EC-COUNCIL EC0-349 Online Practice Questions and Exam Preparation

EC-COUNCIL EC0-349 Online Questions & Answers

• Question 211:

  Paraben Lockdown device uses which operating system to write hard drive data?

  A. Mac OS
  B. Red Hat
  C. Unix
  D. Windows
  D. Windows

• Question 212:

  Preparing an image drive to copy files to is the first step in Linux forensics. For this purpose, what would the following command accomplish? dcfldd if=/dev/zero of=/dev/hda bs=4096 conv=noerror, sync

  A. Fill the disk with zeros
  B. Low-level format
  C. Fill the disk with 4096 zeros
  D. Copy files from the master disk to the slave disk on the secondary IDE controller
  A. Fill the disk with zeros

• Question 213:

  In a forensic examination of hard drives for digital evidence, what type of user is most likely to have the most file slack to analyze?

  A. one who has NTFS 4 or 5 partitions
  B. one who uses dynamic swap file capability
  C. one who uses hard disk writes on IRQ 13 and 21
  D. one who has lots of allocation units per block or cluster
  D. one who has lots of allocation units per block or cluster

• Question 214:

  Which Windows Registry hive contains system-wide configuration and the SAM database pointers?

  A. HKEY_CURRENT_USER
  B. HKEY_LOCAL_MACHINE
  C. HKEY_USERS
  D. HKEY_CURRENT_CONFIG
  B. HKEY_LOCAL_MACHINE

• Question 215:

  Which of the following should a computer forensics lab used for investigations have?

  A. isolation
  B. restricted access
  C. open access
  D. an entry log
  B. restricted access

• Question 216:

  You are working as an investigator for a corporation and you have just received instructions from your manager to assist in the collection of 15 hard drives that are part of an ongoing investigation. Your job is to complete the required evidence custody forms to properly document each piece of evidence as it is collected by other members of your team. Your manager instructs you to complete one multi-evidence form for the entire case and a single-evidence form for each hard drive. How will these forms be stored to help preserve the chain of custody of the case?

  A. All forms should be placed in an approved secure container because they are now primary evidence in the case.
  B. The multi-evidence form should be placed in the report file and the single-evidence forms should be kept with each hard drive in an approved secure container.
  C. The multi-evidence form should be placed in an approved secure container with the hard drives and the single-evidence forms should be placed in the report file.
  D. All forms should be placed in the report file because they are now primary evidence in the case.
  B. The multi-evidence form should be placed in the report file and the single-evidence forms should be kept with each hard drive in an approved secure container.

• Question 217:

  What does ICMP Type 3/Code 13 mean?

  A. Host Unreachable
  B. Administratively Blocked
  C. Port Unreachable
  D. Protocol Unreachable
  B. Administratively Blocked

• Question 218:

  Harold is a security analyst who has just run the rdisk /s command to grab the backup SAM files on a computer. Where should Harold navigate on the computer to find the file?

  A. %systemroot%\system32\LSA
  B. %systemroot%\system32\drivers\etc
  C. %systemroot%\repair
  D. %systemroot%\LSA
  C. %systemroot%\repair

• Question 219:

  You are using DriveSpy, a forensic tool and want to copy 150 sectors where the starting sector is 1709 on the primary hard drive. Which of the following formats correctly specifies these sectors?

  A. 0:1000, 150
  B. 0:1709, 150
  C. 1:1709, 150
  D. 0:1709-1858
  B. 0:1709, 150

• Question 220:

  To check for POP3 traffic using Ethereal, what port should an investigator search by?

  A. 143
  B. 25
  C. 110
  D. 125
  C. 110