212-89 ECCouncil EC Council Certified Incident Handler (ECIH v3) Free Practice Exam Questions (2026 Updated)

Bob is in the Investigation phase of the forensic investigation process. This phase involves the detailed examination and analysis of the collected evidence to identify the source of the crime and the perpetrator behind the incident. It is a crucial step that follows the acquisition and preservation of evidence, where the incident responder applies various techniques and methodologies to analyze the evidentiary data. This analysis aims to uncover how the cybercrime was committed, trace the activities of the culprit, and gather actionable intelligence to support legal actions and prevent future incidents.

Explanation (OT/IoT incident handling):

For smart grid and IoT/OT environments, the first step is to activate the dedicated incident response process that prioritizes safety and continuity while isolating affected components. Immediate shutdown (A) can create operational and safety consequences and should be reserved for clear safety threats. Firmware updates (B) are risky during an active incident; updating can brick devices, change system states, and destroy evidence while not guaranteeing removal of compromise. Third-party engagement (D) can help, but it’s not the first operational step—your internal playbook must begin containment now.

(C) correctly focuses on isolating affected devices/segments, limiting lateral movement, and preserving operational stability. In practice, this can include network segmentation, blocking suspicious outbound communications, switching to manual controls where necessary, and capturing logs/telemetry before making changes. This aligns with common containment strategy: stop spread first, then analyze/eradicate, then recover with validated clean states.

ECIH cloud incident handling guidance emphasizes that containment must be immediate and within the organization’s control. Modifying cloud security groups allows responders to restrict network access instantly, preventing further data exfiltration.

Option D is correct because it is actionable without CSP dependency and directly limits attacker movement. Option A may take time. Option B is investigative. Option C is regulatory and premature.

Containment through security group modification is therefore the most critical first step.

According to the EC-Council Incident Handler (ECIH) curriculum, the first responder’s primary responsibility upon discovering a potential cybercrime is to preserve and protect the crime scene. This includes isolating affected systems, preventing further network communication, restricting physical and logical access, and ensuring no evidence is altered or destroyed.

Sophia’s actions—isolating the system, restricting access, preventing tampering, and escalating to the IR team—align precisely with crime scene protection principles. ECIH emphasizes that improper handling during the early stages of an incident can contaminate evidence and compromise forensic investigations.

Option A (chain of custody documentation) occurs once evidence is formally collected. Option B (evidence log collection) is part of forensic acquisition. Option C (advanced forensic analysis) is performed by specialized investigators later in the response lifecycle.

Therefore, Sophia is performing the role of protecting the integrity of the crime scene as a first responder.

The root cause of this incident is unvalidated input poisoning the AI training process, resulting in malicious output. ECIH web application security principles emphasize that input validation is the primary control against injection and manipulation attacks.

Option B is correct because strict validation ensures that malicious or untrusted data cannot influence training or response generation. This addresses the vulnerability at its source.

Option A adds friction but does not stop poisoning. Option C is disruptive and not efficient. Option D limits functionality without fixing the underlying issue.

ECIH stresses fixing vulnerabilities at the root rather than applying superficial controls, making Option B correct.

When a corporate network's servers are sending huge amounts of traffic to a specific website, as detected by the network's Intrusion Prevention System (IPS), this behavior is indicative of a Botnet attack. A Botnet is a network of compromised computers, often referred to as "bots," that are controlled remotely by an attacker, typically without the knowledge of the owners of the computers. The attacker can command these bots to execute distributed denial-of-service (DDoS) attacks, send spam, or conduct other malicious activities. In this scenario, the servers behaving as bots and targeting a website with large volumes of traffic suggests that they have been co-opted into a Botnet to potentially perform a DDoS attack on the website abc.xyz.

This scenario is a clear example of a deceptive phishing attack, which is extensively covered in the ECIH Email Security Incident module. Deceptive phishing involves impersonating a trusted internal entity—such as HR—to trick recipients into disclosing sensitive information like credentials or personal data.

Option D is correct because the email impersonates HR, uses social engineering, and directs users to a visually identical but fraudulent login page hosted on an unfamiliar domain. These characteristics are classic indicators of deceptive phishing.

Option A refers to DNS manipulation and is not evidenced here. Option B involves overwhelming email volume rather than deception. Option C refers to unsolicited bulk email without impersonation.

Elena’s actions align with ECIH best practices: preserving headers for forensic validation, capturing screenshots to document fraudulent infrastructure, and blocking malicious domains to prevent further exposure. Correctly categorizing the incident as deceptive phishing ensures appropriate eradication, awareness, and reporting measures.

Cross-Site Scripting attacks occur when untrusted input is processed and rendered by an application without proper validation or encoding. ECIH web application security guidance identifies input validation and output encoding as the most effective primary defense against XSS.

Option B is correct because sanitizing and validating all user input ensures that malicious scripts are neutralized before being stored or rendered. This addresses the root cause of XSS vulnerabilities.

Option A is a detection control, not a prevention mechanism. Option C improves system security but does not prevent application-level XSS flaws. Option D addresses abuse and DoS scenarios, not script injection.

Therefore, focusing on input validation is the most effective proactive control against XSS, as emphasized in the ECIH curriculum.

The EC-Council Incident Handler (ECIH) curriculum emphasizes that recovery must not only restore functionality but also eliminate residual security weaknesses that could enable reinfection or continued compromise. In operational technology (OT) and industrial environments, identity validation, certificate trust, and strict access control between interconnected systems are critical.

The scenario highlights two major issues: excessive permissions between authentication servers and automation modules, and anomalies in authentication tokens with unidentified fingerprints. These findings indicate compromised trust relationships and over-privileged system communications.

ECIH recovery guidance stresses revalidating authentication mechanisms, enforcing the Principle of Least Privilege, reviewing trust relationships, and ensuring certificate integrity before declaring systems fully restored. Implementing granular role-based access controls (RBAC) and validating trusted device certificates directly addresses both excessive permissions and authentication anomalies.

Option A improves detection but does not correct trust misconfigurations. Option B (red-team simulation) is useful but secondary to securing authentication controls. Option C (system reboot) does not resolve permission or certificate validation issues.

Therefore, enforcing granular role-based access policies and validating trusted device certificates is the most critical secure restoration action.

This scenario describes a persistent phishing campaign leveraging spoofed domains and variant-based delivery mechanisms. According to the EC-Council Incident Handler (ECIH) curriculum under Email Security Incident Handling and Eradication, once detection and containment measures (such as blocking malicious IP addresses and purging emails) have been implemented, the eradication phase must focus on eliminating root causes and recurring technical vectors.

The key phrase in the question is “eliminate recurring delivery mechanisms and close technical loopholes.” ECIH emphasizes that phishing campaigns frequently evolve by modifying URLs, sender domains, encoding techniques, and payload structures to bypass simple IP blocking controls. Therefore, security teams must analyze decoded message components, extract malicious URLs, and generate URL-based deny-lists at the secure email gateway, web proxy, and firewall layers.

Creating email-specific URL deny-lists directly disrupts the attack infrastructure and prevents repeated access to malicious domains—even when attackers use variant IP addresses or modified content. This is a technical eradication control aligned with eliminating delivery vectors.

Options B and C (training and simulations) are preventive awareness measures and fall under the preparation or post-incident improvement phase—not eradication. Option A (WHOIS masking) is unrelated to preventing phishing delivery.

ECIH guidance stresses strengthening email filtering rules, updating domain and URL blacklists, implementing SPF/DKIM/DMARC validation, and hardening secure email gateways as core eradication techniques. Therefore, option D best aligns with the eradication objective.

During the incident handling and response (IH&R) process, the stage of "Evidence gathering and forensics analysis" involves the collection of evidence, forensic analysis, and detailed investigation to uncover the root cause of the incident. This stage is crucial for understanding how the incident occurred, identifying the threat actors involved, the methods they used (threat vectors), and the extent of the impact. By analyzing evidence, incident responders can reconstruct the sequence of events, identify the vulnerabilities exploited, and determine the scope of the incident. This information is vital for resolving the incident effectively and taking steps to prevent future occurrences.

By classifying and encrypting customer Personally Identifiable Information (PHI), you are specifically guarding against the risk of Sensitive Data Exposure. This OWASP security risk involves the accidental or unlawful exposure of protected data to unauthorized individuals. Encryption serves as a critical defense mechanism by ensuring that, even if data is accessed without authorization, it remains unintelligible and useless to the attacker without the decryption keys. Data classification further supports this by identifying which data is sensitive and requires such protections, ensuring that appropriate security controls are applied to prevent exposure.

This incident involves adaptive malware embedded within an AI system, actively evolving its behavior. The ECIH malware incident handling methodology prioritizes containment and eradication of the threat before recovery actions. Restoring data without removing the malware risks immediate reinfection and continued manipulation.

Option B is correct because deploying the AI-security module directly targets the malware’s adaptive mechanisms, allowing responders to detect, contain, and eradicate the malicious logic within the AI environment. ECIH emphasizes using appropriate, context-aware security controls that match the technology stack involved in the incident. For AI-driven environments, specialized tools are necessary to counter threats that traditional controls may not detect.

Option A is premature and unsafe prior to eradication. Option C disrupts business operations without resolving the threat. Option D is a communication step that should follow containment and validation.

Therefore, neutralizing the evolved malware using the AI-security module is the correct primary step.

Stored XSS vulnerabilities arise when untrusted input is rendered without proper output encoding. The ECIH Web Application module clearly states that output encoding is the primary defense against XSS.

Option A is correct because encoding ensures that user-supplied input is treated as data rather than executable script. This directly prevents malicious script execution in users’ browsers.

Options B and C provide additional protection but do not fix the root cause. Option D is unrelated to XSS prevention.

ECIH emphasizes fixing vulnerabilities at the application logic level, making output encoding the correct focus.

Evidence assessment is a critical step in the investigation phase of the computer forensics process. This step involves evaluating the evidence collected to determine its relevance and significance to the case at hand. It includes analyzing the secured data to identify what information can be used as evidence, its integrity, and how it can be related to the security incident. This phase is pivotal as it helps in building a coherent understanding of the incident and in establishing facts that can be presented in management reports or legal proceedings.

James's activities, including creating anonymous access to cloud services to carry out attacks such as password and key cracking, hosting malicious data, and conducting DDoS attacks, exemplify the abuse and nefarious use of cloud services. This threat involves exploiting cloud computing resources to conduct malicious activities, which can impact the cloud service provider as well as other users of the cloud services. This abuse ranges from using the cloud platform's resources for computationally intensive tasks like cracking passwords or encryption keys to conducting DDoS attacks that can disrupt services for legitimate users.

Forensic readiness refers to an organization's ability to maximize its capability to use digital evidence effectively in an investigation, while minimizing the cost of an investigation and disruption to its operations. It involves having policies, procedures, and technologies in place to collect, preserve, and analyze digital evidence efficiently, so when an incident occurs, the organization is prepared to handle it quickly and with minimal costs. Forensic readiness not only helps in reducing the time and resources spent on investigations but also ensures that the evidence is reliable and can be used in legal proceedings if necessary.

The DBCC LOG command is used in SQL Server environments to analyze the transaction log files of a database. It provides insights into the transactions that have occurred, which is crucial for forensic analysis in the event of an incident. The syntaxDBCC LOG(, )allows an incident handler to specify the level of detail they wish to retrieve from the log files. When an incident handler like Adam requires the full information on each operation along with the hex dump of the current transaction row, the output parameter should be set to 4. This level of output is the most verbose, providing comprehensive details about each transaction, including a hex dump which is essential for a deep forensic analysis. It helps in understanding the exact changes made by transactions, which can be pivotal in investigating incidents involving data manipulation or other unauthorized database activities.