
EC-Council EC1-349 Exam - Cheat-Test.com

Free EC1-349 Sample Questions:

Q: 1 Chris has been called upon to investigate a hacking incident reported by one of his clients. The company suspects the involvement of an insider accomplice in the attack. Upon reaching the incident scene, Chris secures the physical area, records the scene using visual media. He shuts the system down by pulling the power plug so that he does not disturb the system in any way. He labels all cables and connectors prior to disconnecting any. What do you think would be the next sequence of events?

A. Connect the target media; Prepare the system for acquisition; Secure the evidence; Copy the media
B. Prepare the system for acquisition; Connect the target media; Copy the media; Secure the evidence
C. Connect the target media; Prepare the system for acquisition; Secure the evidence; Copy the media
D. Secure the evidence; Prepare the system for acquisition; Connect the target media; Copy the media

Answer: B

Q: 2 Windows identifies which application to open a file with by examining which of the following?

A. The file attributes
B. The file signature at the beginning of the file
C. The file signature at the end of the file
D. The file extension

Answer: D

Q: 3 If you discover a criminal act while investigating a corporate policy abuse, it becomes a public-sector investigation and should be referred to law enforcement?

A. True
B. False

Answer: A

Q: 4 In Microsoft file structures, sectors are grouped together to form

A. drives
B. bitstreams
C. clusters
D. partitions

Answer: C

Q: 5 You are working in the Security Department of a law firm. One of the attorneys asks you about the topic of sending fake email because he has a client who has been charged with doing just that. His client alleges that he is innocent and that there is no way for a fake email to actually be sent. You inform the attorney that his client is mistaken and that fake email is a possibility and that you can prove it. You return to your desk and craft a fake email to the attorney that appears to come from his boss. What port do you send the email to on the company's SMTP server?

A. 10
B. 25
C. 110
D. 135

Answer: B

Q: 6 When obtaining a warrant it is important to:

A. particularly describe the place to be searched and generally describe the items to be seized
B. generally describe the place to be searched and generally describe the items to be seized
C. generally describe the place to be searched and particularly describe the items to be seized
D. particularly describe the place to be searched and particularly describe the items to be seized

Answer: D

Q: 7 Profiling is a forensics technique for analyzing evidence with the goal of identifying the perpetrator from their previous activity. After a computer has been compromised by a hacker, which of the following would be most important in forming a profile of the incident?

A. The manufacturer of the system compromised
B. The logic, formatting and elegance of the code used in the attack
C. The nature of the attack
D. The vulnerability exploited in the incident

Answer: B

Q: 8 Which legal document allows law enforcement to search an office, place of business, or other locale for evidence relating to an alleged crime?

A. search warrant
B. subpoena
C. wire tap
D. bench warrant

Answer: A

Q: 9 Which of the following refers to the data that might still exist in a cluster even though the original file has been overwritten by another file?

A. Sector
B. Metadata
C. MFT
D. Slack Space

Answer: D

Q: 10 From the following spam mail header, identify the host IP that sent this spam?

From jie02@netvigator.com jie02@netvigator.com Tue Nov 27 17:27:11 2001
Received: from viruswall.ie.cuhk.edu.hk (viruswall [137.189.96.52]) by eng.ie.cuhk.edu.hk (8.11.6/8.11.6) with ESMTP id fAR9RAP23061 for ; Tue, 27 Nov 2001 17:27:10 +0800 (HKT)
Received: from mydomain.com (pcd249020.netvigator.com [203.218.39.20]) by viruswall.ie.cuhk.edu.hk (8.12.1/8.12.1)
with SMTP id fAR9QXwZ018431 for ; Tue, 27 Nov 2001 17:26:36 +0800 (HKT) Message-Id: >200111270926.fAR9QXwZ018431@viruswall.ie.cuhk.edu.hk
From: "china hotel web" To: "Shlam"
Subject: SHANGHAI (HILTON HOTEL) PACKAGE
Date: Tue, 27 Nov 2001 17:25:58 +0800 MIME-Version: 1.0
X-Priority: 3 X-MSMail- Priority: Normal
Reply-To: "china hotel web"

A. 137.189.96.52
B. 203.218.39.50
C. 203.218.39.20
D. 8.12.1.0

Answer: C

Q: 11 When investigating a network that uses DHCP to assign IP addresses, where would you look to determine which system (MAC address) had a specific IP address at a specific time?

A. on the individual computer's ARP cache
B. in the Web Server log files
C. in the DHCP Server log files
D. there is no way to determine the specific IP address

Answer: C

Q: 12 Lance wants to place a honeypot on his network. Which of the following would be your recommendations?

A. Use a system that has a dynamic addressing on the network
B. Use a system that is not directly interacting with the router
C. Use it on a system in an external DMZ in front of the firewall
D. It doesn't matter as all replies are faked

Answer: C

Q: 13 The use of warning banners helps a company avoid litigation by overcoming an employee's assumed ______ when connecting to the company's intranet, network, or virtual private network (VPN) and will allow the company's investigators to monitor, search, and retrieve information stored within the network.

A. right to work
B. right of free speech
C. right to Internet access
D. right of privacy

Answer: D

Q: 14 You should make at least how many bit-stream copies of a suspect drive?

A. 1
B. 2
C. 3
D. 4

Answer: B

Q: 15 You are called by an author who is writing a book and he wants to know how long the copyright for his book will last after he has the book published?

A. 70 years
B. the life of the author
C. the life of the author plus 70 years
D. copyrights last forever

Answer: C

Q: 16 In a computer forensics investigation, what describes the route that evidence takes from the time you find it until the case is closed or goes to court?

A. policy of separation
B. chain of custody
C. rules of evidence
D. law of probability

Answer: B

Q: 17 ______ is simply the application of computer investigation and analysis techniques in the interests of determining potential legal evidence.

A. Network forensics
B. Computer forensics
C. Incident response
D. Event reaction

Answer: B

Q: 18 In what way do the procedures for dealing with evidence in a criminal case differ from the procedures for dealing with evidence in a civil case?

A. evidence in a criminal case must be secured more tightly than in a civil case
B. evidence in a civil case must be secured more tightly than in a criminal case
C. evidence procedures are not important unless you work for a law enforcement agency
D. evidence must be handled in the same way regardless of the type of case

Answer: D

Q: 19 One way to identify the presence of hidden partitions on a suspect's hard drive is to:

A. add up the total size of all known partitions and compare it to the total size of the hard drive
B. examine the FAT and identify hidden partitions by noting an H in the Partition Type field
C. examine the LILO and note an H in the Partition Type field
D. it is not possible to have hidden partitions on a hard drive

Answer: A

Q: 20 What should you do when approached by a reporter about a case that you are working on or have worked on?

A. refer the reporter to the attorney that retained you
B. say, "no comment"
C. answer all the reporter's questions as completely as possible
D. answer only the questions that help your case

Answer: A

Q: 21 You have been asked to investigate the possibility of computer fraud in the finance department of a company. It is suspected that a staff member has been committing finance fraud by printing cheques that have not been authorized. You have exhaustively searched all data files on a bitmap image of the target computer, but have found no evidence. You suspect the files may not have been saved. What should you examine next in this case?

A. The registry
B. The swapfile
C. The recycle bin
D. The metadata

Answer: B

Q: 22 A suspect is accused of violating the acceptable use of computing resources, as he has visited adult websites and downloaded images. The investigator wants to demonstrate that the suspect did indeed visit these sites. However, the suspect has cleared the search history and emptied the cookie cache. Moreover, he has removed any images he might have downloaded. What can the investigator do to prove the violation? Choose the most feasible option.

A. Image the disk and try to recover deleted files
B. Seek the help of co-workers who are eye-witnesses
C. Check the Windows registry for connection data (You may or may not recover)
D. Approach the websites for evidence

Answer: A

Q: 23 Office documents (Word, Excel, PowerPoint) contain a code that allows tracking the MAC, or unique identifier, of the machine that created the document. What is that code called?

A. Microsoft Virtual Machine Identifier
B. Personal Application Protocol
C. Globally Unique ID
D. Individual ASCII String

Answer: C

Q: 24 When you carve an image, recovering the image depends on which of the following skills?

A. recovering the image from a tape backup
B. recognizing the pattern of the data content
C. recognizing the pattern of the header content
D. recognizing the pattern of a corrupt file

Answer: C

Q: 25 Sectors in hard disks typically contain how many bytes?

A. 256
B. 512
C. 1024
D. 2048

Answer: B

Q: 26 What term is used to describe a cryptographic technique for embedding information into something else for the sole purpose of hiding that information from the casual observer?

A. key escrow
B. steganography
C. rootkit
D. offset

Answer: B

Q: 27 This organization maintains a database of hash signatures for known software

A. International Standards Organization
B. Institute of Electrical and Electronics Engineers
C. National Software Reference Library
D. American National Standards Institute

Answer: C

Q: 28 During the course of a corporate investigation, you find that an employee is committing a crime. Can the employer file a criminal complaint with the police?

A. yes, and all evidence can be turned over to the police
B. yes, but only if you turn the evidence over to a federal law enforcement agency
C. no, because the investigation was conducted without following standard police procedures
D. no, because the investigation was conducted without a warrant

Answer: A

Q: 29 You are assigned to work in the computer forensics lab of a state police agency. While working on a high-profile criminal case, you have followed every applicable procedure; however, your boss is still concerned that the defense attorney might question whether evidence has been changed while at the lab. What can you do to prove that the evidence is the same as it was when it first entered the lab?

A. sign a statement attesting that the evidence is the same as it was when it entered the lab
B. there is no reason to worry about this possible claim because state labs are certified
C. make an MD5 hash of the evidence and compare it to the standard database developed by NIST
D. make an MD5 hash of the evidence and compare it with the original MD5 hash that was taken when the evidence first entered the lab

Answer: D

Q: 30 An expert witness may give an opinion if:

A. the opinion, inferences, or conclusions depend on special knowledge, skill, or training not within the ordinary experience of lay jurors
B. to define the issues of the case for determination by the finder of fact
C. to stimulate discussion between the consulting expert and the expert witness
D. to deter the witness from expanding the scope of his or her investigation beyond the requirements of the case

Answer: A


© 2014 Cheat-Test.com, All Rights Reserved