BadGuy Bob hid files in the slack space, changed the file headers, hid suspicious files in executables, and changed the metadata for all types of files on his hacker laptop. What has he committed?
Correct Answer: A
Anti-forensics refers to techniques used to hinder the forensic analysis of a computer system. By hiding files in slack space, changing file headers, embedding suspicious files in executables, and altering metadata, BadGuy Bob is attempting to make it difficult for forensic analysts to find, analyze, and attribute the malicious activities and data on his laptop. These actions are designed to conceal evidence, manipulate digital artifacts, and obstruct investigations, making them clear examples of anti-forensic techniques. While such actions could be part of broader criminal activity constituting a felony, and could be described as adversarial mechanics or legal hostility in specific contexts, the most accurate classification of these techniques is anti-forensics. References: The ECIH v3 certification program includes discussions of forensic analysis and the challenges posed by anti-forensic techniques, teaching incident handlers how to recognize and counteract attempts to obstruct investigations.
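Two of the tricks in this question, a changed file header and a file hidden inside an executable, leave artifacts an incident handler can check for mechanically. The script below is an added example and is not part of the ECIH material: it compares each file's magic bytes against its extension, and for PE executables it parses the section table to find bytes appended after the last section (an "overlay") and sniffs their type. The magic-byte table is illustrative only, and the sample files, including the minimal PE image, are constructed inline so the script runs offline.

```python
"""Added example, not from the ECIH material: detect a file whose header does
not match its extension, and an executable with another file appended after
its last PE section. All sample input is constructed inline."""
import struct
from typing import Dict, List, Optional

# Illustrative magic-byte table (assumption: far from exhaustive).
MAGIC = {
    b"MZ": "exe",
    b"\x89PNG\r\n\x1a\n": "png",
    b"PK\x03\x04": "zip",
    b"%PDF": "pdf",
    b"\xff\xd8\xff": "jpg",
}


def sniff_type(data: bytes) -> Optional[str]:
    """Return the type implied by the leading bytes, or None if unknown."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return None


def header_mismatch(name: str, data: bytes) -> bool:
    """True when the extension claims one type but the header says another."""
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    sniffed = sniff_type(data)
    return sniffed is not None and sniffed != ext


def pe_overlay(data: bytes) -> Optional[bytes]:
    """For a PE image, return the bytes after the end of the last section's
    raw data (the overlay). Returns None if the input is not a PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]        # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        return None
    nsec = struct.unpack_from("<H", data, pe_off + 6)[0]      # NumberOfSections
    opt_size = struct.unpack_from("<H", data, pe_off + 20)[0]  # SizeOfOptionalHeader
    sec_tab = pe_off + 24 + opt_size
    end = sec_tab + 40 * nsec                                # 40-byte section entries
    for i in range(nsec):
        raw_size, raw_ptr = struct.unpack_from("<II", data, sec_tab + 40 * i + 16)
        end = max(end, raw_ptr + raw_size)
    return data[end:]


def scan(files: Dict[str, bytes]) -> List[str]:
    """Return one finding string per suspicious file."""
    findings = []
    for name, data in files.items():
        if header_mismatch(name, data):
            findings.append(f"{name}: extension says {name.rsplit('.', 1)[-1]} "
                            f"but header says {sniff_type(data)}")
        overlay = pe_overlay(data)
        if overlay:
            kind = sniff_type(overlay) or "unknown"
            findings.append(f"{name}: {len(overlay)} bytes appended after last "
                            f"PE section, header looks like {kind}")
    return findings


def build_fake_pe(section: bytes, overlay: bytes = b"") -> bytes:
    """Construct a minimal, non-runnable PE image with one section; used only
    to create sample input for this example."""
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)             # e_lfanew points past DOS header
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, 0x102)
    raw_ptr = 64 + 4 + 20 + 40                        # section data follows the headers
    sec = struct.pack("<8sIIIIIIHHI", b".text", len(section), 0x1000,
                      len(section), raw_ptr, 0, 0, 0, 0, 0x60000020)
    return bytes(dos) + b"PE\0\0" + coff + sec + section + overlay


# Constructed sample files (not real evidence).
SAMPLES = {
    "report.pdf": b"\x89PNG\r\n\x1a\n" + b"\0" * 32,             # PNG renamed to .pdf
    "notes.txt": b"meeting at 10",                                # ordinary text
    "clean.exe": build_fake_pe(b"\x90" * 16),
    "tool.exe": build_fake_pe(b"\x90" * 16, b"PK\x03\x04" + b"hidden" * 4),
}

if __name__ == "__main__":
    for line in scan(SAMPLES):
        print(line)
```

On real evidence the same checks would run over a mounted read-only image; the overlay check is deliberately crude (installers and signed binaries legitimately carry overlays), so treat a hit as a lead to examine, not proof of hiding.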
212-89 Exam Question 27
OmegaTech Corp identified unauthorized remote access to its primary server and data exfiltration tunnels. Simultaneously, IoT device firmware corruption was reported. As the first responder, what should Olivia prioritize?
Correct Answer: B
ECIH prioritizes containment of the most critical threat vector. The primary server actively exfiltrating data represents the highest risk. Option B is correct because isolating the primary server immediately stops data loss and attacker control. IoT remediation can follow once core assets are secured. Options A and D delay containment. Option C causes unnecessary disruption. ECIH stresses that responders must address the most damaging threat first, making Option B correct.
212-89 Exam Question 28
Which of the following techniques helps incident handlers detect a man-in-the-middle attack by finding new APs that try to join an already established channel, even if the spoofed AP has IP and MAC addresses similar to those of the original AP?
Correct Answer: D
Access point monitoring is the technique that helps incident handlers detect man-in-the-middle (MitM) attacks by continuously observing and managing the wireless access points (APs) within a network. This includes identifying unauthorized or new APs that attempt to join the network or mimic existing APs, even when they present IP and MAC addresses similar to those of legitimate access points. Through access point monitoring, incident handlers can quickly identify and mitigate spoofed APs, preventing MitM attacks that exploit wireless networks by intercepting and manipulating communications. References: Incident Handler (ECIH v3) courses and study materials discuss network security monitoring strategies, including the importance of monitoring access points to detect and prevent MitM attacks and other threats to wireless networks.
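Because a spoofed AP can clone the legitimate SSID, BSSID and IP, monitoring has to compare what is observed over the air against an inventory of authorized APs rather than trust the addresses themselves. The script below is an added example, not part of the ECIH material: it checks constructed beacon observations against an assumed authorized-AP inventory and flags an unknown BSSID advertising a corporate SSID, a known BSSID seen with a different channel or security setting, and one BSSID appearing on two channels in the same sweep (two radios claiming one identity). The inventory, beacon records and MAC addresses are all invented for the example.

```python
"""Added example, not from the ECIH material: access-point monitoring that
compares observed beacons with an authorized inventory to spot evil twins,
including ones that clone a legitimate BSSID. All records are constructed."""
from collections import defaultdict
from typing import Dict, List, Tuple

# Assumed inventory of authorized APs (BSSID -> expected attributes).
AUTHORIZED: Dict[str, Dict] = {
    "aa:bb:cc:00:00:01": {"ssid": "Corp-WiFi", "channel": 6, "security": "WPA2"},
    "aa:bb:cc:00:00:02": {"ssid": "Corp-WiFi", "channel": 11, "security": "WPA2"},
}

# Constructed beacon observations from one scan sweep:
# (bssid, ssid, channel, security, rssi_dbm)
OBSERVED: List[Tuple[str, str, int, str, int]] = [
    ("aa:bb:cc:00:00:01", "Corp-WiFi", 6, "WPA2", -48),
    ("aa:bb:cc:00:00:02", "Corp-WiFi", 11, "WPA2", -60),
    ("de:ad:be:ef:00:01", "Corp-WiFi", 6, "OPEN", -40),   # unknown radio, open twin
    ("aa:bb:cc:00:00:01", "Corp-WiFi", 1, "WPA2", -35),   # cloned BSSID, wrong channel
    ("11:22:33:44:55:66", "CoffeeShop", 1, "OPEN", -70),  # unrelated neighbour
]


def analyze(observed, authorized) -> List[Tuple[str, str]]:
    """Return (bssid, reason) alerts for beacons that contradict the inventory."""
    alerts: List[Tuple[str, str]] = []
    corp_ssids = {a["ssid"] for a in authorized.values()}
    channels_seen = defaultdict(set)

    for bssid, ssid, chan, sec, rssi in observed:
        channels_seen[bssid].add(chan)
        known = authorized.get(bssid)
        if known is None:
            # A radio we do not own is advertising one of our SSIDs.
            if ssid in corp_ssids:
                alerts.append((bssid, f"unknown BSSID advertising corporate SSID "
                                      f"{ssid!r} ({sec}, ch {chan}, {rssi} dBm)"))
            continue
        # Known BSSID: every attribute must match the inventory.
        diffs = [field for field, value in (("ssid", ssid), ("channel", chan),
                                            ("security", sec))
                 if known[field] != value]
        if diffs:
            alerts.append((bssid, "known BSSID with mismatched " + ", ".join(diffs)
                                  + f" ({rssi} dBm)"))

    # The same BSSID on two channels in one sweep means two radios use one identity.
    for bssid, chans in channels_seen.items():
        if len(chans) > 1:
            alerts.append((bssid, f"one BSSID on several channels at once: "
                                  f"{sorted(chans)}"))
    return alerts


if __name__ == "__main__":
    for bssid, reason in analyze(OBSERVED, AUTHORIZED):
        print(f"ALERT {bssid}: {reason}")
```

A production sensor would also track signal strength per BSSID over time (a clone that is suddenly 20 dB stronger is a useful tell) and feed alerts into the same workflow used for wired rogue devices.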
212-89 Exam Question 29
Logan, an incident handler, ensures the chain of custody is documented while handling backup media post-attack. The goal is to preserve evidence integrity while restoring critical systems. Which recovery principle is Logan adhering to?
Correct Answer: A
The EC-Council Incident Handler (ECIH) curriculum stresses the importance of maintaining evidence integrity during recovery operations. Documenting the chain of custody ensures that evidence remains admissible in legal proceedings and maintains forensic validity. Chain of custody documentation tracks who handled the evidence, when it was accessed, how it was stored, and what actions were performed. This aligns directly with forensic compliance principles, which require proper evidence preservation, documentation, and controlled handling procedures. While restoring systems, responders must ensure that backup media and affected systems are handled in a way that does not compromise evidence. ECIH emphasizes that recovery should not destroy or contaminate forensic artifacts that may be required for legal, regulatory, or disciplinary action. Option B (Network segmentation) relates to containment strategies. Option C (Immutable infrastructure) refers to architectural resilience models. Option D (Enhanced authentication) concerns access control, not evidence handling. Therefore, Logan is adhering to forensic compliance principles during recovery.
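The who/when/how/what that chain-of-custody documentation records can be kept in a form that also proves the evidence and the log itself were not altered. The script below is an added example and not part of the ECIH material: it hashes the backup image when it is taken into custody, appends one entry per handling event (each carrying the hash of the evidence at that moment and the hash of the previous entry), reports when a later handling step changed the evidence, and verifies that no entry was edited or removed. The evidence bytes, names and timestamps are constructed.

```python
"""Added example, not from the ECIH material: a hash-linked chain-of-custody
ledger for a piece of backup media. Evidence and events are constructed."""
import hashlib
import json
from datetime import datetime, timezone
from typing import List, Optional


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class CustodyLedger:
    """Append-only custody log; each entry is chained to the previous one."""

    def __init__(self, evidence_id: str, data: bytes, custodian: str,
                 note: str, ts: Optional[str] = None):
        self.evidence_id = evidence_id
        self.evidence_hash = sha256(data)      # hash fixed at acquisition
        self.entries: List[dict] = []
        self._append(custodian, "acquired", self.evidence_hash, note, ts)

    def _append(self, custodian, action, observed_hash, note, ts=None) -> dict:
        prev = self.entries[-1]["entry_hash"] if self.entries else "0" * 64
        entry = {
            "seq": len(self.entries),
            "timestamp": ts or datetime.now(timezone.utc).isoformat(),
            "custodian": custodian,
            "action": action,
            "evidence_sha256": observed_hash,
            "note": note,
            "prev_entry_hash": prev,
        }
        entry["entry_hash"] = sha256(json.dumps(entry, sort_keys=True).encode())
        self.entries.append(entry)
        return entry

    def record(self, custodian: str, action: str, data: bytes, note: str,
               ts: Optional[str] = None) -> bool:
        """Log a handling event. Returns False if the evidence no longer
        matches the acquisition hash (the event is still logged)."""
        observed = sha256(data)
        self._append(custodian, action, observed, note, ts)
        return observed == self.evidence_hash

    def verify_ledger(self) -> bool:
        """True if every entry is intact, in order, and chained correctly."""
        prev = "0" * 64
        for i, e in enumerate(self.entries):
            body = {k: v for k, v in e.items() if k != "entry_hash"}
            if (e["seq"] != i or e["prev_entry_hash"] != prev
                    or sha256(json.dumps(body, sort_keys=True).encode()) != e["entry_hash"]):
                return False
            prev = e["entry_hash"]
        return True


# Constructed stand-in for a backup image.
BACKUP_IMAGE = b"CONSTRUCTED-BACKUP-IMAGE-" + bytes(range(256))


def build_sample_ledger() -> CustodyLedger:
    """Acquisition, transfer to storage, and a restore done from a copy."""
    ledger = CustodyLedger("BK-0412", BACKUP_IMAGE, "Logan",
                           "tape imaged through a write blocker",
                           ts="2024-05-01T09:00:00+00:00")
    ledger.record("Logan", "sealed and moved to evidence locker", BACKUP_IMAGE,
                  "evidence bag 17, locker B", ts="2024-05-01T09:30:00+00:00")
    ledger.record("Recovery team", "restore performed from working copy",
                  BACKUP_IMAGE, "original image untouched; copy hash verified first",
                  ts="2024-05-02T14:00:00+00:00")
    return ledger


if __name__ == "__main__":
    ledger = build_sample_ledger()
    print(json.dumps(ledger.entries, indent=2))
    print("ledger intact:", ledger.verify_ledger())
```

The point of the `record` return value is the recovery-phase trap the explanation warns about: restoring straight from the original media and mounting it read-write changes the image, and the ledger makes that visible rather than letting it pass unnoticed.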
212-89 Exam Question 30
During the vulnerability assessment phase, the incident responders perform various steps as below:
1. Run vulnerability scans using tools
2. Identify and prioritize vulnerabilities
3. Examine and evaluate physical security
4. Perform OSINT information gathering to validate the vulnerabilities
5. Apply business and technology context to scanner results
6. Check for misconfigurations and human errors
7. Create a vulnerability scan report
Identify the correct sequence of vulnerability assessment steps performed by the incident responders.
Correct Answer: C
The correct sequence of steps performed by incident responders during the vulnerability assessment phase is as follows:
* Perform OSINT information gathering to validate the vulnerabilities (4): Initially, Open Source Intelligence (OSINT) is used to gather information about the organization's digital footprint and potential vulnerabilities.
* Run vulnerability scans using tools (1): Next, specialized tools are employed to scan the organization's networks and systems for vulnerabilities.
* Identify and prioritize vulnerabilities (2): The identified vulnerabilities are then analyzed and prioritized based on their severity and potential impact on the organization.
* Examine and evaluate physical security (3): Physical security assessments are also crucial, as they can affect the overall security posture and protection of digital assets.
* Check for misconfigurations and human errors (6): This step involves looking for misconfigurations in systems and networks, as well as potential human errors that could lead to vulnerabilities.
* Apply business and technology context to scanner results (5): The results from the scans are evaluated within the context of the business and its technology environment to accurately assess risk.
* Create a vulnerability scan report (7): Finally, a comprehensive report is created, detailing the vulnerabilities, their severity, and recommended mitigation strategies.
This sequence ensures a thorough assessment, prioritizing vulnerabilities that pose the greatest risk and providing actionable insights for mitigation. References: ECIH v3 courses and study guides elaborate on the vulnerability assessment process, detailing the steps involved in identifying, evaluating, and addressing security vulnerabilities within an organization's IT infrastructure.