Eccouncil ECSS Exam Practice Test Instant Access

Question 1

Williams, a forensic specialist, was tasked with performing a static malware analysis on a suspect system in an organization. For this purpose, Williams used an automated tool to perform a string search and saved all the identified strings in a text file. After analyzing the strings, he determined all the harmful actions that were performed by malware.

Identify the tool employed by Williams in the above scenario.

AResourcesExlract

BSnagit

CEzvid

DR-Drive Image

Answer : A

The scenario's focus on extracting strings from a suspect system for malware analysis aligns with the functionality of tools like ResourcesExtract:

ResourcesExtract's Purpose:It's designed to extract specific resources, including strings, from executables and other file types. This is crucial for static malware analysis.

String Search and Analysis:Finding and analyzing embedded strings can reveal malicious code behavior, function calls, and other clues about the malware's intent.

Question 2

Stephen, an attacker, decided to gain access to an organization's server. He identified a user with access to the remote server. He used sniffing programs to gain the user's credentials and captured the authentication tokens transmitted by the user. Then, he transmitted the captured tokens back to the server to gain unauthorized access.

Identify the technique used by Stephen to gain unauthorized access to the target server.

ABrute-force attack

BInternal monologue

CSQL injection

DReplay attack

Answer : D

Stephen used areplay attacktechnique to gain unauthorized access to the target server. In this scenario, he captured authentication tokens transmitted by the user and then replayed those tokens back to the server to impersonate the user and gain access.

https://www.cynet.com/network-attacks/unauthorized-access-5-best-practices-to-avoid-the-next-data-breach/

Question 3

Peter, an attacker aiming to disrupt organizational services, targeted a configuration protocol that issues IP addresses to host systems. To disrupt the issuance of IP addresses. Peter flooded the target server with spoofed MAC addresses so that valid users cannot receive IP addresses to access the network.

Identify the type of attack Peter has performed in the above scenario.

ASession hijacking

BPing-of-death attack

CARP spoofing

DDHCP starvation attack

Answer : D

Peter has performed aDHCP starvation attackin the given scenario. In this attack, the attacker floods the target DHCP server withspoofed MAC addresses, depleting the pool of available IP addresses.As a result, legitimate users cannot obtain IP addresses via DHCP, causing aDenial of Service (DoS)attack12.Additionally, the attacker could set up a rogue DHCP server to assign IP addresses to legitimate users, potentially leading to aMan-in-the-Middle (MITM)attack1. The correct answer isD.5 -> 1 -> 6 -> 2 -> 3 -> 41.

Question 4

Below are the elements included in the order of volatility for a typical computing system as per the RFC 3227 guidelines for evidence collection and archiving.

l.Archival media

2.Remote logging and monitoring data related to the target system

3.Routing table, process table, kernel statistics, and memory

4.Registers and processor cache

5-Physical configuration and network topology

6.Disk or other storage media

7.Temporary system files

Identify the correct sequence of order of volatility from the most to least volatile for a typical system.

A7->5- >4->3 ->2 >6 >1

B4 >3 >7->l >2 ->5--->6

C2--->1--->4-->3-->6-->5--->7

D4.>3 >7>6.>2-.>5- >l

Answer : D

This order correctly reflects the volatility of data from most volatile (disappears quickly) to least volatile (most persistent):

Registers and processor cache:These contain the CPU's most immediate working data, changing rapidly.

Routing table, process table, kernel statistics, and memory (RAM):These hold system state information, but can be modified by running processes or events.

Temporary system files:Designed to be transient, but may persist for some time depending on usage patterns.

Disk or other storage media:Holds data intended to persist, but is subject to modification.

Remote logging and monitoring data related to the target system:Often stored off-site, less volatile than local data.

Physical configuration and network topology:Relatively static information about the system's setup.

Archival media:Designed for long-term storage, changes to this data are intentional and infrequent.

Question 5

Carol is a new employee at ApTech Sol Inc., and she has been allocated a laptop to fulfill his job activities. Carol tried to install certain applications on the company's laptop but could not complete the installation as she requires administrator privileges to initiate the installation process. The administrator imposed an access policy on the company's laptop that only users with administrator privileges have installation rights.

Identify the access control model demonstrated in the above scenario.

AMandatory access control {MAC)

BRule based access control (RB-RBAC)

CDiscretionary access control (DAC)

DRole based access control (RBAC)

Answer : D

The scenario described is an example ofRole Based Access Control (RBAC).In RBAC, access decisions are based on the roles that individual users have within an organization and the permissions that accompany those roles1.

In this case, Carol, as a new employee, has been assigned a user role that does not include administrator privileges. The access control policy in place requires administrator privileges for installing applications, which means that only users with an 'administrator' role have the rights to install software. This is a typical RBAC policy, where permissions to perform certain actions within the system are not assigned to individual users directly but are based on the roles assigned to them within the company.

The other options do not fit the scenario as well as RBAC:

A . Mandatory Access Control (MAC): In MAC, access rights are regulated by a central authority based on multiple levels of security. Users cannot change access permissions.

B . Rule Based Access Control (RB-RAC): This is similar to RBAC but is driven by rules that trigger under certain conditions, not explicitly mentioned in the scenario.

C . Discretionary Access Control (DAC): In DAC, the owner of the resource determines who is allowed to access it, which is not indicated in the scenario provided.

Therefore, the correct answer is D, Role Based Access Control (RBAC), as it aligns with the policy of assigning installation rights based on the user's role within the company.

Question 6

Bob, a forensic investigator, was instructed to review a Windows machine and identify any anonymous activities performed using it. In this process. Bob used the command ''netstat -ano" to view all the active connections in the system and determined that the connections established by the Tor browser were closed. Which of the following states of the connections established by Tor indicates that the Tor browser is closed?

AESTABLISHED

BCLOSE WAIT

CTIMEWAIT

DLISTENING

Answer : C

Thenetstat -anocommand is used to display all active connections and their respective states on a system. When the Tor browser is closed, the connections it established would no longer be active.The state that indicates a connection is no longer active and is in the process of closing isTIMEWAIT1.

In the context of TCP/IP networking,TIMEWAITis a state that occurs after a connection has been terminated by the application, and the system is waiting to ensure that all packets have been received to prevent any delayed packets from appearing in subsequent connections2. This state helps to ensure that a new connection does not receive packets from an old connection, which is particularly important in ensuring the security and integrity of data transmission.

The other states listed have different meanings:

A . ESTABLISHED: This state means that the connection is currently active and data can be transferred.

B . CLOSE WAIT: This state indicates that the remote end has shut down, and the local end is waiting for the application to close the connection.

D . LISTENING: This state signifies that the server is waiting for incoming connections on a specific port.

Therefore, the correct answer is C, TIMEWAIT, as it represents the state where the connection has been closed by the application, which in this case would be the Tor browser.

Question 7

Kevin logged into a banking application with his registered credentials and tried to transfer some amount from his account to Flora's account. Before transferring the amount to Flora's account, the application sent an OTP to Kevin's mobile for confirmation.

Which of the following authentication mechanisms is employed by the banking application in the above scenario?

ASingle sign on (SSO) authentication

BSmart card authentication

CBiometric authentication

DTwo factor authentication

Answer : D

In the given scenario, the banking application employstwo-factor authentication (2FA). Here's why:

Registered Credentials: Kevin logs in with hisregistered credentials(username and password).

OTP (One-Time Password): The application sends anOTP to Kevin's mobilefor confirmation. This OTP serves as thesecond factorof authentication.

EC-Council Certified Security Specialist (E|CSS) documents and study guide.

EC-Council Certified Security Specialist (E|CSS) course materials12

Two-factor authentication enhances security by requiring users to provide two different authentication factors (usually something they know, like a password, and something they have, like an OTP) before granting access. It helps protect against unauthorized access even if one factor is compromised.

Eccouncil EC-Council Certified Security Specialist (ECSSv10) Exam Practice Test