Shally, an incident handler, is working for a company named Texas Pvt. Ltd. based in
Florida. She was asked to work on an incident response plan. As part of the plan, she
decided to enhance and improve the security infrastructure of the enterprise. She has
incorporated a security strategy that allows security professionals to use several
protection layers throughout their information system. Because of this multi-layer
protection, the strategy helps prevent direct attacks against the organization's
information system, since a breach of one layer only leads the attacker to the next layer.
Identify the security strategy Shally has incorporated in the incident response plan.
Answer : A
Shally has incorporated the Defense-in-depth strategy into the incident response plan for Texas Pvt. Ltd. Defense-in-depth is a layered security approach that implements multiple, independent security measures and controls throughout an information system. The strategy provides several defensive barriers so that if one layer is compromised, the others still protect the assets behind it. The layers should fail in different ways: a perimeter firewall, network segmentation, host hardening, application-level controls, monitoring and user education do not share a single point of failure, which is what stops one successful attack from becoming a direct path to the organization's data. Reference: EC-Council Certified Incident Handler (ECIH v3) courses and study guides emphasize Defense-in-depth as the basis of a robust security infrastructure that protects against a wide range of cyber threats.
Farheen is an incident responder at a reputed IT firm based in Florida. Farheen was asked to investigate a recent cybercrime faced by the organization. As part of this process, she collected static data from a victim system. She used the dd tool to perform forensic duplication and obtain an NTFS image of the original disk. She created a sector-by-sector mirror image of the disk and saved the output image file as image.dd.
Identify the static data collection process step performed by Farheen while collecting static data.
Answer : C
Farheen's activity of using the dd tool to create a sector-by-sector mirror image of the original disk is an example of system preservation. This process is crucial in digital forensics for creating an exact copy of a storage device so that the investigation works on a replica and the original evidence stays unchanged. By making a forensic duplication, or image, of the disk, Farheen ensures that the static data on the disk is preserved in its current state for thorough analysis, without altering the original evidence. For the preservation to hold up, two things have to accompany the copy: the source disk should be attached through a write blocker (or mounted read-only) so that nothing, including the imaging host, writes to it, and both the original and image.dd should be hashed (for example with SHA-256) and the hashes recorded, so that the image can later be shown to match the source bit for bit. Reference: The EC-Council Certified Incident Handler (ECIH v3) certification materials discuss methods and tools for data acquisition and preservation, highlighting the importance of system preservation in the initial stages of forensic analysis.
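The duplication step described above, written out as an added example (not code from the ECIH materials): dd copies the source in sector-sized blocks, and the source and image are hashed and logged so the copy can be verified. The "disk" is a constructed regular file so the script runs offline; on a real case the source would be a device such as /dev/sdb behind a write blocker, and the hash log would be kept with the chain-of-custody paperwork.

```shell
#!/bin/sh
# Added example (not from the ECIH materials): forensic duplication with dd plus
# hash verification, the step the question describes as producing image.dd.
# The source here is a constructed regular file so the script runs offline; on
# a real case the source is a device such as /dev/sdb, attached through a
# hardware write blocker (or mounted read-only) so the original is never written.
set -eu

hash_file() {
    # SHA-256 of a file; falls back to shasum on systems without coreutils.
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

make_constructed_source() {
    # Constructed stand-in for the suspect disk: 1 MiB of pseudo-random bytes.
    dd if=/dev/urandom of="$1" bs=1024 count=1024 2>/dev/null
}

image_disk() {
    # Usage: image_disk SOURCE DEST
    # bs=512 copies in sector-sized blocks; conv=noerror,sync keeps reading past
    # unreadable blocks and pads them with zeros, so the image stays
    # sector-aligned with the source instead of silently shrinking.
    dd if="$1" of="$2" bs=512 conv=noerror,sync 2>/dev/null
}

verify_image() {
    # Usage: verify_image SOURCE DEST LOGFILE
    # Hashes both files, records the hashes, and returns 0 only when they match.
    src_hash=$(hash_file "$1")
    dst_hash=$(hash_file "$2")
    printf 'source %s %s\nimage  %s %s\n' "$src_hash" "$1" "$dst_hash" "$2" > "$3"
    [ "$src_hash" = "$dst_hash" ]
}

demo() {
    # End-to-end run in a temporary directory; prints the hash log and returns
    # the verification result (0 = image matches the source).
    work=$(mktemp -d)
    make_constructed_source "$work/disk.raw"
    image_disk "$work/disk.raw" "$work/image.dd"
    if verify_image "$work/disk.raw" "$work/image.dd" "$work/image.dd.hashes"; then
        status=0
    else
        status=1
    fi
    cat "$work/image.dd.hashes"
    return "$status"
}
```

Run `demo` to see the two hashes side by side. If a real source has unreadable sectors, the hashes will legitimately differ because of the zero padding; in that case dd's own error count and the block offsets of the failures are what get recorded alongside the image hash.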
Andrew, an incident responder, is performing a risk assessment of the client organization.
As part of the risk assessment process, he identified the boundaries of the IT systems,
along with the resources and the information that constitute the systems.
Identify the risk assessment step Andrew is performing.
Answer : B
In the risk assessment process, 'System characterization' is the initial step, where the scope of the assessment is defined (it is step 1 of the methodology in NIST SP 800-30). This involves identifying and documenting the boundaries of the IT systems under review, the resources (hardware, software, data, interfaces and personnel) that constitute these systems, and any relevant information about their operation and environment, such as data sensitivity and the criticality of the system to the business. This foundational step establishes what needs to be protected and forms the basis for the subsequent steps, including identifying threats and vulnerabilities, analyzing existing controls, and determining the likelihood and impact of risks to the organization.
In which of the following stages of incident handling and response (IH&R) process do
the incident handlers try to find out the root cause of the incident along with the threat
actors behind the incidents, threat vectors, etc.?
Answer : C
During the incident handling and response (IH&R) process, the stage of 'Evidence gathering and forensics analysis' involves the collection of evidence, forensic analysis, and detailed investigation to uncover the root cause of the incident. This stage is crucial for understanding how the incident occurred, identifying the threat actors involved, the methods they used (threat vectors), and the extent of the impact. By analyzing evidence, incident responders can reconstruct the sequence of events, identify the vulnerabilities exploited, and determine the scope of the incident. This information is vital for resolving the incident effectively and taking steps to prevent future occurrences.
Eve is an incident handler in ABC organization. One day, she received a complaint about an email hacking incident from one of the employees of the organization. As part of the
incident handling and response process, she must follow a number of recovery steps in order to recover from the incident's impact and maintain business continuity.
What is the first step that she must do to secure employee account?
Answer : A
The first step in securing an employee's account following an email hacking incident is to restore access to the email service if necessary and immediately change the password, so that the attacker is locked out of the account as quickly as possible. Enabling two-factor authentication, scanning links and attachments, and disabling automatic file sharing are all important security measures, but they come after the compromised account has been secured by changing its password to halt any ongoing unauthorized access. In practice the password change should be paired with invalidating the account's active sessions, application passwords and OAuth tokens, since on many mail platforms a password change alone does not terminate a session the attacker already holds, and with a check of the mailbox for forwarding rules or delegates the attacker may have added to keep receiving mail afterwards. Reference: The ECIH v3 certification materials cover the initial steps to be taken when responding to incidents involving compromised accounts, emphasizing the importance of quickly changing passwords to secure the accounts against further unauthorized access.
Bonney's system has been compromised by malware.
What is the first step Bonney should take to contain the malware incident and keep it
from spreading?
Answer : A
Turning off the infected machine is a common immediate response to contain a malware incident and prevent it from spreading to other systems on the network. This action halts any ongoing malicious activity by the malware, limiting the potential for further damage or data exfiltration. The cost is that powering off destroys volatile data (running processes, network connections, decrypted content and the malware's own memory-resident code) that would otherwise be available for forensic analysis. It is therefore the right call when the malware is actively destroying data or spreading and there is no time for anything else, or when the team's playbook accepts working from non-volatile evidence only. Where the playbook allows, isolating the host from the network (unplugging the cable, disabling the switch port, or moving it to a quarantine VLAN) achieves the same containment while keeping memory available for a capture before the machine is shut down.
Marley was asked by his incident handling and response (IH&R) team lead to collect volatile data such as system information and network information present in the
registers, cache, and RAM of the victim's system.
Identify the data acquisition method Marley must employ to collect volatile data.
Answer : C
Live data acquisition is the process of collecting volatile data from a system that is still running. Volatile data includes information stored in system memory (RAM), cache, and system and network state such as active connections, running processes, logged-in users, routing and ARP tables, and loaded kernel modules, all of which is lost when the system is powered off. This method is essential for capturing the state of the system at the time of an incident. Marley must employ live data acquisition to ensure that this ephemeral data is not lost, which can be pivotal in understanding and responding to the incident effectively. Two practices make the collection defensible: gather the most volatile items first (registers and cache, then memory and process and network state, then disk) so that the act of collecting changes as little as possible of what is still to be collected, and run the collection tools from trusted, read-only media, writing the output to external storage rather than the suspect disk, with hashes of every output file recorded as it is produced.
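The ordered live collection described above, as an added example that is not part of the ECIH materials: a POSIX shell script that runs standard Linux commands from most to least volatile, writes each result to a separate file, and keeps a hashed log of what was collected. The command names (ss, ip, ps and so on) are the usual Linux tools; any that are missing on the host are logged as unavailable rather than silently skipped. A full RAM capture is left out here because it needs a kernel-level tool such as LiME, which cannot be demonstrated in a portable script.

```shell
#!/bin/sh
# Added example (not from the ECIH materials): live collection of volatile data
# from a running Linux host, ordered roughly by volatility, with a hashed log so
# the collection can be verified later. On a real case these tools should be run
# from a trusted, read-only toolkit rather than the suspect host's own binaries,
# and OUTDIR should be external media or a remote share, never the suspect disk.
set -u

hash_file() {
    # SHA-256 of a file; falls back to shasum on systems without coreutils.
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

collect_volatile() {
    # Usage: collect_volatile OUTDIR
    # Each entry is "artifact-name|command", listed most volatile first.
    out="$1"
    mkdir -p "$out"
    : > "$out/collection.log"
    printf '%s\n' \
        'time|date -u' \
        'uptime|uptime' \
        'logged_in|who' \
        'processes|ps -eo pid,ppid,user,lstart,cmd' \
        'sockets|ss -tulpan' \
        'connections|netstat -tulpan' \
        'arp|ip neigh' \
        'routes|ip route' \
        'interfaces|ip addr' \
        'modules|lsmod' \
        'meminfo|cat /proc/meminfo' \
        'mounts|mount' \
    | while IFS='|' read -r name cmd; do
        tool=${cmd%% *}
        stamp=$(date -u +%Y-%m-%dT%H:%M:%SZ)
        if ! command -v "$tool" >/dev/null 2>&1; then
            printf '%s %s unavailable (%s not found)\n' "$stamp" "$name" "$tool" >> "$out/collection.log"
            continue
        fi
        # Word-splitting $cmd into the tool and its arguments is intended here.
        if $cmd > "$out/$name.txt" 2>&1; then
            printf '%s %s collected %s\n' "$stamp" "$name" "$(hash_file "$out/$name.txt")" >> "$out/collection.log"
        else
            printf '%s %s failed (exit status %s)\n' "$stamp" "$name" "$?" >> "$out/collection.log"
        fi
    done
    # Seal the log itself so later edits to it would be detectable.
    hash_file "$out/collection.log" > "$out/collection.log.sha256"
}

artifact_count() {
    # Number of artifacts successfully collected, read back from the log.
    grep -c ' collected ' "$1/collection.log"
}
```

Run `collect_volatile /media/evidence/host01` (with the evidence mount point substituted) as root, since process and socket ownership details are only visible with sufficient privilege. The log doubles as the collection record for the case notes: each line carries a UTC timestamp, the artifact name, and the hash of the file that was written.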