212-89 Exam Dumps - EC Council Certified Incident Handler (ECIH v3)

This scenario requires decisive action across containment, analysis, and recovery, as defined in the ECIH incident handling lifecycle.

Option C is correct because isolating affected systems prevents further manipulation, forensic examination identifies scope and method, and restoring from a verified clean backup ensures data integrity. ECIH emphasizes verified restoration only after investigation begins.

Options A, B, and D are premature or speculative and risk misinformation.

This scenario directly reflects crime scene documentation and physical reconstruction, a core principle in the Forensic Readiness and First Response module of the ECIH curriculum. First responders must assume that every physical detail may later become relevant in court proceedings or advanced forensic reconstruction.

Option A is correct because Tara’s actions—photographing cable connections, labeling ports, documenting power states, and noting spatial orientation—are explicitly designed to allow investigators to recreate the original physical environment. ECIH emphasizes that improper documentation of physical layout can invalidate conclusions about device usage, peripheral connections, or data paths.

Option B is incorrect because uptime continuity is not her objective. Option C refers to live system analysis, which she is not performing. Option D applies to digital evidence integrity after acquisition, not scene documentation.

ECIH stresses that physical reconstruction references are especially important in insider threat investigations, where proving who had access, which devices were connected, and how data could have been transferred is critical. Tara’s approach ensures forensic soundness, minimizes contamination risk, and preserves contextual evidence.

This scenario demonstrates a preventive containment action during an email security incident. The ECIH Email Security Incident Handling module emphasizes that once phishing is identified, responders should immediately prevent further delivery to reduce organizational exposure.

Option A is correct because Lena removes malicious emails from the mail server’s delivery queue before users receive them. This action directly reduces risk by preventing additional users from clicking malicious links or submitting credentials. ECIH identifies email purging as a critical containment technique during active phishing campaigns.

Option B is an investigative action, not containment. Option C applies after delivery and compromise. Option D addresses already compromised accounts rather than preventing exposure.

By stopping malicious emails before delivery, Lena aligns with ECIH best practices for rapid containment of email-based threats.

The EC-Council Incident Handler (ECIH) curriculum explains that email account compromise often involves attackers creating persistent mechanisms such as auto-forwarding rules, mailbox delegation changes, or hidden inbox rules to exfiltrate data even after password resets.

In this scenario, unauthorized message redirection continued despite credential resets and session termination. This strongly indicates the presence of malicious mailbox configuration changes, specifically auto-forwarding rules sending copies of emails to external attacker-controlled addresses.

ECIH emphasizes that eradication requires removal of persistence mechanisms—not just resetting credentials. During email security incident eradication, responders must review mailbox rules, forwarding settings, API tokens, and delegated access permissions. Attackers frequently create hidden rules to maintain access to sensitive communications.

Option A (auditing logs) supports investigation but does not eliminate persistence. Option B (credential resets) is a containment measure already performed but insufficient alone. Option C (client advisory messages) is part of communication management, not technical eradication.

Deleting malicious auto-forwarding rules directly neutralizes the attacker’s ongoing access channel and aligns with ECIH’s guidance on removing unauthorized configurations, validating account integrity, enforcing MFA, and auditing cloud email security settings.

Therefore, deleting malicious auto-forwarding rules is the most appropriate eradication step in this scenario.

This incident involves malware actively impacting medical devices, posing patient safety risks. According to ECIH malware incident handling principles, the first priority is containment and eradication at the endpoint level.

Option D is correct because deploying endpoint protection directly detects and halts malware execution on the MRI machines, stopping both manipulation of results and further malicious activity. Endpoint containment is essential before network-level or recovery actions.

Option B addresses communication but does not stop local manipulation. Option C alters system state without containment. Option A is a regulatory step that follows validation.

ECIH emphasizes that in critical infrastructure and healthcare environments, immediate endpoint containment is essential to protect safety and data integrity.

Email Dossier is a tool designed to assist in the investigation of email incidents by analyzing and validating email headers and providing detailed information about the origin, routing, and authenticity of an email. When Michael is tasked with handling an email incident and needs to check the validity of an email received from an unknown source, Email Dossier can be utilized to trace the email's path, assess its credibility, and identify potential red flags associated with phishing or other malicious email-based attacks.

Incident triage is the stage in the incident response process where the incident handler, like Mike, performs an initial assessment of the reported incident to determine its validity, severity, and potential impact. This includes analyzing the incident to verify if it is a genuine threat or a false positive. The purpose of incident triage is to prioritize incidents based on their criticality and ensure that resources are allocated effectively to address the most serious threats first. This stage is crucial for efficient incident management, as it helps in filtering out false alarms and focusing on real security incidents that require immediate attention.

This scenario describes an evil twin attack, a well-documented wireless network threat covered in the ECIH Network Security Incidents module. An evil twin attack occurs when an attacker sets up a rogue wireless access point that mimics the SSID of a legitimate network. Unsuspecting users connect to the stronger or more accessible signal, allowing attackers to intercept credentials, inject malware, or perform man-in-the-middle attacks.

Option A is correct because the presence of an unauthorized access point broadcasting the same SSID and causing authentication failures is a defining indicator of an evil twin attack. Users may unknowingly connect to the malicious access point, leading to repeated disconnections from the legitimate network.

Option B would not involve a rogue access point. Option C focuses on identity spoofing at the MAC layer but does not explain SSID duplication. Option D involves IP address assignment issues, not SSID impersonation.

ECIH emphasizes that identifying rogue wireless infrastructure quickly is critical to containment. Detecting evil twin attacks allows responders to isolate the rogue device, protect credentials, and restore secure wireless operations.