EC0-349 Exam Details

  • Exam Code: EC0-349
  • Exam Name: Computer Hacking Forensic Investigator
  • Certification: EC-COUNCIL Certifications
  • Vendor: EC-COUNCIL
  • Total Questions: 325 Q&As
  • Last Updated: May 24, 2026

EC-COUNCIL EC0-349 Online Questions & Answers

  • Question 81:

    What will the following Linux command accomplish? dd if=/dev/mem of=/home/sam/mem.bin bs=1024

    A. Copy the master boot record to a file
    B. Copy the contents of the system folder to a file
    C. Copy the running memory to a file
    D. Copy the memory dump file to an image file

  • Question 82:

    The following excerpt is taken from a honeypot log. The log captures activities across three days.

    There are several intrusion attempts; however, a few are successful.

    (Note: The objective of this question is to test whether the student can read basic information from log entries and interpret the nature of attack.)

    Apr 24 14:46:46 [4663]: spp_portscan: portscan detected from 194.222.156.169
    Apr 24 14:46:46 [4663]: IDS27/FIN Scan: 194.222.156.169:56693 -> 172.16.1.107:482
    Apr 24 18:01:05 [4663]: IDS/DNS-version-query: 212.244.97.121:3485 -> 172.16.1.107:53
    Apr 24 19:04:01 [4663]: IDS213/ftp-passwd-retrieval: 194.222.156.169:1425 -> 172.16.1.107:21
    Apr 25 08:02:41 [5875]: spp_portscan: PORTSCAN DETECTED from 24.9.255.53
    Apr 25 02:08:07 [5875]: IDS277/DNS-version-query: 63.226.81.13:4499 -> 172.16.1.107:53
    Apr 25 02:08:07 [5875]: IDS277/DNS-version-query: 63.226.81.13:4630 -> 172.16.1.101:53
    Apr 25 02:38:17 [5875]: IDS/RPC-rpcinfo-query: 212.251.1.94:642 -> 172.16.1.107:111
    Apr 25 19:37:32 [5875]: IDS230/web-cgi-space-wildcard: 198.173.35.164:4221 -> 172.16.1.107:80
    Apr 26 05:45:12 [6283]: IDS212/dns-zone-transfer: 38.31.107.87:2291 -> 172.16.1.101:53
    Apr 26 06:43:05 [6283]: IDS181/nops-x86: 63.226.81.13:1351 -> 172.16.1.107:53
    Apr 26 06:44:25 victim7 PAM_pwdb[12509]: (login) session opened for user simple by (uid=0)
    Apr 26 06:44:36 victim7 PAM_pwdb[12521]: (su) session opened for user simon by simple(uid=506)
    Apr 26 06:45:34 [6283]: IDS175/socks-probe: 24.112.167.35:20 -> 172.16.1.107:1080
    Apr 26 06:52:10 [6283]: IDS127/telnet-login-incorrect: 172.16.1.107:23 -> 213.28.22.189:4558

    From the options given below, choose the one that best interprets the following entry:

    Apr 26 06:43:05 [6283]: IDS181/nops-x86: 63.226.81.13:1351 -> 172.16.1.107:53

    A. An IDS evasion technique
    B. A buffer overflow attempt
    C. A DNS zone transfer
    D. Data being retrieved from 63.226.81.13

  • Question 83:

    When monitoring for both intrusion and security events between multiple computers, it is essential that the computers' clocks are synchronized. Synchronized time allows an administrator to reconstruct what took place during an attack against multiple computers. Without synchronized time, it is very difficult to determine exactly when specific events took place, and how events interlace. What is the name of the service used to synchronize time among multiple computers?

    A. Universal Time Set
    B. Network Time Protocol
    C. SyncTime Service
    D. Time-Sync Protocol

  • Question 84:

    What layer of the OSI model do TCP and UDP utilize?

    A. Data Link
    B. Network
    C. Transport
    D. Session

  • Question 85:

    At what layer of the OSI model do routers function?

    A. 4
    B. 3
    C. 1
    D. 5

  • Question 86:

    A(n) _____________________ is one that's performed by a computer program rather than the attacker manually performing the steps in the attack sequence.

    A. blackout attack
    B. automated attack
    C. distributed attack
    D. central processing attack

  • Question 87:

    You are the security analyst working for a private company out of France. Your current assignment is to obtain credit card information from a Swiss bank owned by that company. After initial reconnaissance, you discover that the bank security defenses are very strong and would take too long to penetrate. You decide to get the information by monitoring the traffic between the bank and one of its subsidiaries in London. After monitoring some of the traffic, you see a lot of FTP packets traveling back and forth. You want to sniff the traffic and extract usernames and passwords. What tool could you use to get this information?

    A. Airsnort
    B. Snort
    C. Ettercap
    D. RaidSniff

  • Question 88:

    Which part of the Windows Registry contains the user's password file?

    A. HKEY_LOCAL_MACHINE
    B. HKEY_CURRENT_CONFIGURATION
    C. HKEY_USER
    D. HKEY_CURRENT_USER

  • Question 89:

    While presenting his case to the court, Simon calls many witnesses to the stand to testify. Simon decides to call Hillary Taft, a lay witness, to the stand. Since Hillary is a lay witness, what field would she be considered an expert in?

    A. Technical material related to forensics
    B. No particular field
    C. Judging the character of defendants/victims
    D. Legal issues

  • Question 90:

    How many bits long is the Source Port Number field in the TCP header?

    A. 16
    B. 32
    C. 48
    D. 64

Tips on How to Prepare for the Exams

Nowadays, certification exams are becoming more and more important, and more and more enterprises require them when you apply for a job. But how do you prepare for the exam effectively? How do you prepare for the exam in a short time with less effort? How do you get an ideal result, and how do you find the most reliable resources? Here on Vcedump.com, you will find all the answers. Vcedump.com provides not only EC-COUNCIL exam questions, answers and explanations but also complete assistance with your exam preparation and certification application. If you are confused about your EC0-349 exam preparation or your EC-COUNCIL certification application, do not hesitate to visit Vcedump.com to find your solutions.