EC-Council Certified Security Analyst(ECSA) (EC0-479) Free Practice Test

Question 1

Before you are called to testify as an expert, what must an attorney do first?

A. prove that the tools you used to conduct your examination are perfect

B. engage in damage control

C. qualify you as an expert witness

D. read your curriculum vitae to the jury

Correct Answer: C

Question 2

You have compromised a lower-level administrator account on an Active Directory network of a small company in Dallas, Texas. You discover Domain Controllers through enumeration. You connect to one of the Domain Controllers on port 389 using ldp.exe. What are you trying to accomplish here?

A. Establish a remote connection to the Domain Controller

B. Poison the DNS records with false records

C. Enumerate MX and A records from DNS

D. Enumerate domain user accounts and built-in groups

Correct Answer: D

Question 3

What does the acronym POST mean as it relates to a PC?

A. Primary Operations Short Test

B. Primary Operating System Test

C. Power On Self Test

D. Pre Operational Situation Test

Correct Answer: C

Question 4

What is the following command trying to accomplish?

A. Verify that TCP port 445 is open for the 192.168.0.0 network

B. Verify that UDP port 445 is open for the 192.168.0.0 network

C. Verify that NETBIOS is running for the 192.168.0.0 network

D. Verify that UDP port 445 is closed for the 192.168.0.0 network

Correct Answer: B

Question 5

John and Hillary works at the same department in the company. John wants to find out Hillary's network password so he can take a look at her documents on the file server. He enables Lophtcrack program to sniffing mode. John sends Hillary an email with a link to Error! Reference source not found. What information will he be able to gather from this?

A. The network shares that Hillary has permissions

B. The SID of Hillary's network account

C. The SAM file from Hillary's computer

D. Hillary's network username and password hash

Correct Answer: D

Question 6

What will the following command produce on a website login page?What will the following command produce on a website? login page?
SELECT email, passwd, login_id, full_name
FROM members
WHERE email = '[email protected]'; DROP TABLE members; --'

A. Deletes the entire members table

B. This command will not produce anything since the syntax is incorrect

C. Retrieves the password for the first user in the members table

D. Inserts the Error! Reference source not found. email address into the members table

Correct Answer: A

Question 7

Under which Federal Statutes does FBI investigate for computer crimes involving e-mail scams and mail fraud?

A. 18 U.S.C. 1362 Government communication systems

B. 18 U.S. 1343 Fraud by wire, radio or television

C. 18 U.S.C. 1030 Fraud and related activity in connection with computers

D. 18 U.S.C. 1029 Possession of Access Devices

E. 18 U.S.C. 1832 Trade Secrets Act

F. 18 U.S.C. 1361 Injury to Government Property

Correct Answer: C

Question 8

When using Windows acquisitions tools to acquire digital evidence, it is important to use a well- tested hardware write-blocking device to:

A. Prevent Contamination to the evidence drive

B. Avoiding copying data from the boot partition

C. Acquire data from host-protected area on a disk

D. Automate Collection from image files

Correct Answer: A

Question 9

You have used a newly released forensic investigation tool, which doesnt meet the Daubert T
est, during a case. The case has ended-up in court. What argument could the defense make to weaken your case?

A. The tool hasnt been tested by the International Standards Organization (ISO)

B. You are not certified for using the tool

C. The total has not been reviewed and accepted by your peers

D. Only the local law enforcement should use the tool

Correct Answer: C

Question 10

Paula works as the primary help desk contact for her company.Paula has just received a call from a user reporting that his computer just displayed a Blue Screen of Death screen and he can no longer work.Paula
walks over to the users computer and sees the Blue Screen of Death screen.The users computer is running
Windows XP, but the Blue Screen looks like a familiar one that Paula had seen on Windows 2000 computers periodically. The user said he stepped away from his computer for only 15 minutes and when he got back, the Blue Screen was there.Paula also noticed that the hard drive activity light was flashing, meaning that the computer was processing something.Paula knew this should not be the case since the computer should be completely frozen during a Blue Screen. She checks the network IDS live log entries and notices numerous nmap scan alerts.
What is Paula seeing happen on this computer?

A. Tools like Nessus will cause BSOD

B. Paulas network was scanned using Floppyscan

C. Paulas network was scanned using Dumpsec

D. There was IRQ conflict in Paulas PC

Correct Answer: B

Question 11

When you carve an image, recovering the image depends on which of the following skills?

A. Recovering the image from the tape backup

B. Recognizing the pattern of the header content

C. Recovering the image from a tape backup

D. Recognizing the pattern of a corrupt file

Correct Answer: B

Question 12

Bob has been trying to penetrate a remote production system for the past tow weeks. This time however, he is able to get into the system. He was able to use the System for a period of three weeks. However law enforcement agencies were recoding his every activity and this was later presented as evidence. The organization had used a Virtual Environment to trap BoB. What is a Virtual Environment?

A. A system Using Trojaned commands

B. An environment set up after the user logs in

C. A Honeypot that traps hackers

D. An environment set up before an user logs in

Correct Answer: C

Question 13

Harold is a security analyst who has just run the rdisk /s command to grab the backup SAM file on a computer. Where should Harold navigate on the computer to find the file?

A. %systemroot%\system32\drivers\etc

B. %systemroot%\LSA

C. %systemroot%\repair

D. %systemroot%\system32\LSA

Correct Answer: C

Question 14

George is the network administrator of a large Internet company on the west coast. Per corporate policy, none of the employees in the company are allowed to use FTP or SFTP programs without obtaining approval from the IT department. Few managers are using SFTP program on their computers. Before talking to his boss, George wants to have some proof of their activity.
George wants to use Ethereal to monitor network traffic, but only SFTP traffic to and from his network. What filter should George use in Ethereal?

A. src port 23 and dst port 23

B. udp port 22 and host 172.16.28.1/24

C. net port 22

D. src port 22 and dst port 22

Correct Answer: D

Question 15

Jim performed a vulnerability analysis on his network and found no potential problems. He runs another utility that executes exploits against his system to verify the results of the vulnerability test. The second utility executes five known exploits against his network in which the vulnerability analysis said were not exploitable. What kind of results did Jim receive from his vulnerability analysis?

A. False positives

B. True positives

C. False negatives

D. True negatives

Correct Answer: C

Welcome to TestSimulate

EC-COUNCIL EC-Council Certified Security Analyst(ECSA) (EC0-479) Free Practice Test