ECCouncil Computer Hacking Forensic Investigator
Question No: 111 – (Topic 2)
Harold is a security analyst who has just run the rdisk /s command to grab the backup SAM file on a computer. Where should Harold navigate on the computer to find the file?
Question No: 112 – (Topic 2)
Why is it still possible to recover files that have been emptied from the Recycle Bin on a Windows computer?
The data is still present until the original location of the file is used
The data is moved to the Restore directory and is kept there indefinitely
The data will reside in the L2 cache on a Windows computer until it is manually deleted
It is not possible to recover data that has been emptied from the Recycle Bin
Question No: 113 – (Topic 2)
What stage of the incident handling process involves reporting events?
Question No: 114 – (Topic 2)
The following excerpt is taken from a honeypot log. The log captures activities across three days. There are several intrusion attempts; however, a few are successful.
(Note: The objective of this question is to test whether the student can read basic information from log entries and interpret the nature of attack.)
Apr 24 14:46:46 : spp_portscan: portscan detected from 220.127.116.11
Apr 24 14:46:46 : IDS27/FIN Scan: 18.104.22.168:56693 -> 172.16.1.107:482
Apr 24 18:01:05 : IDS/DNS-version-query: 22.214.171.124:3485 -> 172.16.1.107:53
Apr 24 19:04:01 : IDS213/ftp-passwd-retrieval: 126.96.36.199:1425 ->
Apr 25 08:02:41 : spp_portscan: PORTSCAN DETECTED from 188.8.131.52
Apr 25 02:08:07 : IDS277/DNS-version-query: 184.108.40.206:4499 ->
Apr 25 02:08:07 : IDS277/DNS-version-query: 220.127.116.11:4630 ->
Apr 25 02:38:17 : IDS/RPC-rpcinfo-query: 18.104.22.168:642 -> 172.16.1.107:111
Apr 25 19:37:32 : IDS230/web-cgi-space-wildcard: 22.214.171.124:4221 ->
Apr 26 05:45:12 : IDS212/dns-zone-transfer: 126.96.36.199:2291 -> 172.16.1.101:53
Apr 26 06:43:05 : IDS181/nops-x86: 188.8.131.52:1351 -> 172.16.1.107:53
Apr 26 06:44:25 victim7 PAM_pwdb: (login) session opened for user simple by (uid=0)
Apr 26 06:44:36 victim7 PAM_pwdb: (su) session opened for user simon by simple(uid=506)
Apr 26 06:45:34 : IDS175/socks-probe: 184.108.40.206:20 -> 172.16.1.107:1080
Apr 26 06:52:10 : IDS127/telnet-login-incorrect: 172.16.1.107:23 ->
From the options given below choose the one which best interprets the following entry: Apr 26 06:43:05 : IDS181/nops-x86: 220.127.116.11:1351 -> 172.16.1.107:53
An IDS evasion technique
A buffer overflow attempt
A DNS zone transfer
Data being retrieved from 18.104.22.168
Question No: 115 – (Topic 2)
What feature of Windows is the following command trying to utilize?
Question No: 116 – (Topic 2)
An employee is suspected of stealing proprietary information belonging to your company that he had no rights to possess. The information was stored on the employee's computer, which was protected with the NTFS Encrypted File System (EFS), and you had observed him copy the files to a floppy disk just before leaving work for the weekend. You detain the employee before he leaves the building and recover the floppy disk and secure his computer. Will you be able to break the encryption so that you can verify that the employee was in possession of the proprietary information?
EFS uses a 128-bit key that cannot be cracked, so you will not be able to recover the information
The EFS Revoked Key Agent can be used on the computer to recover the information
When the encrypted file was copied to the floppy disk, it was automatically unencrypted, so you can recover the information
When the encrypted file was copied to the floppy disk, the EFS private key was also copied to the floppy disk, so you can recover the
Question No: 117 – (Topic 2)
One technique for hiding information is to change the file extension from the correct one to one that might not be noticed by an investigator. For example, changing a
.jpg extension to a .doc extension so that a picture file appears to be a document. What can an investigator examine to verify that a file has the correct extension?
the File Allocation Table
the file header
the file footer
the sector map
Question No: 118 – (Topic 2)
What method of computer forensics will allow you to trace all user accounts ever established on a Windows 2000 server over the course of its lifetime?
forensic duplication of hard drive
analysis of volatile data
comparison of MD5 checksums
review of SIDs in the Registry
Answer: D
Explanation:
Not MD5: MD5 checksums are used as integrity checks.
User accounts are assigned a unique SID, and SIDs are not reused.
Question No: 119 – (Topic 2)
Before you are called to testify as an expert, what must an attorney do first?
engage in damage control
prove that the tools you used to conduct your examination are perfect
read your curriculum vitae to the jury
qualify you as an expert witness
Question No: 120 – (Topic 2)
Meyer Electronics Systems recently had a number of laptops stolen out of their office. These laptops contained sensitive corporate information regarding patents and company strategies. A month after the laptops were stolen, a competing company was found to have just developed products that almost exactly duplicated products that Meyer produces. What could have prevented this information from being stolen from the laptops?