Download ECCouncil Computer Hacking Forensic Investigator.EC0-349.BrainDumps.2018-10-12.183q.vcex

Vendor: ECCouncil
Exam Code: EC0-349
Exam Name: ECCouncil Computer Hacking Forensic Investigator
Date: Oct 12, 2018
File Size: 870 KB

How to open VCEX files?

Files with VCEX extension can be opened by ProfExam Simulator.

Demo Questions

Question 1
What does the acronym POST mean as it relates to a PC?
  A. Primary Operations Short Test
  B. PowerOn Self Test
  C. Pre Operational Situation Test
  D. Primary Operating System Test
Correct answer: B
Question 2
Which legal document allows law enforcement to search an office, place of business, or other locale for evidence relating to an alleged crime?
  A. bench warrant
  B. wire tap
  C. subpoena
  D. search warrant
Correct answer: D
Question 3
You are working as an investigator for a corporation and you have just received instructions from your manager to assist in the collection of 15 hard drives that are part of an ongoing investigation. 
Your job is to complete the required evidence custody forms to properly document each piece of evidence as it is collected by other members of your team. Your manager instructs you to complete one multi-evidence form for the entire case and a single-evidence form for each hard drive. How will these forms be stored to help preserve the chain of custody of the case?
  A. All forms should be placed in an approved secure container because they are now primary evidence in the case.
  B. The multi-evidence form should be placed in the report file and the single-evidence forms should be kept with each hard drive in an approved secure container.
  C. The multi-evidence form should be placed in an approved secure container with the hard drives and the single-evidence forms should be placed in the report file.
  D. All forms should be placed in the report file because they are now primary evidence in the case.
Correct answer: B
Question 4
The MD5 program is used to:
  A. wipe magnetic media before recycling it
  B. make directories on an evidence disk
  C. view graphics files on an evidence drive
  D. verify that a disk is not altered when you examine it
Correct answer: D
Question 5
Which is a standard procedure to perform during all computer forensics investigations?
  A. with the hard drive removed from the suspect PC, check the date and time in the system's CMOS
  B. with the hard drive in the suspect PC, check the date and time in the File Allocation Table
  C. with the hard drive removed from the suspect PC, check the date and time in the system's RAM
  D. with the hard drive in the suspect PC, check the date and time in the system's CMOS
Correct answer: A
Question 6
E-mail logs contain which of the following information to help you in your investigation? (Choose four.)
  A. user account that was used to send the message
  B. attachments sent with the e-mail message
  C. unique message identifier
  D. contents of the e-mail message
  E. date and time the message was sent
Correct answer: ACDE
Question 7
In a forensic examination of hard drives for digital evidence, what type of user is most likely to have the most file slack to analyze?
  A. one who has NTFS 4 or 5 partitions
  B. one who uses dynamic swap file capability
  C. one who uses hard disk writes on IRQ 13 and 21
  D. one who has lots of allocation units per block or cluster
Correct answer: D
Question 8
In what way do the procedures for dealing with evidence in a criminal case differ from the procedures for dealing with evidence in a civil case?
  A. evidence must be handled in the same way regardless of the type of case
  B. evidence procedures are not important unless you work for a law enforcement agency
  C. evidence in a criminal case must be secured more tightly than in a civil case
  D. evidence in a civil case must be secured more tightly than in a criminal case
Correct answer: C
Question 9
You are assigned to work in the computer forensics lab of a state police agency. While working on a high profile criminal case, you have followed every applicable procedure; however, your boss is still concerned that the defense attorney might question whether evidence has been changed while at the lab.
What can you do to prove that the evidence is the same as it was when it first entered the lab?
  A. make an MD5 hash of the evidence and compare it with the original MD5 hash that was taken when the evidence first entered the lab
  B. make an MD5 hash of the evidence and compare it to the standard database developed by NIST
  C. there is no reason to worry about this possible claim because state labs are certified
  D. sign a statement attesting that the evidence is the same as it was when it entered the lab
Correct answer: A
Question 10
Study the log given below and answer the following question:
Apr 24 14:46:46 [4663]: spp_portscan: portscan detected from 194.222.156.169
Apr 24 14:46:46 [4663]: IDS27/FIN Scan: 194.222.156.169:56693 -> 172.16.1.107:482
Apr 24 18:01:05 [4663]: IDS/DNS-version-query: 212.244.97.121:3485 -> 172.16.1.107:53
Apr 24 19:04:01 [4663]: IDS213/ftp-passwd-retrieval: 194.222.156.169:1425 -> 172.16.1.107:21
Apr 25 08:02:41 [5875]: spp_portscan: PORTSCAN DETECTED from 24.9.255.53
Apr 25 02:08:07 [5875]: IDS277/DNS-version-query: 63.226.81.13:4499 -> 172.16.1.107:53
Apr 25 02:08:07 [5875]: IDS277/DNS-version-query: 63.226.81.13:4630 -> 172.16.1.101:53
Apr 25 02:38:17 [5875]: IDS/RPC-rpcinfo-query: 212.251.1.94:642 -> 172.16.1.107:111
Apr 25 19:37:32 [5875]: IDS230/web-cgi-space-wildcard: 198.173.35.164:4221 -> 172.16.1.107:80
Apr 26 05:45:12 [6283]: IDS212/dns-zone-transfer: 38.31.107.87:2291 -> 172.16.1.101:53
Apr 26 06:43:05 [6283]: IDS181/nops-x86: 63.226.81.13:1351 -> 172.16.1.107:53
Apr 26 06:44:25 victim7 PAM_pwdb[12509]: (login) session opened for user simple by (uid=0)
Apr 26 06:44:36 victim7 PAM_pwdb[12521]: (su) session opened for user simon by simple(uid=506)
Apr 26 06:45:34 [6283]: IDS175/socks-probe: 24.112.167.35:20 -> 172.16.1.107:1080
Apr 26 06:52:10 [6283]: IDS127/telnet-login-incorrect: 172.16.1.107:23 -> 213.28.22.189:4558
Precautionary measures to prevent this attack would include writing firewall rules. Of these firewall rules, which among the following would be appropriate?
  A. Disallow UDP53 in from outside to DNS server
  B. Allow UDP53 in from DNS server to outside
  C. Disallow TCP53 in from secondaries or ISP server to DNS server
  D. Block all UDP traffic
Correct answer: A