Looking for Real Exam Questions for IT Certification Exams!
We guarantee you can pass any IT certification exam at your first attempt with just 10-12
hours study of our guides.
Our study guides contain actual exam questions; accurate answers with detailed explanation
verified by experts and all graphics and drag-n-drop exhibits shown just as on the real test.
To test the quality of our guides, you can download the one-fourth portion of any guide from
http://www.certificationking.com absolutely free. You can also download the guides for retired
exams that you might have taken in the past.
For pricing and placing an order, please visit http://certificationking.com/order.html
We accept all major credit cards through www.paypal.com
For other payment options and any further queries, feel free to mail us at
[email protected]
ECCouncil 312-49v8 Exam
QUESTION NO: 1
What is the First Step required in preparing a computer for forensics investigation?
A. Do not turn the computer off or on, run any programs, or attempt to access data on a computer
B. Secure any relevant media
C. Suspend automated document destruction and recycling policies that may pertain to any
relevant media or users at issue
D. Identify the type of data you are seeking, the information you are looking for, and the urgency
level of the examination
Answer: A
Explanation:
QUESTION NO: 2
Network forensics can be defined as the sniffing, recording, acquisition and analysis of the
network traffic and event logs in order to investigate a network security incident.
A. True
B. False
Answer: A
Explanation:
QUESTION NO: 3
Which of the following commands shows you the names of all open shared files on a server and
number of file locks on each file?
A. Net sessions
B. Net file
C. Netconfig
D. Net share
Answer: B
Explanation:
www.CertificationKing.com 2
QUESTION NO: 4
The Recycle Bin exists as a metaphor for throwing files away, but it also allows users to retrieve
and restore files. Once a file is moved to the Recycle Bin, a record is added to the log file that
exists in the Recycle Bin.
Which of the following files contains records that correspond to each deleted file in the Recycle
Bin?
A. INFO2 file
B. INFO1 file
C. LOGINFO2 file
D. LOGINFO1 file
Answer: A
Explanation:
QUESTION NO: 5
Email archiving is a systematic approach to save and protect the data contained in emails so that
it can be accessed fast at a later date. There are two main archive types, namely Local Archive
and Server Storage Archive. Which of the following statements is correct when dealing with local
archives?
A. It is difficult to deal with the webmail as there is no offline archive in most cases. So consult
your counsel on the case as to the best way to approach and gain access to the required data on
servers
B. Local archives do not have evidentiary value as the email client may alter the message data
C. Local archives should be stored together with the server storage archives in order to be
admissible in a court of law
D. Server storage archives are the server information and settings stored on a local system
whereas the local archives are the local email client information stored on the mail server
Answer: A
Explanation:
QUESTION NO: 6
Which of the following email headers specifies an address for mailer-generated errors, like "no
such user" bounce messages, to go to (instead of the sender's address)?
A. Errors-To header
B. Content-Transfer-Encoding header
C. Mime-Version header
D. Content-Type header
Answer: A
Explanation:
QUESTION NO: 7
Which of the following commands shows you all of the network services running on Windows-
based servers?
A. Net start
B. Net use
C. Net Session
D. Net share
Answer: A
Explanation:
QUESTION NO: 8
Email archiving is a systematic approach to save and protect the data contained in emails so that
it can be easily accessed at a later date.
A. True
B. False
Answer: A
Explanation:
QUESTION NO: 9
Which of the following commands shows you the NetBIOS name table each?
A. Option A
B. Option B
C. Option C
D. Option D
Answer: A
Explanation:
QUESTION NO: 10
Windows Security Accounts Manager (SAM) is a registry file which stores passwords in a hashed
format.
SAM file in Windows is located at:
A. C:\windows\system32\config\SAM
B. C:\windows\system32\con\SAM
C. C:\windows\system32\Boot\SAM
D. C:\windows\system32\drivers\SAM
Answer: A
Explanation:
QUESTION NO: 11
FAT32 is a 32-bit version of FAT file system using smaller clusters and results in efficient storage
capacity. What is the maximum drive size supported?
A. 1 terabytes
B. 2 terabytes
C. 3 terabytes
D. 4 terabytes
Answer: B
Explanation:
QUESTION NO: 12
In which step of the computer forensics investigation methodology would you run MD5 checksum
on the evidence?
A. Obtain search warrant
B. Evaluate and secure the scene
C. Collect the evidence
D. Acquire the data
Answer: D
Explanation:
QUESTION NO: 13
Network forensics allows investigators to inspect network traffic and logs to identify and locate the
attacking system.
Network forensics can reveal: (Select three answers)
A. Source of security incidents and network attacks
B. Path of the attack
C. Intrusion techniques used by attackers
D. Hardware configuration of the attacker's system
Answer: A,B,C
Explanation:
QUESTION NO: 14
Determine the message length from following hex viewer record:
A. 6E2F
B. 13
C. 27
D. 810D
Answer: D
Explanation:
QUESTION NO: 15
TCP/IP (Transmission Control Protocol/Internet Protocol) is a communication protocol used to
connect different hosts on the Internet. It contains four layers, namely the network interface layer,
Internet layer, transport layer, and application layer.
Which of the following protocols works under the transport layer of TCP/IP?
A. UDP
B. HTTP
C. FTP
D. SNMP
Answer: A
Explanation:
QUESTION NO: 16
Which of the following statements does not support the case assessment?
A. Review the case investigator's request for service
B. Identify the legal authority for the forensic examination request
C. Do not document the chain of custody
D. Discuss whether other forensic processes need to be performed on the evidence
Answer: C
Explanation:
QUESTION NO: 17
Wireless access control attacks aim to penetrate a network by evading WLAN access control
measures, such as AP MAC filters and Wi-Fi port access controls.
Which of the following wireless access control attacks allows the attacker to set up a rogue access
point outside the corporate perimeter, and then lure the employees of the organization to connect
to it?
A. War driving
B. Rogue access points
C. MAC spoofing
D. Client mis-association
Answer: D
Explanation:
QUESTION NO: 18
File deletion is a way of removing a file from a computer's file system. What happens when a file is
deleted in Windows 7?
A. The last letter of a file name is replaced by a hex byte code E5h
B. The operating system marks the file's name in the MFT with a special character that indicates
that the file has been deleted
C. Corresponding clusters in FAT are marked as used
D. The computer looks at the clusters occupied by that file and does not make that space available to store a
new file
Answer: B
Explanation:
QUESTION NO: 19
What is cold boot (hard boot)?
A. It is the process of starting a computer from a powered-down or off state
B. It is the process of restarting a computer that is already turned on through the operating system
C. It is the process of shutting down a computer from a powered-on or on state
D. It is the process of restarting a computer that is already in sleep mode
Answer: A
Explanation:
QUESTION NO: 20
When a file or folder is deleted, the complete path, including the original file name, is stored in a
special hidden file called "INFO2" in the Recycled folder. If the INFO2 file is deleted, it is re-created
when you ___________.
A. Restart Windows
B. Kill the running processes in Windows task manager
C. Run the antivirus tool on the system
D. Run the anti-spyware tool on the system
Answer: A
Explanation:
QUESTION NO: 21
WPA2 provides enterprise and Wi-Fi users with stronger data protection and network access
control. Which of the following encryption algorithms is used by WPA2?
A. RC4-CCMP
B. RC4-TKIP
C. AES-CCMP
D. AES-TKIP
Answer: C
Explanation:
QUESTION NO: 22
The disk in the disk drive rotates at high speed, and heads in the disk drive are used only to read
data.
A. True
B. False
Answer: B
Explanation:
QUESTION NO: 23
What is a bit-stream copy?
A. Bit-Stream Copy is a bit-by-bit copy of the original storage medium and exact copy of the
original disk
B. A bit-stream image is the file that contains the NTFS files and folders of all the data on a disk or
partition
C. A bit-stream image is the file that contains the FAT32 files and folders of all the data on a disk
or partition
D. Creating a bit-stream image transfers only non-deleted files from the original disk to the image
disk
Answer: A
Explanation:
QUESTION NO: 24
System software password cracking is defined as cracking the operating system and all other
utilities that enable a computer to function
A. True
B. False
Answer: A
Explanation:
QUESTION NO: 25
Which of the following Steganography techniques allows you to encode information that ensures
creation of cover for secret communication?
A. Substitution techniques
B. Transform domain techniques
C. Cover generation techniques
D. Spread spectrum techniques
Answer: C
Explanation:
QUESTION NO: 26
Ron, a computer forensics expert, is investigating a case involving corporate espionage. He has
recovered several mobile computing devices from the crime scene. One piece of evidence that Ron
possesses is a mobile phone from Nokia that was left in the on condition. Ron needs to recover the
IMEI number of the device to establish the identity of the device owner. Which of the following key
combinations can he use to recover the IMEI number?
A. #*06*#
B. *#06#
C. #06r
D. *1MEI#
Answer: B
Explanation:
QUESTION NO: 27
Who is responsible for the following tasks?
- Secure the scene and ensure that it is maintained in a secure state until the Forensic Team
advises
- Make notes about the scene that will eventually be handed over to the Forensic Team
A. Non-Laboratory Staff
B. System administrators
C. Local managers or other non-forensic staff
D. Lawyers
Answer: A
Explanation:
QUESTION NO: 28
A system with a simple logging mechanism was not given much attention during
development, and this system is now being targeted by attackers. If the attacker wants to perform a
new line injection attack, what will he/she inject into the log file?
A. Plaintext
B. Single pipe character
C. Multiple pipe characters
D. HTML tags
Answer: A
Explanation:
QUESTION NO: 29
During the seizure of digital evidence, the suspect can be allowed to touch the computer system.
A. True
B. False
Answer: B
Explanation:
QUESTION NO: 30
Which of the following password cracking techniques works like a dictionary attack, but adds some
numbers and symbols to the words from the dictionary and tries to crack the password?
A. Brute forcing attack
B. Hybrid attack
C. Syllable attack
D. Rule-based attack
Answer: B
Explanation:
QUESTION NO: 31
Consistency in the investigative report is more important than the exact format in the report to
eliminate uncertainty and confusion.
A. True
B. False
Answer: A
Explanation:
QUESTION NO: 32
When dealing with the powered-off computers at the crime scene, if the computer is switched off,
turn it on
A. True
B. False
Answer: B
Explanation:
QUESTION NO: 33
MAC filtering is a security access control methodology, where a ___________ is assigned to each
network card to determine access to the network.
A. 16-bit address
B. 24-bit address
C. 32-bit address
D. 48-bit address
Answer: D
Explanation:
QUESTION NO: 34
The ARP table of a router comes in handy for investigating network attacks, as the table contains
IP addresses associated with the respective MAC addresses.
The ARP table can be accessed using the __________ command in Windows 7.
A. Option A
B. Option B
C. Option C
D. Option D
Answer: A
Explanation:
QUESTION NO: 35
You can interact with the Registry through intermediate programs. Graphical user interface (GUI)
Registry editors such as Regedit.exe or Regedt32.exe are commonly used as intermediate
programs in Windows 7. Which of the following is a root folder of the registry editor?
A. HKEY_USERS
B. HKEY_LOCAL_ADMIN
C. HKEY_CLASSES_ADMIN
D. HKEY_CLASSES_SYSTEM
Answer: A
Explanation:
QUESTION NO: 36
You have been given the task to investigate web attacks on a Windows-based server.
Which of the following commands will you use to look at which sessions the machine has opened
with other systems?
A. Net sessions
B. Net use
C. Net config
D. Net share
Answer: B
Explanation:
QUESTION NO: 37
What is a SCSI (Small Computer System Interface)?
A. A set of ANSI standard electronic interfaces that allow personal computers to communicate with
peripheral hardware such as disk drives, tape drives, CD-ROM drives, printers, and scanners
B. A standard electronic interface used between a computer motherboard's data paths or bus and
the computer's disk storage devices
C. A "plug-and-play" interface, which allows a device to be added without an adapter card and
without rebooting the computer
D. A point-to-point serial bi-directional interface for transmitting data between computer devices at
data rates of up to 4 Gbps
Answer: A
Explanation:
QUESTION NO: 38
The status of the network interface cards (NICs) connected to a system gives information about
whether the system is connected to a wireless access point and what IP address is being used.
Which command displays the network configuration of the NICs on the system?
A. ipconfig /all
B. netstat
C. net session
D. tasklist
Answer: A
Explanation:
QUESTION NO: 39
Which is a Linux journaling file system?
A. Ext3
B. HFS
C. FAT
D. BFS
Answer: A
Explanation:
QUESTION NO: 40
Which of the following steganography types hides the secret message in a specifically designed
pattern on the document that is unclear to the average reader?
A. Open code steganography
B. Visual semagrams steganography
C. Text semagrams steganography
D. Technical steganography
Answer: A
Explanation:
QUESTION NO: 41
Web applications provide an interface between end users and web servers through a set of web
pages that are generated at the server end or contain script code to be executed dynamically
within the client web browser.
A. True
B. False
Answer: A
Explanation:
QUESTION NO: 42
Jason, a renowned forensic investigator, is investigating a network attack that resulted in the
compromise of several systems in a reputed multinational's network. He started Wireshark to
capture the network traffic. Upon investigation, he found that the DNS packets travelling across
the network belonged to a non-company-configured IP. Which of the following attacks can Jason
infer from his findings?
A. DNS Poisoning
B. Cookie Poisoning Attack
C. DNS Redirection
D. Session poisoning
Answer: A
Explanation:
QUESTION NO: 43
Which table is used to convert huge word lists (i.e. dictionary files and brute-force lists) into
password hashes?
A. Rainbow tables
B. Hash tables
C. Master file tables
D. Database tables
Answer: A
Explanation:
QUESTION NO: 44
A data acquisition system is a combination of tools or processes used to gather, analyze and record
information about some phenomenon. Different data acquisition systems are used depending on the
location, speed, cost, etc. A serial communication data acquisition system is used when the actual
location of the data is at some distance from the computer. Which of the following communication
standards is used in a serial communication data acquisition system?
A. RS422
B. RS423
C. RS232
D. RS231
Answer: C
Explanation:
QUESTION NO: 45
Which of the following statements is incorrect when preserving digital evidence?
A. Document the actions and changes that you observe in the monitor, computer, printer, or in
other peripherals
B. Verify whether the monitor is in the on, off, or sleep mode
C. Remove the power cable depending on the power state of the computer, i.e., on, off, or
sleep mode
D. Turn on the computer and extract Windows event viewer log files
Answer: D
Explanation:
QUESTION NO: 46
Which of the following would you consider an aspect of organizational security, especially focusing
on IT security?
A. Biometric information security
B. Security from frauds
C. Application security
D. Information copyright security
Answer: C
Explanation:
QUESTION NO: 47
Which of the following approaches checks and compares all the fields systematically and
intentionally for positive and negative correlation with each other to determine the correlation
across one or multiple fields?
A. Graph-based approach
B. Neural network-based approach
C. Rule-based approach
D. Automated field correlation approach
Answer: D
Explanation:
QUESTION NO: 48
Log management includes all the processes and techniques used to collect, aggregate, and
analyze computer-generated log messages. It consists of the hardware, software, network and
media used to generate, transmit, store, analyze, and dispose of log data.
A. True
B. False
Answer: A
Explanation:
QUESTION NO: 49
Data files from original evidence should be used for forensics analysis
A. True
B. False
Answer: B
Explanation:
QUESTION NO: 50
Attackers can manipulate variables that reference files with "dot-dot-slash (../)" sequences and
their variations such as http://www.juggyDoy.corn/GET/process.php./././././././././etc/passwd.
Identify the attack referred to.
A. Directory traversal
B. SQL Injection
C. XSS attack
D. File injection
Answer: A
Explanation:
QUESTION NO: 51
The Subscriber Identity Module (SIM) is a removable component that contains essential information
about the subscriber. Its main function entails authenticating the user of the cell phone to the
network to gain access to subscribed services. A SIM contains a 20-digit-long Integrated Circuit Card
Identification (ICCID) number. Identify the issuer identifier number from the ICCID below.
A. 89
B. 44
C. 245252
D. 001451548
Answer: C
Explanation:
QUESTION NO: 52
The Electronic Serial Number (ESN) is a unique __________ recorded on a secure chip in a
mobile phone by the manufacturer.
A. 16-bit identifier
B. 24-bit identifier
C. 32-bit identifier
D. 64-bit identifier
Answer: C
Explanation:
QUESTION NO: 53
First response to an incident may involve three different groups of people, and each will have
differing skills and need to carry out differing tasks based on the incident. Who is responsible for
collecting, preserving, and packaging electronic evidence?
A. System administrators
B. Local managers or other non-forensic staff
C. Forensic laboratory staff
D. Lawyers
Answer: C
Explanation:
QUESTION NO: 54
The tasklist command displays a list of applications and services with their Process ID (PID) for all
tasks running on either a local or a remote computer.
Which of the following tasklist commands provides information about the listed processes,
including the image name, PID, name, and number of the session for the process?
A. tasklist/s
B. tasklist/u
C. tasklist/p