312-49v9 Exam - ECCouncil Computer Hacking Forensic Investigator (V9)

certleader.com


Online EC-Council 312-49v9 free dumps demo below:

NEW QUESTION 1
Melanie was newly assigned to an investigation and asked to make a copy of all the evidence from the compromised system. Melanie did a DOS copy of all the files on the system. What would be the primary reason for you to recommend a disk imaging tool?

  • A. A disk imaging tool would check for CRC32s for internal self checking and validation and have MD5 checksum
  • B. Evidence file format will contain case data entered by the examiner and encrypted at the beginning of the evidence file
  • C. A simple DOS copy will not include deleted files, file slack and other information
  • D. There is no case for an imaging tool as it will use a closed, proprietary format that if compared to the original will not match up sector for sector

Answer: C

NEW QUESTION 2
What technique used by EnCase makes it virtually impossible to tamper with evidence once it has been acquired?

  • A. Every byte of the file(s) is given an MD5 hash to match against a master file
  • B. Every byte of the file(s) is verified using 32-bit CRC
  • C. Every byte of the file(s) is copied to three different hard drives
  • D. Every byte of the file(s) is encrypted using three different methods

Answer: B

NEW QUESTION 3
This is the original file structure database that Microsoft originally designed for floppy disks. It is written to the outermost track of a disk and contains information about each file stored on the drive.

  • A. Master Boot Record (MBR)
  • B. Master File Table (MFT)
  • C. File Allocation Table (FAT)
  • D. Disk Operating System (DOS)

Answer: C

Explanation: An MBR is usually found on fixed disks, not floppies. An MFT is part of NTFS, and NTFS is not used on floppies. DOS is an operating system, not a file structure database.

NEW QUESTION 4
Which is a Linux journaling file system?

  • A. Ext3
  • B. HFS
  • C. FAT
  • D. BFS

Answer: A

NEW QUESTION 5
Jacob is a computer forensics investigator with over 10 years of experience in investigations and has written over 50 articles on computer forensics. He has been called upon as a qualified witness to testify to the accuracy and integrity of the technical log files gathered in an investigation into computer fraud. What is the term used for Jacob's testimony in this case?

  • A. Justification
  • B. Authentication
  • C. Reiteration
  • D. Certification

Answer: B

NEW QUESTION 6
A steganographic file system is a method to store files in a way that encrypts and hides the data without the knowledge of others.

  • A. True
  • B. False

Answer: A

NEW QUESTION 7
The evolution of web services and their increasing use in business offers new attack vectors in an application framework. Web services are based on XML protocols such as Web Services Definition Language (WSDL) for describing the connection points, Universal Description, Discovery, and Integration (UDDI) for the description and discovery of Web services, and Simple Object Access Protocol (SOAP) for communication between Web services, all of which are vulnerable to various web application threats. Which of the following layers in the web services stack is vulnerable to fault code leaks?

  • A. Presentation Layer
  • B. Security Layer
  • C. Discovery Layer
  • D. Access Layer

Answer: C

NEW QUESTION 8
Study the log given below and answer the following question:
Apr 24 14:46:46 [4663]: spp_portscan: portscan detected from 194.222.156.169
Apr 24 14:46:46 [4663]: IDS27/FIN Scan: 194.222.156.169:56693 -> 172.16.1.107:482
Apr 24 18:01:05 [4663]: IDS/DNS-version-query: 212.244.97.121:3485 -> 172.16.1.107:53
Apr 24 19:04:01 [4663]: IDS213/ftp-passwd-retrieval: 194.222.156.169:1425 -> 172.16.1.107:21
Apr 25 08:02:41 [5875]: spp_portscan: PORTSCAN DETECTED from 24.9.255.53
Apr 25 02:08:07 [5875]: IDS277/DNS-version-query: 63.226.81.13:4499 -> 172.16.1.107:53
Apr 25 02:08:07 [5875]: IDS277/DNS-version-query: 63.226.81.13:4630 -> 172.16.1.101:53
Apr 25 02:38:17 [5875]: IDS/RPC-rpcinfo-query: 212.251.1.94:642 -> 172.16.1.107:111
Apr 25 19:37:32 [5875]: IDS230/web-cgi-space-wildcard: 198.173.35.164:4221 -> 172.16.1.107:80
Apr 26 05:45:12 [6283]: IDS212/dns-zone-transfer: 38.31.107.87:2291 -> 172.16.1.101:53
Apr 26 06:43:05 [6283]: IDS181/nops-x86: 63.226.81.13:1351 -> 172.16.1.107:53
Apr 26 06:44:25 victim7 PAM_pwdb[12509]: (login) session opened for user simple by (uid=0)
Apr 26 06:44:36 victim7 PAM_pwdb[12521]: (su) session opened for user simon by simple(uid=506)
Apr 26 06:45:34 [6283]: IDS175/socks-probe: 24.112.167.35:20 -> 172.16.1.107:1080
Apr 26 06:52:10 [6283]: IDS127/telnet-login-incorrect: 172.16.1.107:23 -> 213.28.22.189:4558
Precautionary measures to prevent this attack would include writing firewall rules. Of these firewall rules, which among the following would be appropriate?

  • A. Disallow UDP 53 in from outside to DNS server
  • B. Allow UDP 53 in from DNS server to outside
  • C. Disallow TCP 53 in from secondaries or ISP server to DNS server
  • D. Block all UDP traffic

Answer: A

NEW QUESTION 9
Windows identifies which application to open a file with by examining which of the following?

  • A. The file extension
  • B. The file attributes
  • C. The file signature at the end of the file
  • D. The file signature at the beginning of the file

Answer: A

NEW QUESTION 10
A packet is sent to a router that does not have the packet's destination address in its route table. How will the packet get to its proper destination?

  • A. Border Gateway Protocol
  • B. Root Internet servers
  • C. Gateway of last resort
  • D. Reverse DNS

Answer: C

NEW QUESTION 11
Which Intrusion Detection System (IDS) usually produces the most false alarms due to the unpredictable behaviors of users and networks?

  • A. network-based IDS systems (NIDS)
  • B. host-based IDS systems (HIDS)
  • C. anomaly detection
  • D. signature recognition

Answer: BC

Explanation: NIDS and HIDS are types of IDS, host-based or network-based, and the distinction addresses placement of the probe. Anomaly detection is based on behavior analysis, and the question says “behavior”; if the behavior is unpredictable, then the IDS won’t know what is normal and what is bad.

NEW QUESTION 12
Under which Federal Statutes does FBI investigate for computer crimes involving e-mail scams and mail fraud?

  • A. 18 U.S.C. 1029 Possession of Access Devices
  • B. 18 U.S.C. 1030 Fraud and related activity in connection with computers
  • C. 18 U.S.C. 1343 Fraud by wire, radio or television
  • D. 18 U.S.C. 1361 Injury to Government Property
  • E. 18 U.S.C. 1362 Government communication systems
  • F. 18 U.S.C. 1831 Economic Espionage Act
  • G. 18 U.S.C. 1832 Trade Secrets Act

Answer: B

NEW QUESTION 13
Jones had been trying to penetrate a remote production system for the past two weeks. This time, however, he is able to get into the system. He was able to use the system for a period of three weeks. However, law enforcement agencies were recording his every activity, and this was later presented as evidence. The organization had used a virtual environment to trap Jones. What is a virtual environment?

  • A. A system using Trojaned commands
  • B. A honeypot that traps hackers
  • C. An environment set up after the user logs in
  • D. An environment set up before a user logs in

Answer: B

NEW QUESTION 14
Which of the following should a computer forensics lab used for investigations have?

  • A. isolation
  • B. restricted access
  • C. open access
  • D. an entry log

Answer: B

NEW QUESTION 15
When a file is deleted by Windows Explorer or through the MS-DOS delete command, the operating system inserts ____ in the first letter position of the filename in the FAT database.

  • A. A Capital X
  • B. A Blank Space
  • C. The Underscore Symbol
  • D. The lowercase Greek Letter Sigma (s)

Answer: D

Explanation: When a file is deleted, the first byte is replaced with 0xE5 to mark the file as deleted or erased; this is the same for FAT12/16/32. 0xE5 also translates to ASCII 229, an “O” with a tilde.
However, using the Greek alphabet (see: http://www.ascii.ca/iso8859.7.htm), ASCII code 229 is “the lowercase Greek Letter Epsilon”, and ASCII code 243 is “Lower case Greek Letter Sigma”.
http://chexed.com/ComputerTips/asciicodes.php says that ASCII 229 is “Lowercase Greek Letter Sigma”.
So, although D looks like the correct answer here, it may require more understanding of the underlying intent of the question.

NEW QUESTION 16
Which of the following attacks allows an attacker to gain access to the communication channel between the victim and the server in order to extract information?

  • A. Man-in-the-middle (MITM) attack
  • B. Replay attack
  • C. Rainbow attack
  • D. Distributed network attack

Answer: A
