Question 1

EC Council CSA Practice Test | Exam 312–39

Question 1

Bonney’s system has been compromised by a gruesome malware.
What is the primary step that is advisable to Bonney in order to contain the malware incident from spreading?

• A. Complaint to police in a formal way regarding the incident
• B. Turn off the infected machine
• C. Leave it to the network administrators to handle
• D. Call the legal department in the organization and inform about the incident

Correct Answer: B

Turn off the infected machine. The primary step that Bonney should take in order to contain the malware incident from spreading is to turn off the infected machine. This will help prevent the malware from spreading to other systems on the network and minimize the damage caused by the attack. Once the infected machine has been isolated, further steps can be taken to investigate the incident and remove the malware. Options A, C, and D may be relevant in some situations, but they are not the primary step that should be taken to contain the incident.

Question 2

According to the forensics investigation process, what is the next step carried out right after collecting the evidence?

• A. Create a Chain of Custody Document
• B. Send it to the nearby police station
• C. Set a Forensic lab
• D. Call Organizational Disciplinary Team

Correct Answer: A

Create a Chain of Custody Document. After collecting the evidence, the next step in the forensics investigation process is to create a chain of custody document. This document is used to track the evidence from the time it is collected until it is presented in court. It documents who collected the evidence, when it was collected, where it was collected, and how it was stored and transported. This helps ensure that the evidence is admissible in court and that its integrity has been maintained throughout the investigation. Options B, C, and D may be relevant in some situations, but they are not the next step carried out after collecting the evidence.

Question 3

Which one of the following is the correct flow for Setting Up a Computer Forensics Lab?

• A. Planning and budgeting –> Physical location and structural design considerations –> Work area considerations –> Human resource considerations –> Physical security recommendations –> Forensics lab licensing
• B. Planning and budgeting –> Physical location and structural design considerations–> Forensics lab licensing –> Human resource considerations –> Work area considerations –> Physical security recommendations
• C. Planning and budgeting –> Forensics lab licensing –> Physical location and structural design considerations –> Work area considerations –> Physical security recommendations –> Human resource considerations
• D. Planning and budgeting –> Physical location and structural design considerations –> Forensics lab licensing –>Work area considerations –> Human resource considerations –> Physical security recommendations

Correct Answer: D

The correct answer is D. Planning and budgeting –> Physical location and structural design considerations –> Forensics lab licensing –> Work area considerations –> Human resource considerations –> Physical security recommendations. This is the correct flow for setting up a computer forensics lab. The first step is to plan and budget for the lab, followed by selecting a physical location and designing the lab’s structure. Forensics lab licensing should then be obtained, followed by setting up the work area and considering the human resources needed for the lab. Finally, physical security recommendations should be implemented to ensure the lab and evidence are protected. Option A has the incorrect order of physical location and structural design considerations and work area considerations. Option B has the incorrect order of forensics lab licensing and physical location and structural design considerations. Option C has the incorrect order of forensics lab licensing and physical location and structural design considerations, as well as the incorrect order of physical security recommendations and human resource considerations.

Question 4

Which of the following directory will contain logs related to printer access?

• A. /var/log/cups/Printer_log file
• B. /var/log/cups/access_log file
• C. /var/log/cups/accesslog file
• D. /var/log/cups/Printeraccess_log file

Correct Answer: B

The correct answer is B. /var/log/cups/access_log file. This file contains logs related to printer access in the Common Unix Printing System (CUPS), a printing system used in many Linux distributions. Option A is incorrect because it refers to a non-existent file called “Printer_log file”. Option C is incorrect because it refers to a non-existent file called “accesslog file”. Option D is incorrect because it refers to a non-existent file called “Printeraccess_log file”.

Question 5

Which of the following command is used to enable logging in iptables?

• A. $ iptables -B INPUT -j LOG
• B. $ iptables -A OUTPUT -j LOG
• C. $ iptables -A INPUT -j LOG
• D. $ iptables -B OUTPUT -j LOG

Correct Answer: C

The correct answer is C. $ iptables -A INPUT -j LOG. This command adds a rule to the INPUT chain of the iptables firewall to log all incoming packets. The -j LOG option specifies that the packets should be logged, and the -A option adds the rule to the end of the chain. Option B adds a rule to log outgoing packets, while option D uses the invalid option -B.

Question 6

Ray is a SOC analyst in a company named Queens Tech. One Day, Queens Tech is affected by a DoS/DDoS attack. For the containment of this incident, Ray and his team are trying to provide additional bandwidth to the network devices and increasing the capacity of the servers.
What is Ray and his team doing?

• A. Blocking the Attacks
• B. Diverting the Traffic
• C. Degrading the services
• D. Absorbing the Attack

Correct Answer: D

The correct answer is D. Absorbing the Attack. Ray and his team are providing additional bandwidth to the network devices and increasing the capacity of the servers in order to absorb the DoS/DDoS attack. This means that they are trying to increase the capacity of the network and server infrastructure in order to handle the increased traffic caused by the attack, rather than trying to block or divert the attack. Blocking or diverting the attack may be part of the response to the incident, but in this case, Ray and his team are focused on absorbing the attack. Option A is incorrect because blocking the attacks involves stopping the malicious traffic from reaching its target, which is not what is happening in this scenario. Option B is incorrect because diverting the traffic involves sending the traffic to a different destination, which is not what is happening in this scenario. Option C is incorrect because degrading the services involves intentionally reducing the quality of service, which is not what is happening in this scenario.

Question 7

Identify the attack when an attacker by several trial and error can read the contents of a password file present in the restricted etc folder just by manipulating the URL in the browser as shown: http://www.terabytes.com/process.php./../../../../etc/passwd

• A. Directory Traversal Attack
• B. SQL Injection Attack
• C. Denial-of-Service Attack
• D. Form Tampering Attack

Correct Answer: A

The correct answer is A. Directory Traversal Attack. In this attack, also known as path traversal attack, the attacker manipulates the URL to access files outside of the web root directory, such as files in the restricted /etc folder in this case. By using “../” sequences, the attacker is able to move up one level in the file system and eventually reach the desired file. Option B, SQL Injection Attack, is incorrect because it involves manipulating SQL queries to access or modify data in a database. Option C, Denial-of-Service Attack, is incorrect because it involves overwhelming a system with traffic or requests to make it unavailable to legitimate users. Option D, Form Tampering Attack, is incorrect because it involves manipulating the data submitted through web forms to bypass authentication or inject malicious code.

Question 8

Which encoding replaces unusual ASCII characters with “%” followed by the character’s two-digit ASCII code expressed in hexadecimal?

• A. Unicode Encoding
• B. UTF Encoding
• C. Base64 Encoding
• D. URL Encoding

Correct Answer: D

The correct answer is D. URL Encoding. URL Encoding is a technique used to convert non-ASCII characters or reserved characters in URLs to a format that can be transmitted over the internet. Unusual ASCII characters are replaced with “%” followed by the character’s two-digit ASCII code expressed in hexadecimal. For example, the URL-encoded form of the character “?” would be “%3F”. Option A, Unicode Encoding, is incorrect because it is a character encoding that maps characters to unique code points, but it does not use “%” to represent characters. Option B, UTF Encoding, is also incorrect because it is a variable-length character encoding that uses a different format to represent characters. Option C, Base64 Encoding, is used to encode binary data as ASCII characters, but it does not use “%” to represent characters.

Question 9

Which of the following formula represents the risk?

• A. Risk = Likelihood × Severity × Asset Value
• B. Risk = Likelihood × Consequence × Severity
• C. Risk = Likelihood × Impact × Severity
• D. Risk = Likelihood × Impact × Asset Value

Correct Answer: D

The correct answer is D. Risk = Likelihood × Impact × Asset Value. This formula represents the risk in terms of the likelihood of an event occurring, the impact or consequence of the event, and the value of the asset that is at risk. Likelihood refers to the probability of the event occurring, impact refers to the magnitude of the consequences of the event, and asset value refers to the value of the asset that is at risk. Option A is incorrect because it includes “severity” instead of “impact” and does not include asset value. Option B is incorrect because it includes “consequence” instead of “impact”. Option C is incorrect because it includes “impact” and “severity” but does not include asset value.

Question 10

The Syslog message severity levels are labelled from level 0 to level 7.
What does level 0 indicate?

• A. Alert
• B. Notification
• C. Emergency
• D. Debugging

Correct Answer: C

The correct answer is C. Emergency. Level 0 is the highest severity level in the Syslog protocol, and it is used to indicate that the system is unusable or has suffered a catastrophic failure. This severity level is reserved for system-level emergencies and requires immediate attention. Option A, Alert, is the second-highest severity level and is used to indicate conditions that require immediate attention. Option B, Notification, is not a valid Syslog severity level. Option D, Debugging, is the lowest severity level and is used to provide debug information.

CertMaster Group : https://www.udemy.com/user/ngdngict/