[Introduction to Incident Handling and Response]
Alice is an incident handler and she has been informed by her lead that the data on affected systems must be backed up so that it can be retrieved if it is damaged during the incident response process. She was also told that the system backup can also be used for further investigation of the incident. In which of the following stages of the incident handling and response (IH&R) process does Alice need to do a complete backup of the infected system?
In the incident handling and response (IH&R) process, backing up the data on affected systems is a critical step that usually falls under the Containment phase. The Containment phase is crucial for limiting the scope and severity of an incident, ensuring that it does not spread further or affect additional systems. Backing up affected systems during containment is essential for several reasons: it preserves a snapshot of the system in its current state for forensic analysis, ensures that data is not lost if the system needs to be wiped or altered during the response process, and helps in the recovery process if data is corrupted or lost.
By performing a complete backup of the infected system during the Containment phase, Alice ensures that there is a reliable copy of all data and system states before any major actions, such as eradication or deeper forensic analysis, are taken. This step is also preparatory for the potential use of the backup in analyzing how the incident occurred and in restoring system functionality after the incident is resolved.
Bonney's system has been compromised by gruesome malware. What is the primary step that is advisable to Bonney in order to contain the malware incident and stop it from spreading?
Turning off the infected machine is a common immediate response to contain a malware incident and prevent it from spreading to other systems on the network. Powering down halts any ongoing malicious activity by the malware, limiting the potential for further damage or data exfiltration. However, this step destroys volatile data (running processes, network connections, memory contents) that might be useful for forensic analysis. It is therefore advisable only when stopping the malware immediately is critical and a forensic strategy is in place that relies on non-volatile data, or when preserving volatile data is not possible anyway.
After a recent email attack, Harry is analyzing the incident to obtain important information related to it. While investigating, he is trying to extract information such as the sender's identity, the mail server, the sender's IP address, location, and so on. Which of the following tools must Harry use to perform this task?
Yesware is a tool primarily known for its email tracking capabilities, which are useful for sales, marketing, and customer relationship management. However, in the context of investigating an email attack and extracting details such as sender identity, mail server, sender's IP address, and location, the more appropriate kind of tool is one that specializes in parsing email headers, in particular the Received chain, which records the path an email took across the internet. While Yesware can provide data about email interactions, it does not offer the depth of forensic analysis that incident investigation requires. Email header analyzers, which are designed specifically for dissecting and interpreting headers, are the better fit. Among the given options, Yesware is the intended answer, but in practice a tool built for email forensics would be chosen for this task.
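The kind of header analysis the explanation refers to, as an added example that is not part of the original page and is not Yesware's code: the script walks the Received chain of a raw message to recover the originating IP and the mail servers it passed through, and pulls the sender identity from From, Return-Path and Reply-To. The message is constructed for the example (hosts under example.com and example.net, addresses from the RFC 5737 documentation ranges), and the checks for mismatched domains and missing reverse DNS are this example's own heuristics.

```python
"""Extract sender, relay and originating-IP details from raw email headers.

Added example (not from the original page). The message below is constructed,
not a real captured email: hosts use example.com and example.net, and IPs come
from the RFC 5737 documentation ranges.
"""
import email
import re
from email.utils import parseaddr

# Constructed sample: a lookalike "CEO" invoice lure relayed through three MTAs.
RAW_MESSAGE = b"""\
Return-Path: <billing@example.net>
Received: from mx2.example.com (mx2.example.com [192.0.2.20])
\tby mail.example.com with ESMTP id 12345
\tfor <harry@example.com>; Mon, 01 Jan 2024 10:00:03 +0000
Received: from mail-relay.example.net (mail-relay.example.net [198.51.100.30])
\tby mx2.example.com with ESMTPS id 67890
\tfor <harry@example.com>; Mon, 01 Jan 2024 10:00:02 +0000
Received: from webmail.example.net (unknown [203.0.113.77])
\tby mail-relay.example.net with ESMTPA
\tfor <harry@example.com>; Mon, 01 Jan 2024 10:00:01 +0000
From: "Accounts Payable" <ceo@example.com>
Reply-To: billing@example.net
To: harry@example.com
Subject: Urgent invoice
Message-ID: <abc123@example.net>
Date: Mon, 01 Jan 2024 10:00:00 +0000

Please see attached.
"""

# Matches "from <claimed host> (<reverse DNS> [<ip>]) by <receiving server>".
RECEIVED_RE = re.compile(
    r"from\s+(\S+)\s+\((?:([^\s\[\]]+)\s+)?\[([0-9a-fA-F.:]+)\]\)\s+by\s+(\S+)")


def domain(addr):
    """Lower-cased domain part of an address (empty string if none)."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def parse_received_chain(msg):
    """One dict per Received header, in header order (newest hop first)."""
    hops = []
    for raw in msg.get_all("Received", []):
        flat = re.sub(r"\s+", " ", raw)  # unfold continuation lines
        m = RECEIVED_RE.search(flat)
        if m:
            hops.append({"claimed": m.group(1), "rdns": m.group(2) or "",
                         "ip": m.group(3), "by": m.group(4)})
    return hops


def summarize(raw_bytes):
    """Return the sender / server / origin-IP facts an investigator asks for first."""
    msg = email.message_from_bytes(raw_bytes)
    hops = parse_received_chain(msg)
    # Each MTA prepends its own Received header, so the LAST one is the first hop.
    origin = hops[-1] if hops else {"ip": "", "claimed": "", "rdns": ""}
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, return_path = parseaddr(msg.get("Return-Path", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))

    findings = []
    if return_path and domain(return_path) != domain(from_addr):
        findings.append(f"Return-Path domain {domain(return_path)} differs from "
                        f"From domain {domain(from_addr)}")
    if reply_to and reply_to.lower() != from_addr.lower():
        findings.append(f"Reply-To {reply_to} differs from From {from_addr}")
    if hops and origin["rdns"] in ("", "unknown"):
        findings.append(f"originating host {origin['ip']} has no reverse DNS")

    # Location is derived from origin_ip with a GeoIP database, which is an
    # external lookup and is deliberately not performed in this offline example.
    return {
        "from": from_addr,
        "display_name": from_name,
        "return_path": return_path,
        "reply_to": reply_to,
        "origin_ip": origin["ip"],
        "origin_host": origin["claimed"],
        "mail_servers": [h["by"] for h in hops],
        "hops": hops,
        "findings": findings,
    }


if __name__ == "__main__":
    report = summarize(RAW_MESSAGE)
    for key, value in report.items():
        print(f"{key}: {value}")
```

Only the Received header written by your own receiving server can be trusted outright; every earlier hop is text a sender could have forged, which is why the script records the reverse DNS alongside the claimed hostname rather than taking either at face value.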
An organization's customers are experiencing either slower network communication or unavailability of services. In addition, network administrators are receiving alerts from security tools such as IDS/IPS and firewalls about a possible DoS/DDoS attack. As a result, the organization asks the incident handling and response (IH&R) team to investigate the incident further. The IH&R team decides to use manual techniques to detect the DoS/DDoS attack.
Which of the following commands helps the IH&R team manually detect a DoS/DDoS attack?
The netstat -an command displays network connections, routing tables, and a number of network interface statistics. It is particularly useful for identifying unusual volumes of connections to and from a system, which can indicate a DoS/DDoS attack. The -a option shows all active connections and the TCP and UDP ports on which the computer is listening, and -n displays addresses and port numbers in numerical form rather than resolving names (which is both faster and avoids leaking DNS queries during an investigation). With this output the IH&R team can spot suspicious patterns, such as a large number of connections from a single source, a pile-up of connections to a specific port, or many sockets stuck in SYN_RECV, all of which are common during DoS/DDoS attacks.
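The manual check described above, turned into a repeatable one, as an added example that is not part of the original page: the script parses netstat -an output, counts sockets per remote address and half-open (SYN_RECV) sockets per local port, and reports anything over a threshold. The netstat output is constructed for the example (RFC 5737 documentation addresses) and the thresholds are illustrative values, not figures from the page.

```python
"""Parse `netstat -an` output and flag connection patterns typical of DoS/DDoS.

Added example (not from the original page). The sample output below is
constructed, not captured from a real host; addresses come from the RFC 5737
documentation ranges (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24).
"""
from collections import Counter

# Constructed `netstat -an` output (Linux-style columns): two listeners, three
# normal sessions, a burst of half-open connections from one source, one UDP socket.
SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 192.0.2.10:22           198.51.100.9:51234      ESTABLISHED
tcp        0      0 192.0.2.10:80           198.51.100.7:44010      ESTABLISHED
tcp        0      0 192.0.2.10:80           198.51.100.8:44011      ESTABLISHED
tcp        0      0 192.0.2.10:80           203.0.113.5:40001       SYN_RECV
tcp        0      0 192.0.2.10:80           203.0.113.5:40002       SYN_RECV
tcp        0      0 192.0.2.10:80           203.0.113.5:40003       SYN_RECV
tcp        0      0 192.0.2.10:80           203.0.113.5:40004       SYN_RECV
tcp        0      0 192.0.2.10:80           203.0.113.5:40005       SYN_RECV
tcp        0      0 192.0.2.10:80           203.0.113.5:40006       SYN_RECV
udp        0      0 0.0.0.0:123             0.0.0.0:*
"""

PROTOS = ("tcp", "tcp6", "udp", "udp6")


def parse_netstat(text):
    """Return one dict per socket that has a real peer; listeners are skipped."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] not in PROTOS:
            continue  # banner, column header or blank line
        local, foreign = parts[3], parts[4]
        state = parts[5] if len(parts) > 5 else ""  # UDP rows carry no state
        remote_ip, remote_port = foreign.rsplit(":", 1)
        if remote_port == "*":
            continue  # listening / unbound socket, no peer to count
        local_ip, local_port = local.rsplit(":", 1)
        conns.append({"proto": parts[0], "local_ip": local_ip, "local_port": local_port,
                      "remote_ip": remote_ip, "remote_port": remote_port, "state": state})
    return conns


def connections_per_peer(conns):
    """Sockets per remote address: a single flood source stands out here."""
    return Counter(c["remote_ip"] for c in conns)


def half_open_by_port(conns):
    """SYN_RECV sockets per local port: a pile-up is the signature of a SYN flood."""
    return Counter(c["local_port"] for c in conns if c["state"] == "SYN_RECV")


def flag_suspicious(conns, peer_threshold=5, half_open_threshold=5):
    """Thresholds are illustrative; tune them to the host's normal baseline."""
    findings = []
    for ip, n in connections_per_peer(conns).most_common():
        if n >= peer_threshold:
            findings.append(f"{n} connections from single source {ip}")
    for port, n in half_open_by_port(conns).most_common():
        if n >= half_open_threshold:
            findings.append(f"{n} half-open (SYN_RECV) connections to local port {port}")
    return findings


if __name__ == "__main__":
    # On a live host, feed the stdout of `netstat -an` in place of SAMPLE_NETSTAT.
    conns = parse_netstat(SAMPLE_NETSTAT)
    for finding in flag_suspicious(conns):
        print(finding)
```

Running netstat once gives a snapshot; taking the counts at intervals and comparing them against the host's normal baseline is what turns the manual check into a detection, and a distributed flood will show as many peers with a few connections each rather than one source over the threshold, which is why the per-port half-open count is reported separately.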