New Year Special Limited Time Flat 70% Discount offer - Ends in 0d 00h 00m 00s - Coupon code: 70spcl

ECCouncil 412-79 EC-Council Certified Security Analyst (ECSA) Exam Practice Test

Page: 1 / 20
Total 203 questions

EC-Council Certified Security Analyst (ECSA) Questions and Answers

Question 1

You are carrying out the last round of testing for your new website before it goes live. The website has many dynamic pages and connects to a SQL backend that accesses your product inventory in a database. You come across a web security site that recommends inputting the following code into a search field on web pages to check for vulnerabilities:

<script>alert("This is a test.")</script>

When you type this and click on search, you receive a pop-up window that says:

"This is a test."

What is the result of this test?

Options:

A.

Your website is vulnerable to CSS

B.

Your website is not vulnerable

C.

Your website is vulnerable to SQL injection

D.

Your website is vulnerable to web bugs

Question 2

Terri works for a security consulting firm that is currently performing a penetration test on First National Bank in Tokyo. Terri's duties include bypassing firewalls and switches to gain access to the network. Terri sends an IP packet to one of the company's switches with ACK bit and the source address of her machine set. What is Terri trying to accomplish by sending this IP packet?

Options:

A.

Enable tunneling feature on the switch

B.

Trick the switch into thinking it already has a session with Terri's computer

C.

Crash the switch with a DoS attack since switches cannot send ACK bits

D.

Poison the switch's MAC address table by flooding it with ACK bits

Question 3

You just passed your ECSA exam and are about to start your first consulting job running security audits for a financial institution in Los Angeles. The IT manager of the company you will be working for tries to see if you remember your ECSA class. He asks about the methodology you will be using to test the company's network. How would you answer?

Options:

A.

IBM Methodology

B.

LPT Methodology

C.

Google Methodology

D.

Microsoft Methodology

Question 4

When you are running a vulnerability scan on a network and the IDS cuts off your connection, what type of IDS is being used?

Options:

A.

NIPS

B.

Passive IDS

C.

Progressive IDS

D.

Active IDS

Question 5

You are trying to locate Microsoft Outlook Web Access Default Portal using Google search on the Internet. What search string will you use to locate them?

Options:

A.

outlook:"search"

B.

allinurl:"exchange/logon.asp"

C.

locate:"logon page"

D.

intitle:"exchange server"

Question 6

You are a security analyst performing a penetration tests for a company in the Midwest. After some initial reconnaissance, you discover the IP addresses of some Cisco routers used by the company. You type in the following URL that includes the IP address of one of the routers:

http://172.168.4.131/level/99/exec/show/config

After typing in this URL, you are presented with the entire configuration file for that router. What have you discovered?

Options:

A.

URL Obfuscation Arbitrary Administrative Access Vulnerability

B.

Cisco IOS Arbitrary Administrative Access Online Vulnerability

C.

HTTP Configuration Arbitrary Administrative Access Vulnerability

D.

HTML Configuration Arbitrary Administrative Access Vulnerability

Question 7

Frank is working on a vulnerability assessment for a company on the West coast. The company hired Frank to assess its network security through scanning, pen tests, and vulnerability assessments. After discovering numerous known vulnerabilities detected by a temporary IDS he set up, he notices a number of items that show up as unknown but questionable in the logs. He looks up the behavior on the Internet, but cannot find anything related. What organization should Frank submit the log to find out if it is a new vulnerability or not?

Options:

A.

RIPE

B.

CVE

C.

IANA

D.

APIPA

Question 8

Before you are called to testify as an expert, what must an attorney do first?

Options:

A.

engage in damage control

B.

prove that the tools you used to conduct your examination are perfect

C.

read your curriculum vitae to the jury

D.

qualify you as an expert witness

Question 9

When examining a hard disk without a write-blocker, you should not start windows because Windows will write data to the:

Options:

A.

Recycle Bin

B.

MSDOS.sys

C.

BIOS D.

Case files

Question 10

When examining a file with a Hex Editor, what space does the file header occupy?

Options:

A.

the last several bytes of the file

B.

the first several bytes of the file

C.

none, file headers are contained in the FAT

D.

one byte at the beginning of the file

Question 11

While working for a prosecutor, What do you think you should do if the evidence you found appears to be exculpatory and is not being released to the defense ?

Options:

A.

Keep the information of file for later review

B.

Destroy the evidence

C.

Bring the information to the attention of the prosecutor, his or her supervisor or finally to the judge

D.

Present the evidence to the defense attorney

Question 12

How many characters long is the fixed-length MD5 algorithm checksum of a critical system file?

Options:

A.

128

B.

64

C.

32

D.

16

Question 13

In General, ______________ Involves the investigation of data that can be retrieved from the hard disk or other disks of a computer by applying scientific methods to retrieve the datA.

Options:

A.

Network Forensics

B.

Data Recovery

C.

Disaster Recovery

D.

Computer Forensics

Question 14

A (n) ____________ is one that‟s performed by a computer program rather than the attacker manually performing the steps in the attack sequence.

Options:

A.

blackout attack

B.

automated attack

C.

distributed attack

D.

central processing attack

Question 15

Simon is a former employee of Trinitron XML Inc. He feels he was wrongly terminated and wants to hack into his former company's network. Since Simon remembers some of the server names, he attempts to run the axfr and ixfr commands using DIG. What is Simon trying to accomplish here?

Options:

A.

Perform a zone transfer

B.

Perform DNS poisoning

C.

Send DOS commands to crash the DNS servers

D.

Enumerate all the users in the domain

Question 16

Harold wants to set up a firewall on his network but is not sure which one would be the most appropriate. He knows he needs to allow FTP traffic to one of the servers on his network, but he wants to only allow FTP-PUT. Which firewall would be most appropriate for Harold? needs?

Options:

A.

Application-level proxy firewall

B.

Data link layer firewall

C.

Packet filtering firewall

D.

Circuit-level proxy firewall

Question 17

You are the security analyst working for a private company out of France. Your current assignment is to obtain credit card information from a Swiss bank owned by that company. After initial reconnaissance, you discover that the bank security defenses are very strong and would take too long to penetrate. You decide to get the information by monitoring the traffic between the bank and one of its subsidiaries in London. After monitoring some of the traffic, you see a lot of FTP packets traveling back and forth. You want to sniff the traffic and extract usernames and passwords. What tool could you use to get this information?

Options:

A.

RaidSniff

B.

Snort

C.

Ettercap

D.

Airsnort

Question 18

You are running known exploits against your network to test for possible vulnerabilities. To test the strength of your virus software, you load a test network to mimic your production network. Your software successfully blocks some simple macro and encrypted viruses. You decide to really test the software by using virus code where the code rewrites itself entirely and the signatures change from child to child, but the functionality stays the same. What type of virus is this that you are testing?

Options:

A.

Metamorphic

B.

Oligomorhic

C.

Polymorphic

D.

Transmorphic

Question 19

An "idle" system is also referred to as what?

Options:

A.

Zombie

B.

PC not being used

C.

Bot

D.

PC not connected to the Internet

Question 20

What is a good security method to prevent unauthorized users from "tailgating"?

Options:

A.

Electronic key systems

B.

Man trap

C.

Pick-resistant locks

D.

Electronic combination locks

Question 21

What will the following URL produce in an unpatched IIS Web Server? Question # 21

Options:

A.

Execute a buffer flow in the C: drive of the web server

B.

Insert a Trojan horse into the C: drive of the web server

C.

Directory listing of the C:\windows\system32 folder on the web server

D.

Directory listing of C: drive on the web server

Question 22

When using Windows acquisitions tools to acquire digital evidence, it is important to use a well- tested hardware write-blocking device to:

Options:

A.

Automate Collection from image files

B.

Avoiding copying data from the boot partition

C.

Acquire data from host-protected area on a disk

D.

Prevent Contamination to the evidence drive

Question 23

Melanie was newly assigned to an investigation and asked to make a copy of all the evidence from the compromised system. Melanie did a DOS copy of all the files on the system. What would be the primary reason for you to recommend a disk imaging tool?

Options:

A.

A disk imaging tool would check for CRC32s for internal self checking and validation and have MD5 checksum

B.

Evidence file format will contain case data entered by the examiner and encrypted at the beginning of the evidence file

C.

A simple DOS copy will not include deleted files, file slack and other information

D.

There is no case for an imaging tool as it will use a closed, proprietary format that if compared to the original will not match up sector for sector

Question 24

You are employed directly by an attorney to help investigate an alleged sexual harassment case at a large pharmaceutical manufacture. While at the corporate office of the company, the CEO demands to know the status of the investigation. What prevents you from discussing the case with the CEO?

Options:

A.

the attorney-work-product rule

B.

Good manners

C.

Trade secrets

D.

ISO 17799

Question 25

The police believe that Mevin Mattew has been obtaining unauthorized access to computers belonging to numerous computer software and computer operating systems manufacturers, cellular telephone manufacturers, Internet Service Providers and Educational Institutions. They also suspect that he has been stealing, copying and misappropriating proprietary computer software belonging to the several victim companies. What is preventing the police from breaking down the suspects door and searching his home and seizing all of his computer equipment if they have not yet obtained a warrant?

Options:

A.

The Fourth Amendment

B.

The USA patriot Act

C.

The Good Samaritan Laws

D.

The Federal Rules of Evidence

Question 26

You are working as a Computer forensics investigator for a corporation on a computer abuse case. You discover evidence that shows the subject of your investigation is also embezzling money from the company. The company CEO and the corporate legal counsel advise you to contact law enforcement and provide them with the evidence that you have founD. The law enforcement officer that responds requests that you put a network sniffer on your network and monitor all traffic to the subjects computer. You inform the officer that you will not be able to comply with that request because doing so would:

Options:

A.

Violate your contract

B.

Cause network congestion

C.

Make you an agent of law enforcement

D.

Write information to the subjects hard drive

Question 27

A law enforcement officer may only search for and seize criminal evidence with _____________, which are facts or circumstances that would lead a reasonable person to believe a crime has been committed or is about to be committed, evidence of the specific crime exists and the evidence of the specific crime exists at the place to be searcheD.

Options:

A.

Mere Suspicion

B.

A preponderance of the evidence

C.

Probable cause

D.

Beyond a reasonable doubt

Question 28

One way to identify the presence of hidden partitions on a suspect‟s hard drive is to:

Options:

A.

Add up the total size of all known partitions and compare it to the total size of the hard drive

B.

Examine the FAT and identify hidden partitions by noting an H in the partition Type field

C.

Examine the LILO and note an H in the partition Type field

D.

It is not possible to have hidden partitions on a hard drive

Question 29

Area density refers to:

Options:

A.

the amount of data per disk

B.

the amount of data per partition

C.

the amount of data per square inch

D.

the amount of data per platter

Question 30

As a CHFI professional, which of the following is the most important to your professional reputation?

Options:

A.

Your Certifications

B.

The correct, successful management of each and every case

C.

The free that you charge

D.

The friendship of local law enforcement officers

Question 31

You should make at least how many bit-stream copies of a suspect drive?

Options:

A.

1

B.

2

C.

3

D.

4

Question 32

You are working as an independent computer forensics investigator and receive a call from a systems administrator for a local school system requesting your assistance. One of the students at the local high school is suspected of downloading inappropriate images from the Internet to a PC in the Computer laB. When you arrive at the school, the systems administrator hands you a hard drive and tells you that he made a simple backup copy of the hard drive in the PC and put it on this drive and requests that you examine that drive for evidence of the suspected images. You inform him that a simple backup copy will not provide deleted files or recover file fragments. What type of copy do you need to make to ensure that the evidence found is complete and admissible in future proceedings?

Options:

A.

Bit-stream Copy

B.

Robust Copy

C.

Full backup Copy

D.

Incremental Backup Copy

Question 33

Which federal computer crime law specifically refers to fraud and related activity in connection with access devices like routers?

Options:

A.

18 U.S.C. 1029

B.

18 U.S.C. 1362

C.

18 U.S.C. 2511

D.

18 U.S.C. 2703

Question 34

When obtaining a warrant it is important to:

Options:

A.

particularlydescribe the place to be searched and particularly describe the items to be seized

B.

generallydescribe the place to be searched and particularly describe the items to be seized

C.

generallydescribe the place to be searched and generally describe the items to be seized

D.

particularlydescribe the place to be searched and generally describe the items to be seized

Page: 1 / 20
Total 203 questions