Eccouncil 212-89 EC-Council Certified Incident Handler v3 Exam Practice Test

Page: 1 / 14
Total 168 questions
Question 1

Clark is investigating a cybercrime at TechSoft Solutions. While investigating the case, he needs to collect volatile information such as running services, their process IDs, start mode, state, and status. Which of the following commands will help Clark collect such information from running services?



Answer : C

WMIC (Windows Management Instrumentation Command-line) is a command-line tool that provides a unified interface for Windows management tasks, including the collection of system information. It allows administrators and forensic investigators to query the live system for information about running services, their process IDs, start modes, states, and statuses, among other data. The use of WMIC is particularly valuable in incident response scenarios for gathering volatile information from a system without having to install additional software, which might alter the state of the system being investigated. By executing specific WMIC commands, Clark can extract detailed information about the services running on a system at the time of the investigation, making it an essential tool for collecting volatile data in a forensically sound manner.


Question 2

James has been appointed as an incident handling and response (IH&R) team lead and has been assigned to build an IH&R plan, along with his own team, for the company. Identify the IH&R process step James is currently working on.



Answer : C

In the context of incident handling and response (IH&R), the preparation phase is the initial step where teams and resources are organized to effectively respond to potential security incidents. This phase involves building the IH&R team, developing incident response plans and policies, setting up communication channels, and ensuring that the team has the necessary tools and authority to act. James, being assigned to build an IH&R plan and organize his team, is engaging in the preparation step of the incident response process. This foundational step is crucial for ensuring a coordinated and efficient response to incidents when they occur.


Question 3

Rose is an incident handler responsible for detecting and eliminating any kind of scanning attempt over the network by malicious threat actors. Rose uses the Wireshark tool to sniff the network and detect any malicious activity going on. Which of the following Wireshark filters can she use to detect a TCP Xmas scan attempt by the attacker?



Answer : D

A TCP Xmas scan is a type of network scanning technique used by attackers to identify open ports on a target machine. The name 'Xmas' comes from the set of flags that are turned on within the packet, making it 'lit up like a Christmas tree'. Specifically, the FIN, PSH, and URG flags are set, which corresponds to the hexadecimal value 0X029 in the TCP header's flags field. Wireshark, a popular network protocol analyzer, allows users to create custom filters to detect specific types of network traffic, including malicious scanning attempts. By using the filter tcp.flags==0X029, Rose can detect packets that have these specific flags set, indicating a potential TCP Xmas scan attempt.
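As an added example (not part of the practice test), the following Python code applies the same check as the tcp.flags==0X029 filter to constructed raw IPv4/TCP packets, and goes one step further by grouping exact-match Xmas probes per source address so that a host probing several ports stands out. The packets, addresses, and the min_ports threshold are constructed assumptions, not values from the page.

```python
import struct
from collections import defaultdict

# TCP flag bits carried in the flags octet of the TCP header
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
XMAS_FLAGS = FIN | PSH | URG  # 0x29, the value the Wireshark filter tcp.flags==0x029 matches

def build_packet(src_ip, dst_ip, src_port, dst_port, flags):
    """Build a minimal IPv4 + TCP header (constructed test data, checksums left zero)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     bytes(int(o) for o in src_ip.split(".")),
                     bytes(int(o) for o in dst_ip.split(".")))
    tcp = struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0, 5 << 4, flags, 8192, 0, 0)
    return ip + tcp

def parse_packet(pkt):
    """Return (src_ip, dst_port, tcp_flags) from a raw IPv4/TCP packet."""
    ihl = (pkt[0] & 0x0F) * 4                       # IPv4 header length in bytes
    src_ip = ".".join(str(b) for b in pkt[12:16])
    tcp = pkt[ihl:]
    _, dst_port, _, _, _, flags = struct.unpack("!HHIIBB", tcp[:14])
    return src_ip, dst_port, flags

def is_xmas(flags):
    """Exact match, like tcp.flags==0x029: FIN+PSH+URG set and nothing else."""
    return flags == XMAS_FLAGS

def find_xmas_scanners(packets, min_ports=3):
    """Map source IP -> sorted ports probed with Xmas packets, keeping sources that hit >= min_ports."""
    probes = defaultdict(set)
    for pkt in packets:
        src, dport, flags = parse_packet(pkt)
        if is_xmas(flags):
            probes[src].add(dport)
    return {src: sorted(ports) for src, ports in probes.items() if len(ports) >= min_ports}

# Constructed sample capture: one host Xmas-probing three ports, plus ordinary traffic
SAMPLE = [
    build_packet("10.0.0.5", "10.0.0.20", 40000, 22, XMAS_FLAGS),
    build_packet("10.0.0.5", "10.0.0.20", 40001, 80, XMAS_FLAGS),
    build_packet("10.0.0.5", "10.0.0.20", 40002, 443, XMAS_FLAGS),
    build_packet("10.0.0.7", "10.0.0.20", 50000, 80, SYN),
    build_packet("10.0.0.7", "10.0.0.20", 50000, 80, PSH | ACK),
]

if __name__ == "__main__":
    print(find_xmas_scanners(SAMPLE))  # {'10.0.0.5': [22, 80, 443]}
```

Note that the equality test rejects packets with extra flags set (for example FIN+PSH+URG+ACK), exactly as the Wireshark filter does.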


Question 4

An attacker, after performing an attack, decided to wipe evidence using artifact wiping techniques to evade forensic investigation. He applied a magnetic field to the digital media device, leaving the device entirely clean of any previously stored data. Identify the artifact wiping technique used by the attacker.



Answer : B

The technique described, where an attacker applies a magnetic field to a digital media device to clean it of any previously stored data, is known as disk degaussing. Degaussing is a method used to erase a disk or tape by exposing it to a strong magnetic field, destroying the magnetic data storage mechanism and leaving the device clean of any data. This process is effectively used for wiping digital evidence in a way that makes recovery impossible, serving as a method of anti-forensics. Unlike file wiping utilities or disk cleaning utilities, which overwrite or delete data (potentially leaving traces that can be recovered), degaussing physically alters the storage medium itself, making data recovery unfeasible. Reference: The ECIH v3 certification program discusses various artifact wiping techniques, including degaussing, as part of understanding anti-forensic methods that attackers use to evade detection and investigation.


Question 5

Chandler is a professional hacker who is targeting the Technote organization. He wants to obtain important organizational information that is being transmitted between different hierarchies. In the process, he is sniffing the data packets transmitted through the network and then analyzing them to gather packet details such as network, ports, protocols, devices, issues in network transmission, and other network specifications. Which of the following tools must Chandler employ to perform packet analysis?



Answer : C

Omnipeek is a network analyzer tool that allows for the capture and analysis of data packets transmitted across a network. It is designed to provide deep insights into network traffic, enabling users to examine various aspects of the data packets, including network protocols, ports, devices, and potential issues in network transmission. This tool would be ideal for Chandler, who is targeting the Technote organization with the intent of intercepting and analyzing network traffic to obtain sensitive organizational information. Omnipeek's capabilities in packet analysis make it suitable for such activities, offering detailed visibility into the network's operation and data flows. Reference: The ECIH v3 certification program includes discussions on network monitoring and analysis tools, including packet sniffers like Omnipeek, and their role in both cybersecurity defense and offensive activities like hacking.


Question 6

Bob, an incident responder at CyberTech Solutions, is investigating a cybercrime attack that occurred at a client company. He acquired the evidence data, preserved it, and started performing analysis on the acquired evidentiary data to identify the source of the crime and the culprit behind the incident. Identify the forensic investigation phase Bob is currently in.



Answer : D

Bob is in the Investigation phase of the forensic investigation process. This phase involves the detailed examination and analysis of the collected evidence to identify the source of the crime and the perpetrator behind the incident. It is a crucial step that follows the acquisition and preservation of evidence, where the incident responder applies various techniques and methodologies to analyze the evidentiary data. This analysis aims to uncover how the cybercrime was committed, trace the activities of the culprit, and gather actionable intelligence to support legal actions and prevent future incidents. Reference: The ECIH v3 certification materials discuss the stages of a forensic investigation, emphasizing the investigation phase as the point at which the incident responder analyzes evidence to draw conclusions about the incident's specifics.


Question 7

Which of the following is not the responsibility of first responders?



Answer : D

The responsibility of first responders does not include shutting down or rebooting the victim's computer as a measure to preserve temporary and fragile evidence. In fact, such actions can potentially alter or destroy volatile data that could be crucial for the investigation. The primary responsibilities of first responders include protecting and identifying the crime scene, and ensuring the preservation of evidence in its original state as much as possible, which may involve isolating affected systems from the network but not necessarily shutting them down or rebooting them without proper forensic readiness and consideration.

