Eccouncil 212-89 EC-Council Certified Incident Handler v3 Exam Practice Test

Page: 1 / 14
Total 168 questions
Question 1

Stenley is an incident handler working for Texa Corp. located in the United States. With the growing concern of increasing emails from outside the organization, Stenley was

asked to take appropriate actions to keep the security of the organization intact. In the process of detecting and containing malicious emails, Stenley was asked to check the

validity of the emails received by employees.

Identify the tools he can use to accomplish the given task.



Answer : B

Email Dossier is a tool designed to perform detailed investigations on email messages to verify their authenticity and trace their origin. It can analyze email headers and provide information about the route an email has taken, the servers it passed through, and potentially malicious links or origins. For an incident handler like Stenley, tasked with verifying the validity of emails and containing malicious email threats, Email Dossier serves as a practical tool for analyzing and validating emails received by employees. By using this tool, Stenley can identify fraudulent or suspicious emails, thereby helping to protect the organization from phishing attacks, malware distribution, and other email-based threats.


Question 2

Chandler is a professional hacker who is targeting Technote organization. He wants to obtain important organizational information that is being transmitted between

different hierarchies. In the process, he is sniffing the data packets transmitted through the network and then analyzing them to gather packet details such as network, ports,

protocols, devices, issues in network transmission, and other network specifications. Which of the following tools Chandler must employ to perform packet analysis?



Answer : C

Omnipeek is a network analyzer tool that allows for the capture and analysis of data packets transmitted across a network. It is designed to provide deep insights into network traffic, enabling users to examine various aspects of the data packets, including network protocols, ports, devices, and potential issues in network transmission. This tool would be ideal for Chandler, who is targeting the Technote organization with the intent of intercepting and analyzing network traffic to obtain sensitive organizational information. Omnipeek's capabilities in packet analysis make it suitable for such activities, offering detailed visibility into the network's operation and data flows. Reference: The ECIH v3 certification program includes discussions on network monitoring and analysis tools, including packet sniffers like Omnipeek, and their role in both cybersecurity defense and offensive activities like hacking.


Question 3

Farheen is an incident responder at reputed IT Firm based in Florid

a. Farheen was asked to investigate a recent cybercrime faced by the organization. As part of this process, she collected static data from a victim system. She used DD tool command to perform forensic duplication to obtain an NTFS image of the original disk. She created a sector-by-sector mirror imaging of the disk and saved the output image file as image.dd.

Identify the static data collection process step performed by Farheen while collecting static data.



Answer : C

Farheen's activity of using the DD tool to create a sector-by-sector mirror image of the original disk is an example of system preservation. This process is crucial in digital forensics for creating an exact copy of a storage device to ensure that the original data remains unchanged during the investigation. By making a forensic duplication, or image, of the disk, Farheen ensures that the static data on the disk is preserved in its current state for thorough analysis, without altering the original evidence. This step allows investigators to work with a precise replica of the data, protecting the integrity of the original evidence. Reference: The Incident Handler (ECIH v3) certification materials discuss various methods and tools for data acquisition and preservation, highlighting the importance of system preservation in the initial stages of forensic analysis.


Question 4

Andrew, an incident responder, is performing risk assessment of the client organization.

As a part of risk assessment process, he identified the boundaries of the IT systems,

along with the resources and the information that constitute the systems.

Identify the risk assessment step Andrew is performing.



Answer : B

In the risk assessment process, 'System characterization' is the initial step where the scope of the assessment is defined. This involves identifying and documenting the boundaries of the IT systems under review, the resources (hardware, software, data, and personnel) that constitute these systems, and any relevant information about their operation and environment. This foundational step is essential for understanding what needs to be protected and forms the basis for subsequent analysis, including identifying vulnerabilities, assessing potential threats, and determining the impact of risks to the organization.


Question 5

In which of the following stages of incident handling and response (IH&R) process do

the incident handlers try to find out the root cause of the incident along with the threat

actors behind the incidents, threat vectors, etc.?



Answer : C

During the incident handling and response (IH&R) process, the stage of 'Evidence gathering and forensics analysis' involves the collection of evidence, forensic analysis, and detailed investigation to uncover the root cause of the incident. This stage is crucial for understanding how the incident occurred, identifying the threat actors involved, the methods they used (threat vectors), and the extent of the impact. By analyzing evidence, incident responders can reconstruct the sequence of events, identify the vulnerabilities exploited, and determine the scope of the incident. This information is vital for resolving the incident effectively and taking steps to prevent future occurrences.


Question 6

Patrick is doing a cyber forensic investigation. He is in the process of collecting physical

evidence at the crime scene.

Which of the following elements he must consider while collecting physical evidence?



Answer : D

In the context of collecting physical evidence during a cyber forensic investigation, Patrick must consider items like removable media, cables, and publications. These items can contain crucial information related to the crime, such as data storage devices (USB drives, external hard drives), cables connected to potentially relevant devices, and any printed materials that might have information or clues about the incident. Open ports, services, and OS vulnerabilities, DNS information, and published name servers and web application source code, while important in digital forensics, do not constitute physical evidence in the traditional sense. Reference: Incident Handler (ECIH v3) study guides and courses detail the process of evidence collection in cyber forensic investigations, emphasizing the importance of securing physical evidence that could support digital forensic analysis.


Question 7

In which of the following types of fuzz testing strategies the new data will be generated

from scratch and the amount of data to be generated are predefined based on the

testing model?



Answer : B

Generation-based fuzz testing is a strategy where new test data is generated from scratch based on a predefined model that specifies the structure, type, and format of the input data. This approach is systematic and relies on a deep understanding of the format and protocol of the input data to create test cases that are both valid and potentially revealing of vulnerabilities. This contrasts with mutation-based fuzz testing, where existing data samples are modified (mutated) to produce new test cases, and log-based and protocol-based fuzz testing, which use different approaches to test software robustness and security. Reference: ECIH v3 certification materials often cover software testing techniques, including fuzz testing, to identify vulnerabilities in applications by inputting unexpected or random data.


Page:    1 / 14   
Total 168 questions