312-49v9 Exam - ECCouncil Computer Hacking Forensic Investigator (V9)

Free 312-49v9 dump questions:

NEW QUESTION 1
Why would you need to find out the gateway of a device when investigating a wireless attack?

  • A. The gateway will be the IP of the proxy server used by the attacker to launch the attack
  • B. The gateway will be the IP of the attacker's computer
  • C. The gateway will be the IP used to manage the RADIUS server
  • D. The gateway will be the IP used to manage the access point

Answer: D

NEW QUESTION 2
What is a chain of custody?

  • A. A legal document that demonstrates the progression of evidence as it travels from the original evidence location to the forensic laboratory
  • B. It is a search warrant that is required for seizing evidence at a crime scene
  • C. It is a document that lists a chain of Windows process events
  • D. Chain of custody refers to obtaining preemptive court order to restrict further damage of evidence in electronic seizures

Answer: A

NEW QUESTION 3
What is the slave device connected to the secondary IDE controller on a Linux OS referred to?

  • A. hda
  • B. hdd
  • C. hdb
  • D. hdc

Answer: B

NEW QUESTION 4
When a file or folder is deleted, the complete path, including the original file name, is stored in a special hidden file called "INFO2" in the Recycled folder. If the INFO2 file is deleted, it is re-created when you ___.

  • A. Restart Windows
  • B. Kill the running processes in Windows task manager
  • C. Run the antivirus tool on the system
  • D. Run the anti-spyware tool on the system

Answer: A

NEW QUESTION 5
In what way do the procedures for dealing with evidence in a criminal case differ from the procedures for dealing with evidence in a civil case?

  • A. Evidence must be handled in the same way regardless of the type of case
  • B. Evidence procedures are not important unless you work for a law enforcement agency
  • C. Evidence in a criminal case must be secured more tightly than in a civil case
  • D. Evidence in a civil case must be secured more tightly than in a criminal case

Answer: C

NEW QUESTION 6
Network forensics can be defined as the sniffing, recording, acquisition and analysis of the network traffic and event logs in order to investigate a network security incident.

  • A. True
  • B. False

Answer: A

NEW QUESTION 7
A(n) ____ is one that’s performed by a computer program rather than the attacker manually performing the steps in the attack sequence.

  • A. blackout attack
  • B. automated attack
  • C. distributed attack
  • D. central processing attack

Answer: B

NEW QUESTION 8
When examining a hard disk without a write-blocker, you should not start Windows because Windows will write data to the:

  • A. Recycle Bin
  • B. MSDOS.sys
  • C. BIOS
  • D. Case files

Answer: A

NEW QUESTION 9
When cataloging digital evidence, the primary goal is to

  • A. Make bit-stream images of all hard drives
  • B. Preserve evidence integrity
  • C. Not remove the evidence from the scene
  • D. Not allow the computer to be turned off

Answer: B

NEW QUESTION 10
What will the following Linux command accomplish? dd if=/dev/mem of=/home/sam/mem.bin bs=1024

  • A. Copy the master boot record to a file
  • B. Copy the contents of the system folder "mem" to a file
  • C. Copy the running memory to a file
  • D. Copy the memory dump file to an image file

Answer: C

NEW QUESTION 11
Simon is a former employee of Trinitron XML Inc. He feels he was wrongly terminated and wants to hack into his former company's network. Since Simon remembers some of the server names, he attempts to run the axfr and ixfr commands using DIG. What is Simon trying to accomplish here?

  • A. Send DOS commands to crash the DNS servers
  • B. Perform DNS poisoning
  • C. Enumerate all the users in the domain
  • D. Perform a zone transfer

Answer: D

NEW QUESTION 12
Jonathan is a network administrator who is currently testing the internal security of his network. He is attempting to hijack a session, using Ettercap, of a user connected to his Web server. Why will Jonathan not succeed?

  • A. Only FTP traffic can be hijacked
  • B. Only an HTTPS session can be hijacked
  • C. HTTP protocol does not maintain session
  • D. Only DNS traffic can be hijacked

Answer: C

NEW QUESTION 13
A computer forensics investigator is inspecting the firewall logs for a large financial institution that has employees working 24 hours a day, 7 days a week.
[Exhibit: screenshot not reproduced]
What can the investigator infer from the screenshot seen below?

  • A. A smurf attack has been attempted
  • B. A denial of service has been attempted
  • C. Network intrusion has occurred
  • D. Buffer overflow attempt on the firewall

Answer: C

NEW QUESTION 14
What method of copying should always be performed first before carrying out an investigation?

  • A. Parity-bit copy
  • B. Bit-stream copy
  • C. MS-DOS disc copy
  • D. System level copy

Answer: B

NEW QUESTION 15
You are running known exploits against your network to test for possible vulnerabilities. To test the strength of your virus software, you load a test network to mimic your production network. Your software successfully blocks some simple macro and encrypted viruses. You decide to really test the software by using virus code where the code rewrites itself entirely and the signatures change from child to child, but the functionality stays the same. What type of virus is this that you are testing?

  • A. Oligomorphic
  • B. Transmorphic
  • C. Polymorphic
  • D. Metamorphic

Answer: D

NEW QUESTION 16
Which of the following is the certifying body of forensics labs that investigate criminal cases by analyzing evidence?

  • A. The American Society of Crime Laboratory Directors (ASCLD)
  • B. International Society of Forensics Laboratory (ISFL)
  • C. The American Forensics Laboratory Society (AFLS)
  • D. The American Forensics Laboratory for Computer Forensics (AFLCF)

Answer: A
