
EC-Council Certified Security Analyst (ECSA) Question and Answers

EC-Council Certified Security Analyst (ECSA)

Last Update Mar 29, 2024
Total Questions: 232

Free 412-79 (EC-Council Certified Security Analyst) sample questions are provided below; the complete pool of ECSA test questions is available after signing up.

Questions 1

You are conducting an investigation of fraudulent claims in an insurance company that involves complex text searches through large numbers of documents. Which of the following tools would allow you to quickly and efficiently search for a string within a file on the bitmap image of the target computer?

Options:

A. Stringsearch
B. grep
C. dir
D. vim

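The string search the question describes, as an added example that is not part of the exam or this page: a chunked, case-insensitive byte search over a raw disk image that reports the byte offset and sector number of every hit. The chunks overlap by one byte less than the pattern length, so a hit that straddles a read boundary is still found exactly once. The image contents, the 64-byte chunk used in the demo and the 512-byte sector size are assumptions constructed for the demonstration; on a real image the equivalent command is `grep -a -b -o -i 'claim-' image.dd` or `strings -t d image.dd | grep -i claim`.

```python
import io
import re

SECTOR = 512      # assumed sector size of the image, in bytes
CHUNK = 1 << 20   # read 1 MiB at a time so a multi-GB image never sits in RAM


def search_image(fobj, pattern: bytes, chunk: int = CHUNK,
                 sector: int = SECTOR, ignore_case: bool = True):
    """Yield (byte_offset, sector_number, context) for each occurrence of
    `pattern` in a raw image read from `fobj`.

    The last len(pattern)-1 bytes of every chunk are carried into the next
    read, so a hit that straddles a chunk boundary is still reported. A full
    match cannot fit inside the carried tail (it is one byte too short), so
    no hit is reported twice.
    """
    rx = re.compile(re.escape(pattern), re.IGNORECASE if ignore_case else 0)
    overlap = len(pattern) - 1
    carry = b""
    base = 0            # absolute image offset of buf[0] in each round
    while True:
        data = fobj.read(chunk)
        if not data:
            break
        buf = carry + data
        for m in rx.finditer(buf):
            off = base + m.start()
            ctx = buf[max(0, m.start() - 16):m.end() + 16]
            yield off, off // sector, ctx
        carry = buf[-overlap:] if overlap else b""
        base += len(buf) - len(carry)


def build_test_image() -> bytes:
    """Constructed 8-sector image (not real evidence). One claim reference is
    placed at offset 60 so that it crosses the 64-byte chunk used in the demo."""
    img = bytearray(SECTOR * 8)
    img[60:70] = b"claim-0001"
    note = b"Fraudulent CLAIM-2291 paid"
    img[1000:1000 + len(note)] = note
    return bytes(img)


def find_claims(image: bytes, pattern: bytes = b"claim-", chunk: int = 64):
    """Return [(offset, sector), ...] for every hit in an in-memory image."""
    return [(off, sec) for off, sec, _ in
            search_image(io.BytesIO(image), pattern, chunk=chunk)]


if __name__ == "__main__":
    for off, sec, ctx in search_image(io.BytesIO(build_test_image()),
                                      b"claim-", chunk=64):
        print(f"offset {off} (sector {sec}): {ctx!r}")
```

Run against the image file opened in binary mode, never against the evidence drive itself; the offset lets you go back to the sector with a hex viewer, and the sector number lets you check whether the hit sits in allocated or unallocated space.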
Questions 2

What header field in the TCP/IP protocol stack involves the hacker exploit known as the Ping of Death?

Options:

A. ICMP header field
B. TCP header field
C. IP header field
D. UDP header field

Questions 3

What term is used to describe a cryptographic technique for embedding information into something else for the sole purpose of hiding that information from the casual observer?

Options:

A. rootkit
B. key escrow
C. steganography
D. Offset

Questions 4

How many sectors will a 125 KB file use in a FAT32 file system?

Options:

A. 32
B. 16
C. 250
D. 25

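An added example (not from the exam) that carries the sector arithmetic one step further than the question: besides the number of 512-byte sectors a file's bytes span, it reports how many whole clusters FAT actually allocates and how much slack is left in the last cluster, which is where remnants of a previous file can survive. The 512-byte sector, the 8-sectors-per-cluster geometry and the binary kilobyte (1024 bytes) are assumptions.

```python
import math

SECTOR_BYTES = 512   # assumed: the standard sector size the question relies on


def fat_allocation(file_bytes: int, sectors_per_cluster: int = 8,
                   sector_bytes: int = SECTOR_BYTES) -> dict:
    """Sectors, clusters and slack for a file on a FAT volume.

    `sectors` is what the question asks for: how many sectors the file's
    bytes span. FAT allocates whole clusters, so the volume really reserves
    `allocated_bytes`; the unused tail of the last cluster is slack, and it
    can still hold fragments of whatever file used that cluster before.
    The 8-sectors-per-cluster default (4 KiB clusters) is an assumption.
    """
    if file_bytes < 0:
        raise ValueError("file size cannot be negative")
    cluster_bytes = sectors_per_cluster * sector_bytes
    sectors = math.ceil(file_bytes / sector_bytes)
    clusters = math.ceil(file_bytes / cluster_bytes)
    allocated = clusters * cluster_bytes
    return {
        "sectors": sectors,
        "clusters": clusters,
        "allocated_bytes": allocated,
        "slack_bytes": allocated - file_bytes,
    }


def kb(n: int, binary: bool = True) -> int:
    """Bytes in n KB; exam questions use the binary kilobyte (1024 bytes)."""
    return n * (1024 if binary else 1000)


if __name__ == "__main__":
    print(fat_allocation(kb(125)))
```

With the binary kilobyte, 125 KB is 128,000 bytes, exactly 250 sectors; with a decimal kilobyte it would be 245. On the volume the file occupies 32 clusters (256 sectors), and the 3,072 bytes of slack at the end are worth examining during an investigation.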
Questions 5

Under which federal statute does the FBI investigate computer crimes involving e-mail scams and mail fraud?

Options:

A. 18 U.S.C. 1029 Possession of Access Devices
B. 18 U.S.C. 1030 Fraud and related activity in connection with computers
C. 18 U.S.C. 1343 Fraud by wire, radio or television
D. 18 U.S.C. 1361 Injury to Government Property
E. 18 U.S.C. 1362 Government communication systems
F. 18 U.S.C. 1832 Trade Secrets Act

Questions 6

What binary coding is used most often for e-mail purposes?

Options:

A. MIME
B. Uuencode
C. IMAP
D. SMTP

Questions 7

When performing a forensics analysis, what device is used to prevent the system from recording data on an evidence disk?

Options:

A. a write-blocker
B. a protocol analyzer
C. a firewall
D. a disk editor

Questions 8

You are employed directly by an attorney to help investigate an alleged sexual harassment case at a large pharmaceutical manufacturer. While you are at the corporate office of the company, the CEO demands to know the status of the investigation. What prevents you from discussing the case with the CEO?

Options:

A. the attorney work-product rule
B. Good manners
C. Trade secrets
D. ISO 17799

Questions 9

You are working as a computer forensics investigator for a corporation on a computer abuse case. You discover evidence that shows the subject of your investigation is also embezzling money from the company. The company CEO and the corporate legal counsel advise you to contact law enforcement and provide them with the evidence that you have found. The law enforcement officer who responds requests that you put a network sniffer on your network and monitor all traffic to the subject's computer. You inform the officer that you will not be able to comply with that request because doing so would:

Options:

A. Violate your contract
B. Cause network congestion
C. Make you an agent of law enforcement
D. Write information to the subject's hard drive

Questions 10

Printing on a Windows computer normally requires which one of the following file types to be created?

Options:

A. EME
B. MEM
C. EMF
D. CME

Questions 11

Profiling is a forensics technique for analyzing evidence with the goal of identifying the perpetrator from their various activities. After a computer has been compromised by a hacker, which of the following would be most important in forming a profile of the incident?

Options:

A. The manufacturer of the system compromised
B. The logic, formatting and elegance of the code used in the attack
C. The nature of the attack
D. The vulnerability exploited in the incident

Questions 12

When investigating a Windows System, it is important to view the contents of the page or swap file because:

Options:

A. Windows stores all of the system's configuration information in this file
B. This is the file that Windows uses to communicate directly with the Registry
C. A large volume of data can exist within the swap file of which the computer user has no knowledge
D. This is the file that Windows uses to store the history of the last 100 commands that were run from the command line

Questions 13

A law enforcement officer may only search for and seize criminal evidence with _____________, which are facts or circumstances that would lead a reasonable person to believe a crime has been committed or is about to be committed, evidence of the specific crime exists, and the evidence of the specific crime exists at the place to be searched.

Options:

A. Mere suspicion
B. A preponderance of the evidence
C. Probable cause
D. Beyond a reasonable doubt

Questions 14

A state department site was recently attacked and all the servers had their disks erased. The incident response team sealed the area and commenced an investigation. During evidence collection they came across a Zip disk that did not have the standard labeling on it. The incident team ran the disk on an isolated system and found that the system disk was accidentally erased. They decided to call in the FBI for further investigation. Meanwhile, they shortlisted possible suspects, including three summer interns. Where did the incident team go wrong?

Options:

A. They examined the actual evidence on an unrelated system
B. They attempted to implicate personnel without proof
C. They tampered with evidence by using it
D. They called in the FBI without correlating with the fingerprint data

Questions 15


Paulette works for an IT security consulting company that is currently performing an audit for the firm ACE Unlimited. Paulette's duties include logging on to all the company's network equipment to ensure IOS versions are up to date and all the other security settings are as stringent as possible. Paulette presents the following screenshot to her boss so he can inform the client about the changes that need to be made. From the screenshot, what changes should the client company make?

Exhibit:

Options:

A. The banner should not state "only authorized IT personnel may proceed"
B. Remove any identifying numbers, names, or version information
C. The banner should have more detail on the version numbers for the network equipment
D. The banner should include the Cisco tech support contact information as well

Questions 16

What is the target host IP in the following command?

Options:

A. Firewalk does not scan target hosts
B. 172.16.28.95
C. This command is using FIN packets, which cannot scan target hosts
D. 10.10.150.1

Questions 17

Julia is a senior security analyst for Berber Consulting group. She is currently working on a contract for a small accounting firm in Florida. They have given her permission to perform social engineering attacks on the company to see if their in-house training did any good. Julia calls the main number for the accounting firm and talks to the receptionist. Julia says that she is an IT technician from the company's main office in Iowa. She states that she needs the receptionist's network username and password to troubleshoot a problem they are having. Julia says that Bill Hammond, the CEO of the company, requested this information. After hearing the name of the CEO, the receptionist gave Julia all the information she asked for.

What principle of social engineering did Julia use?

Options:

A. Reciprocation
B. Friendship/Liking
C. Social Validation
D. Scarcity

Questions 18

What will the following command produce on a website login page?

SELECT email, passwd, login_id, full_name
FROM members
WHERE email = 'someone@somehwere.com'; DROP TABLE members; --'

Options:

A. Inserts the supplied email address into the members table
B. Retrieves the password for the first user in the members table
C. Deletes the entire members table
D. This command will not produce anything since the syntax is incorrect

Questions 19

What will the following command produce on a website login page?

SELECT email, passwd, login_id, full_name
FROM members
WHERE email = 'someone@somehwere.com'; DROP TABLE members; --'

Options:

A. This command will not produce anything since the syntax is incorrect
B. Inserts the supplied email address into the members table
C. Retrieves the password for the first user in the members table
D. Deletes the entire members table

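An added example (not from the exam) that runs the injected input from Questions 18 and 19 against an in-memory SQLite table, so both outcomes can be seen side by side: the query built by string concatenation executes the attacker's DROP TABLE, while the same input bound as a parameter is treated as a literal and simply matches no row. The table contents are constructed. Python's sqlite3 `execute()` refuses stacked statements, so the vulnerable path uses `executescript()`, which, like production drivers configured to allow multiple statements, runs everything after the semicolon.

```python
import sqlite3

# The input from the question, exactly as an attacker would type it in the
# e-mail field. The leading quote closes the literal, ';' ends the SELECT,
# and '--' comments out the closing quote the application appends.
PAYLOAD = "someone@somehwere.com'; DROP TABLE members; --"

SELECT_SQL = "SELECT email, passwd, login_id, full_name FROM members WHERE email = "


def setup() -> sqlite3.Connection:
    """Constructed sample data; nothing here comes from a real system."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE members (email TEXT, passwd TEXT, login_id TEXT, full_name TEXT);
        INSERT INTO members VALUES ('alice@example.com', 's3cret',  'alice', 'Alice Example');
        INSERT INTO members VALUES ('bob@example.com',   'hunter2', 'bob',   'Bob Example');
    """)
    return conn


def table_exists(conn: sqlite3.Connection, name: str = "members") -> bool:
    row = conn.execute(
        "SELECT count(*) FROM sqlite_master WHERE type = 'table' AND name = ?",
        (name,)).fetchone()
    return row[0] == 1


def vulnerable_lookup(conn: sqlite3.Connection, email: str) -> bool:
    """Builds the query by string concatenation, so the input is parsed as SQL.
    executescript() runs every statement in the string, including the DROP.
    Returns whether the members table survived."""
    sql = SELECT_SQL + "'" + email + "'"
    conn.executescript(sql)
    return table_exists(conn)


def safe_lookup(conn: sqlite3.Connection, email: str) -> list:
    """Binds the input as a parameter: the driver passes it as data, never as
    SQL, so the quote, semicolon and DROP are just characters in a string."""
    return conn.execute(SELECT_SQL + "?", (email,)).fetchall()


def demo() -> dict:
    conn = setup()
    safe_rows = safe_lookup(conn, PAYLOAD)                   # []: no such e-mail
    table_after_safe = table_exists(conn)                    # True
    table_after_vulnerable = vulnerable_lookup(conn, PAYLOAD)  # False: dropped
    return {"safe_rows": safe_rows,
            "table_after_safe": table_after_safe,
            "table_after_vulnerable": table_after_vulnerable}


if __name__ == "__main__":
    print(demo())
```

Parameter binding is the fix; quoting or filtering the input is not, because the next payload will use a different character. Running the application's database account with rights to DROP tables is the second defect the question exposes: a login lookup needs SELECT on members and nothing more.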
Questions 20

You are carrying out the last round of testing for your new website before it goes live. The website has many dynamic pages and connects to a SQL backend that accesses your product inventory in a database. You come across a web security site that recommends inputting the following code into a search field on web pages to check for vulnerabilities:

When you type this and click on search, you receive a pop-up window that says:

"This is a test."

What is the result of this test?

Options:

A. Your website is vulnerable to CSS (cross-site scripting)
B. Your website is not vulnerable
C. Your website is vulnerable to SQL injection
D. Your website is vulnerable to web bugs

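An added example (not from the exam, which does not reproduce the string that was typed into the search field): a search page that reflects the query into its HTML, beside the same page with the query entity-encoded, and a check on the raw response that tells a tester what the pop-up told the person in the question. The test string is constructed to match the alert text in the question; the page markup is an assumption.

```python
import html

# Constructed test string of the kind the question alludes to: a script tag
# that pops an alert reading "This is a test." if the browser executes it.
TEST_PAYLOAD = '<script>alert("This is a test.")</script>'


def render_results_vulnerable(query: str) -> str:
    """Reflects the search term into the page untouched. Whatever markup the
    user typed becomes part of the document and the browser runs it."""
    return f"<h2>Results for: {query}</h2>"


def render_results_hardened(query: str) -> str:
    """Same page, but the term is entity-encoded for an HTML text context:
    < > & \" ' become entities, so the browser displays the string and
    executes nothing."""
    return f"<h2>Results for: {html.escape(query, quote=True)}</h2>"


def reflects_executable_script(page: str) -> bool:
    """Check on the raw response: is there still a live <script tag in the
    markup that came from the input?"""
    return "<script" in page.lower()


if __name__ == "__main__":
    for render in (render_results_vulnerable, render_results_hardened):
        page = render(TEST_PAYLOAD)
        print(f"{render.__name__}: executable={reflects_executable_script(page)}")
        print("   ", page)
```

The pop-up appearing means the server sent the input back unencoded and the browser executed it; nothing about the SQL backend was exercised. Encoding is context-specific: `html.escape` is right for text between tags, while values placed inside attributes, JavaScript or URLs need the encoding for that context, which is why a template engine with auto-escaping is the usual fix rather than hand-placed calls.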
Questions 21

After passing her CEH exam, Carol wants to ensure that her network is completely secure. She implements a DMZ, a stateful firewall, NAT, IPsec, and a packet filtering firewall. Since all security measures were taken, none of the hosts on her network can reach the Internet. Why is that?

Options:

A. Stateful firewalls do not work with packet filtering firewalls
B. NAT does not work with stateful firewalls
C. NAT does not work with IPsec
D. IPsec does not work with packet filtering firewalls

Questions 22

When you carve an image, recovering the image depends on which of the following skills?

Options:

A. Recognizing the pattern of the header content
B. Recovering the image from a tape backup
C. Recognizing the pattern of a corrupt file
D. Recovering the image from the tape backup

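An added example (not from the exam) of the skill the question is about: a small carver that recovers files from a blob of unallocated space purely by recognising header and footer byte patterns, with no help from file-system metadata. It also handles the case the distractor hints at, a header whose footer never comes (a truncated or corrupt file), by skipping it rather than carving to the end of the blob. The JPEG and PNG signatures are the standard magic values; the unallocated-space sample is constructed.

```python
# Header/footer byte signatures the carver keys on. These are the standard
# magic values for JPEG and PNG; the sample data below is constructed.
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xae\x42\x60\x82"),
}


def carve(blob: bytes, max_size: int = 10_000_000) -> list:
    """Return [(kind, start_offset, data), ...] for every header-to-footer span.

    Only the byte patterns are used: find a header, then the matching footer.
    A header with no footer within `max_size` bytes is treated as a
    truncated or corrupt file and skipped.
    """
    found = []
    for kind, (head, foot) in SIGNATURES.items():
        pos = 0
        while True:
            start = blob.find(head, pos)
            if start < 0:
                break
            end = blob.find(foot, start + len(head), start + max_size)
            if end < 0:
                pos = start + 1        # corrupt/truncated: move past this header
                continue
            end += len(foot)
            found.append((kind, start, blob[start:end]))
            pos = end
    return sorted(found, key=lambda item: item[1])


def build_unallocated_space() -> bytes:
    """Constructed slice of 'unallocated space': filler around one complete
    JPEG, one JPEG header whose footer is missing, and one PNG."""
    jpeg = b"\xff\xd8\xff\xe0" + b"JFIF-body-constructed" + b"\xff\xd9"
    truncated = b"\xff\xd8\xff\xe1" + b"no footer here"
    png = (b"\x89PNG\r\n\x1a\n" + b"IHDR-body-constructed"
           + b"\x00\x00\x00\x00IEND\xae\x42\x60\x82")
    return (b"\x00" * 100 + jpeg + b"\xaa" * 50 + truncated
            + b"\x00" * 30 + png + b"\x00" * 20)


if __name__ == "__main__":
    for kind, off, data in carve(build_unallocated_space()):
        print(f"{kind} at offset {off}, {len(data)} bytes")
```

A real carver adds two refinements this one omits: fragmented files, whose header and footer are not contiguous, and formats whose length is encoded in the header (PNG chunk lengths, JPEG segment lengths), which lets the tool validate what it carved instead of trusting the first footer it sees.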
Questions 23

You are working as an investigator for a corporation and you have just received instructions from your manager to assist in the collection of 15 hard drives that are part of an ongoing investigation. Your job is to complete the required evidence custody forms to properly document each piece of evidence as it is collected by other members of your team. Your manager instructs you to complete one multi-evidence form for the entire case and a single-evidence form for each hard drive. How will these forms be stored to help preserve the chain of custody of the case?

Options:

A. All forms should be placed in an approved secure container because they are now primary evidence in the case.
B. The multi-evidence form should be placed in the report file and the single-evidence forms should be kept with each hard drive in an approved secure container.
C. The multi-evidence form should be placed in an approved secure container with the hard drives and the single-evidence forms should be placed in the report file.
D. All forms should be placed in the report file because they are now primary evidence in the case.

Questions 24

What is the advantage in encrypting the communication between the agent and the monitor in an Intrusion Detection System?

Options:

A. Encryption of agent communications will conceal the presence of the agents
B. Alerts are sent to the monitor when a potential intrusion is detected
C. An intruder could intercept and delete data or alerts and the intrusion can go undetected
D. The monitor will know if counterfeit messages are being generated because they will not be encrypted

Questions 25

How many characters long is the fixed-length MD5 algorithm checksum of a critical system file?

Options:

A. 128
B. 64
C. 32
D. 16

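An added example (not from the exam) that uses the checksum the question asks about the way a practitioner does: take an MD5 baseline of critical files, then recompute and compare to find what was modified or removed. The "system files" live in a temporary directory and are constructed for the demonstration; the MD5 of zero bytes is the well-known constant.

```python
import hashlib
import os
import shutil
import tempfile

EMPTY_MD5 = "d41d8cd98f00b204e9800998ecf8427e"   # well-known MD5 of zero bytes


def md5_hex(path: str, chunk: int = 1 << 16) -> str:
    """Hex MD5 of a file, read in chunks so large binaries are not loaded whole.
    The digest is 128 bits = 16 bytes, which prints as 32 hex characters."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def baseline(paths) -> dict:
    """Record a checksum per critical file; take this on a known-good system."""
    return {p: md5_hex(p) for p in paths}


def verify(base: dict) -> dict:
    """Recompute and compare: 'ok', 'modified' or 'missing' per path."""
    status = {}
    for path, expected in base.items():
        if not os.path.exists(path):
            status[path] = "missing"
        else:
            status[path] = "ok" if md5_hex(path) == expected else "modified"
    return status


def demo() -> dict:
    """Constructed scenario: three 'system files' in a temp dir; after the
    baseline one gets an extra account line and one is deleted."""
    d = tempfile.mkdtemp(prefix="fim-")
    try:
        paths = [os.path.join(d, n) for n in ("passwd", "sshd_config", "empty")]
        contents = [b"root:x:0:0:root:/root:/bin/bash\n", b"PermitRootLogin no\n", b""]
        for p, c in zip(paths, contents):
            with open(p, "wb") as f:
                f.write(c)
        base = baseline(paths)
        with open(paths[0], "ab") as f:
            f.write(b"backdoor:x:0:0::/:/bin/sh\n")
        os.remove(paths[1])
        result = verify(base)
        return {"digest_lengths": [len(v) for v in base.values()],
                "empty_digest": base[paths[2]],
                "status": [result[p] for p in paths]}
    finally:
        shutil.rmtree(d, ignore_errors=True)


if __name__ == "__main__":
    print(demo())
```

Two caveats for anyone building on this: the baseline is only useful if it is stored where the intruder cannot rewrite it (offline, or signed), and MD5 collisions are practical today, so a new integrity baseline should use SHA-256 (`hashlib.sha256`, 64 hex characters). Hosts running in FIPS mode may also refuse `hashlib.md5()` altogether.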
Questions 26

When examining the log files from a Windows IIS Web Server, how often is a new log file created?

Options:

A. the same log is used at all times
B. a new log file is created every day
C. a new log file is created each week
D. a new log is created each time the Web Server is started

Questions 27

Lance wants to place a honeypot on his network. Which of the following would be your recommendations?

Options:

A. Use a system that has dynamic addressing on the network
B. Use a system that is not directly interacting with the router
C. Use it on a system in an external DMZ in front of the firewall
D. It doesn't matter as all replies are faked

Questions 28

When monitoring for both intrusion and security events between multiple computers, it is essential that the computers' clocks are synchronized. Synchronized time allows an administrator to reconstruct what took place during an attack against multiple computers. Without synchronized time, it is very difficult to determine exactly when specific events took place, and how events interlace. What is the name of the service used to synchronize time among multiple computers?

Options:

A. Universal Time Set
B. Network Time Protocol
C. SyncTime Service
D. Time-Sync Protocol

Questions 29

Jason has set up a honeypot environment by creating a DMZ that has no physical or logical access to his production network. In this honeypot, he has placed a server running Windows Active Directory. He has also placed a Web server in the DMZ that services a number of web pages that offer visitors a chance to download sensitive information by clicking on a button. A week later, Jason finds in his network logs how an intruder accessed the honeypot and downloaded sensitive information. Jason uses the logs to try and prosecute the intruder for stealing sensitive corporate information. Why will this not be viable?

Options:

A. Intruding into a honeypot is not illegal
B. Entrapment
C. Intruding into a DMZ is not illegal
D. Enticement

Questions 30

Michael works for Kimball Construction Company as a senior security analyst. As part of the yearly security audit, Michael scans his network for vulnerabilities. Using Nmap, Michael conducts an XMAS scan and most of the ports scanned do not give a response. In what state are these ports?

Options:

A. Filtered
B. Stealth
C. Closed
D. Open

Questions 31

What operating system would respond to the following command?

Options:

A. Mac OS X
B. Windows XP
C. Windows 95
D. FreeBSD

Questions 32

You are assisting a Department of Defense contract company to become compliant with the stringent security policies set by the DoD. One such strict rule is that firewalls must only allow incoming connections that were first initiated by internal computers. What type of firewall must you implement to abide by this policy?

Options:

A. Circuit-level proxy firewall
B. Packet filtering firewall
C. Application-level proxy firewall
D. Stateful firewall

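An added example (not from the exam) of the policy in the question, "only allow incoming connections that were first initiated by internal computers", as a minimal connection tracker, placed beside the approximation a stateless packet filter has to fall back on (admit inbound packets with the ACK bit set). A constructed six-packet trace shows where the two diverge: both pass a legitimate reply, both drop an unsolicited SYN, but only the stateful filter drops an unsolicited inbound packet that merely has ACK set. The internal prefix, the addresses and the flag names are assumptions; TCP teardown, timeouts and UDP pseudo-state are left out.

```python
from collections import namedtuple

# flags is a frozenset of TCP flag names, e.g. {"SYN"} or {"SYN", "ACK"}
Packet = namedtuple("Packet", "src sport dst dport flags")

INTERNAL_PREFIX = "10.0.0."   # assumed internal address range


def is_internal(ip: str) -> bool:
    return ip.startswith(INTERNAL_PREFIX)


class StatefulFilter:
    """Admits inbound packets only if they belong to a connection that an
    internal host opened first. State is created by an outbound SYN, matched
    by every later packet of the flow in either direction, and removed on
    RST. Anything inbound with no matching state is dropped, SYN or not."""

    def __init__(self):
        self.table = set()   # (internal_ip, internal_port, external_ip, external_port)

    def filter(self, p: Packet) -> str:
        if is_internal(p.src) and not is_internal(p.dst):          # outbound
            key = (p.src, p.sport, p.dst, p.dport)
            if "SYN" in p.flags and "ACK" not in p.flags:
                self.table.add(key)                                # new connection
            verdict = "ALLOW" if key in self.table else "DROP"
        elif is_internal(p.dst) and not is_internal(p.src):        # inbound
            key = (p.dst, p.dport, p.src, p.sport)
            verdict = "ALLOW" if key in self.table else "DROP"
        else:
            return "DROP"                                          # neither direction
        if verdict == "ALLOW" and "RST" in p.flags:
            self.table.discard(key)
        return verdict


def stateless_established_filter(p: Packet) -> str:
    """A plain packet filter's approximation of 'established': let inbound
    packets through if ACK is set. It keeps no memory of who opened the
    connection, so any inbound packet with ACK set passes, scans included."""
    if is_internal(p.src):
        return "ALLOW"
    return "ALLOW" if "ACK" in p.flags else "DROP"


def run_trace() -> dict:
    """Constructed packet trace: a legitimate outbound HTTPS connection, then
    two unsolicited inbound probes (a bare SYN and a bare ACK to port 22).
    Returns {name: (stateful_verdict, stateless_verdict)}."""
    fw = StatefulFilter()
    trace = [
        ("out_syn",      Packet("10.0.0.5", 51000, "198.51.100.7", 443, frozenset({"SYN"}))),
        ("in_synack",    Packet("198.51.100.7", 443, "10.0.0.5", 51000, frozenset({"SYN", "ACK"}))),
        ("out_ack",      Packet("10.0.0.5", 51000, "198.51.100.7", 443, frozenset({"ACK"}))),
        ("in_data",      Packet("198.51.100.7", 443, "10.0.0.5", 51000, frozenset({"ACK", "PSH"}))),
        ("in_probe_syn", Packet("203.0.113.9", 40000, "10.0.0.5", 22, frozenset({"SYN"}))),
        ("in_probe_ack", Packet("203.0.113.9", 40001, "10.0.0.5", 22, frozenset({"ACK"}))),
    ]
    return {name: (fw.filter(p), stateless_established_filter(p)) for name, p in trace}


if __name__ == "__main__":
    for name, (stateful, stateless) in run_trace().items():
        print(f"{name:13s} stateful={stateful:5s} stateless={stateless}")
```

The `in_probe_ack` row is the whole argument for the stateful design: an ACK-only probe (the kind `nmap -sA` sends) walks straight through the ACK-bit rule, because the packet filter has no way to know that no internal host ever opened that connection.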
Questions 33

Jonathan is a network administrator who is currently testing the internal security of his network. He is attempting to hijack a session, using Ettercap, of a user connected to his Web server. Why will Jonathan not succeed?

Options:

A. Only an HTTPS session can be hijacked
B. Only DNS traffic can be hijacked
C. Only FTP traffic can be hijacked
D. HTTP protocol does not maintain session

Questions 34

What are the security risks of running a "repair" installation for Windows XP?

Options:

A. There are no security risks when running the "repair" installation for Windows XP
B. Pressing Shift+F1 gives the user administrative rights
C. Pressing Ctrl+F10 gives the user administrative rights
D. Pressing Shift+F10 gives the user administrative rights