  • Exam Name: EC-Council Certified Security Analyst (ECSA)
  • Last Update: Dec 14, 2024
  • Questions and Answers: 232

EC0-479 Practice Exam Questions with Answers EC-Council Certified Security Analyst (ECSA) Certification

Question # 6

Which of the following filesystems is used by Mac OS X?

A.

EFS

B.

HFS+

C.

EXT2

D.

NFS

Question # 7

Which federal computer crime law specifically refers to fraud and related activity in connection with access devices like routers?

A.

18 U.S.C. 1029

B.

18 U.S.C. 1362

C.

18 U.S.C. 2511

D.

18 U.S.C. 2703

Question # 8

You are called by an author who is writing a book and he wants to know how long the copyright for his book will last after he has the book published?

A.

70 years

B.

the life of the author

C.

the life of the author plus 70 years

D.

copyrights last forever

Question # 9

In a FAT32 system, a 123 KB file will use how many sectors?

A.

34

B.

246

C.

11

D.

56

Question # 10

What binary coding is used most often for e-mail purposes?

A.

MIME

B.

Uuencode

C.

IMAP

D.

SMTP

Question # 11

Hackers can gain access to the Windows Registry and manipulate user passwords, DNS settings, access rights or other features that they may need in order to accomplish their objectives. One simple method for loading an application at startup is to add an entry (Key) to the following Registry Hive:

A.

HKEY_LOCAL_MACHINE\hardware\windows\start

B.

HKEY_LOCAL_USERS\Software|Microsoft\old\Version\Load

C.

HKEY_CURRENT_USER\Microsoft\Default

D.

HKEY_LOCAL_MACHINE\Software\Microsoft\CurrentVersion\Run

Question # 12

When performing a forensics analysis, what device is used to prevent the system from recording data on an evidence disk?

A.

a write-blocker

B.

a protocol analyzer

C.

a firewall

D.

a disk editor

Question # 13

If you see the files Zer0.tar.gz and copy.tar.gz on a Linux system while doing an investigation, what can you conclude?

A.

The system files have been copied by a remote attacker

B.

The system administrator has created an incremental backup

C.

The system has been compromised using a t0rn rootkit

D.

Nothing in particular as these can be operational files

Question # 14

George is performing security analysis for Hammond and Sons LLC. He is testing security vulnerabilities of their wireless network. He plans on remaining as "stealthy" as possible during the scan. Why would a scanner like Nessus not be recommended in this situation?

A.

Nessus is too loud

B.

There are no ways of performing a "stealthy" wireless scan

C.

Nessus cannot perform wireless testing

D.

Nessus is not a network scanner

Question # 15

On Linux/Unix based Web servers, what privilege should the daemon service be run under?

A.

Guest

B.

You cannot determine what privilege runs the daemon service

C.

Root

D.

Something other than root

Question # 16

John and Hillary work in the same department in the company. John wants to find out Hillary's network password so he can take a look at her documents on the file server. He sets the L0phtCrack program to sniffing mode. John sends Hillary an email with a link to Error! Reference source not found. What information will he be able to gather from this?

A.

The SID of Hillary's network account

B.

The network shares that Hillary has permissions

C.

The SAM file from Hillary's computer

D.

Hillary's network username and password hash

Question # 17

An "idle" system is also referred to as what?

A.

PC not being used

B.

PC not connected to the Internet

C.

Bot

D.

Zombie

Question # 18

Under which Federal Statutes does the FBI investigate computer crimes involving e-mail scams and mail fraud?

A.

18 U.S.C. 1029 Possession of Access Devices

B.

18 U.S.C. 1030 Fraud and related activity in connection with computers

C.

18 U.S.C. 1343 Fraud by wire, radio or television

D.

18 U.S.C. 1361 Injury to Government Property

E.

18 U.S.C. 1362 Government communication systems

F.

18 U.S.C. 1832 Trade Secrets Act

Question # 19

Jason is the security administrator of ACMA metal Corporation. One day he notices the company's Oracle database server has been compromised and the customer information along with financial data has been stolen. The financial loss will be in millions of dollars if the database gets into the hands of the competitors. Jason wants to report this crime to the law enforcement agencies immediately. Which organization coordinates computer crimes investigations throughout the United States?

A.

Internet Fraud Complaint Center

B.

Local or national office of the U.S. Secret Service

C.

National Infrastructure Protection Center

D.

CERT Coordination Center

Question # 20

How many sectors will a 125 KB file use in a FAT32 file system?

A.

32

B.

16

C.

250

D.

25

Question # 21

Sectors in hard disks typically contain how many bytes?

A.

256

B.

512

C.

1024

D.

2048

Question # 22

When investigating a network that uses DHCP to assign IP addresses, where would you look to determine which system (MAC address) had a specific IP address at a specific time?

A.

on the individual computer's ARP cache

B.

in the Web Server log files

C.

in the DHCP Server log files

D.

there is no way to determine the specific IP address

Question # 23

Windows identifies which application to open a file with by examining which of the following?

A.

The File extension

B.

The file attributes

C.

The file Signature at the end of the file

D.

The file signature at the beginning of the file

Question # 24

When you carve an image, recovering the image depends on which of the following skills?

A.

Recognizing the pattern of the header content

B.

Recovering the image from a tape backup

C.

Recognizing the pattern of a corrupt file

D.

Recovering the image from the tape backup

Question # 25

A suspect is accused of violating the acceptable use of computing resources, as he has visited adult websites and downloaded images. The investigator wants to demonstrate that the suspect did indeed visit these sites. However, the suspect has cleared the search history and emptied the cookie cache. Moreover, he has removed any images he might have downloaded. What can the investigator do to prove the violation? Choose the most feasible option.

A.

Image the disk and try to recover deleted files

B.

Seek the help of co-workers who are eye-witnesses

C.

Check the Windows registry for connection data (You may or may not recover)

D.

Approach the websites for evidence

Question # 26

When examining a file with a Hex Editor, what space does the file header occupy?

A.

the last several bytes of the file

B.

the first several bytes of the file

C.

none, file headers are contained in the FAT

D.

one byte at the beginning of the file

Question # 27

A(n) ____________ is one that's performed by a computer program rather than the attacker manually performing the steps in the attack sequence.

A.

blackout attack

B.

automated attack

C.

distributed attack

D.

central processing attack

Question # 28

E-mail logs contain which of the following information to help you in your investigation? (Select up to 4)

A.

user account that was used to send the account

B.

attachments sent with the e-mail message

C.

unique message identifier

D.

contents of the e-mail message

E.

date and time the message was sent

Question # 29

An employee is suspected of stealing proprietary information belonging to your company that he had no rights to possess. The information was stored on the employee's computer that was protected with the NTFS Encrypted File System (EFS) and you had observed him copy the files to a floppy disk just before leaving work for the weekend. You detain the employee before he leaves the building and recover the floppy disks and secure his computer. Will you be able to break the encryption so that you can verify that the employee was in possession of the proprietary information?

A.

EFS uses a 128-bit key that can't be cracked, so you will not be able to recover the information

B.

When the encrypted file was copied to the floppy disk, it was automatically unencrypted, so you can recover the information

C.

The EFS Revoked Key Agent can be used on the Computer to recover the information

D.

When the Encrypted file was copied to the floppy disk, the EFS private key was also copied to the floppy disk, so you can recover the information.

Question # 30

The MD5 program is used to:

A.

wipe magnetic media before recycling it

B.

make directories on an evidence disk

C.

view graphics files on an evidence drive

D.

verify that a disk is not altered when you examine it

Question # 31

When investigating a potential e-mail crime, what is your first step in the investigation?

A.

Trace the IP address to its origin

B.

Write a report

C.

Determine whether a crime was actually committed

D.

Recover the evidence

Question # 32

The newer Macintosh Operating System is based on:

A.

OS/2

B.

BSD Unix

C.

Linux

D.

Microsoft Windows

Question # 33

When monitoring for both intrusion and security events between multiple computers, it is essential that the computers' clocks are synchronized. Synchronized time allows an administrator to reconstruct what took place during an attack against multiple computers. Without synchronized time, it is very difficult to determine exactly when specific events took place, and how events interlace. What is the name of the service used to synchronize time among multiple computers?

A.

Universal Time Set

B.

Network Time Protocol

C.

SyncTime Service

D.

Time-Sync Protocol

Question # 34

In what way do the procedures for dealing with evidence in a criminal case differ from the procedures for dealing with evidence in a civil case?

A.

evidence must be handled in the same way regardless of the type of case

B.

evidence procedures are not important unless you work for a law enforcement agency

C.

evidence in a criminal case must be secured more tightly than in a civil case

D.

evidence in a civil case must be secured more tightly than in a criminal case

Question # 35

Lance wants to place a honeypot on his network. Which of the following would be your recommendations?

A.

Use a system that has a dynamic addressing on the network

B.

Use a system that is not directly interacting with the router

C.

Use it on a system in an external DMZ in front of the firewall

D.

It doesn't matter as all replies are faked

Question # 36

The offset in a hexadecimal code is:

A.

The last byte after the colon

B.

The 0x at the beginning of the code

C.

The 0x at the end of the code

D.

The first byte after the colon

Question # 37

When examining the log files from a Windows IIS Web Server, how often is a new log file created?

A.

the same log is used at all times

B.

a new log file is created every day

C.

a new log file is created each week

D.

a new log is created each time the Web Server is started

Question # 38

Harold is a security analyst who has just run the rdisk /s command to grab the backup SAM file on a computer. Where should Harold navigate on the computer to find the file?

A.

%systemroot%\LSA

B.

%systemroot%\repair

C.

%systemroot%\system32\drivers\etc

D.

%systemroot%\system32\LSA

Question # 39

Paul's company is in the process of undergoing a complete security audit including logical and physical security testing. After all logical tests were performed, it is now time for the physical round to begin. None of the employees are made aware of this round of testing. The security-auditing firm sends in a technician dressed as an electrician. He waits outside in the lobby for some employees to get to work and follows behind them when they access the restricted areas. After entering the main office, he is able to get into the server room by telling the IT manager that there is a problem with the outlets in that room. What type of attack has the technician performed?

A.

Fuzzing

B.

Tailgating

C.

Man trap attack

D.

Backtrapping

Question # 40

What will the following command produce on a website login page?

SELECT email, passwd, login_id, full_name

FROM members

WHERE email = 'someone@somehwere.com'; DROP TABLE members; --'

A.

Inserts the Error! Reference source not found. email address into the members table

B.

Retrieves the password for the first user in the members table

C.

Deletes the entire members table

D.

This command will not produce anything since the syntax is incorrect

Question # 41

When you are running a vulnerability scan on a network and the IDS cuts off your connection, what type of IDS is being used?

A.

NIPS

B.

Passive IDS

C.

Progressive IDS

D.

Active IDS

Question # 42

What is the target host IP in the following command?

EC0-479 question answer

A.

Firewalk does not scan target hosts

B.

172.16.28.95

C.

This command is using FIN packets, which cannot scan target hosts

D.

10.10.150.1

Question # 43

Bill is the accounting manager for Grummon and Sons LLC in Chicago. On a regular basis, he needs to send PDF documents containing sensitive information through E-mail to his customers. Bill protects the PDF documents with a password and sends them to their intended recipients. Why do PDF passwords not offer maximum protection?

A.

PDF passwords can easily be cracked by software brute force tools

B.

PDF passwords are not considered safe by Sarbanes-Oxley

C.

PDF passwords are converted to clear text when sent through E-mail

D.

When sent through E-mail, PDF passwords are stripped from the document completely

Question # 44

On Linux/Unix based Web servers, what privilege should the daemon service be run under?

A.

You cannot determine what privilege runs the daemon service

B.

Guest

C.

Root

D.

Something other than root

Question # 45

Harold is a security analyst who has just run the rdisk /s command to grab the backup SAM file on a computer. Where should Harold navigate on the computer to find the file?

A.

%systemroot%\system32\drivers\etc

B.

%systemroot%\repair

C.

%systemroot%\LSA

D.

%systemroot%\system32\LSA

Question # 46

You are trying to locate Microsoft Outlook Web Access Default Portal using Google search on the Internet. What search string will you use to locate them?

A.

outlook:"search"

B.

allinurl:"exchange/logon.asp"

C.

locate:"logon page"

D.

intitle:"exchange server"

Question # 47

You are running through a series of tests on your network to check for any security vulnerabilities. After normal working hours, you initiate a DoS attack against your external firewall. The firewall quickly freezes up and becomes unusable. You then initiate an FTP connection from an external IP into your internal network. The connection is successful even though you have FTP blocked at the external firewall. What has happened?

A.

The firewall failed-open

B.

The firewall failed-bypass

C.

The firewall failed-closed

D.

The firewall ACL has been purged

Question # 48

To preserve digital evidence, an investigator should ____________________

A.

Make two copies of each evidence item using a single imaging tool

B.

Make a single copy of each evidence item using an approved imaging tool

C.

Make two copies of each evidence item using different imaging tools

D.

Only store the original evidence item

Question # 49

You have completed a forensic investigation case. You would like to destroy the data contained in various disks at the forensics lab due to sensitivity of the case. How would you permanently erase the data on the hard disk?

A.

Throw the hard disk into the fire

B.

Run the powerful magnets over the hard disk

C.

Format the hard disk multiple times using a low level disk utility

D.

Overwrite the contents of the hard disk with Junk data

Question # 50

What information do you need to recover when searching a victim's computer for a crime committed with a specific e-mail message?

A.

Internet service provider information

B.

E-mail header

C.

Username and password

D.

Firewall log

Question # 51

What should you do when approached by a reporter about a case that you are working on or have worked on?

A.

Refer the reporter to the attorney that retained you

B.

Say, “no comment”

C.

Answer all the reporter's questions as completely as possible

D.

Answer only the questions that help your case

Question # 52

Office Documents (Word, Excel and PowerPoint) contain a code that allows tracking the MAC or unique identifier of the machine that created the document. What is that code called?

A.

Globally unique ID

B.

Microsoft Virtual Machine Identifier

C.

Personal Application Protocol

D.

Individual ASCII string

Question # 53

A law enforcement officer may only search for and seize criminal evidence with _____________, which are facts or circumstances that would lead a reasonable person to believe a crime has been committed or is about to be committed, evidence of the specific crime exists and the evidence of the specific crime exists at the place to be searched.

A.

Mere Suspicion

B.

A preponderance of the evidence

C.

Probable cause

D.

Beyond a reasonable doubt

Question # 54

The use of warning banners helps a company avoid litigation by overcoming an employee's assumed ____________ when connecting to the company's intranet, network or Virtual Private Network (VPN) and will allow the company's investigators to monitor, search and retrieve information stored within the network.

A.

Right to work

B.

Right of free speech

C.

Right to Internet Access

D.

Right of Privacy

Question # 55

When using Windows acquisitions tools to acquire digital evidence, it is important to use a well-tested hardware write-blocking device to:

A.

Automate Collection from image files

B.

Avoid copying data from the boot partition

C.

Acquire data from host-protected area on a disk

D.

Prevent Contamination to the evidence drive

Question # 56

____________________ is simply the application of Computer Investigation and analysis techniques in the interests of determining potential legal evidence.

A.

Network Forensics

B.

Computer Forensics

C.

Incident Response

D.

Event Reaction

Question # 57

An expert witness gives an opinion if:

A.

The Opinion, inferences or conclusions depend on special knowledge, skill or training not within the ordinary experience of lay jurors

B.

To define the issues of the case for determination by the finder of fact

C.

To stimulate discussion between the consulting expert and the expert witness

D.

To deter the witness from expanding the scope of his or her investigation beyond the requirements of the case

Question # 58

When investigating a Windows System, it is important to view the contents of the page or swap file because:

A.

Windows stores all of the system's configuration information in this file

B.

This is the file that Windows uses to communicate directly with the Registry

C.

A Large volume of data can exist within the swap file of which the computer user has no knowledge

D.

This is the file that Windows uses to store the history of the last 100 commands that were run from the command line

Question # 59

One way to identify the presence of hidden partitions on a suspect's hard drive is to:

A.

Add up the total size of all known partitions and compare it to the total size of the hard drive

B.

Examine the FAT and identify hidden partitions by noting an H in the partition Type field

C.

Examine the LILO and note an H in the partition Type field

D.

It is not possible to have hidden partitions on a hard drive

Question # 60

Which of the following refers to the data that might still exist in a cluster even though the original file has been overwritten by another file?

A.

Sector

B.

Metadata

C.

MFT

D.

Slack Space

Question # 61

During the course of a corporate investigation, you find that an employee is committing a crime. Can the employer file a criminal complaint with the police?

A.

Yes, and all evidence can be turned over to the police

B.

Yes, but only if you turn the evidence over to a federal law enforcement agency

C.

No, because the investigation was conducted without following standard police procedures

D.

No, because the investigation was conducted without warrant

Question # 62

What are the security risks of running a "repair" installation for Windows XP?

A.

There are no security risks when running the "repair" installation for Windows XP

B.

Pressing Shift+F1 gives the user administrative rights

C.

Pressing Ctrl+F10 gives the user administrative rights

D.

Pressing Shift+F10 gives the user administrative rights

Question # 63

Jim performed a vulnerability analysis on his network and found no potential problems. He runs another utility that executes exploits against his system to verify the results of the vulnerability test. The second utility executes five known exploits against his network that the vulnerability analysis said were not exploitable. What kind of results did Jim receive from his vulnerability analysis?

A.

True negatives

B.

False negatives

C.

False positives

D.

True positives

Question # 64

Michael works for Kimball Construction Company as a senior security analyst. As part of the yearly security audit, Michael scans his network for vulnerabilities. Using Nmap, Michael conducts an XMAS scan and most of the ports scanned do not give a response. In what state are these ports?

A.

Filtered

B.

Stealth

C.

Closed

D.

Open

Question # 65

Harold is a web designer who has completed a website for ghttech.net. As part of the maintenance agreement he signed with the client, Harold is performing research online and seeing how much exposure the site has received so far. Harold navigates to google.com and types in the following search.

link:www.ghttech.net

What will this search produce?

A.

All sites that link to ghttech.net

B.

Sites that contain the code: link:www.ghttech.net

C.

All sites that ghttech.net links to

D.

All search engines that link to .net domains

Question # 66

What is a good security method to prevent unauthorized users from "tailgating"?

A.

Electronic key systems

B.

Man trap

C.

Pick-resistant locks

D.

Electronic combination locks

Question # 67

You work as an IT security auditor hired by a law firm in Boston to test whether you can gain access to sensitive information about the company clients. You have rummaged through their trash and found very little information. You do not want to set off any alarms on their network, so you plan on performing passive footprinting against their Web servers. What tool should you use?

A.

Nmap

B.

Netcraft

C.

Ping sweep

D.

Dig

Question # 68

To test your website for vulnerabilities, you type in a quotation mark (? for the username field. After you click Ok, you receive the following error message window:

What can you infer from this error window?

Exhibit:

EC0-479 question answer

A.

SQL injection is not possible

B.

SQL injection is possible

C.

The user for line 3306 in the SQL database has a weak password

D.

The quotation mark (? is a valid username

Question # 69

You are carrying out the last round of testing for your new website before it goes live. The website has many dynamic pages and connects to a SQL backend that accesses your product inventory in a database. You come across a web security site that recommends inputting the following code into a search field on web pages to check for vulnerabilities:

<script>alert("This is a test.")</script>

When you type this and click on search, you receive a pop-up window that says:

"This is a test."

What is the result of this test?

A.

Your website is vulnerable to web bugs

B.

Your website is vulnerable to CSS

C.

Your website is not vulnerable

D.

Your website is vulnerable to SQL injection
