Winter Sale- Special Discount Limited Time 65% Offer - Ends in 0d 00h 00m 00s - Coupon code: netdisc

ECCouncil EC0-479 EC-Council Certified Security Analyst (ECSA) Exam Practice Test

Page: 1 / 23
Total 232 questions

EC-Council Certified Security Analyst (ECSA) Questions and Answers

Question 1

What TCP/UDP port does the toolkit program netstat use?

Options:

A.

Port 7

B.

Port 15

C.

Port 23

D.

Port 69

Question 2

Hackers can gain access to Windows Registry and manipulate user passwords, DNS settings, access rights or others features that they may need in order to accomplish their objectives. One simple method for loading an application at startup is to add an entry (Key) to the following Registry Hive:

Options:

A.

HKEY_LOCAL_MACHINEhardwarewindowsstart

B.

HKEY_LOCAL_USERSSoftware|MicrosoftoldVersionLoad

C.

HKEY_CURRENT_USERMicrosoftDefault

D.

HKEY_LOCAL_MACHINESoftwareMicrosoftCurrentVersionRun

Question 3

What header field in the TCP/IP protocol stack involves the hacker exploit known as the Ping of Death?

Options:

A.

ICMP header field

B.

TCP header field

C.

IP header field

D.

UDP header field

Question 4

You are working for a local police department that services a population of 1,000,000 people and you have been given the task of building a computer forensics laB. How many law-enforcement computer investigators should you request to staff the lab?

Options:

A.

8

B.

1

C.

4

D.

2

Question 5

You are conducting an investigation of fraudulent claims in an insurance company that involves complex text searches through large numbers of documents. Which of the following tools would allow you to quickly and efficiently search for a string within a file on the bitmap image of the target computer?

Options:

A.

Stringsearch

B.

grep

C.

dir

D.

vim

Question 6

Sectors in hard disks typically contain how many bytes?

Options:

A.

256

B.

512

C.

1024

D.

2048

Question 7

Why should you note all cable connections for a computer you want to seize as evidence?

Options:

A.

to know what outside connections existed

B.

in case other devices were connected

C.

to know what peripheral devices exist

D.

to know what hardware existed

Question 8

What is the target host IP in the following command?

Options:

A.

Firewalk does not scan target hosts

B.

172.16.28.95

C.

This command is using FIN packets, which cannot scan target hosts

D.

10.10.150.1

Question 9

Bill is the accounting manager for Grummon and Sons LLC in Chicago. On a regular basis, he needs to send PDF documents containing sensitive information through E-mail to his customers. Bill protects the PDF documents with a password and sends them to their intended recipients. Why PDF passwords do not offer maximum protection?

Options:

A.

PDF passwords can easily be cracked by software brute force tools

B.

PDF passwords are not considered safe by Sarbanes-Oxley

C.

PDF passwords are converted to clear text when sent through E-mail

D.

When sent through E-mail, PDF passwords are stripped from the document completely

Question 10

After passively scanning the network of Department of Defense (DoD), you switch over to active scanning to identify live hosts on their network. DoD is a lage organization and should respond to any number of scans. You start an ICMP ping sweep by sending an IP packet to the broadcast address. Only five hosts responds to your ICMP pings; definitely not the number of hosts you were expecting. Why did this ping sweep only produce a few responses?

Options:

A.

A switched network will not respond to packets sent to the broadcast address

B.

Only IBM AS/400 will reply to this scan

C.

Only Unix and Unix-like systems will reply to this scan

D.

Only Windows systems will reply to this scan

Question 11

George is the network administrator of a large Internet company on the west coast. Per corporate policy, none of the employees in the company are allowed to use FTP or SFTP programs without obtaining approval from the IT department. Few managers are using SFTP program on their computers. Before talking to his boss, George wants to have some proof of their activity.

George wants to use Ethereal to monitor network traffic, but only SFTP traffic to and from his network. What filter should George use in Ethereal?

Options:

A.

src port 22 and dst port 22

B.

src port 23 and dst port 23

C.

net port 22

D.

udp port 22 and host 172.16.28.1/24

Question 12

When you are running a vulnerability scan on a network and the IDS cuts off your connection, what type of IDS is being used?

Options:

A.

NIPS

B.

Passive IDS

C.

Progressive IDS

D.

Active IDS

Question 13

Kimberly is studying to be an IT security analyst at a vocational school in her town. The school offers many different programming as well as networking languages. What networking protocol language should she learn that routers utilize?

Options:

A.

OSPF

B.

BPG

C.

ATM

D.

UDP

Question 14

After passing her CEH exam, Carol wants to ensure that her network is completely secure. She implements a DMZ, statefull firewall, NAT, IPSEC, and a packet filtering firewall. Since all security measures were taken, none of the hosts on her network can reach the Internet. Why is that?

Options:

A.

Statefull firewalls do not work with packet filtering firewalls

B.

NAT does not work with statefull firewalls

C.

NAT does not work with IPSEC

D.

IPSEC does not work with packet filtering firewalls

Question 15

What operating system would respond to the following command?

Options:

A.

Mac OS X

B.

Windows XP

C.

Windows 95

D.

FreeBSD

Question 16

At what layer of the OSI model do routers function on?

Options:

A.

3

B.

4

C.

5

D.

1

Question 17

Jonathan is a network administrator who is currently testing the internal security of his network. He is attempting to hijack a session, using Ettercap, of a user connected to his Web server. Why will Jonathan not succeed?

Options:

A.

Only an HTTPS session can be hijacked

B.

Only DNS traffic can be hijacked

C.

Only FTP traffic can be hijacked

D.

HTTP protocol does not maintain session

Question 18

How many bits is Source Port Number in TCP Header packet?

Options:

A.

48

B.

32

C.

64

D.

16

Question 19

Why are Linux/Unix based computers better to use than Windows computers for idle scanning?

Options:

A.

Windows computers will not respond to idle scans

B.

Linux/Unix computers are constantly talking

C.

Linux/Unix computers are easier to compromise

D.

Windows computers are constantly talking

Question 20

When setting up a wireless network with multiple access points, why is it important to set each access point on a different channel?

Options:

A.

Avoid cross talk

B.

Avoid over-saturation of wireless signals

C.

So that the access points will work on different frequencies

D.

Multiple access points can be set up on the same channel without any issues

Question 21

Jim performed a vulnerability analysis on his network and found no potential problems. He runs another utility that executes exploits against his system to verify the results of the vulnerability test. The second utility executes five known exploits against his network in which the vulnerability analysis said were not exploitable. What kind of results did Jim receive from his vulnerability analysis?

Options:

A.

False negatives

B.

True positives

C.

True negatives

D.

False positives

Question 22

Paula works as the primary help desk contact for her company.Paula has just received a call from a user reporting that his computer just displayed a Blue Screen of Death screen and he can no longer work.Paula

walks over to the user‟s computer and sees the Blue Screen of Death screen.The user‟s computer is running

Windows XP, but the Blue Screen looks like a familiar one that Paula had seen on Windows 2000 computers periodically. The user said he stepped away from his computer for only 15 minutes and when he got back, the Blue Screen was there.Paula also noticed that the hard drive activity light was flashing, meaning that the computer was processing something.Paula knew this should not be the case since the computer should be completely frozen during a Blue Screen. She checks the network IDS live log entries and notices numerous nmap scan alerts.

What is Paula seeing happen on this computer?

Options:

A.

Paula‟s network was scanned using Floppyscan

B.

There was IRQ conflict in Paula‟s PC

C.

Paula‟s network was scanned using Dumpsec

D.

Tools like Nessus will cause BSOD

Question 23

When examining a hard disk without a write-blocker, you should not start windows because Windows will write data to the:

Options:

A.

Recycle Bin

B.

MSDOS.sys

C.

BIOS D.

Case files

Question 24

What happens when a file is deleted by a Microsoft operating system using the FAT file system?

Options:

A.

only the reference to the file is removed from the FAT

B.

the file is erased and cannot be recovered

C.

a copy of the file is stored and the original file is erased

D.

the file is erased but can be recovered

Question 25

Which legal document allows law enforcement to search an office, place of business, or other locale for evidence relating to an alleged crime?

Options:

A.

bench warrant

B.

wire tap

C.

subpoena

D.

search warrant

Question 26

When a file is deleted by Windows Explorer or through the MS-DOS delete command, the operating system inserts _______________ in the first letter position of the filename in the FAT database.

Options:

A.

A Capital X

B.

A Blank Space

C.

The Underscore Symbol

D.

The lowercase Greek Letter Sigma (s)

Question 27

Lance wants to place a honeypot on his network. Which of the following would be your recommendations?

Options:

A.

Use a system that has a dynamic addressing on the network

B.

Use a system that is not directlyinteracing with the router

C.

Use it on a system in an external DMZ in front of the firewall

D.

It doesn‟t matter as all replies are faked

Question 28

What does the acronym POST mean as it relates to a PC?

Options:

A.

Primary Operations Short Test

B.

Power On Self Test

C.

Pre Operational Situation Test

D.

Primary Operating System Test

Question 29

Diskcopy is:

Options:

A.

a utility byAccessData

B.

a standard MS-DOS command

C.

Digital Intelligence utility

D.

dd copying tool

Question 30

Chris has been called upon to investigate a hacking incident reported by one of his clients. The company suspects the involvement of an insider accomplice in the attack. Upon reaching the incident scene, Chris secures the physical area, records the scene using visual mediA. He shuts the system down by pulling the power plug so that he does not disturb the system in any way. He labels all cables and connectors prior to disconnecting any. What do you think would be the next sequence of events?

Options:

A.

Connect the target media; prepare the system for acquisition; Secure the evidence; Copy the media

B.

Prepare the system for acquisition; Connect the target media; copy the media; Secure the evidence

C.

Connect the target media; Prepare the system for acquisition; Secure the evidence; Copy the media

D.

Secure the evidence; prepare the system for acquisition; Connect the target media; copy the media

Question 31

Office Documents (Word, Excel and PowerPoint) contain a code that allows tracking the MAC or unique identifier of the machine that created the document. What is that code called?

Options:

A.

Globally unique ID

B.

Microsoft Virtual Machine Identifier

C.

Personal Application Protocol

D.

Individual ASCII string

Question 32

What information do you need to recover when searching a victims computer for a crime committed with specific e-mail message?

Options:

A.

Internet service provider information

B.

E-mail header

C.

Username and password

D.

Firewall log

Question 33

Printing under a Windows Computer normally requires which one of the following files types to be created?

Options:

A.

EME

B.

MEM

C.

EMF

D.

CME

Question 34

You have been asked to investigate after a user has reported a threatening e-mail they have received from an external source. Which of the following are you most interested in when trying to trace the source of the message?

Options:

A.

The X509 Address

B.

The SMTP reply Address

C.

The E-mail Header

D.

The Host Domain Name

Page: 1 / 23
Total 232 questions