Darwin is an attacker residing within the organization who is performing network sniffing by running his system in promiscuous mode, capturing and viewing all the network packets transmitted within the organization. Edwin is an incident handler in the same organization. In the above situation, which of the following Nmap commands must Edwin use to detect Darwin's system running in promiscuous mode?
Correct Answer: C
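The check behind promiscuous-mode detection, as an added example that is not part of the original page: Nmap's sniffer-detect NSE script sends ARP requests for the target's IP address to destination MACs that a normally filtered NIC discards (for instance the "fake broadcast" ff:ff:ff:ff:ff:fe). A host whose interface is in promiscuous mode passes such a frame up to the kernel, and the kernel answers the ARP request by IP alone. The hosts below are simulated so the logic runs offline; the probe names, the attacker's addresses and the host model are assumptions made for the demonstration.

```python
"""Detecting a NIC in promiscuous mode with crafted ARP probes.

Added example, not from the original page: it models the check behind
Nmap's sniffer-detect script. ARP who-has requests for the target's IP are
sent to destination MACs that a non-promiscuous NIC drops. Only a sniffing
host hands such a frame to the kernel, which then answers. The hosts are
simulated here; on a real LAN the frames would go out via a raw socket.
"""
import struct
from dataclasses import dataclass

BROADCAST = "ff:ff:ff:ff:ff:ff"
ETH_P_ARP = 0x0806

# Probe destinations. "B" is the control: every live host answers real
# broadcast. The others should be dropped by a NIC that is not sniffing.
PROBES = {
    "B":   BROADCAST,
    "B31": "ff:ff:ff:ff:ff:fe",  # fake broadcast, lowest bit cleared
    "B16": "ff:ff:00:00:00:00",  # only the first 16 bits look like broadcast
    "B8":  "ff:00:00:00:00:00",  # only the first 8 bits look like broadcast
    "G":   "01:00:00:00:00:00",  # multicast bit set, no real group
    "M0":  "01:00:5e:00:00:00",  # IPv4 multicast base address
}


def mac_bytes(mac: str) -> bytes:
    return bytes(int(octet, 16) for octet in mac.split(":"))


def ip_bytes(ip: str) -> bytes:
    return bytes(int(octet) for octet in ip.split("."))


def build_arp_request(dst_mac, src_mac, src_ip, target_ip) -> bytes:
    """Ethernet II frame carrying an ARP who-has for target_ip (42 bytes)."""
    eth = mac_bytes(dst_mac) + mac_bytes(src_mac) + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1)   # Ethernet, IPv4, request
    arp += mac_bytes(src_mac) + ip_bytes(src_ip)      # sender hw/proto address
    arp += b"\x00" * 6 + ip_bytes(target_ip)          # target hw unknown
    return eth + arp


@dataclass
class SimulatedHost:
    """Minimal model of a host: NIC address filter plus the kernel's ARP responder."""
    mac: str
    ip: str
    promiscuous: bool = False

    def nic_accepts(self, dst_mac: str) -> bool:
        # A non-promiscuous NIC passes only its own unicast MAC and broadcast
        # (plus joined multicast groups, none here); promiscuous passes all.
        return self.promiscuous or dst_mac in (self.mac, BROADCAST)

    def receive(self, frame: bytes):
        """Return an ARP reply frame, or None if the host stays silent."""
        dst_mac = frame[0:6].hex(":")
        if not self.nic_accepts(dst_mac):
            return None
        ethertype = struct.unpack("!H", frame[12:14])[0]
        op = struct.unpack("!H", frame[20:22])[0]
        if ethertype != ETH_P_ARP or op != 1:
            return None
        sender_mac, sender_ip, target_ip = frame[22:28], frame[28:32], frame[38:42]
        # The kernel answers by target IP only; it never re-checks the dst MAC.
        if target_ip != ip_bytes(self.ip):
            return None
        eth = sender_mac + mac_bytes(self.mac) + struct.pack("!H", ETH_P_ARP)
        arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, 2)
        arp += mac_bytes(self.mac) + ip_bytes(self.ip) + sender_mac + sender_ip
        return eth + arp


def probe_host(host: SimulatedHost, attacker_mac: str, attacker_ip: str) -> dict:
    """Send every probe to one host and record which ones it answered."""
    answered = {}
    for name, dst in PROBES.items():
        frame = build_arp_request(dst, attacker_mac, attacker_ip, host.ip)
        answered[name] = host.receive(frame) is not None
    return answered


def classify(answered: dict) -> str:
    if not answered.get("B"):
        return "no-response"        # host down or filtered: inconclusive
    suspicious = [n for n, hit in answered.items() if hit and n != "B"]
    return "promiscuous" if suspicious else "normal"


if __name__ == "__main__":
    lan = [SimulatedHost("00:11:22:33:44:55", "10.0.0.5"),
           SimulatedHost("00:11:22:33:44:66", "10.0.0.6", promiscuous=True)]
    for h in lan:
        print(h.ip, classify(probe_host(h, "00:aa:bb:cc:dd:ee", "10.0.0.99")))
```

Against real targets the equivalent is `nmap --script sniffer-detect <target>`, run from a host on the same broadcast domain, since ARP does not cross routers. Treat a single positive probe as a lead rather than proof: some NIC drivers use hash-based multicast filters and answer one or two of these addresses even when not sniffing, so confirm on the suspect host itself (for example by checking the interface flags).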
The GPG18 (Forensic Readiness) and Security Policy Framework (SPF) principles outline guidelines for improving an organization's readiness for forensic investigation and response. Principle 5 states that organizations should adopt a scenario-based forensic readiness planning approach that learns from experience gained within the business. It emphasizes preparing for a wide range of potential incidents by applying lessons learned from past ones, so that forensic readiness and response capabilities keep improving as the threat landscape and the organization change. References: The ECIH v3 program by EC-Council covers forensic readiness planning, including adopting scenario-based approaches and learning from past incidents, as a fundamental part of strengthening an organization's incident response and forensic capabilities.
212-89 Exam Question 37
ThetaTec, a global fintech giant, identified that an employee was siphoning off funds using a sophisticated method undetectable by traditional monitoring tools. The firm decided to employ advanced techniques to detect such hidden insider threats. What should be its primary focus?
Correct Answer: B
Insider threats are among the most difficult risks to detect because insiders operate within legitimate access boundaries. The ECIH Insider Threat module emphasizes that behavioral analytics is the most effective approach for identifying sophisticated, low-and-slow insider activity. Option B is correct because behavioral analytics correlates a user's actions over time to detect anomalies such as unusual transaction patterns, abnormal access times, or deviations from the norms of the user's job role, which exposes malicious behavior that rule-based monitoring of individual events misses. Options A, C, and D are invasive, unethical, and often illegal, and they contradict ECIH guidance on lawful, proportional monitoring. ECIH stresses that an insider threat program must balance security, privacy, and legality while still providing meaningful detection; behavioral analytics meets these requirements and produces actionable insights.
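What "correlating user actions over time" looks like in practice, as an added example that is not part of the original page or of any ECIH material: a per-user baseline is built from known-good transfer history and each new transfer is scored on four signals, a robust amount outlier (median/MAD z-score), activity outside the user's usual hours, a first-seen beneficiary, and the low-and-slow pattern in which individually ordinary transfers to a new beneficiary add up past a limit inside a sliding window. The log lines, field layout, user and beneficiary names, and thresholds are all constructed for the demonstration.

```python
"""Behavioral analytics over transfer logs for insider fraud detection.

Added example, not from the original page. Builds per-user baselines from
historical transfers and scores recent ones. The final two signals are what
a per-event, rule-based monitor cannot see: the outlier relative to *this*
user's history, and a sum of small transfers that is only abnormal in
aggregate. All log data below is constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import median

# Constructed logs. Format: ISO timestamp,user,amount,beneficiary
BASELINE_LOG = """\
2024-02-05T10:15:00,jdoe,1200.00,ACME
2024-02-06T09:40:00,jdoe,1500.00,GLOBEX
2024-02-07T11:05:00,jdoe,1800.00,ACME
2024-02-08T14:20:00,jdoe,2200.00,GLOBEX
2024-02-09T16:55:00,jdoe,1400.00,ACME
2024-02-12T09:05:00,jdoe,1600.00,ACME
2024-02-13T13:30:00,jdoe,2000.00,GLOBEX
2024-02-14T15:45:00,jdoe,1700.00,ACME
2024-02-15T17:10:00,jdoe,1300.00,GLOBEX
2024-02-16T12:00:00,jdoe,1900.00,ACME
"""

RECENT_LOG = """\
2024-03-04T10:15:00,jdoe,1550.00,ACME
2024-03-04T03:12:00,jdoe,1400.00,ACME
2024-03-05T11:00:00,jdoe,1450.00,OFFSHORE-LLC
2024-03-06T11:05:00,jdoe,1450.00,OFFSHORE-LLC
2024-03-07T11:02:00,jdoe,1450.00,OFFSHORE-LLC
2024-03-08T11:10:00,jdoe,1450.00,OFFSHORE-LLC
2024-03-08T14:00:00,jdoe,9800.00,GLOBEX
"""


@dataclass
class Transfer:
    ts: datetime
    user: str
    amount: float
    beneficiary: str


def parse_log(text: str) -> list:
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, amount, beneficiary = line.split(",")
        rows.append(Transfer(datetime.fromisoformat(ts), user, float(amount), beneficiary))
    return sorted(rows, key=lambda t: t.ts)


def build_profiles(history: list) -> dict:
    """Per-user baseline: robust amount statistics, working hours, known payees."""
    by_user = defaultdict(list)
    for t in history:
        by_user[t.user].append(t)
    profiles = {}
    for user, rows in by_user.items():
        amounts = [t.amount for t in rows]
        med = median(amounts)
        mad = median(abs(a - med) for a in amounts) or 1.0   # guard against /0
        hours = [t.ts.hour for t in rows]
        profiles[user] = {"median": med, "mad": mad,
                          "hours": (min(hours), max(hours)),
                          "payees": {t.beneficiary for t in rows}}
    return profiles


def robust_z(amount: float, profile: dict) -> float:
    # 0.6745 rescales the MAD to the standard deviation of a normal distribution.
    return 0.6745 * (amount - profile["median"]) / profile["mad"]


def detect(history: list, recent: list, z_limit: float = 3.5,
           window: timedelta = timedelta(days=7), slow_limit: float = 5000.0) -> list:
    """Score recent transfers against the baseline; return (transfer, reasons) alerts."""
    profiles = build_profiles(history)
    alerted_payees = defaultdict(set)          # user -> new payees already reported
    new_payee_flow = defaultdict(list)         # (user, payee) -> [(ts, amount)]
    alerts = []
    for t in recent:
        p = profiles.get(t.user)
        if p is None:
            alerts.append((t, ["no_baseline"]))
            continue
        reasons = []
        if abs(robust_z(t.amount, p)) > z_limit:
            reasons.append("amount_outlier")
        lo, hi = p["hours"]
        if not lo <= t.ts.hour <= hi:
            reasons.append("off_hours")
        if t.beneficiary not in p["payees"]:
            if t.beneficiary not in alerted_payees[t.user]:
                alerted_payees[t.user].add(t.beneficiary)
                reasons.append("new_beneficiary")
            flow = new_payee_flow[(t.user, t.beneficiary)]
            flow.append((t.ts, t.amount))
            flow[:] = [(ts, a) for ts, a in flow if t.ts - ts <= window]
            if sum(a for _, a in flow) > slow_limit:
                reasons.append("low_and_slow")
                flow.clear()                   # report once per window crossing
        if reasons:
            alerts.append((t, reasons))
    return alerts


if __name__ == "__main__":
    for t, why in detect(parse_log(BASELINE_LOG), parse_log(RECENT_LOG)):
        print(t.ts.isoformat(), t.user, f"{t.amount:.2f}", t.beneficiary, why)
```

Each transfer to OFFSHORE-LLC is within the user's normal amount range and working hours, so no per-event rule fires on it; only the windowed sum to a never-before-seen beneficiary raises the alert. Median and MAD are used instead of mean and standard deviation so that a single large fraudulent transfer in the history cannot inflate the baseline and hide later ones.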
212-89 Exam Question 38
During an internal audit following a surge in unauthorized financial transactions, a multinational investment firm's IR team uncovers evidence of an orchestrated campaign targeting senior staff. The attackers had pieced together fragments of sensitive data by mining executive digital footprints, reviewing online publications, and analyzing company-related mentions on external platforms. Later, they engaged directly with employees under fabricated personas, conducting scripted interviews to extract missing identifiers. With the assembled profile data, the adversaries submitted diversion requests for financial correspondence and used these to impersonate executives and execute fraudulent transfers. Forensic analysis revealed no signs of malware infection or system-level compromise. Which technique best aligns with the adversary's method of obtaining the initial sensitive information?
Correct Answer: B
The EC-Council Incident Handler (ECIH) curriculum classifies social engineering as a human-based attack technique that manipulates individuals into disclosing confidential information without exploiting technical vulnerabilities. In this scenario, the attackers first gathered publicly available information, known as Open-Source Intelligence (OSINT), by mining executive digital footprints, analyzing online publications, and reviewing external mentions. This reconnaissance phase aligns directly with OSINT-based profiling. The adversaries then conducted scripted interviews under fabricated personas to extract additional identifiers. This behavior is characteristic of pretexting, a social engineering technique in which attackers construct a false scenario to persuade victims to provide sensitive information. ECIH explains that pretexting often involves impersonation and carefully constructed narratives to build credibility and trust. The absence of malware infection or system-level compromise further confirms that this was not a technical exploit such as phishing with malicious macros (Option A) or pharming (Option C), and skimming (Option D) is a physical data theft technique unrelated to executive impersonation or digital profiling. ECIH emphasizes that insider threat and financial fraud investigations frequently reveal social engineering campaigns built on OSINT, impersonation, and psychological manipulation rather than malware. Preventive controls include executive awareness training, strict identity verification for financial change requests, multi-factor authentication, and callback verification procedures. Therefore, the technique that best aligns with the adversary's method is social engineering using open-source intelligence followed by pretexting.
212-89 Exam Question 39
Stanley works as an incident responder at a top MNC based in Singapore. He was asked to investigate a cybersecurity incident that recently occurred in the company. While investigating, he collected evidence from the victim systems. He must present this evidence in a clear and comprehensible manner to the members of the jury, so that it explains the facts clearly and also helps in obtaining an expert opinion that confirms the investigation process. In the above scenario, what is the characteristic of the digital evidence Stanley tried to preserve?
Correct Answer: D
In the scenario described, the characteristic Stanley is preserving is believability: the evidence must be clear and easy for the members of the jury to understand, and it must be presented so that it supports an expert opinion confirming the investigation process. ECIH lists believability as one of the characteristics of digital evidence, alongside admissibility (the evidence can legally be used in court), authenticity (it genuinely relates to the incident), completeness (it tells the whole story, not only the parts favouring one side) and reliability (its collection and handling do not cast doubt on it). Admissibility is a precondition for the evidence being heard at all, but the scenario's emphasis on clear, comprehensible presentation to a jury and on obtaining expert opinion is the definition of believability. References: The Incident Handler (ECIH v3) certification materials cover the characteristics of digital evidence and the legal requirements for collecting, handling and presenting it.
212-89 Exam Question 40
Investigator Ian gives you a drive image to investigate. What type of analysis are you performing?
Correct Answer: B
When Investigator Ian gives you a drive image to investigate, the type of analysis you are performing is static analysis. Static analysis examines the contents of a drive, file, or binary without booting the system or executing the application; it analyzes data at rest. This is fundamental to forensic investigation because files, directories, and system artifacts can be examined without altering any state or data, which preserves the integrity of the evidence. Static analysis is contrasted with dynamic analysis, which observes a system in operation (live or real-time analysis) or executes an application to watch its behavior. References: Incident Handler (ECIH v3) courses and study guides highlight the importance of static analysis in digital forensics, detailing methods for examining disk images, files, and other digital artifacts to gather evidence without compromising its integrity.
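What a static examination of a drive image involves, as an added example that is not part of the original page or of any ECIH material: the image is hashed at the start, its MBR partition table is decoded, printable strings are carved from the partition's sectors, and the hash is recomputed at the end to demonstrate that the evidence was never modified. The image here is constructed in memory so the example runs offline; with a real acquisition the same functions would receive the bytes read from the image file. The sector size, partition layout and planted string are assumptions made for the demonstration.

```python
"""Static analysis of a drive image: hashing, partition table, string carving.

Added example, not from the original page. Everything operates on an
immutable bytes object and the image hash is recomputed after analysis,
which is how a static examination shows the evidence was not altered. The
image is constructed below; a real one would be read with open(path, "rb").
"""
import hashlib
import re
import struct

SECTOR = 512
MBR_SIGNATURE = b"\x55\xaa"
PARTITION_TABLE_OFFSET = 446
ENTRY_FORMAT = "<B3sB3sII"      # status, CHS start, type, CHS end, LBA start, sectors
PARTITION_TYPES = {0x07: "NTFS/exFAT", 0x0c: "FAT32 LBA", 0x82: "Linux swap", 0x83: "Linux"}


def build_sample_image() -> bytes:
    """Constructed 32-sector image: an MBR plus one Linux partition at LBA 8."""
    image = bytearray(32 * SECTOR)
    entry = struct.pack(ENTRY_FORMAT, 0x80, b"\x00\x00\x00", 0x83, b"\x00\x00\x00", 8, 16)
    image[PARTITION_TABLE_OFFSET:PARTITION_TABLE_OFFSET + 16] = entry
    image[510:512] = MBR_SIGNATURE
    # Plant "file content" in sector 9, surrounded by non-printable bytes.
    payload = (b"\x00\x01\x02" * 20
               + b"CONFIDENTIAL: wire 9,800 to OFFSHORE-LLC\n"
               + b"\xff" * 7 + b"ok")
    image[9 * SECTOR:9 * SECTOR + len(payload)] = payload
    return bytes(image)          # immutable from here on


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def parse_mbr(image: bytes) -> list:
    """Decode the four classic MBR partition entries; skip empty slots."""
    if image[510:512] != MBR_SIGNATURE:
        raise ValueError("no MBR signature: GPT disk or damaged sector 0")
    parts = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + 16 * i
        status, _, ptype, _, start, count = struct.unpack(ENTRY_FORMAT, image[off:off + 16])
        if ptype == 0 or count == 0:
            continue
        parts.append({"index": i, "bootable": status == 0x80,
                      "type": PARTITION_TYPES.get(ptype, hex(ptype)),
                      "start_lba": start, "sectors": count})
    return parts


def partition_bytes(image: bytes, part: dict) -> bytes:
    start = part["start_lba"] * SECTOR
    return image[start:start + part["sectors"] * SECTOR]


def carve_strings(data: bytes, min_len: int = 8) -> list:
    """Runs of printable ASCII, like the strings(1) utility."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def analyze(image: bytes) -> dict:
    """Hash, enumerate partitions, carve strings, re-hash to prove integrity."""
    before = sha256_hex(image)
    report = {"size": len(image), "hash_before": before, "partitions": []}
    for part in parse_mbr(image):
        data = partition_bytes(image, part)
        report["partitions"].append({**part, "strings": carve_strings(data)})
    report["hash_after"] = sha256_hex(image)
    report["integrity_ok"] = report["hash_after"] == before
    return report


if __name__ == "__main__":
    for key, value in analyze(build_sample_image()).items():
        print(key, value)
```

On a real case the first hash is taken at acquisition and recorded in the chain-of-custody documentation, the image is worked on through a write blocker or a read-only mount, and the matching hash after analysis is what lets the examiner testify that nothing was changed. A GPT disk has a protective MBR entry of type 0xEE, so `parse_mbr` should be followed by a GPT header parser in that case; that is outside this example.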