanations but also complete assistance on your exam preparation and certification application. If you are confused on your 412-79 exam preparations and EC-COUNCIL certification application, do not hesitate to visit our Vcedump.com to find your solutions here.