[Q11-Q36] Excellent 312-49v9 PDF Dumps With 100% Exams-boost Exam Passing Guaranteed [Apr-2022]


100% Pass Your 312-49v9 ECCouncil Computer Hacking Forensic Investigator (V9) at First Attempt with Exams-boost


EC-COUNCIL 312-49v9 Exam Syllabus Topics:

Topic: Details
  • Topic 1: Operating System Forensics
  • Topic 2: Computer Forensics in Today’s World
  • Topic 3: Data Acquisition and Duplication
  • Topic 4: Computer Forensics Investigation Process
  • Topic 5: Investigat
  • Topic 6: Defeating Anti-Forensics Techniques
  • Topic 7: Understanding Hard Disks and File Systems

 

NEW QUESTION 11
Select the tool appropriate for examining the dynamically linked libraries of an application or malware.

  • A. ResourcesExtract
  • B. SysAnalyzer
  • C. PEiD
  • D. DependencyWalker

Answer: D

 

NEW QUESTION 12
Using Internet logging software to investigate a case of malicious use of computers, the investigator comes across some entries that appear odd.

From the log, the investigator can see where the person in question went on the Internet. From the log, it appears that the user was manually typing in different user ID numbers. What technique was this user trying?

  • A. Cross site scripting
  • B. Parameter tampering
  • C. SQL injection
  • D. Cookie Poisoning

Answer: B

 

NEW QUESTION 13
Which Event Correlation approach assumes and predicts what an attacker can do next after the attack by studying statistics and probability?

  • A. Automated Field Correlation
  • B. Time (Clock Time) or Role-Based Approach
  • C. Profile/Fingerprint-Based Approach
  • D. Bayesian Correlation

Answer: D

 

NEW QUESTION 14
John and Hillary work in the same department in the company. John wants to find out Hillary's network password so he can take a look at her documents on the file server. He sets the L0phtcrack program to sniffing mode. John sends Hillary an email with a link to Error! Reference source not found. What information will he be able to gather from this?

  • A. The SID of Hillary's network account
  • B. The SAM file from Hillary's computer
  • C. The network shares that Hillary has permissions for
  • D. Hillary's network username and password hash

Answer: D

Explanation:
Note: From the question, we would have to assume that John is not the Administrator, since he needs to run L0phtcrack in sniffing mode. But what if the company is using switches instead of hubs? John would either try to degrade the switch or perform a man-in-the-middle attack.

 

NEW QUESTION 15
You have compromised a lower-level administrator account on an Active Directory network of a small company in Dallas, Texas. You discover Domain Controllers through enumeration. You connect to one of the Domain Controllers on port 389 using ldp.exe.
What are you trying to accomplish here?

  • A. Enumerate domain user accounts and built-in groups
  • B. Enumerate MX and A records from DNS
  • C. Establish a remote connection to the Domain Controller
  • D. Poison the DNS records with false records

Answer: A

 

NEW QUESTION 16
A master boot record (MBR) is the first sector ("sector zero") of a data storage device. What is the size of MBR?

  • A. 512 Bytes
  • B. 4092 Bytes
  • C. Depends on the capacity of the storage device
  • D. 1048 Bytes

Answer: A

 

NEW QUESTION 17
In a FAT32 system, a 123 KB file will use how many sectors?

  • A. 0
  • B. 1
  • C. 2
  • D. 3

Answer: C

 

NEW QUESTION 18
During an investigation of an XSS attack, the investigator comes across the term "[a-zA-Z0-9\%]+" in analyzed evidence details. What is the expression used for?

  • A. Checks for closing angle bracket, hex or double-encoded hex equivalent
  • B. Checks for opening angle bracket, its hex or double-encoded hex equivalent
  • C. Checks for upper and lower-case alphanumeric string inside the tag, or its hex representation
  • D. Checks for forward slash used in HTML closing tags, its hex or double-encoded hex equivalent

Answer: D

 

NEW QUESTION 19
Why is it a good idea to perform a penetration test from the inside?

  • A. To attack a network from a hacker's perspective
  • B. Because 70% of attacks are from inside the organization
  • C. It is never a good idea to perform a penetration test from the inside
  • D. It is easier to hack from the inside

Answer: B

 

NEW QUESTION 20
You are carrying out the last round of testing for your new website before it goes live. The website has many dynamic pages and connects to a SQL backend that accesses your product inventory in a database. You come across a web security site that recommends inputting the following code into a search field on web pages to check for vulnerabilities: When you type this and click on search, you receive a pop-up window that says:
"This is a test."
What is the result of this test?

  • A. Your website is not vulnerable
  • B. Your website is vulnerable to CSS
  • C. Your website is vulnerable to SQL injection
  • D. Your website is vulnerable to web bugs

Answer: B

 

NEW QUESTION 21
Analyze the hex representation of mysql-bin.000013 file in the screenshot below. Which of the following will be an inference from this analysis?

  • A. A WordPress user has been created with the username bad_guy
  • B. A WordPress user has been created with the username anonymous_hacker
  • C. A user with username bad_guy has logged into the WordPress web application
  • D. An attacker with name anonymous_hacker has replaced a user bad_guy in the WordPress database

Answer: A

 

NEW QUESTION 22
Which of the following does Microsoft Exchange E-mail Server use for collaboration of various e-mail applications?

  • A. Messaging Application Programming Interface (MAPI)
  • B. Internet Message Access Protocol (IMAP)
  • C. Post Office Protocol version 3 (POP3)
  • D. Simple Mail Transfer Protocol (SMTP)

Answer: A

 

NEW QUESTION 23
An employee is suspected of stealing proprietary information belonging to your company that he had no rights to possess. The information was stored on the employee's computer, which was protected with the NTFS Encrypted File System (EFS), and you had observed him copy the files to a floppy disk just before leaving work for the weekend. You detain the employee before he leaves the building, recover the floppy disks and secure his computer. Will you be able to break the encryption so that you can verify that the employee was in possession of the proprietary information?

  • A. When the encrypted file was copied to the floppy disk, it was automatically unencrypted, so you can recover the information.
  • B. When the Encrypted file was copied to the floppy disk, the EFS private key was also copied to the floppy disk, so you can recover the information.
  • C. EFS uses a 128-bit key that can't be cracked, so you will not be able to recover the information
  • D. The EFS Revoked Key Agent can be used on the Computer to recover the information

Answer: A

 

NEW QUESTION 24
What is the First Step required in preparing a computer for forensics investigation?

  • A. Suspend automated document destruction and recycling policies that may pertain to any relevant media or users at Issue
  • B. Do not turn the computer off or on, run any programs, or attempt to access data on a computer
  • C. Identify the type of data you are seeking, the Information you are looking for, and the urgency level of the examination
  • D. Secure any relevant media

Answer: B

 

NEW QUESTION 25
This is the original file structure database that Microsoft originally designed for floppy disks. It is written to the outermost track of a disk and contains information about each file stored on the drive.

  • A. File Allocation Table (FAT)
  • B. Master Boot Record (MBR)
  • C. Master File Table (MFT)
  • D. Disk Operating System (DOS)

Answer: A

Explanation:
An MBR is usually found on fixed disks, not floppy.
An MFT is part of NTFS, and NTFS is not used on floppy.
DOS is an operating system, not a file structure database.

 

NEW QUESTION 26
You are working for a large clothing manufacturer as a computer forensics investigator and are called in to investigate an unusual case of an employee possibly stealing clothing designs from the company and selling them under a different brand name for a different company. What you discover during the course of the investigation is that the clothing designs are actually original products of the employee and the company has no policy against an employee selling his own designs on his own time. The only thing that you can find that the employee is doing wrong is that his clothing design incorporates the same graphic symbol as that of the company with only the wording in the graphic being different. What area of the law is the employee violating?

  • A. printright law
  • B. brandmark law
  • C. trademark law
  • D. copyright law

Answer: C

 

NEW QUESTION 27
Which of the following is a record of the characteristics of a file system, including its size, the block size, the empty and the filled blocks and their respective counts, the size and location of the inode tables, the disk block map and usage information, and the size of the block groups?

  • A. Inode bitmap block
  • B. Data block
  • C. Block bitmap block
  • D. Superblock

Answer: D

 

NEW QUESTION 28
In handling computer-related incidents, which IT role should be responsible for recovery, containment, and prevention to constituents?

  • A. Director of Information Technology
  • B. Network Administrator
  • C. Security Administrator
  • D. Director of Administration

Answer: B

 

NEW QUESTION 29
Which of the following stands true for BIOS Parameter Block?

  • A. The length of BIOS Partition Block remains the same across all the file systems
  • B. The BIOS Partition Block describes the physical layout of a data storage volume
  • C. The BIOS Partition Block always refers to the 512-byte boot sector
  • D. The BIOS Partition Block is the first sector of a data storage device

Answer: B

 

NEW QUESTION 30
To check for POP3 traffic using Ethereal, what port should an investigator search by?

  • A. 0
  • B. 1
  • C. 2
  • D. 3

Answer: A

 

NEW QUESTION 31
Which of the following is NOT a part of pre-investigation phase?

  • A. Building forensics workstation
  • B. Gathering information about the incident
  • C. Creating an investigation team
  • D. Gathering evidence data

Answer: D

 

NEW QUESTION 32
You are working as an independent computer forensics investigator and received a call from a systems administrator for a local school system requesting your assistance. One of the students at the local high school is suspected of downloading inappropriate images from the Internet to a PC in the Computer lab. When you arrive at the school, the systems administrator hands you a hard drive and tells you that he made a "simple backup copy" of the hard drive in the PC and put it on this drive and requests that you examine that drive for evidence of the suspected images. You inform him that a "simple backup copy" will not provide deleted files or recover file fragments.
What type of copy do you need to make to ensure that the evidence found is complete and admissible in future proceedings?

  • A. Full backup Copy
  • B. Robust Copy
  • C. Incremental Backup Copy
  • D. Bit-stream Copy

Answer: D

 

NEW QUESTION 33
Which of the following Event Correlation Approaches is an advanced correlation method that assumes and predicts what an attacker can do next after the attack by studying the statistics and probability and uses only two variables?

  • A. Vulnerability-Based Approach
  • B. Bayesian Correlation
  • C. Rule-Based Approach
  • D. Route Correlation

Answer: B

 

NEW QUESTION 34
A computer forensics investigator is inspecting the firewall logs for a large financial institution that has employees working 24 hours a day, 7 days a week.

What can the investigator infer from the screenshot seen below?

  • A. A smurf attack has been attempted
  • B. Network intrusion has occurred
  • C. Buffer overflow attempt on the firewall.
  • D. A denial of service has been attempted

Answer: B

 

NEW QUESTION 35
Under which Federal Statutes does the FBI investigate computer crimes involving e-mail scams and mail fraud?

  • A. 18 U.S.C. 1343 Fraud by wire, radio or television
  • B. 18 U.S.C. 1030 Fraud and related activity in connection with computers
  • C. 18 U.S.C. 1831 Economic Espionage Act
  • D. 18 U.S.C. 1361 Injury to Government Property
  • E. 18 U.S.C. 1029 Possession of Access Devices
  • F. 18 U.S.C. 1832 Trade Secrets Act
  • G. 18 U.S.C. 1362 Government communication systems

Answer: B

 

NEW QUESTION 36
......
