A multinational financial institution notices unusual network activity during a routine security audit. The SOC detects multiple failed login attempts, followed by a successful access attempt using an administrator's credentials from an unrecognized IP address. Shortly after, sensitive customer records are accessed without authorization. The company suspects a breach and calls in the forensic investigation team. During evidence collection, the forensic team creates a detailed record that tracks every individual who handled the evidence, its storage location, and timestamps of transfers. What is this process called?
Answer(s): A
Chain of custody is the formal process used to document and preserve evidence integrity by recording who collected the evidence, who accessed it, where it was stored, and when it changed hands. In SOC and forensic operations, chain of custody is essential for maintaining evidentiary reliability, especially in cases with regulatory, legal, or disciplinary implications. It ensures that evidence has not been altered, tampered with, or mishandled, and it supports defensible conclusions about what occurred. Incident documentation is broader and includes timelines, decisions, actions taken, and communications, but it does not specifically track evidence handling transfers. Data imaging is the creation of a forensic copy of storage media (disk image), a separate technical step that may be recorded within chain-of-custody logs. Digital fingerprinting refers to generating hashes or other identifiers to confirm file integrity; again, it is a technique used within evidence handling, but the tracking record of handlers, locations, and transfers is chain of custody. For SOC analysts, correctly maintaining chain of custody is critical when responding to breaches involving sensitive customer records and potential compliance investigations.
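To make the "who, what, where, when" record concrete, here is an added Python example (not part of the exam material or any vendor tool) of a tamper-evident chain-of-custody log: each handling entry carries the evidence hash observed at that moment and a hash of the previous entry, so a later edit to any entry, or a change to the evidence itself, shows up in verification. The evidence ID, handler names and the byte string standing in for a disk image are constructed.

```python
import hashlib
import json
from datetime import datetime, timezone


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class CustodyLog:
    """Tamper-evident chain-of-custody record for one evidence item.

    Every transfer records who handled the item, what they did, where it was
    stored and when, together with the evidence hash observed at that moment.
    Entries are chained by hashing the previous entry, so editing, removing or
    reordering an entry after the fact breaks verify()."""

    GENESIS = "0" * 64

    def __init__(self, evidence_id: str, evidence: bytes):
        self.evidence_id = evidence_id
        self.original_hash = sha256_hex(evidence)  # hash taken at collection
        self.entries = []

    @staticmethod
    def _entry_hash(body: dict) -> str:
        return sha256_hex(json.dumps(body, sort_keys=True).encode())

    def record(self, handler, action, location, evidence: bytes, when=None) -> bool:
        """Append a custody entry. Returns False when the evidence hash no longer
        matches the collection hash (the transfer is still logged, as it should be)."""
        when = when or datetime.now(timezone.utc).isoformat()
        observed = sha256_hex(evidence)
        body = {
            "evidence_id": self.evidence_id, "handler": handler, "action": action,
            "location": location, "timestamp": when, "evidence_hash": observed,
            "prev_entry_hash": self.entries[-1]["entry_hash"] if self.entries else self.GENESIS,
        }
        body["entry_hash"] = self._entry_hash(body)
        self.entries.append(body)
        return observed == self.original_hash

    def verify(self) -> list:
        """Return a list of problems; an empty list means the record is intact."""
        problems, prev = [], self.GENESIS
        for i, e in enumerate(self.entries):
            body = {k: v for k, v in e.items() if k != "entry_hash"}
            if self._entry_hash(body) != e["entry_hash"]:
                problems.append(f"entry {i}: contents changed after it was recorded")
            if e["prev_entry_hash"] != prev:
                problems.append(f"entry {i}: link to previous entry broken")
            if e["evidence_hash"] != self.original_hash:
                problems.append(f"entry {i}: evidence hash differs from collection hash")
            prev = e["entry_hash"]
        return problems


if __name__ == "__main__":
    # Constructed stand-in for a forensic disk image.
    image = b"constructed stand-in for a forensic disk image"
    log = CustodyLog("EV-2024-0001", image)
    log.record("A. Analyst", "collected", "SOC evidence safe 1", image, "2024-05-01T08:00:00+00:00")
    log.record("B. Examiner", "transferred to lab", "Forensic lab locker 3", image, "2024-05-01T11:30:00+00:00")
    print(log.verify())  # empty list while the record is intact
```

The hash chain only proves the log was not quietly rewritten; the evidence hash at each hand-off is what ties the log to the item itself, which is why both are recorded together.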
You are a Level 1 SOC analyst at a critical infrastructure provider. Threat actors infiltrated the network and exfiltrated sensitive system blueprints. Before detection, they executed commands that altered system logs, wiped forensic artifacts, and modified timestamps to mimic normal activity. They also manipulated security monitoring tools to prevent unusual login events from being recorded. Which APT lifecycle phase does this represent?
Answer(s): C
Cleanup is the phase where adversaries attempt to cover their tracks and reduce the chance of detection or attribution. The described behaviors--altering logs, wiping forensic artifacts, modifying timestamps, and tampering with monitoring tools--are classic defense evasion and anti-forensic actions. In SOC investigations, these actions indicate the attacker is prioritizing stealth and persistence after completing objectives, making reconstruction more difficult. Search and exfiltration focuses on locating valuable data and transferring it out; while that happened earlier, the key activities described are about removing evidence and obscuring the timeline. Initial intrusion refers to the first entry (phishing, exploit, stolen credentials). Expansion refers to broadening access (lateral movement, privilege escalation) across the environment. The scenario explicitly emphasizes manipulating logs and monitoring to hide activity and prevent alerts, which aligns most closely with cleanup. For defenders, this phase drives urgency: isolate affected systems, preserve volatile data quickly, validate logging pipelines, and use independent telemetry sources (network flows, cloud control-plane logs, immutable logging) to rebuild the attack chain despite tampering.
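The defender's advice at the end of this explanation, rebuilding the timeline from telemetry the attacker could not reach, can be shown with a small added Python example (not from the exam material). It compares the host-resident Security log with the copy a SIEM received by forwarding before the intrusion, and reports records that vanished locally, records whose content differs, gaps in the local record sequence, and the presence of a log-cleared event (Windows Security event 1102). The event records and the IP address are constructed.

```python
# Windows Security log event IDs used below (constructed sample records).
LOG_CLEARED = 1102

FORWARDED = [  # SIEM copy, received before the attacker touched the host
    {"record_id": 1, "event_id": 4624, "time": "2024-06-02T02:10:05", "msg": "Logon svc_admin from 203.0.113.7"},
    {"record_id": 2, "event_id": 4688, "time": "2024-06-02T02:11:30", "msg": "Process created: cmd.exe"},
    {"record_id": 3, "event_id": 4663, "time": "2024-06-02T02:12:01", "msg": r"Read \\fs01\eng\blueprints\plant.dwg"},
    {"record_id": 4, "event_id": 4688, "time": "2024-06-02T02:14:45", "msg": "Process created: unknown.exe"},
    {"record_id": 5, "event_id": 4634, "time": "2024-06-02T02:15:10", "msg": "Logoff svc_admin"},
]

LOCAL = [  # what the host's own log shows after the intrusion
    {"record_id": 1, "event_id": 4624, "time": "2024-06-02T09:10:05", "msg": "Logon svc_admin from 203.0.113.7"},
    {"record_id": 2, "event_id": 4688, "time": "2024-06-02T02:11:30", "msg": "Process created: cmd.exe"},
    {"record_id": 5, "event_id": 4634, "time": "2024-06-02T02:15:10", "msg": "Logoff svc_admin"},
    {"record_id": 6, "event_id": LOG_CLEARED, "time": "2024-06-02T02:20:00", "msg": "The audit log was cleared"},
]


def find_tampering(local, forwarded):
    """Compare the host-resident log with the independently stored copy.

    Returns record IDs that exist only in the forwarded copy, IDs whose content
    differs between the two (e.g. a rewritten timestamp), gaps in the local
    record sequence, and whether a log-cleared event is present anywhere."""
    local_by_id = {e["record_id"]: e for e in local}
    fwd_by_id = {e["record_id"]: e for e in forwarded}
    missing_locally = sorted(r for r in fwd_by_id if r not in local_by_id)
    altered = sorted(r for r in fwd_by_id
                     if r in local_by_id and local_by_id[r] != fwd_by_id[r])
    ids = sorted(local_by_id)
    sequence_gaps = [(a, b) for a, b in zip(ids, ids[1:]) if b - a > 1]
    log_cleared = any(e["event_id"] == LOG_CLEARED for e in local + forwarded)
    return {"missing_locally": missing_locally, "altered": altered,
            "sequence_gaps": sequence_gaps, "log_cleared": log_cleared}


if __name__ == "__main__":
    for key, value in find_tampering(LOCAL, FORWARDED).items():
        print(f"{key}: {value}")
```

The comparison is only as good as the forwarded copy: if forwarding is cut before the cleanup starts, the SIEM copy ends early and the missing records cannot be recovered, which is the argument for immutable or write-once log storage made in the explanation.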
During a threat intelligence briefing, a SOC analyst comes across a classified report detailing a sophisticated cybercrime syndicate targeting executives of high-profile financial institutions. These adversaries rarely leave digital footprints and seem to anticipate security measures. Several breaches began with seemingly innocent conversations: a foreign journalist requesting an interview with a CEO and a "security consultant" offering free risk assessments. Further investigation reveals attackers socially engineered employees, manipulated trust, and extracted critical security details long before launching technical attacks. The analyst decides to focus on intelligence involving deception detection and psychological profiling to uncover true intent and methods. Which type of intelligence is the analyst leveraging?
Human Intelligence (HUMINT) involves information gathered from people, relationships, and human behavior rather than purely technical artifacts. The scenario describes adversaries using social engineering and pretexting--building trust through conversations and manipulating employees to reveal sensitive information. The analyst is focusing on deception detection and psychological profiling, which are rooted in understanding human intent, influence tactics, and interpersonal manipulation patterns. That aligns with HUMINT, where insights may come from interviews, insider reporting, investigative findings, or controlled engagements that reveal motivations and methods that logs will not show. Threat intelligence feeds and technical threat intelligence primarily provide machine-consumable indicators, malware signatures, infrastructure data, and observed TTPs; they are valuable but not the main lens here because these attackers "rarely leave digital footprints." OSINT is derived from publicly available sources, which can help identify personas or prior campaigns, but the core described intelligence method is interpreting human behavior and social manipulation. From a SOC standpoint, HUMINT-driven insights inform security awareness training, executive protection protocols, identity verification procedures, and "out-of-band" validation processes that reduce success of pretexting and business email compromise.
Bob is a SOC analyst in a multinational corporation that relies on a centralized file-sharing system for storing confidential project documents. One morning, he notices that a few critical financial records stored on the shared server appear to have been altered without authorization. Version history confirms unexpected changes made outside business hours. Bob must investigate by inspecting logs. Which log should he check to determine who accessed the files and when the modifications occurred?
Security logs are the primary source for auditing access and changes to protected objects, including files and folders, when file auditing is enabled. In Windows environments, this typically maps to "Object Access" auditing, which can record who accessed a file, what type of access was attempted (read, write, delete), and when it occurred. For a SOC analyst investigating unauthorized modifications, the goal is attribution (which user/account), timing (outside business hours), and action (write/modify/delete). Authentication logs show who logged in and from where, but they don't reliably indicate which file was modified unless correlated with object access events. Firewall and general network logs can help confirm remote access paths or suspicious connections, but they won't provide authoritative "who modified which file" evidence. In practice, the SOC would validate that file/folder auditing is enabled on the file server and that relevant events are being collected centrally. Then they correlate file access/modify events with sign-in activity, source device, and any privilege escalation indicators. Because the question specifically asks for determining "who accessed the files and when modifications occurred," Security logs are the most direct and forensically valuable option.
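The correlation step described here (object-access events joined to sign-in events) is shown in this added Python example, which is not part of the exam material. It filters Windows Security 4663 (object access) events for write or delete access under a share path outside business hours and joins each to the 4624 (logon) event with the same Logon ID to recover the source IP and logon type. The events, account names, paths, the 08:00-18:00 weekday window and the set of access names treated as modifications are all constructed assumptions of the example.

```python
from datetime import datetime, time

# Business-hours window and the access names treated as modifications are
# assumptions of this example, not values from the question.
BUSINESS_START, BUSINESS_END = time(8, 0), time(18, 0)
WRITE_ACCESSES = {"WriteData", "AppendData", "DELETE", "WriteAttributes"}

# Constructed events, shaped like the fields a SIEM extracts from Windows
# Security log records: 4624 = account logon, 4663 = object access attempted.
EVENTS = [
    {"event_id": 4624, "time": "2024-03-12T22:40:00", "logon_id": "0x3e7a1",
     "account": "jsmith", "src_ip": "10.1.2.3", "logon_type": 3},
    {"event_id": 4663, "time": "2024-03-12T22:41:15", "logon_id": "0x3e7a1",
     "account": "jsmith", "object": r"\\fs01\finance\Q1_ledger.xlsx", "access": {"WriteData"}},
    {"event_id": 4663, "time": "2024-03-12T22:42:00", "logon_id": "0x3e7a1",
     "account": "jsmith", "object": r"\\fs01\finance\Q1_ledger.xlsx", "access": {"ReadData"}},
    {"event_id": 4624, "time": "2024-03-12T14:00:00", "logon_id": "0x5c210",
     "account": "mlee", "src_ip": "10.1.9.9", "logon_type": 2},
    {"event_id": 4663, "time": "2024-03-12T14:05:30", "logon_id": "0x5c210",
     "account": "mlee", "object": r"\\fs01\finance\budget.xlsx", "access": {"WriteData"}},
    {"event_id": 4663, "time": "2024-03-12T22:50:00", "logon_id": "0x3e7a1",
     "account": "jsmith", "object": r"\\fs01\hr\roster.xlsx", "access": {"WriteData"}},
]


def off_hours(ts: str) -> bool:
    """True on weekends or outside the business-hours window."""
    t = datetime.fromisoformat(ts)
    return t.weekday() >= 5 or not (BUSINESS_START <= t.time() < BUSINESS_END)


def suspicious_modifications(events, path_prefix):
    """Return 4663 write/delete events under path_prefix that occurred outside
    business hours, enriched with the source IP and logon type of the session
    (joined on Logon ID to the matching 4624 event)."""
    logons = {e["logon_id"]: e for e in events if e["event_id"] == 4624}
    findings = []
    for e in events:
        if e["event_id"] != 4663 or not e["object"].startswith(path_prefix):
            continue
        writes = e["access"] & WRITE_ACCESSES
        if not writes or not off_hours(e["time"]):
            continue
        session = logons.get(e["logon_id"], {})
        findings.append({
            "account": e["account"], "object": e["object"], "time": e["time"],
            "access": sorted(writes),
            "src_ip": session.get("src_ip", "unknown"),
            "logon_type": session.get("logon_type", "unknown"),
        })
    return findings


if __name__ == "__main__":
    for finding in suspicious_modifications(EVENTS, r"\\fs01\finance"):
        print(finding)
```

Logon type 3 (network) paired with a source IP is what turns "jsmith modified the ledger at 22:41" into "a session from 10.1.2.3 using jsmith's account did", which is the attribution question the explanation says Security logs answer and authentication logs alone do not.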
You are a SOC analyst on duty during a high-severity incident involving a DDoS attack targeting your organization's e-commerce platform. The attack disrupts online transactions. Using SIEM tools and packet capture systems, you identify unusual traffic patterns and trace activity back to command-and-control (C2) servers directing a botnet. Your goal is to recommend an eradication strategy that will sever the attackers' control over infected devices and halt the attack. Which strategy should your team implement?
Answer(s): B
"Neutralizing handlers" is the best match because it focuses on disrupting the botnet's command-and-control layer that coordinates the attack. In classic botnet terminology, handlers (or C2 nodes) issue instructions to compromised hosts. If you can block, sinkhole, or otherwise disrupt communication to those controlling nodes, you reduce the adversary's ability to direct traffic and sustain the DDoS. Rate limiting is a useful mitigation to reduce immediate impact on your services, but it does not sever attacker control; it is more a resilience measure than eradication. "Blocking potential attacks" is too generic and describes a broad defensive posture rather than a specific botnet-focused eradication action. "Disabling botnets" is an outcome, but it is not a precise operational strategy in the way "neutralizing handlers" is; disabling a botnet often requires a combination of takedowns, sinkholing, upstream provider coordination, and endpoint remediation--activities that are commonly operationalized by targeting the handler/C2 infrastructure. From a SOC standpoint, this also aligns with coordinated response: implement network blocks, collaborate with ISP/CDN, and use threat intel to identify additional C2 endpoints while continuing service-level mitigations.
A threat hunter analyzing an infected endpoint finds that malicious processes keep reappearing even after termination, making traditional remediation ineffective. The user reports slowdowns, abnormal pop-ups, and unauthorized application launches. Deeper inspection reveals multiple scheduled tasks executing unknown scripts at intervals, along with suspicious registry modifications enabling automatic execution on startup. The endpoint makes intermittent encrypted outbound connections to an unclassified external server. The organization also observed multiple failed privileged logins from the same subnet. Which signs should the threat hunter look for to confirm and mitigate the threat?
Host-based artifacts are the most direct evidence to confirm persistence and recurring execution on an endpoint. The scenario already describes classic host persistence mechanisms: scheduled tasks and registry autorun modifications. To confirm and mitigate, a threat hunter should focus on endpoint-resident artifacts such as: persistence entries (scheduled tasks, Run/RunOnce keys, services, WMI subscriptions), process ancestry (which parent launches the malicious script), file system changes (dropped scripts, DLLs, staged payloads), and security control tampering. These artifacts enable containment and eradication because they point to what must be removed and what must be prevented from re-creating itself after reboot. Network-based artifacts are important for identifying C2 destinations and potential lateral movement, but they won't fully explain how the malware survives termination. Threat intelligence context can help attribute and match TTPs, but it's not required to confirm persistence locally. Indicators of Attack are behavior patterns (like scheduled task creation, registry autoruns, process injection) and are valuable conceptually, but the option that best represents the concrete evidence you need to examine and remediate on the endpoint is "host-based artifacts." In SOC response, you'd combine host artifact removal with credential resets and scoping for similar persistence across endpoints.
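Reviewing the persistence entries named above is usually a triage problem: an endpoint has dozens of legitimate scheduled tasks and Run keys, and the hunter needs the short list. This added Python example (not exam material or a vendor tool) scores an exported inventory of tasks and autorun keys by three traits commonly associated with malicious persistence: a script interpreter or living-off-the-land binary as the executable, a payload in a user-writable directory, and hidden or encoded execution flags. The inventory entries and the heuristics are constructed assumptions; real tooling would add signature checks and known-good baselines.

```python
import re

# Heuristics are this example's assumptions; tune them to the environment.
INTERPRETERS = re.compile(
    r"\b(powershell|pwsh|wscript|cscript|mshta|cmd|rundll32|regsvr32)(\.exe)?\b", re.I)
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Users\\Public|ProgramData)\\", re.I)
EVASION_FLAGS = re.compile(
    r"(-enc(odedcommand)?\b|-w(indowstyle)?\s+hidden|-nop\b|-ep\s+bypass|\s/c\s)", re.I)

# Constructed inventory, shaped like an autoruns / scheduled-task export.
PERSISTENCE = [
    {"source": "ScheduledTask", "name": r"\Microsoft\Windows\Updater",
     "command": r"powershell.exe -nop -w hidden -File C:\Users\bob\AppData\Roaming\upd.ps1"},
    {"source": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "name": "OneDriveSync",
     "command": r"C:\Users\bob\AppData\Local\Temp\svc.exe"},
    {"source": "ScheduledTask", "name": r"\Microsoft\Windows\Defrag\ScheduledDefrag",
     "command": r"C:\Windows\System32\defrag.exe -c -h -k"},
    {"source": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "name": "SecurityHealth",
     "command": r"C:\Windows\System32\SecurityHealthSystray.exe"},
]

CHECKS = (
    (INTERPRETERS, "script interpreter or LOLBin as the executable"),
    (USER_WRITABLE, "payload in a user-writable directory"),
    (EVASION_FLAGS, "hidden/encoded execution flags"),
)


def triage_persistence(entries):
    """Score each persistence entry by the number of suspicious traits it shows.

    Entries with no traits are dropped so the hunter sees the short list first,
    ordered by score; each kept entry lists the reasons for review."""
    flagged = []
    for e in entries:
        reasons = [label for pattern, label in CHECKS if pattern.search(e["command"])]
        if reasons:
            flagged.append({**e, "reasons": reasons, "score": len(reasons)})
    return sorted(flagged, key=lambda f: -f["score"])


if __name__ == "__main__":
    for item in triage_persistence(PERSISTENCE):
        print(item["score"], item["source"], item["name"], item["reasons"])
```

The scoring deliberately does not try to decide "malicious" on its own; it orders the entries so that the hunter's manual check of process ancestry and file hashes starts with the entries most likely to matter, and it also produces the list of what must be removed before the endpoint is rebooted.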
A financial institution suspects an insider threat due to unauthorized access attempts on restricted databases. However, SIEM alerts lack sufficient information to differentiate between legitimate and malicious access. The SOC manager recommends integrating contextual data to improve detection. Which contextual data source should be integrated in this scenario?
User context from HR systems is the most relevant contextual source for insider-threat differentiation because it helps determine whether access aligns with the user's role, employment status, and business need. HR context can include department, job title, manager, location assignment, employment status (active/terminated), and sometimes risk signals like recent role changes or offboarding timelines. For restricted database access, the key questions are "should this person have access?" and "is this behavior normal for their role?" Threat intelligence feeds primarily help with external adversaries (malicious IPs, domains, known actor infrastructure) and are less useful for insiders who operate from legitimate networks and accounts. Vulnerability context is useful for exposure management and exploit prioritization, but it doesn't explain whether a particular employee's access attempt is legitimate. Physical/CPS sensor context can be valuable in some environments (badge access vs. login), but the most broadly applicable and directly relevant enrichment for insider cases is HR-based identity context. In SOC operations, combining HR context with identity logs and data access telemetry improves detection logic (for example, flagging restricted access attempts by users outside the relevant business unit or after termination) and reduces false positives from legitimate administrative activity.
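The enrichment this explanation recommends is easy to show end to end. The following added Python example (not from the exam material) joins constructed SIEM alerts for restricted-database access against a constructed HR extract and raises severity when the account has no HR record, belongs to a terminated employee, or sits outside the business units that own the database. The user names, departments, database names and the ownership table are all assumptions of the example.

```python
# Constructed HR extract keyed by account name; a real integration would pull
# this from the HR system on a schedule and include role-change history.
HR_DIRECTORY = {
    "jdoe":   {"dept": "Retail Banking", "status": "active",     "terminated_on": None},
    "asmith": {"dept": "Treasury",       "status": "terminated", "terminated_on": "2024-04-30"},
    "bchen":  {"dept": "Treasury",       "status": "active",     "terminated_on": None},
}

# Business units expected to touch each restricted database (assumed mapping).
RESTRICTED_DB_OWNERS = {
    "treasury_positions": {"Treasury"},
    "customer_pii": {"Retail Banking", "Compliance"},
}

# Constructed SIEM alerts: access attempts against restricted databases.
ALERTS = [
    {"user": "jdoe",       "database": "treasury_positions", "outcome": "denied"},
    {"user": "asmith",     "database": "treasury_positions", "outcome": "success"},
    {"user": "bchen",      "database": "treasury_positions", "outcome": "success"},
    {"user": "svc_backup", "database": "customer_pii",       "outcome": "success"},
]


def enrich_alert(alert, hr=HR_DIRECTORY, owners=RESTRICTED_DB_OWNERS):
    """Attach HR context to an access alert and derive a severity from it.

    Escalates when the account has no HR record (orphaned, shared or service
    account), belongs to someone no longer employed, or belongs to a department
    that does not own the database; otherwise the alert is informational."""
    rec = hr.get(alert["user"])
    reasons = []
    if rec is None:
        reasons.append("no HR record: orphaned, shared or service account")
    else:
        if rec["status"] != "active":
            reasons.append(f"account used after termination on {rec['terminated_on']}")
        if rec["dept"] not in owners.get(alert["database"], set()):
            reasons.append(f"department '{rec['dept']}' does not own {alert['database']}")
    return {**alert, "hr": rec, "reasons": reasons,
            "severity": "high" if reasons else "informational"}


def triage(alerts=ALERTS):
    """Enrich every alert; high-severity items float to the top of the list."""
    return sorted((enrich_alert(a) for a in alerts),
                  key=lambda a: 0 if a["severity"] == "high" else 1)


if __name__ == "__main__":
    for a in triage():
        print(a["severity"], a["user"], a["database"], a["reasons"])
```

Note that bchen's successful access, which looks identical to asmith's in the raw database log, drops to informational once HR context is attached; that is the false-positive reduction the explanation refers to.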
You are working as a SOC analyst for a cloud-based service provider that relies on PostgreSQL databases to store critical customer data. During a security review, you discover that logs are not being generated for failed authentication attempts, slow queries, or database errors. This lack of visibility is making it difficult to detect threats and investigate suspicious activity. To ensure PostgreSQL captures and stores logs for centralized monitoring and forensic analysis, which configuration parameter should you enable?
In PostgreSQL, the configuration parameter that enables writing logs to files via the logging collector process is log_collector. When enabled, PostgreSQL can collect stderr output from backend processes and route it into log files, which is foundational for centralized log shipping and retention. From a SOC standpoint, turning on log collection is necessary but not sufficient: you typically also need to configure what gets logged (authentication failures, statement duration thresholds for slow queries, and error verbosity), define log line prefixes for consistent parsing, and set rotation/retention to meet operational and compliance needs. However, the question specifically asks which parameter should be enabled to ensure PostgreSQL captures and stores logs, and log_collector is the correct parameter name and casing. The other options include incorrect naming or formatting. Once enabled, the SOC team can forward PostgreSQL logs to the SIEM to correlate database activity with identity, endpoint, and network signals--critical for detecting brute force attempts, suspicious administrative actions, and anomalous query behavior.
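Because enabling the collector is "necessary but not sufficient", a practitioner usually wants a checklist they can run against the server's configuration. The following added Python example (not from the exam material or the PostgreSQL project) parses a postgresql.conf fragment and reports which logging settings are missing or disabled, using a constructed weak fragment and a constructed hardened one. Parameter names are the ones in the PostgreSQL documentation, where the collector switch is spelled logging_collector; the 2000 ms slow-query threshold and the prefix tokens required for SIEM parsing are this example's own choices.

```python
import re

WEAK_CONF = """\
# postgresql.conf (constructed fragment: logging effectively off)
logging_collector = off
log_min_duration_statement = -1        # slow-query logging disabled
log_line_prefix = '%m [%p] '
"""

HARDENED_CONF = """\
# postgresql.conf (constructed fragment; values are this example's choices)
logging_collector = on
log_destination = 'stderr'
log_directory = 'log'
log_filename = 'postgresql-%Y-%m-%d.log'
log_rotation_age = 1d
log_rotation_size = 100MB
log_connections = on
log_disconnections = on
log_min_duration_statement = 2000      # log statements slower than 2 s
log_min_error_statement = error
log_line_prefix = '%m [%p] %u@%d %h '   # time, pid, user@db, client host
"""

# name = value, with an optional '=', a single-quoted or bare value, and an
# optional trailing '# comment'.
_LINE = re.compile(r"^([A-Za-z_]\w*)\s*=?\s*('(?:[^']|'')*'|[^#\s]+)")


def parse_conf(text: str) -> dict:
    """Parse postgresql.conf-style lines into a {name: value} dict."""
    settings = {}
    for raw in text.splitlines():
        m = _LINE.match(raw.strip())
        if not m:
            continue  # blank line or comment
        key, val = m.group(1).lower(), m.group(2)
        if val.startswith("'"):
            val = val[1:-1].replace("''", "'")
        settings[key] = val
    return settings


def _on(v: str) -> bool:
    return v.lower() in ("on", "true", "yes", "1")


def check_logging(settings: dict) -> list:
    """Return human-readable findings; an empty list means the fragment meets the bar."""
    issues = []
    if not _on(settings.get("logging_collector", "off")):
        issues.append("logging_collector is off: server messages are not written to log files")
    if not _on(settings.get("log_connections", "off")):
        issues.append("log_connections is off: connection attempts are not recorded")
    if settings.get("log_min_duration_statement", "-1").strip() == "-1":
        issues.append("log_min_duration_statement = -1: slow queries are never logged")
    prefix = settings.get("log_line_prefix", "%m [%p] ")
    for token, meaning in (("%u", "user"), ("%d", "database"), ("%h", "client host")):
        present = token in prefix or (token == "%h" and "%r" in prefix)
        if not present:
            issues.append(f"log_line_prefix lacks {token} ({meaning}), hurting SIEM correlation")
    return issues


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, check_logging(parse_conf(conf)) or ["ok"])
```

Authentication failures are reported by the server as FATAL messages, so once the collector is on they reach the log file without further settings; log_connections adds the successful attempts, and the line prefix is what lets the SIEM attribute each line to a user, database and client host.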
Share your comments for EC-Council 312-39 exam with other users:
good material
let's see if this is good stuff...
useful information
interesting
thank you for making the interactive questions
questions are accurate
I need questions/dumps for this exam.
I need this exam, when will it be uploaded?
I need the dumps!
very helpful
good source
my 3rd test and passed on first try. hats off to this brain dumps site.
please upload it
does anybody know if these are real exam questions?
are these questions similar to the actual questions in the exam? because they seem to be too easy
I have a lot of experience, but what comes in the exam is totally different from the practical day-to-day tasks. so I thought I would rather rely on these brain dumps than fail the exam.
good questions
valid exam dumps. they were very helpful and I got a pretty good score. I am very grateful for this service and exam questions
will it help?
very useful to verify knowledge before exam
good stuff
question 17: aren't the responses b and c?
just passed the exam on my first try using these dumps.
these questions look good.
this is very helpful content
please provide the dumps
it is amazing
question 178 about "a banking system that predicts whether a loan will be repaid is an example of the": the answer is classification, not regression. you should fix it.
please upload apache spark dumps
q14 is b&c: to reduce, you will switch off mail for every single alert and switch on the daily digest to get a mail once per day. you might even skip the empty digest mail, but I see this as a part of the daily digest adjustment
i think it is good question
good for students who wish to give certification.
is there a google drive link to the images? the links in questions are not working.