EC Council Certified Incident Handler (ECIH v2)
Last Update May 8, 2024
Total Questions : 168
We are offering FREE 212-89 ECCouncil exam questions. All you do is to just go and sign up. Give your details, prepare 212-89 free exam questions and then go for complete pool of EC Council Certified Incident Handler (ECIH v2) test questions that will help you more.
John is performing memory dump analysis in order to find out the traces of malware.
He has employed volatility tool in order to achieve his objective.
Which of the following volatility framework commands he will use in order to analyze running process from the memory dump?
Smith employs various malware detection techniques to thoroughly examine the
network and its systems for suspicious and malicious malware files. Among all
techniques, which one involves analyzing the memory dumps or binary codes for the
traces of malware?
Auser downloaded what appears to be genuine software. Unknown to her, when she installed the application, it executed code that provided an unauthorized remote attacker access to her computer. What type of malicious threat displays this characteristic?
In which of the following types of insider threats an insider who is uneducated on
potential security threats or simply bypasses general security procedures to meet
workplace efficiency?
XYZ Inc. was affected by a malware attack and James, being the incident handling and
response (IH&R) team personnel handling the incident, found out that the root cause of
the incident is a backdoor that has bypassed the security perimeter due to an existing
vulnerability in the deployed firewall. James had contained the spread of the infection
and removed the malware completely. Now the organization asked him to perform
incident impact assessment to identify the impact of the incident over the organization
and he was also asked to prepare a detailed report of the incident.
Which of the following stages in IH&R process is James working on?
ZYX company experienced a DoS/DDoS attack on their network. Upon investigating the incident, they concluded that the attack is an application-layer attack. Which of the following attacks did the attacker use?
You are talking to a colleague who Is deciding what information they should include in their organization’s logs to help with security auditing. Which of the following items should you tell them to NOT log?
Which of the following best describes an email issued as an attack medium, in which several messages are sent to a mailbox to cause overflow?
Which of the following is not a countermeasure to eradicate inappropriate usage
incidents?
Adam is an incident handler who intends to use DBCC LOG command to analyze a database and retrieve the active transaction log files for the specified database. The syntax of DBCC LOG command is DBCC LOG(, ), where the output parameter specifies the level of information an incident handler wants to retrieve. If Adam wants to retrieve the full information on each operation along with the hex dump of a current transaction row, which of the following output parameters should Adam use?
A malicious, security-breaking program is disguised as a useful program. Such executable programs, which are installed when a file is opened, allow others to control a user's system. What is this type of program called?
Khai was tasked with examining the logs from a Linux email server. The server uses Sendmail to execute the command to send emailsand Syslog to maintain logs. To validate the data within email headers, which of the following directories should Khai check for information such as source and destination IP addresses, dates, and timestamps?
Bran is an incident handler who is assessing the network of the organization. In the
process, he wants to detect ping sweep attempts on the network using Wireshark tool.
Which of the following Wireshark filter he must use to accomplish this task?
Identify the network security incident where intended or authorized users are prevented from using system, network, or applications by flooding the network with a
high volume of traffic that consumes all existing network resources.
Which of the following techniques prevent or mislead incident-handling process and may also affect the collection, preservation, and identification phases of the forensic
investigation process?
Which of the following email security tools can be used by an incident handler to
prevent the organization against evolving email threats?
In which of the following types of fuzz testing strategies the new data will be generated
from scratch and the amount of data to be generated are predefined based on the
testing model?
For analyzing the system, the browser data can be used to access various credentials.
Which of the following tools is used to analyze the history data files in Microsoft Edge browser?
An incident handler is analyzing email headers to find out suspicious emails.
Which of the following tools he/she must use in order to accomplish the task?
Nervous Nat often sends emails with screenshots of what he thinks are serious incidents, but they always turn out to be false positives. Today, he sends another screenshot, suspecting a nation-state attack. As usual, you go through your list of questions, check your resources for information to determine whether the screenshot shows a real attack, and determine the condition of your network. Which step of IR did you just perform?
Bob, an incident responder at CyberTech Solutions, is investigating a cybercrime attack occurred in the client company. He acquired the evidence data, preserved it, and started
performing analysis on acquired evidentiary data to identify the source of the crime and the culprit behind the incident.
Identify the forensic investigation phase in which Bob is currently in.
Ikeo Corp, hired an incident response team to assess the enterprise security. As part of the incident handling and response process, the IR team is reviewing the current security policies implemented by the enterprise. The IR team finds that employees of the organization do not have any restrictions on Internet access: they are allowed to visit any site, download any application, and access a computer or network from a remote location. Considering this as the main security threat, the IR team plans to change this policy as it can be easily exploited by attackers. Which of the following security policies is the IR team planning to modify?
Michael is a part of the computer incident response team of a company. One of his responsibilities is to handle email incidents. The company receives an email from an unknown source, and one of the steps that he needs to take is to check the validity of the email. Which of the following tools should he use?
Which of the following is a type of malicious code or software that appears legitimate but can take control of your computer?
If the browser does not expire the session when the user fails to logout properly, which of the following OWASP Top 10 web vulnerabilities is caused?
Stanley works as an incident responder at a top MNC based out of Singapore. He was asked to investigate a cybersecurity incident that recently occurred in the company.
While investigating the crime, he collected the evidence from the victim systems. He must present this evidence in a clear and comprehensible manner to the members of
jury so that the evidence explains the facts clearly and further helps in obtaining an expert opinion on the same to confirm the investigation process.
In the above scenario, what is the characteristic of the digital evidence Stanley tried to preserve?
Mike is an incident handler for PNP Infosystems Inc. One day, there was a ticket submitted regarding a critical incident and Mike was assigned to handle the incident. During the process of incident handling, at one stage, he performed incident analysis and validation to check whether the incident is a genuine incident or a false positive.
Identify the stage he is currently in.
Alice is a disgruntled employee. She decided to acquire critical information from her organization for financial benefit. To acccomplish this, Alice started running a virtual machine on the same physical host as her victim's virtual machine and took advantage of shared physical resources (processor cache) to steal data (cryptographic key/plain text secrets) from the victim machine. Identify the type of attack Alice is performing in the above scenario.
Otis is an incident handler working in Delmont organization. Recently, the organization is facing several setbacks in the business and thereby its revenues are going down. Otis
was asked to take the charge and look into the matter. While auditing the enterprise security, he found the traces of an attack, where the proprietary information was stolen
from the enterprise network and was passed onto the competitors.
Which of the following information security incidents Delmont organization faced?
Dash wants to perform a DoS attack over 256 target URLs simultaneously.
Which of the following tools can Dash employ to achieve his objective?
Otis is an incident handler working in an organization called Delmont. Recently, the organization faced several setbacks in business, whereby its revenues are decreasing. Otis was asked to take charge and look into the matter. While auditing the enterprise security, he found traces of an attack through which proprietary information was stolen from the enterprise network and passed onto their competitors. Which of the following information security incidents did Delmont face?
Andrew, an incident responder, is performing risk assessment of the client organization.
As a part of risk assessment process, he identified the boundaries of the IT systems,
along with the resources and the information that constitute the systems.
Identify the risk assessment step Andrew is performing.
Rica works as an incident handler for an international company. As part of her role, she must review the present security policy implemented. Upon inspection, Rica finds that the policy is wide open, and only known dangerous services/attacks or behaviors are blocked. Which of the following is the current policy that Rica identified?
Ren is assigned to handle a security incident of an organization. He is tasked with forensics investigation to find the evidence needed by the management. Which of the following steps falls under the investigation phase of the computer forensics investigation process?
Patrick is doing a cyber forensic investigation. He is in the process of collecting physical
evidence at the crime scene.
Which of the following elements he must consider while collecting physical evidence?
Which of the following types of digital evidence is temporarily stored in a digital device that requires constant power supply and is deleted if the power supply is interrupted?
Finn is working in the eradication phase, wherein he is eliminating the root cause of an incident that occurred in the Windows operating system installed in a system. He ran a tool that can detect missing security patches and install the latest patches on the system and networks. Which of the following tools did he use to detect the missing security patches?
Which of the following is defined as the identification of the boundaries of an IT system along with the resources and information that constitute the system?
During the process of detecting and containing malicious emails, incident responders
should examine the originating IP address of the emails.
The steps to examine the originating IP address are as follow:
1. Search for the IP in the WHOIS database
2. Open the email to trace and find its header
3. Collect the IP address of the sender from the header of the received mail
4. Look for the geographic address of the sender in the WHOIS database
Identify the correct sequence of steps to be performed by the incident responders to
examine originating IP address of the emails.
Michael is an incident handler at CyberTech Solutions. He is performing detection and analysis of a cloud security incident. He is analyzing the file systems, slack spaces, and
metadata of the storage units to find hidden malware and evidence of malice.
Identify the cloud security incident handled by Michael.
Jason is setting up a computer forensics lab and must perform the following steps: 1. physical location and structural design considerations; 2. planning and budgeting; 3. work area considerations; 4. physical security recommendations; 5. forensic lab licensing; 6. human resource considerations. Arrange these steps in the order of execution.
James has been appointed as an incident handling and response (IH&R) team lead and
he was assigned to build an IH&R plan along with his own team in the company.
Identify the IH&R process step James is currently working on.
Alexis is working as an incident responder in XYZ organization. She was asked to identify and attribute the actors behind an attack that took place recently. In order to do so, she is performing threat attribution that deals with the identification of the specific person, society, or a country sponsoring a well-planned and executed intrusion or attack over its target. Which of the following types of threat attributions Alexis performed?
Rose is an incident-handling person and she is responsible for detecting and eliminating
any kind of scanning attempts over the network by any malicious threat actors. Rose
uses Wireshark tool to sniff the network and detect any malicious activities going on.
Which of the following Wireshark filters can be used by her to detect TCP Xmas scan
attempt by the attacker?
Eric works as a system administrator in ABC organization. He granted privileged users with unlimited permissions to access the systems. These privileged users can misuse
their rights unintentionally or maliciously or attackers can trick them to perform malicious activities.
Which of the following guidelines helps incident handlers to eradicate insider attacks by privileged users?
Employee monitoring tools are mostly used by employers to find which of the following?