Latest Certified Success Dumps Download

EC1-349 Latest Exam (Sep 2017)

[Free] 2017(Sep) EnsurePass Dumpsleader ECCouncil EC1-349 Dumps with VCE and PDF 111-120

September 23, 2017

2017 Sep ECCouncil Official New Released EC1-349
100% Free Download! 100% Pass Guaranteed!

ECCouncil Computer Hacking Forensic Investigator

Question No: 111 – (Topic 2)

Harold is a security analyst who has just run the rdisk /s command to grab the backup SAM file on a computer. Where should Harold navigate on the computer to find the file?

  1. %systemroot%\LSA

  2. %systemroot%\system32\drivers\etc

  3. %systemroot%\repair

  4. %systemroot%\system32\LSA

Answer: C

Question No: 112 – (Topic 2)

Why is it still possible to recover files that have been emptied from the Recycle Bin on a Windows computer?

  1. The data is still present until the original location of the file is used

  2. The data is moved to the Restore directory and is kept there indefinitely

  3. The data will reside in the L2 cache on a Windows computer until it is manually deleted

  4. It is not possible to recover data that has been emptied from the Recycle Bin

Answer: A

Question No: 113 – (Topic 2)

What stage of the incident handling process involves reporting events?

  1. Containment

  2. Follow-up

  3. Identification

  4. Recovery

Answer: C

Question No: 114 – (Topic 2)

The following excerpt is taken from a honeypot log. The log captures activities across three days. There are several intrusion attempts; however, a few are successful.

(Note: The objective of this question is to test whether the student can read basic information from log entries and interpret the nature of attack.)

Apr 24 14:46:46 [4663]: spp_portscan: portscan detected from

Apr 24 14:46:46 [4663]: IDS27/FIN Scan: -gt;

Apr 24 18:01:05 [4663]: IDS/DNS-version-query: -gt;

Apr 24 19:04:01 [4663]: IDS213/ftp-passwd-retrieval: -gt;

Apr 25 08:02:41 [5875]: spp_portscan: PORTSCAN DETECTED from

Apr 25 02:08:07 [5875]: IDS277/DNS-version-query: -gt;

Apr 25 02:08:07 [5875]: IDS277/DNS-version-query: -gt;

Apr 25 02:38:17 [5875]: IDS/RPC-rpcinfo-query: -gt;

Apr 25 19:37:32 [5875]: IDS230/web-cgi-space-wildcard: -gt;

Apr 26 05:45:12 [6283]: IDS212/dns-zone-transfer: -gt;

Apr 26 06:43:05 [6283]: IDS181/nops-x86: -gt;

Apr 26 06:44:25 victim7 PAM_pwdb[12509]: (login) session opened for user simple by (uid=0)

Apr 26 06:44:36 victim7 PAM_pwdb[12521]: (su) session opened for user simon by simple(uid=506)

Apr 26 06:45:34 [6283]: IDS175/socks-probe: -gt;

Apr 26 06:52:10 [6283]: IDS127/telnet-login-incorrect: -gt;

From the options given below choose the one which best interprets the following entry: Apr 26 06:43:05 [6283]: IDS181/nops-x86: -gt;

  1. An IDS evasion technique

  2. A buffer overflow attempt

  3. A DNS zone transfer

  4. Data being retrieved from

Answer: A

Question No: 115 – (Topic 2)

What feature of Windows is the following command trying to utilize?

Ensurepass 2017 PDF and VCE

  1. White space

  2. AFS

  3. ADS

  4. Slack file

Answer: C

Question No: 116 – (Topic 2)

An employee is suspected of stealing proprietary information belonging to your company that he had no rights to possess. The information was stored on the employee computer that was protected with the NTFS Encrypted File System (EFS) and you had observed him

copy the files to astored on the employee? computer that was protected with the NTFS Encrypted File System (EFS) and you had observed him copy the files to a floppy disk just before leaving work for the weekend. You detain the employee before he leaves the building and recover the floppy disk and secure his computer. Will you be able to break the encryption so that you can verify that the employee was in possession of the proprietary information?

  1. EFS uses a 128-bit key that cannot be cracked, so you will not be able to recover the information

  2. The EFS Revoked Key Agent can be used on the computer to recover the information

  3. When the encrypted file was copied to the floppy disk, it was automatically unencrypted, so you can recover the information

  4. When the encrypted file was copied to the floppy disk, the EFS private key was also copied to the floppy disk, so you can recover the


Answer: C

Question No: 117 – (Topic 2)

One technique for hiding information is to change the file extension from the correct one to one that might not be noticed by an investigator. For example, changing a

.jpg extension to a .doc extension so that a picture file appears to be a document. What can an investigator examine to verify that a file has the correct extension?

  1. the File Allocation Table

  2. the file header

  3. the file footer

  4. the sector map

Answer: B

Question No: 118 – (Topic 2)

What method of computer forensics will allow you to trace all ever-established user accounts on a Windows 2000 server the course of its lifetime?

  1. forensic duplication of hard drive

  2. analysis of volatile data

  3. comparison of MD5 checksums

  4. review of SIDs in the Registry

Answer: D Explanation:

Not MD5: MD5 checksums are used as integrity checks

User accounts are assigned a unique SID, and the SID are not reused.

Question No: 119 – (Topic 2)

Before you are called to testify as an expert, what must an attorney do first?

  1. engage in damage control

  2. prove that the tools you used to conduct your examination are perfect

  3. read your curriculum vitae to the jury

  4. qualify you as an expert witness

Answer: D

Question No: 120 – (Topic 2)

Meyer Electronics Systems just recently had a number of laptops stolen out of their office. On these laptops contained sensitive corporate information regarding patents and company strategies. A month after the laptops were stolen, a competing company was found to have just developed products that almost exactly duplicated products that Meyer produces. What could have prevented this information from being stolen from the laptops?

  1. DFS Encryption

  2. EFS Encryption

  3. SDW Encryption

  4. IPS Encryption

Answer: B

100% Free Download!
Download Free Demo:EC1-349 Demo PDF
100% Pass Guaranteed!
Download 2017 EnsurePass EC1-349 Full Exam PDF and VCE

EnsurePass ExamCollection Testking
Lowest Price Guarantee Yes No No
Up-to-Dated Yes No No
Real Questions Yes No No
Explanation Yes No No
Free VCE Simulator Yes No No
Instant Download Yes No No

2017 EnsurePass IT Certification PDF and VCE