ECIH 212-89 Syllabus Exam Questions Answers

The DBCC LOG command is used in SQL Server environments to analyze the transaction log files of a database. It provides insights into the transactions that have occurred, which is crucial for forensic analysis in the event of an incident. The syntaxDBCC LOG(<database_name>, <output_level>)allows an incident handler to specify the level of detail they wish to retrieve from the log files. When an incident handler like Adam requires the full information on each operation along with the hex dump of the current transaction row, the output parameter should be set to 4. This level of output is the most verbose, providing comprehensive details about each transaction, including a hex dump which is essential for a deep forensic analysis. It helps in understanding the exact changes made by transactions, which can be pivotal in investigating incidents involving data manipulation or other unauthorized database activities.

References:EC-Council's Certified Incident Handler (ECIH v3) program emphasizes the importance of understanding and utilizing various tools and commands for forensic analysis, including how to use the DBCC LOG command for transaction log analysis in SQL Server environments.

Access point monitoring is the technique that helps incident handlers to detect man-in-the-middle (MitM) attacks by continuously observing and managing the wireless access points (APs) within a network. This includes identifying unauthorized or new APs attempting to connect to the network or mimic existing APs, even if they present similar IP and MAC addresses to legitimate access points. Through access point monitoring, incident handlers can quickly identify and mitigate spoofed APs, thus preventing MitM attacks that exploit wireless networks by intercepting and manipulating communications.References:Incident Handler (ECIH v3) courses and study materials discuss network security monitoring strategies, including the importance of monitoring access points to detect and prevent MitM attacks and other threats to wireless networks.

The correct flow of stages in an Incident Handling and Response (IH&R) process as outlined in the Incident Handler (ECIH v3) by EC-Council begins with Preparation. This phase involves getting ready for potential incidents by developing plans, policies, and procedures, and ensuring that tools and team training are up to date. Incident Recording is the next stage, where incidents are documented and reported. Incident Triage follows, prioritizing incidents based on their impact and urgency. Containment is next, aiming to limit the damage of the incident and prevent further spread. Eradication comes after containment, where the root cause of the incident is removed. Recovery is the stage where affected systems are restored to their operational status. Post-Incident Activities conclude the process, reviewing and learning from the incident to improve future response efforts.

References:This structured approach is foundational in the ECIH v3 program, ensuring that incident handlers are prepared to systematically address and manage cybersecurity incidents efficiently.

Turning off the infected machine is a common immediate response to contain a malware incident and prevent it from spreading to other systems on the network. This action halts any ongoing malicious activities by the malware, thereby limiting the potential for further damage or data exfiltration. However, it is essential to note that this step can lead to the loss of volatile data that might be useful for forensic analysis. Therefore, it is advisable only when it's critical to stop the malware immediately, and there's a strategy in place for forensic investigation that includes handling non-volatile data or when the preservation of volatile data is not possible.

References:The Incident Handler (ECIH v3) curriculum by EC-Council outlines various strategies for containing malware incidents, discussing the implications and considerations of actions such as turning off infected machines.