Summer Sale Limited Time 65% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: ecus65

ECCouncil 312-49 - Computer Hacking Forensic Investigator

Page: 3 / 11
Total 531 questions

Gill is a computer forensics investigator who has been called upon to examine a seized computer. This computer, according to the police, was used by a hacker who gained access to numerous banking institutions to steal customer information. After preliminary investigations, Gill finds in the computer’s log files that the hacker was able to gain access to these banks through the use of Trojan horses. The hacker then used these Trojan horses to obtain remote access to the companies’ domain controllers. From this point, Gill found that the hacker pulled off the SAM files from the domain controllers to then attempt and crack network passwords. What is the most likely password cracking technique used by this hacker to break the user passwords from the SAM files?

A.

Syllable attack

B.

Hybrid attack

C.

Brute force attack

D.

Dictionary attack

In what way do the procedures for dealing with evidence in a criminal case differ from the procedures for dealing with evidence in a civil case?

A.

evidence must be handled in the same way regardless of the type of case

B.

evidence procedures are not important unless you work for a law enforcement agency

C.

evidence in a criminal case must be secured more tightly than in a civil case

D.

evidence in a civil case must be secured more tightly than in a criminal case

Pagefile.sys is a virtual memory file used to expand the physical memory of a computer. Select the registry path for the page file:

A.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management

B.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\System Management

C.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Device Management

D.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters

When performing a forensics analysis, what device is used to prevent the system from recording data on an evidence disk?

A.

a write-blocker

B.

a protocol analyzer

C.

a firewall

D.

a disk editor

You are called in to assist the police in an investigation involving a suspected drug dealer. The suspects house was searched by the police after a warrant was obtained and they located a floppy disk in the suspects bedroom. The disk contains several files, but they appear to be password protected. What are two common methods used by password cracking software that you can use to obtain the password?

A.

Limited force and library attack

B.

Brute Force and dictionary Attack

C.

Maximum force and thesaurus Attack

D.

Minimum force and appendix Attack

What does mactime, an essential part of the coroner's toolkit do?

A.

It traverses the file system and produces a listing of all files based on the modification, access and change timestamps

B.

It can recover deleted file space and search it for data. However, it does not allow the investigator to preview them

C.

The tools scans for i-node information, which is used by other tools in the tool kit

D.

It is too specific to the MAC OS and forms a core component of the toolkit

What do you call the process in which an attacker uses magnetic field over the digital media device to delete any previously stored data?

A.

Disk deletion

B.

Disk cleaning

C.

Disk degaussing

D.

Disk magnetization

Jack Smith is a forensics investigator who works for Mason Computer Investigation Services. He is investigating a computer that was infected by Ramen Virus.

He runs the netstat command on the machine to see its current connections. In the following screenshot, what do the 0.0.0.0 IP addresses signify?

 

A.

Those connections are established

B.

Those connections are in listening mode

C.

Those connections are in closed/waiting mode

D.

Those connections are in timed out/waiting mode

Which of the following data structures stores attributes of a process, as well as pointers to other attributes and data structures?

A.

Lsproc

B.

DumpChk

C.

RegEdit

D.

EProcess

Which of the following options will help users to enable or disable the last access time on a system running Windows 10 OS?

A.

wmic service

B.

Reg.exe

C.

fsutil

D.

Devcon

What technique is used by JPEGs for compression?

A.

TIFF-8

B.

ZIP

C.

DCT

D.

TCD

Email archiving is a systematic approach to save and protect the data contained in emails so that it can be accessed fast at a later date. There are two main archive types, namely Local Archive and Server Storage Archive. Which of the following statements is correct while dealing with local archives?

A.

Server storage archives are the server information and settings stored on a local system, whereas the local archives are the local email client information stored on the mail server

B.

It is difficult to deal with the webmail as there is no offline archive in most cases. So consult your counsel on the case as to the best way to approach and gain access to the required data on servers

C.

Local archives should be stored together with the server storage archives in order to be admissible in a court of law

D.

Local archives do not have evidentiary value as the email client may alter the message data

Which response organization tracks hoaxes as well as viruses?

A.

NIPC

B.

FEDCIRC

C.

CERT

D.

CIAC

Which of the following commands shows you the username and IP address used to access the system via a remote login session and the type of client from which they are accessing the system?

A.

Net config

B.

Net sessions

C.

Net share

D.

Net stat

Which of the following processes is part of the dynamic malware analysis?

A.

Process Monitoring

B.

Malware disassembly

C.

Searching for the strings

D.

File fingerprinting