Cisco
CompTIA
ISC
EC-Council
EXIN
Fortinet
ITIL
Juniper
Microsoft
VMware
Avaya
SAP
Google
NVIDIA
Salesforce
Amazon
Palo Alto Networks
ISC2
Splunk
ServiceNow
All Vendors
  2. Home
  3. Exams
  4. EC-Council
  5. 312-49

EC-Council 312-49 Exam
Computer Hacking Forensic Investigator (Page 8 )

Updated On: 12-Feb-2026
Page 8 of 108
PDF with 704 Questions

In a forensic examination of hard drives for digital evidence, what type of user is most likely to have the most file slack to analyze?

  1. one who has NTFS 4 or 5 partitions
  2. one who uses dynamic swap file capability
  3. one who uses hard disk writes on IRQ 13 and 21
  4. one who has lots of allocation units per block or cluster

Answer(s): D



In what way do the procedures for dealing with evidence in a criminal case differ from the procedures for dealing with evidence in a civil case?

  1. evidence must be handled in the same way regardless of the type of case
  2. evidence procedures are not important unless you work for a law enforcement agency
  3. evidence in a criminal case must be secured more tightly than in a civil case
  4. evidence in a civil case must be secured more tightly than in a criminal case

Answer(s): C



You are assigned to work in the computer forensics lab of a state police agency. While working on a high profile criminal case, you have followed every applicable procedure, however your boss is still concerned that the defense attorney might question whether evidence has been changed while at the lab. What can you do to prove that the evidence is the same as it was when it first entered the lab?

  1. make an MD5 hash of the evidence and compare it with the original MD5 hash that was taken when the evidence first entered the lab
  2. make an MD5 hash of the evidence and compare it to the standard database developed by NIST
  3. there is no reason to worry about this possible claim because state labs are certified
  4. sign a statement attesting that the evidence is the same as it was when it entered the lab

Answer(s): A



Study the log given below and answer the following question:

Apr 24 14:46:46 [4663]: spp_portscan: portscan detected from 194.222.156.169
Apr 24 14:46:46 [4663]: IDS27/FIN Scan: 194.222.156.169:56693 -> 172.16.1.107:482
Apr 24 18:01:05 [4663]: IDS/DNS-version-query: 212.244.97.121:3485 -> 172.16.1.107:53
Apr 24 19:04:01 [4663]: IDS213/ftp-passwd-retrieval: 194.222.156.169:1425 -> 172.16.1.107:21
Apr 25 08:02:41 [5875]: spp_portscan: PORTSCAN DETECTED from 24.9.255.53
Apr 25 02:08:07 [5875]: IDS277/DNS-version-query: 63.226.81.13:4499 -> 172.16.1.107:53
Apr 25 02:08:07 [5875]: IDS277/DNS-version-query: 63.226.81.13:4630 -> 172.16.1.101:53
Apr 25 02:38:17 [5875]: IDS/RPC-rpcinfo-query: 212.251.1.94:642 -> 172.16.1.107:111
Apr 25 19:37:32 [5875]: IDS230/web-cgi-space-wildcard: 198.173.35.164:4221 -> 172.16.1.107:80
Apr 26 05:45:12 [6283]: IDS212/dns-zone-transfer: 38.31.107.87:2291 -> 172.16.1.101:53
Apr 26 06:43:05 [6283]: IDS181/nops-x86: 63.226.81.13:1351 -> 172.16.1.107:53
Apr 26 06:44:25 victim7 PAM_pwdb[12509]: (login) session opened for user simple by (uid=0)
Apr 26 06:44:36 victim7 PAM_pwdb[12521]: (su) session opened for user simon by simple(uid=506)
Apr 26 06:45:34 [6283]: IDS175/socks-probe: 24.112.167.35:20 -> 172.16.1.107:1080
Apr 26 06:52:10 [6283]: IDS127/telnet-login-incorrect: 172.16.1.107:23 -> 213.28.22.189:4558

Precautionary measures to prevent this attack would include writing firewall rules. Of these firewall rules, which among the following would be appropriate?

  1. Disallow UDP53 in from outside to DNS server
  2. Allow UDP53 in from DNS server to outside
  3. Disallow TCP53 in from secondaries or ISP server to DNS server
  4. Block all UDP traffic

Answer(s): A



When monitoring for both intrusion and security events between multiple computers, it is essential that the computers' clocks are synchronized. Synchronized time allows an administrator to reconstruct what took place during an attack against multiple computers. Without synchronized time, it is very difficult to determine exactly when specific events took place, and how events interlace. What is the name of the service used to synchronize time among multiple computers?

  1. Universal Time Set
  2. Network Time Protocol
  3. SyncTime Service
  4. Time-Sync Protocol

Answer(s): B






Post your Comments and Discuss EC-Council 312-49 exam prep with other Community members:

Join the 312-49 Discussion