March Special Sale Limited Time 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: scxmas70

EC0-479 Exam Dumps - EC-Council Certified Security Analyst (ECSA)

Question # 4

This is original file structure database that Microsoft originally designed for floppy disks. It is written to the outermost track of a disk and contains information about each file stored on the drive.

A.

Master Boot Record (MBR)

B.

Master File Table (MFT)

C.

File Allocation Table (FAT)

D.

Disk Operating System (DOS)

Full Access
Question # 5

Melanie was newly assigned to an investigation and asked to make a copy of all the evidence from the compromised system. Melanie did a DOS copy of all the files on the system. What would be the primary reason for you to recommend a disk imaging tool?

A.

A disk imaging tool would check for CRC32s for internal self checking and validation and have MD5 checksum

B.

Evidence file format will contain case data entered by the examiner and encrypted at the beginning of the evidence file

C.

A simple DOS copy will not include deleted files, file slack and other information

D.

There is no case for an imaging tool as it will use a closed, proprietary format that if compared to the original will not match up sector for sector

Full Access
Question # 6

In Linux, what is the smallest possible shellcode?

A.

800 bytes

B.

8 bytes

C.

80 bytes

D.

24 bytes

Full Access
Question # 7

What header field in the TCP/IP protocol stack involves the hacker exploit known as the Ping of Death?

A.

ICMP header field

B.

TCP header field

C.

IP header field

D.

UDP header field

Full Access
Question # 8

The efforts to obtain information before a trail by demanding documents, depositions, questioned and answers written under oath, written requests for admissions of fact and examination of the scene is a description of what legal term?

A.

Detection

B.

Hearsay

C.

Spoliation

D.

Discovery

Full Access
Question # 9

From the following spam mail header, identify the host IP that sent this spam? From jie02@netvigator.com jie02@netvigator.com Tue Nov 27 17:27:11 2001 Received: from viruswall.ie.cuhk.edu.hk (viruswall [137.189.96.52]) by eng.ie.cuhk.edu.hk (8.11.6/8.11.6) with ESMTP id fAR9RAP23061 for ; Tue, 27 Nov 2001 17:27:10 +0800 (HKT) Received: from mydomain.com (pcd249020.netvigator.com [203.218.39.20]) by viruswall.ie.cuhk.edu.hk (8.12.1/8.12.1) with SMTP id fAR9QXwZ018431 for ; Tue, 27 Nov 2001 17:26:36 +0800 (HKT) Message-Id: >200111270926.fAR9QXwZ018431@viruswall.ie.cuhk.edu.hk

From: “china hotel web”

To: “Shlam”

Subject: SHANGHAI (HILTON HOTEL) PACKAGE Date: Tue, 27 Nov 2001 17:25:58 +0800 MIME-Version: 1.0 X-Priority: 3 X-MSMail- Priority: Normal Reply-

To: “china hotel web”

A.

137.189.96.52

B.

8.12.1.0

C.

203.218.39.20

D.

203.218.39.50

Full Access
Question # 10

With Regard to using an Antivirus scanner during a computer forensics investigation, You should:

A.

Scan the suspect hard drive before beginning an investigation

B.

Never run a scan on your forensics workstation because it could change your systems configuration

C.

Scan your forensics workstation at intervals of no more than once every five minutes during an investigation

D.

Scan your Forensics workstation before beginning an investigation

Full Access
Question # 11

What method of computer forensics will allow you to trace all ever-established user accounts on a Windows 2000 sever the course of its lifetime?

A.

forensic duplication of hard drive

B.

analysis of volatile data

C.

comparison of MD5 checksums

D.

review of SIDs in the Registry

Full Access
Question # 12

Windows identifies which application to open a file with by examining which of the following?

A.

The File extension

B.

The file attributes

C.

The file Signature at the end of the file

D.

The file signature at the beginning of the file

Full Access
Question # 13

Jonathan is a network administrator who is currently testing the internal security of his network. He is attempting to hijack a session, using Ettercap, of a user connected to his Web server. Why will Jonathan not succeed?

A.

Only an HTTPS session can be hijacked

B.

Only DNS traffic can be hijacked

C.

Only FTP traffic can be hijacked

D.

HTTP protocol does not maintain session

Full Access
Question # 14

An "idle" system is also referred to as what?

A.

Zombie

B.

PC not being used

C.

Bot

D.

PC not connected to the Internet

Full Access
Question # 15

In a virtual test environment, Michael is testing the strength and security of BGP using multiple routers to mimic the backbone of the Internet. This project will help him write his doctoral thesis on "bringing down the Internet". Without sniffing the traffic between the routers, Michael sends millions of RESET packets to the routers in an attempt to shut one or all of them down. After a few hours, one of the routers finally shuts itself down. What will the other routers communicate between themselves?

A.

More RESET packets to the affected router to get it to power back up

B.

RESTART packets to the affected router to get it to power back up

C.

The change in the routing fabric to bypass the affected router

D.

STOP packets to all other routers warning of where the attack originated

Full Access
Question # 16

At what layer of the OSI model do routers function on?

A.

3

B.

4

C.

5

D.

1

Full Access
Question # 17

You are carrying out the last round of testing for your new website before it goes live. The website has many dynamic pages and connects to a SQL backend that accesses your product inventory in a database. You come across a web security site that recommends inputting the following code into a search field on web pages to check for vulnerabilities:

When you type this and click on search, you receive a pop-up window that says:

"This is a test."

What is the result of this test?

A.

Your website is vulnerable to web bugs

B.

Your website is vulnerable to CSS

C.

Your website is not vulnerable

D.

Your website is vulnerable to SQL injection

Full Access
Question # 18

What are the security risks of running a "repair" installation for Windows XP?

A.

There are no security risks when running the "repair" installation for Windows XP

B.

Pressing Shift+F1 gives the user administrative rights

C.

Pressing Ctrl+F10 gives the user administrative rights

D.

Pressing Shift+F10 gives the user administrative rights

Full Access
Question # 19

Simon is a former employee of Trinitron XML Inc. He feels he was wrongly terminated and wants to hack into his former company's network. Since Simon remembers some of the server names, he attempts to run the axfr and ixfr commands using DIG. What is Simon trying to accomplish here?

A.

Enumerate all the users in the domain

B.

Perform DNS poisoning

C.

Send DOS commands to crash the DNS servers

D.

Perform a zone transfer

Full Access
Question # 20

You have completed a forensic investigation case. You would like to destroy the data contained in various disks at the forensics lab due to sensitivity of the case. How would you permanently erase the data on the hard disk?

A.

Throw the hard disk into the fire

B.

Run the powerful magnets over the hard disk

C.

Format the hard disk multiple times using a low level disk utility

D.

Overwrite the contents of the hard disk with Junk data

Full Access
Question # 21

Volatile Memory is one of the leading problems for forensics. Worms such as code Red are memory resident and do write themselves to the hard drive, if you turn the system off they disappear. In a lab environment, which of the following options would you suggest as the most appropriate to overcome the problem of capturing volatile memory?

A.

Use Vmware to be able to capture the data in memory and examine it

B.

Give the Operating System a minimal amount of memory, forcing it to use a swap file

C.

Create a Separate partition of several hundred megabytes and place the swap file there

D.

Use intrusion forensic techniques to study memory resident infections

Full Access
Question # 22

You are the network administrator for a small bank in Dallas, Texas. To ensure network security, you enact a security policy that requires all users to have 14 character passwords. After giving your users 2 weeks notice, you change the Group Policy to force 14 character passwords. A week later you dump the SAM database from the standalone server and run a password-cracking tool against it. Over 99% of the passwords are broken within an hour. Why were these passwords cracked so quickly?

A.

Networks using Active Directory never use SAM databases so the SAM database pulled was empty

B.

Passwords of 14 characters or less are broken up into two 7-character hashes

C.

The passwords that were cracked are local accounts on the Domain Controller

D.

A password Group Policy change takes at least 3 weeks to completely replicate throughout a network

Full Access
Question # 23

You are trying to locate Microsoft Outlook Web Access Default Portal using Google search on the Internet. What search string will you use to locate them?

A.

outlook:"search"

B.

allinurl:"exchange/logon.asp"

C.

locate:"logon page"

D.

intitle:"exchange server"

Full Access
Question # 24

Bill is the accounting manager for Grummon and Sons LLC in Chicago. On a regular basis, he needs to send PDF documents containing sensitive information through E-mail to his customers. Bill protects the PDF documents with a password and sends them to their intended recipients. Why PDF passwords do not offer maximum protection?

A.

PDF passwords can easily be cracked by software brute force tools

B.

PDF passwords are not considered safe by Sarbanes-Oxley

C.

PDF passwords are converted to clear text when sent through E-mail

D.

When sent through E-mail, PDF passwords are stripped from the document completely

Full Access
Question # 25

When you are running a vulnerability scan on a network and the IDS cuts off your connection, what type of IDS is being used?

A.

NIPS

B.

Passive IDS

C.

Progressive IDS

D.

Active IDS

Full Access
Question # 26

What will the following command produce on a website login page?What will the following command produce on a website? login page?

SELECT email, passwd, login_id, full_name

FROM members

WHERE email = 'someone@somehwere.com'; DROP TABLE members; --'

A.

This command will not produce anything since the syntax is incorrect

B.

Inserts the Error! Reference source not found. email address into the members table

C.

Retrieves the password for the first user in the members table

D.

Deletes the entire members table

Full Access
Question # 27

What are the security risks of running a "repair" installation for Windows XP?

A.

Pressing Shift+F10 gives the user administrative rights

B.

Pressing Ctrl+F10 gives the user administrative rights

C.

There are no security risks when running the "repair" installation for Windows XP

D.

Pressing Shift+F1 gives the user administrative rights

Full Access
Question # 28

In Microsoft file structures, sectors are grouped together to form:

A.

Clusters

B.

Drives

C.

Bitstreams

D.

Partitions

Full Access
Question # 29

Which is a standard procedure to perform during all computer forensics investigations?

A.

with the hard drive removed from the suspect PC, check the date and time in the system‟s CMOS

B.

with the hard drive in the suspect PC, check the date and time in the File Allocation Table

C.

with the hard drive removed from the suspect PC, check the date an d time in the system‟s RAM

D.

with the hard drive in the suspect PC, check the date and time in the system‟s CMOS

Full Access
Question # 30

Lance wants to place a honeypot on his network. Which of the following would be your recommendations?

A.

Use a system that has a dynamic addressing on the network

B.

Use a system that is not directlyinteracing with the router

C.

Use it on a system in an external DMZ in front of the firewall

D.

It doesn‟t matter as all replies are faked

Full Access
Question # 31

When examining a hard disk without a write-blocker, you should not start windows because Windows will write data to the:

A.

Recycle Bin

B.

MSDOS.sys

C.

BIOS D.

Case files

Full Access
Question # 32

You are using DriveSpy, a forensic tool and want to copy 150 sectors where the starting sector is 1709 on the primary hard drive. Which of the following formats correctly specifies these sectors?

A.

0:1000, 150

B.

0:1709, 150

C.

1:1709, 150

D.

0:1709-1858

Full Access
Question # 33

Which part of the Windows Registry contains the user‟s password file?

A.

HKEY_LOCAL_MACHINE

B.

HKEY_CURRENT_CONFIGURATION

C.

HKEY_USER

D.

HKEY_CURRENT_USER

Full Access
Question # 34

A honey pot deployed with the IP 172.16.1.108 was compromised by an attacker . Given below is an excerpt from a Snort binary capture of the attack. Decipher the activity carried out by the attacker by studying the log. Please note that you are required to infer only what is explicit in the excerpt. (Note: The student is being tested on concepts learnt during passive OS fingerprinting, basic TCP/IP connection concepts and the ability to read packet signatures from a sniff dump.) 03/15-20:21:24.107053 211.185.125.124:3500 -> 172.16.1.108:111 TCP TTL:43 TOS:0×0 ID:29726 IpLen:20 DgmLen:52 DF ***A**** Seq: 0x9B6338C5 Ack: 0x5820ADD0 Win: 0x7D78 TcpLen: 32 TCP Options (3) => NOP NOP TS: 23678634 2878772 =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=

03/15-20:21:24.452051 211.185.125.124:789 -> 172.16.1.103:111 UDP TTL:43 TOS:0×0 ID:29733 IpLen:20 DgmLen:84 Len: 64

01 0A 8A 0A 00 00 00 00 00 00 00 02 00 01 86 A0 ……………. 00 00 00 02 00 00 00 03 00 00 00 00 00 00 00 00 ……………. 00 00 00 00 00 00 00 00 00 01 86 B8 00 00 00 01 …………….

00 00 00 11 00 00 00 00 ……..

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=

03/15-20:21:24.730436 211.185.125.124:790 -> 172.16.1.103:32773 UDP TTL:43 TOS:0×0 ID:29781 IpLen:20 DgmLen:1104 Len: 1084 47 F7 9F 63 00 00 00 00 00 00 00 02 00 01 86 B8

A.

The attacker has conducted a network sweep on port 111

B.

The attacker has scanned and exploited the system using Buffer Overflow

C.

The attacker has used a Trojan on port 32773

D.

The attacker has installed a backdoor

Full Access