212-89 Exam Dumps - ECCouncil ECIH Questions and Answers

This scenario reflects misuse of system resources, a category defined in ECIH network and endpoint incident classification.

Option C is correct because unauthorized software caused excessive CPU usage and system strain, violating acceptable use policies.

Options A, B, and D do not match the behavior described.

ECIH classifies such activity as a security incident because it impacts availability, performance, and risk exposure.

This scenario is a clear example of a deceptive phishing attack, which is extensively covered in the ECIH Email Security Incident module. Deceptive phishing involves impersonating a trusted internal entity—such as HR—to trick recipients into disclosing sensitive information like credentials or personal data.

Option D is correct because the email impersonates HR, uses social engineering, and directs users to a visually identical but fraudulent login page hosted on an unfamiliar domain. These characteristics are classic indicators of deceptive phishing.

Option A refers to DNS manipulation and is not evidenced here. Option B involves overwhelming email volume rather than deception. Option C refers to unsolicited bulk email without impersonation.

Elena’s actions align with ECIH best practices: preserving headers for forensic validation, capturing screenshots to document fraudulent infrastructure, and blocking malicious domains to prevent further exposure. Correctly categorizing the incident as deceptive phishing ensures appropriate eradication, awareness, and reporting measures.

The root cause of this incident is unvalidated input poisoning the AI training process, resulting in malicious output. ECIH web application security principles emphasize that input validation is the primary control against injection and manipulation attacks.

Option B is correct because strict validation ensures that malicious or untrusted data cannot influence training or response generation. This addresses the vulnerability at its source.

Option A adds friction but does not stop poisoning. Option C is disruptive and not efficient. Option D limits functionality without fixing the underlying issue.

ECIH stresses fixing vulnerabilities at the root rather than applying superficial controls, making Option B correct.

Bob is in the Investigation phase of the forensic investigation process. This phase involves the detailed examination and analysis of the collected evidence to identify the source of the crime and the perpetrator behind the incident. It is a crucial step that follows the acquisition and preservation of evidence, where the incident responder applies various techniques and methodologies to analyze the evidentiary data. This analysis aims to uncover how the cybercrime was committed, trace the activities of the culprit, and gather actionable intelligence to support legal actions and prevent future incidents.

The Volatility framework is a widely used tool for analyzing volatile memory (RAM) dumps. It is especially useful in digital forensics and malware analysis. One of the fundamental tasks in memory analysis is to list the processes that were running on the system at the time the memory dump was taken. Thepslistcommand in the Volatility framework serves this purpose by listing all processes from the process list in memory, which can provide valuable insights into what was happening on the system, including the presence of any malicious processes.

The syntax provided in the answer option corresponds to the usage of thepslistcommand with the Volatility tool, specifying the memory dump file to be analyzed (-f /root/Desktop/memdump.mem) and the profile of the system from which the dump was taken (--profile=Win2008SP1x86). This information is crucial for accurate analysis, as the profile helps Volatility interpret the memory structures correctly.

This scenario describes a persistent phishing campaign leveraging spoofed domains and variant-based delivery mechanisms. According to the EC-Council Incident Handler (ECIH) curriculum under Email Security Incident Handling and Eradication, once detection and containment measures (such as blocking malicious IP addresses and purging emails) have been implemented, the eradication phase must focus on eliminating root causes and recurring technical vectors.

The key phrase in the question is “eliminate recurring delivery mechanisms and close technical loopholes.” ECIH emphasizes that phishing campaigns frequently evolve by modifying URLs, sender domains, encoding techniques, and payload structures to bypass simple IP blocking controls. Therefore, security teams must analyze decoded message components, extract malicious URLs, and generate URL-based deny-lists at the secure email gateway, web proxy, and firewall layers.

Creating email-specific URL deny-lists directly disrupts the attack infrastructure and prevents repeated access to malicious domains—even when attackers use variant IP addresses or modified content. This is a technical eradication control aligned with eliminating delivery vectors.

Options B and C (training and simulations) are preventive awareness measures and fall under the preparation or post-incident improvement phase—not eradication. Option A (WHOIS masking) is unrelated to preventing phishing delivery.

ECIH guidance stresses strengthening email filtering rules, updating domain and URL blacklists, implementing SPF/DKIM/DMARC validation, and hardening secure email gateways as core eradication techniques. Therefore, option D best aligns with the eradication objective.

In the scenario described, Dickson is performing an active assessment. This type of vulnerability assessment involves using automated tools to actively scan and probe the network for identifying hosts, services, and vulnerabilities. Unlike passive assessments, which rely on monitoring network traffic without direct interaction with the targets, active assessments engage directly with the network infrastructure to discover vulnerabilities, misconfigurations, and other security issues by sending data to systems and analyzing the responses. This approach provides a more immediate and detailed view of the security posture but can also generate detectable traffic that might be noticed by defensive systems or affect the performance of live systems.

James is working on the post-incident activities stage of the Incident Handling and Response (IH&R) process. After containing the spread of the infection and removing the malware, the focus shifts to assessing the impact of the incident on the organization and preparing a detailed report. This phase involves analyzing the extent of the damage, determining the cost of the attack, evaluating how well the incident was managed, and identifying lessons learned to improve future response efforts. The objective is to restore systems to normal operation, ensure no remnants of the threat remain, and implement measures to prevent recurrence.

The first step in securing an employee's account following an email hacking incident involves restoring access to the email services if necessary and immediately changing the password to prevent unauthorized access. This action ensures that the attacker is locked out of the account as quickly as possible. While enabling two-factor authentication, scanning links and attachments, and disabling automatic file sharing are important security measures, they come into play after ensuring that the compromised account is first secured by changing its password to halt any ongoing unauthorized access.

The ECIH Endpoint Security module identifies EDR systems as the cornerstone of modern endpoint incident response. Advanced attacks targeting intellectual property often bypass traditional antivirus controls.

Option C is correct because EDR provides continuous monitoring, behavioral detection, rapid containment, and automated response across endpoints. This capability is critical during high-risk periods such as product launches.

Options A, B, and D are important but insufficient alone for real-time detection and response.

Therefore, deploying a robust EDR system is essential.