Michael, a digital forensic responder, enters a server room after a suspected data breach. He ensures all individuals not involved in the investigation are escorted out, avoids altering any device configurations, and isolates the server from the network without powering it down. What is the main goal of Michael's actions?
Correct Answer: C
Michael's actions reflect crime scene control, a foundational first-response principle in the ECIH forensic readiness module. Securing the area, preventing unauthorized access, and avoiding system changes preserve evidence integrity. Option C is correct because his primary objective is to secure and evaluate the digital crime scene before evidence collection begins. ECIH stresses that scene control prevents contamination, tampering, and accidental evidence destruction. Options A, B, and D may follow but are not the immediate objective.
212-89 Exam Question 7
Farheen is an incident responder at a reputed IT firm based in Florida. Farheen was asked to investigate a recent cybercrime faced by the organization. As part of this process, she collected static data from a victim system. She used the dd tool to perform forensic duplication and obtain an NTFS image of the original disk. She created a sector-by-sector mirror image of the disk and saved the output image file as image.dd. Identify the static data collection process step performed by Farheen while collecting static data.
Correct Answer: C
Farheen's use of the dd tool to create a sector-by-sector mirror image of the original disk is an example of system preservation. This step is crucial in digital forensics because it produces an exact copy of the storage device so that the original data remains unchanged during the investigation: all analysis is performed on the image, never on the evidence disk. In practice the acquisition is done through a write blocker, and a cryptographic hash (for example SHA-256) of the source device and of image.dd is recorded and compared; a matching hash is what later demonstrates that the copy is faithful and that the original was not altered. Because a raw dd image captures every sector, including unallocated space and file slack, the NTFS volume inside it can be parsed later with forensic tooling without returning to the original evidence. References: The Incident Handler (ECIH v3) certification materials discuss various methods and tools for data acquisition and preservation, highlighting the importance of system preservation in the initial stages of forensic analysis.
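The following is an added example, not code from the ECIH materials or from the question. It re-implements in Python what `dd if=<disk> of=image.dd bs=512 conv=noerror,sync` does, so that the sector-by-sector copy, the zero-padding of unreadable sectors, and the hash verification can be run and checked offline. The source "disk" is a constructed file, and the `unreadable` set that simulates read errors is an assumption of this example; on a real acquisition those errors come from the drive and the source would be a block device behind a write blocker.

```python
"""Added example: sector-by-sector imaging with dd's conv=noerror,sync semantics,
followed by SHA-256 verification of the image against the source."""
import hashlib
import os
import tempfile

SECTOR = 512  # dd's default block size; also the classic disk sector size


def make_sample_disk(path, nblocks=64):
    """Write a constructed stand-in for the source disk (deterministic content)."""
    with open(path, "wb") as f:
        for idx in range(nblocks):
            # each sector carries its own index, so a mis-ordered block would be obvious
            f.write(idx.to_bytes(4, "big") * (SECTOR // 4))
    return path


def image_device(src, dst, bs=SECTOR, unreadable=frozenset()):
    """Copy src to dst block by block, mirroring `dd ... conv=noerror,sync`.

    `unreadable` is a set of block indexes that simulate I/O errors (an assumption
    of this example). As with conv=sync, a failed or short read is padded to a full
    block of zeros so every later sector keeps its original offset; as with
    conv=noerror, imaging continues instead of aborting.
    Returns (blocks_written, blocks_zeroed).
    """
    size = os.path.getsize(src)
    nblocks = -(-size // bs)  # ceiling division: a trailing partial block is still copied
    zeroed = 0
    with open(src, "rb") as fin, open(dst, "wb") as fout:
        for idx in range(nblocks):
            try:
                if idx in unreadable:
                    raise OSError("simulated read error at block %d" % idx)
                fin.seek(idx * bs)
                block = fin.read(bs)
            except OSError:
                block = b""
                zeroed += 1
            fout.write(block.ljust(bs, b"\0"))
    return nblocks, zeroed


def sha256_file(path, chunk=1 << 20):
    """Acquisition hash; the same routine is run over the source and the image."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for piece in iter(lambda: f.read(chunk), b""):
            h.update(piece)
    return h.hexdigest()


def verify_image(src, dst):
    """True only if the image is a bit-for-bit copy of the source."""
    return sha256_file(src) == sha256_file(dst)


def demo():
    """Image a constructed disk twice: cleanly, and with one simulated bad sector."""
    with tempfile.TemporaryDirectory() as d:
        src = make_sample_disk(os.path.join(d, "disk.raw"))
        clean = os.path.join(d, "image.dd")
        damaged = os.path.join(d, "image_bad.dd")
        clean_stats = image_device(src, clean)
        bad_stats = image_device(src, damaged, unreadable={3})
        with open(damaged, "rb") as f:
            f.seek(3 * SECTOR)
            zero_filled = f.read(SECTOR) == b"\0" * SECTOR
        return {
            "clean_stats": clean_stats,
            "clean_verified": verify_image(src, clean),
            "bad_stats": bad_stats,
            "bad_verified": verify_image(src, damaged),
            "bad_size_preserved": os.path.getsize(damaged) == os.path.getsize(src),
            "bad_sector_zero_filled": zero_filled,
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The second run shows why the hash comparison matters: with one unreadable sector the image is still the right size and every other sector sits at its correct offset, but its hash no longer matches the source, so the acquisition notes must record the failed block rather than present the image as a verified duplicate.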
212-89 Exam Question 8
Which of the following is an attack that attempts to prevent the use of systems, networks, or applications by the intended users?
Correct Answer: A
A Denial of Service (DoS) attack aims to make a system, network, or application unavailable to its intended users, thereby preventing legitimate users from using the service. This is achieved by overwhelming the target with a flood of traffic or by sending input that triggers a crash or exhausts a resource. In contrast, fraud and theft involve the unauthorized acquisition of data or assets, unauthorized access refers to gaining entry into systems without permission, and malicious code or insider threat attacks relate to software designed to cause harm or to unauthorized actions by trusted users within the organization. The specific intent of a DoS attack is to disrupt service, making it a distinct category focused on denial of availability. References: The Incident Handler (ECIH v3) certification materials discuss various types of cybersecurity threats, including DoS attacks, outlining their methods, objectives, and impacts on targeted systems or networks.
212-89 Exam Question 9
Which of the following methods helps incident responders reduce false-positive alert rates and lets them focus on the highest-priority issues, thereby reducing potential risk and corporate liability?
Correct Answer: C
Threat correlation is a method used by incident responders to analyze and associate indicators of compromise (IoCs) and alerts from different sources in order to identify genuine threats. By correlating data from multiple sources and applying threat intelligence to distinguish unrelated events from coordinated attack patterns, responders can significantly reduce the rate of false-positive alerts: an alert that stands alone is far more likely to be noise than several independent sensors reporting on the same host within the same time window, especially when one of them references a known-bad indicator. This enables teams to prioritize their efforts on the most critical and most likely threats, thereby reducing potential risks and corporate liabilities. Effective threat correlation relies on security information and event management (SIEM) systems, threat intelligence platforms, and analytical techniques that identify relationships between seemingly disparate security events and alerts. References: The role of threat correlation in improving the efficiency of incident response activities by reducing false positives and focusing on high-priority issues is outlined in various cybersecurity frameworks and incident response guides, including those related to the ECIH v3 certification. These resources emphasize the importance of applying context and intelligence to security alerts to accurately identify and respond to genuine threats.
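To make the correlation idea concrete, here is an added example (not from the ECIH materials) of a minimal correlation pass: alerts from several tools are clustered per host inside a time window, a cluster's score grows with the number of distinct sources that agree and with any match against a threat-intelligence list, and single-source noise stays at low priority. The alerts, the sensor names, the hosts, and the one "known bad" address (from the 203.0.113.0/24 documentation range) are all constructed for the example; the scoring thresholds are an assumption, not an ECIH-prescribed formula.

```python
"""Added example: multi-source threat correlation that turns raw alerts into a
short, prioritized list of incidents."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed threat intelligence (assumption for this example, not a real indicator).
KNOWN_BAD = {"203.0.113.45"}

# Constructed alerts from four sensors; timestamps are ISO 8601 and already in UTC.
ALERTS = [
    {"ts": "2024-05-01T10:00:05", "source": "ids", "host": "ws-17", "remote": "203.0.113.45",
     "msg": "outbound connection to flagged address"},
    {"ts": "2024-05-01T10:01:10", "source": "edr", "host": "ws-17", "remote": None,
     "msg": "encoded PowerShell command line"},
    {"ts": "2024-05-01T10:02:00", "source": "proxy", "host": "ws-17", "remote": "203.0.113.45",
     "msg": "executable download"},
    {"ts": "2024-05-01T10:30:00", "source": "ids", "host": "ws-42", "remote": "10.0.5.9",
     "msg": "port scan signature"},            # lone IDS hit, typical vulnerability-scanner noise
    {"ts": "2024-05-01T09:00:00", "source": "auth", "host": "srv-db", "remote": "10.0.1.20",
     "msg": "failed login"},
    {"ts": "2024-05-01T09:00:02", "source": "auth", "host": "srv-db", "remote": "10.0.1.20",
     "msg": "failed login"},                   # the same tool twice is still one source
    {"ts": "2024-05-01T11:00:00", "source": "ids", "host": "ws-09", "remote": "10.0.7.3",
     "msg": "suspicious DNS query volume"},
    {"ts": "2024-05-01T11:04:00", "source": "edr", "host": "ws-09", "remote": None,
     "msg": "new scheduled task"},
    {"ts": "2024-05-01T13:30:00", "source": "edr", "host": "ws-09", "remote": None,
     "msg": "new scheduled task"},             # outside the window: a separate cluster
]


def _priority(score):
    if score >= 4:
        return "high"
    if score >= 2:
        return "medium"
    return "low"


def correlate(alerts, window=timedelta(minutes=15), intel=KNOWN_BAD):
    """Return one record per (host, time cluster), highest score first.

    score = number of distinct alert sources in the cluster
            + 2 if any alert in the cluster references a known-bad indicator.
    A cluster starts at an alert and absorbs later alerts on the same host
    that fall within `window` of the cluster's first alert.
    """
    by_host = defaultdict(list)
    for a in alerts:
        by_host[a["host"]].append(dict(a, when=datetime.fromisoformat(a["ts"])))

    clusters = []
    for host, items in by_host.items():
        items.sort(key=lambda a: a["when"])
        current = None
        for a in items:
            if current is None or a["when"] - current["start"] > window:
                current = {"host": host, "start": a["when"], "alerts": []}
                clusters.append(current)
            current["alerts"].append(a)

    results = []
    for c in clusters:
        sources = sorted({a["source"] for a in c["alerts"]})
        ioc_hits = sorted({a["remote"] for a in c["alerts"] if a["remote"] in intel})
        score = len(sources) + (2 if ioc_hits else 0)
        results.append({
            "host": c["host"],
            "start": c["start"].isoformat(),
            "alert_count": len(c["alerts"]),
            "sources": sources,
            "ioc_hits": ioc_hits,
            "score": score,
            "priority": _priority(score),
        })
    results.sort(key=lambda r: (-r["score"], r["start"]))
    return results


def triage_summary(alerts=ALERTS):
    """How many raw alerts collapse into how many incidents worth a responder's time."""
    results = correlate(alerts)
    actionable = [r for r in results if r["priority"] != "low"]
    return {"raw_alerts": len(alerts), "clusters": len(results),
            "actionable": len(actionable), "top": results[0]["host"] if results else None}


if __name__ == "__main__":
    for r in correlate(ALERTS):
        print(r["priority"].upper().ljust(6), r["host"], r["sources"], r["ioc_hits"])
    print(triage_summary())
```

On the constructed input nine alerts collapse into five clusters, of which only two are worth a responder's attention: ws-17, where IDS, EDR and proxy agree and the remote address is on the intelligence list, and ws-09, where two sensors fire within minutes of each other. The repeated failed logins on srv-db and the lone port-scan signature stay low, which is the false-positive reduction the explanation describes.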
212-89 Exam Question 10
A company facing a wave of spoofed payment emails launched an investigation and found that employees had unknowingly interacted with malicious sender domains. Despite blocking initial IPs and purging visible email content, similar threats resurfaced using altered variants. The team moved to eliminate recurring delivery mechanisms and close technical loopholes. Which step is most aligned with this eradication initiative?
Correct Answer: D
This scenario describes a persistent phishing campaign leveraging spoofed domains and variant-based delivery mechanisms. According to the EC-Council Incident Handler (ECIH) curriculum under Email Security Incident Handling and Eradication, once detection and containment measures (such as blocking malicious IP addresses and purging emails) have been implemented, the eradication phase must focus on eliminating root causes and recurring technical vectors. The key phrase in the question is "eliminate recurring delivery mechanisms and close technical loopholes." ECIH emphasizes that phishing campaigns frequently evolve by modifying URLs, sender domains, encoding techniques, and payload structures to bypass simple IP blocking controls. Therefore, security teams must analyze decoded message components, extract malicious URLs, and generate URL-based deny-lists at the secure email gateway, web proxy, and firewall layers. Creating email-specific URL deny-lists directly disrupts the attack infrastructure and prevents repeated access to malicious domains, even when attackers use variant IP addresses or modified content. This is a technical eradication control aligned with eliminating delivery vectors. Options B and C (training and simulations) are preventive awareness measures and fall under the preparation or post-incident improvement phase, not eradication. Option A (WHOIS masking) is unrelated to preventing phishing delivery. ECIH guidance stresses strengthening email filtering rules, updating domain and URL deny-lists, implementing SPF/DKIM/DMARC validation, and hardening secure email gateways as core eradication techniques. Therefore, option D best aligns with the eradication objective.
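The explanation's "analyze decoded message components, extract malicious URLs, and generate URL-based deny-lists" step, as an added example that is not part of the ECIH materials: a constructed phishing-style message with a base64-encoded HTML part is decoded with the standard library, its URLs and sender domain are extracted, and they are turned into deny-list entries keyed on the registrable domain rather than on a single IP, so that the altered variants the question describes (new subdomain, new path, new IP behind the same domain) still match. The message, the `.example` domains, the 198.51.100.7 address (TEST-NET-2) and the "last two labels" rule in `registrable_domain` are assumptions of this example; a production gateway would use the Public Suffix List for that last step.

```python
"""Added example: extract URLs and sender domain from a decoded phishing message
and build variant-resistant deny-list entries for the mail gateway and proxy."""
import re
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr
from ipaddress import ip_address
from urllib.parse import urlsplit

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)


def build_sample_message():
    """Construct a phishing-style message whose HTML part is base64-encoded, so
    the URLs are invisible to a naive grep over the raw mail. All domains use the
    reserved .example TLD and the IP is from TEST-NET-2 (constructed data)."""
    msg = EmailMessage()
    msg["From"] = '"Accounts Payable" <ap@vendor-billing.example>'
    msg["To"] = "finance@corp.example"
    msg["Subject"] = "Overdue invoice 4471 - action required"
    msg.set_content("Your invoice is overdue. Open this mail in an HTML client.")
    html = ('<html><body><p>Your payment is overdue.</p>'
            '<a href="http://secure-payments.example/login">Pay now</a> or use '
            '<a href="https://198.51.100.7/pay">our portal</a>.</body></html>')
    msg.add_alternative(html, subtype="html", cte="base64")
    return msg.as_bytes()


def extract_indicators(raw):
    """Decode every text part (base64 / quoted-printable are handled by the email
    package) and return the sender domain plus the unique URLs in order found."""
    msg = message_from_bytes(raw, policy=policy.default)
    sender_domain = parseaddr(str(msg["From"]))[1].rpartition("@")[2].lower() or None
    urls = []
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        for url in URL_RE.findall(part.get_content()):
            if url not in urls:
                urls.append(url)
    return {"sender_domain": sender_domain, "urls": urls}


def registrable_domain(host):
    """Collapse a host to the part an attacker must re-register to evade the block.
    Assumption: the last two labels (a real filter uses the Public Suffix List).
    IP literals are kept whole."""
    host = host.lower().rstrip(".")
    try:
        ip_address(host)
        return host
    except ValueError:
        return ".".join(host.split(".")[-2:])


def build_denylist(indicators):
    """Two layers of entries: registrable domains (catch variants) and the exact
    host+path observed (for gateways that only match full URLs)."""
    domains, exact = set(), set()
    for url in indicators["urls"]:
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        domains.add(registrable_domain(host))
        exact.add((host, parts.path.rstrip("/") or "/"))
    if indicators["sender_domain"]:
        domains.add(registrable_domain(indicators["sender_domain"]))
    return {"domains": domains, "exact": exact}


def is_denied(url, denylist):
    """True when the URL's registrable domain, or its exact host+path, is listed."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if registrable_domain(host) in denylist["domains"]:
        return True
    return (host, parts.path.rstrip("/") or "/") in denylist["exact"]


if __name__ == "__main__":
    indicators = extract_indicators(build_sample_message())
    denylist = build_denylist(indicators)
    print(indicators)
    print(sorted(denylist["domains"]))
    for probe in ("https://billing.secure-payments.example/verify?id=9",
                  "http://198.51.100.7/pay/alt",
                  "https://www.corp.example/invoices"):
        print(probe, "->", "DENY" if is_denied(probe, denylist) else "allow")
```

The IP-literal entry is the weakest of the three, which is exactly the point the explanation makes about attackers rotating IPs: the domain-level entries are what keep matching when the next wave uses a new subdomain or path, while the IP entry only holds until the campaign moves hosts.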