412-79 Exam Details

  • Exam Code
    :412-79
  • Exam Name
    :EC-Council Certified Security Analyst (ECSA)
  • Certification
    :EC-COUNCIL Certifications
  • Vendor
    :EC-COUNCIL
  • Total Questions
    :232 Q&As
  • Last Updated
    :Jul 10, 2026

EC-COUNCIL 412-79 Online Questions & Answers

  • Question 11:

    Harold is a security analyst who has just run the rdisk /s command to grab the backup SAM file on a computer. Where should Harold navigate on the computer to find the file?

    A. %systemroot%\LSA
    B. %systemroot%\repair
    C. %systemroot%\system32\drivers\etc
    D. %systemroot%\system32\LSA

  • Question 12:

    This is original file structure database that Microsoft originally designed for floppy disks. It is written to the outermost track of a disk and contains information about each file stored on the drive.

    A. Master Boot Record (MBR)
    B. Master File Table (MFT)
    C. File Allocation Table (FAT)
    D. Disk Operating System (DOS)

  • Question 13:

    Office documents (Word, Excel, PowerPoint) contain a code that allows tracking the MAC, or unique identifier, of the machine that created the document. What is that code called?

    A. the Microsoft Virtual Machine Identifier
    B. the Personal Application Protocol
    C. the Globally Unique ID
    D. the Individual ASCII String

  • Question 14:

    Which legal document allows law enforcement to search an office, place of business, or other locale for evidence relating to an alleged crime?

    A. bench warrant
    B. wire tap
    C. subpoena
    D. search warrant

  • Question 15:

    If you come across a sheepdip machine at your client site, what would you infer?

    A. Asheepdip coordinates several honeypots
    B. Asheepdip computer is another name for a honeypot
    C. Asheepdip computer is used only for virus-checking.
    D. Asheepdip computer defers a denial of service attack

  • Question 16:

    Microsoft Outlook maintains email messages in a proprietary format in what type of file?

    A. .email
    B. .mail
    C. .pst
    D. .doc

  • Question 17:

    Law enforcement officers are conducting a legal search for which a valid warrant was obtaineD. While conducting the search, officers observe an item of evidence for an unrelated crime that was not included in the warrant. The item was clearly visible to the officers and immediately identified as evidence. What is the term used to describe how this evidence is admissible?

    A. Plain view doctrine
    B. Corpus delicti
    C. Locard Exchange Principle
    D. Ex Parte Order

  • Question 18:

    In a FAT32 system, a 123 KB file will use how many sectors?

    A. 34
    B. 246
    C. 11
    D. 56

  • Question 19:

    The efforts to obtain information before a trail by demanding documents, depositions, questioned and answers written under oath, written requests for admissions of fact and examination of the scene is a description of what legal term?

    A. Detection
    B. Hearsay
    C. Spoliation
    D. Discovery

  • Question 20:

    The following excerpt is taken from a honeypot log. The log captures activities across three days. There are several intrusion attempts; however, a few are successful. (Note: The objective of this question is to test whether the student can

    read basic information from log entries and interpret the nature of attack.) Apr 24 14:46:46 [4663]: spp_portscan: portscan detected from 194.222.156.169 Apr 24 14:46:46 [4663]:

    IDS27/FIN Scan: 194.222.156.169:56693 -> 172.16.1.107:482 Apr 24 18:01:05 [4663]: IDS/DNS-version- query: 212.244.97.121:3485 -> 172.16.1.107:53 Apr 24 19:04:01 [4663]: IDS213/ftp-passwd-retrieval:

    194.222.156.169:1425 -> 172.16.1.107:21 Apr 25 08:02:41 [5875]: spp_portscan: PORTSCAN DETECTED from 24.9.255.53 Apr 25 02:08:07 [5875]: IDS277/DNS-version-query: 63.226.81.13:4499 -> 172.16.1.107:53 Apr 25 02:08:07

    [5875]: IDS277/DNS-version-query: 63.226.81.13:4630 -> 172.16.1.101:53 Apr 25 02:38:17 [5875]: IDS/RPC-rpcinfo-query: 212.251.1.94:642 -> 172.16.1.107:111 Apr 25 19:37:32 [5875]: IDS230/web-cgi-space-wildcard:

    198.173.35.164:4221 -> 172.16.1.107:80 Apr 26

    05:45:12 [6283]: IDS212/dns-zone-transfer: 38.31.107.87:2291 -> 172.16.1.101:53 Apr 26 06:43:05 [6283]: IDS181/nops-x86: 63.226.81.13:1351 -> 172.16.1.107:53 Apr 26 06:44:25 victim7 PAM_pwdb [12509]: (login) session opened for

    user simple by (uid=0) Apr 26 06:44:36 victim7 PAM_pwdb[12521]:

    (su) session opened for user simon by simple(uid=506) Apr 26 06:45:34 [6283]: IDS175/socks-probe:

    24.112.167.35:20 -> 172.16.1.107:1080 Apr 26 06:52:10 [6283]: IDS127/telnet-login-incorrect:

    172.16.1.107:23

    -> 213.28.22.189:4558 From the options given below choose the one which best interprets the following entry: Apr 26 06:43:05 [6283]: IDS181/nops-x86: 63.226.81.13:1351 -> 172.16.1.107:53

    A. An IDS evasion technique
    B. A buffer overflow attempt
    C. A DNS zone transfer
    D. Data being retrieved from 63.226.81.13

Tips on How to Prepare for the Exams

Nowadays, the certification exams become more and more important and required by more and more enterprises when applying for a job. But how to prepare for the exam effectively? How to prepare for the exam in a short time with less efforts? How to get a ideal result and how to find the most reliable resources? Here on Vcedump.com, you will find all the answers. Vcedump.com provide not only EC-COUNCIL exam questions, answers and explanations but also complete assistance on your exam preparation and certification application. If you are confused on your 412-79 exam preparations and EC-COUNCIL certification application, do not hesitate to visit our Vcedump.com to find your solutions here.