212-89 Exam Dumps - ECCouncil ECIH Questions and Answers

Email-bombing refers to the attack where the attacker sends a massive volume of emails to a specific email address or mail server in order to overflow the mailbox or overwhelm the server, potentially causing it to fail or deny service to legitimate users. This attack can disrupt communications and, in some cases, lead to the targeted email account being disabled. Masquerading involves pretending to be another legitimate user, spoofing is the creation of emails (or other communications) with a forged sender address, and a smurf attack is a specific type of Distributed Denial of Service (DDoS) attack that exploits Internet Protocol (IP) and Internet Control Message Protocol (ICMP) to flood a target with traffic. Email-bombing specifically targets email services with the goal of causing disruption by overflowing inboxes.

The vulnerability exploited by Clark through tampering with form and parameter values to gain unauthorized access to information assets is indicative of Broken Access Control. Broken Access Control vulnerabilities occur when a web application does not properly enforce restrictions on what authenticated users are allowed to do. Attackers can exploit these vulnerabilities to access unauthorized functionality or data, such as accessing other users' accounts, viewing sensitive files, and modifying other users’ data.

Rachel is applying the forensic principle of preserving volatile and screen-based digital evidence, which is a core concept in the ECIH First Response and Digital Forensics modules. When a mobile device is powered on and unlocked, the data visible on the screen—such as messages, timestamps, sender details, and session states—constitutes volatile evidence that may be lost permanently if the device locks, reboots, or powers off.

ECIH guidance instructs first responders to document the live state of a device before any interaction that could alter its condition. Photographing the screen captures evidence that may not be recoverable later due to encryption or session expiration. Maintaining power ensures the device does not enter a locked or encrypted state during transport.

Option A refers to forensic analysis, not first response. Option C would destroy evidence and violates forensic principles. Option D risks loss of volatile data.

Preserving screen-based evidence ensures integrity, admissibility, and continuity of evidence, making Option B correct.

Evidence assessment is a critical step in the investigation phase of the computer forensics process. This step involves evaluating the evidence collected to determine its relevance and significance to the case at hand. It includes analyzing the secured data to identify what information can be used as evidence, its integrity, and how it can be related to the security incident. This phase is pivotal as it helps in building a coherent understanding of the incident and in establishing facts that can be presented in management reports or legal proceedings.

In cloud computing environments, the responsibility for providing and managing network services, as well as handling incidents related to these services, primarily falls on the cloud service provider. This includes Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and Software as a Service (SaaS) models. The cloud service provider is tasked with ensuring the availability, integrity, and security of the network services they offer. This responsibility includes managing and responding to incidents that may affect these services, ranging from security breaches to performance issues. The cloud service provider employs a variety of tools and techniques to monitor the network, identify potential threats, and implement corrective actions to mitigate any impact on the services and their users.

The correct sequence of steps involved in forensic readiness planning, based on the activities described, is as follows:

Identify the potential evidence required for an incident.

Determine the source of the evidence.

Define a policy that determines the pathway to legally extract electronic evidence with minimal disruption.

Establish a policy for securely handling and storing the collected evidence.

Identify if the incident requires full or formal investigation.

Train the staff to handle the incident and preserve the evidence.

Create a special process for documenting the procedure.

When Joseph, the IH&R team lead, alerted service providers, developers, and manufacturers about the affected resources, he was engaged in the Containment stage of the Incident Handling and Response (IH&R) process. Containment involves taking steps to limit the spread or impact of an incident and to isolate affected systems to prevent further damage. Alerting relevant stakeholders, including service providers and developers, is part of containment efforts to ensure that the threat does not escalate and that measures are taken to protect unaffected resources. This stage precedes eradication and recovery, focusing on immediate response actions to secure the environment.

This scenario highlights violations of forensic readiness and safe malware handling, which are explicitly covered in the ECIH First Response and Malware Analysis modules. ECIH stresses that malware samples must never be handled on production or enterprise-connected systems, as this creates a high risk of accidental execution, lateral infection, and organizational impact.

Option A is correct because ECIH mandates that malicious code samples be stored in isolated, non-networked environments and renamed with non-executable extensions (for example, .malware, .bin, or .txt) to prevent accidental execution. This practice ensures operational safety and preserves forensic integrity.

Option B improves confidentiality but does not prevent accidental execution. Option C supports documentation but does not mitigate execution risk. Option D aids classification but does not address safe handling.

The described behavior—handling live malware on enterprise systems without isolation or renaming—directly contradicts ECIH best practices. Proper sample isolation, renaming, and access restriction are mandatory controls to prevent secondary incidents during investigations, making Option A the correct answer.

This scenario demonstrates preservation of volatile evidence, a critical first-response principle in the ECIH forensic readiness module. Volatile evidence includes data that exists only while a system is powered on, such as active sessions, running processes, open files, and on-screen information.

Option B is correct because David documents the live system state without interacting in a way that would alter evidence. Photographing the screen, recording visible activity, and documenting connections are all recommended ECIH practices when dealing with powered-on systems.

Option A is unrelated. Option C alters system state. Option D applies only to inactive devices.

ECIH stresses that mishandling active systems can destroy crucial evidence. David’s actions align precisely with first responder best practices, making Option B correct.

This scenario describes an active malware infection with confirmed command-and-control (C2) communication, which represents an immediate and severe risk to sensitive financial data. According to the EC-Council ECIH malware incident handling process, the first priority in such cases is containment, specifically stopping ongoing malicious activity and preventing further data exfiltration.

Option A is correct because disconnecting the affected servers from the network immediately severs the attacker’s control channel and halts outbound data leakage. ECIH emphasizes that when C2 traffic is observed, responders must act decisively to isolate compromised systems before pursuing deeper forensic analysis or remediation. Containment minimizes damage and reduces legal, financial, and reputational impact.

Option B may preserve system state but allows continued exfiltration until shutdown is complete and may disrupt critical banking operations. Option C is a preventive measure and does not stop an active infection. Option D is valuable for investigation but should occur after containment, not before.

ECIH guidance consistently prioritizes stopping harm over gathering evidence when critical assets are at risk. Therefore, immediate network disconnection of affected servers is the correct triage action.