Questions for the ECSS were updated on: Dec 08, 2025
Jessica, a user, wanted to access the Internet from her laptop and therefore sends a connection
request to the access point. To identify the wireless client, the access point forwarded that request to
a RADIUS server. The RADIUS server transmitted authentication keys to both the access point and
Jessica's laptop. This key helps the access point identify a particular wireless client.
Identify the authentication method demonstrated in the above scenario.
D
Explanation:
The scenario described involves the use of a RADIUS (Remote Authentication Dial-In User Service)
server.
RADIUS is a client-server protocol that provides centralized network authentication. In this
case, the access point (client) forwards the connection request to the RADIUS server, which then
sends authentication keys to both the access point and the user's laptop (supplicant). This process
helps the access point identify the wireless client.
RADIUS servers are also known as AAA (Authentication, Authorization, and Accounting) servers
because they provide these three services. The authentication process begins when a user attempts
to log into the network. Their device will request access either through the use of credentials or by
presenting an X.509 digital certificate. The RADIUS server then compares the user's information
with a list of users stored in a directory or IdP (Identity Provider).
Therefore, the authentication method demonstrated in the scenario is centralized
authentication (Option D), where a central server (in this case, the RADIUS server) handles the
authentication of users.
Jacob, a network defender in an organization, was instructed to improve the physical security
measures to prevent unauthorized intrusion attempts. In this process, Jacob implemented certain
physical security controls by using warning messages and signs that notify legal consequences to
discourage hackers from making intrusion attempts.
Which of the following types of physical security controls has Jacob implemented in the above
scenario?
C
Explanation:
Jacob has implemented deterrent controls by using warning messages and signs to discourage
hackers from attempting unauthorized intrusions.
Deterrent controls aim to deter potential attackers by creating a visible deterrent effect, such as
displaying signs indicating legal consequences or security measures. These controls serve as a
preventive measure by discouraging unauthorized access.
Reference: EC-Council Certified Security Specialist (E|CSS) documents and course materials.
Clark, a digital forensic expert, was assigned to investigate a malicious activity performed on an
organization's network. The organization provided Clark with all the information related to the
incident. In this process, he assessed the impact of the incident on the organization, reasons for and
source of the incident, steps required to tackle the incident, investigating team required to handle
the case, investigative procedures, and possible outcome of the forensic process.
Identify the type of analysis performed by Clark in the above scenario.
D
Explanation:
In the given scenario, Clark performed a case analysis. This involves assessing the impact of the
incident, understanding its reasons and source, determining the necessary steps to address it,
assembling an investigative team, defining investigative procedures, and considering potential
outcomes of the forensic process. Case analysis is crucial in digital forensics to effectively handle
incidents and gather relevant evidence.
Reference:
https://www.eccouncil.org/train-certify/certified-soc-analyst-csa/
A disk drive has 16,384 cylinders, 80 heads, and 63 sectors per track, and each sector can store 512
bytes of data. What is the total size of the disk?
B
Explanation:
To find the total disk size, calculate the storage capacity per cylinder and then multiply that by the
total number of cylinders.
Sectors per cylinder: heads * sectors per track = 80 * 63 = 5,040 sectors/cylinder
Bytes per cylinder: sectors per cylinder * bytes per sector = 5,040 * 512 = 2,580,480 bytes/cylinder
Total bytes: bytes per cylinder * total cylinders = 2,580,480 * 16,384 = 42,278,584,320 bytes
Michael, a forensic expert, was assigned to investigate an incident that involved unauthorized
intrusion attempts. In this process, Michael identified all the open ports on a system and disabled
them because these open ports can allow attackers to install malicious services and compromise the
security of the system or network.
Which of the following commands assisted Michael in identifying open ports in the above scenario?
B
Explanation:
Michael used the netstat command with the -i option to identify open ports on the system. The -i flag
displays network interfaces and their statistics, including information about open ports. By analyzing
this output, Michael could determine which ports were active and potentially vulnerable to
unauthorized access.
Reference:
EC-Council Certified Security Specialist (E|CSS) course materials and study guide.
EC-Council Certified Security Specialist (ECSS) program information.
EC-Council ECSS Certification Syllabus and Prep Guide.
EC-Council ECSS Certification Sample Questions and Practice Exam.
EC-Council ECSS brochure.
Identify the backup mechanism that is performed within the organization using external devices such
as hard disks and requires human interaction to perform the backup operations, thus making it
susceptible to theft or natural disasters.
D
Explanation:
The backup mechanism described in the scenario, which involves using external devices (such as
hard disks) and requires human interaction for backup operations, is known as onsite data backup. In
this approach, backups are stored within the organization’s premises, making them susceptible to
theft, damage, or natural disasters. It is essential to consider additional offsite or cloud-based backup
solutions to enhance data resilience and security.
Reference: EC-Council Certified Security Specialist (E|CSS) documents and study guide.
While investigating a web attack on a Windows-based server, Jessy executed the following command
on her system:
C:\> net view <10.10.10.11>
What was Jessy’s objective in running the above command?
D
Explanation:
The net view command in Windows is used to display a list of resources being shared on a
computer.
When used with a specific computer name or IP address, as in net view <10.10.10.11>, it
displays the shared resources available on that particular computer. Jessy's objective in running this
command was likely to review the file shares on the server with the IP address 10.10.10.11 to ensure
that they are correctly purposed and not maliciously altered or added as part of the web attack.
This command does not verify users using open sessions, check file space usage, or check whether
sessions have been opened with other systems. Instead, it specifically lists the shared resources,
which can include file shares and printer shares, providing insight into what is being shared from the
server in question. This information is crucial during a forensic investigation of a web attack to
understand if and how the server’s shared resources were compromised or utilized by the attacker.
Below is the syntax of a command-line utility that displays active TCP connections and ports on which
the computer is listening.
netstat [-a] [-e] [-n] [-o] [-p Protocol] [-r] [-s] [interval]
Identify the netstat parameter that displays active TCP connections and includes the process ID (PID)
for each connection.
B
Explanation:
The netstat parameter that displays active TCP connections and includes the process ID (PID) for each
connection is [-o]. When you use this option, netstat shows the owning process ID (PID) for
each active connection, which lets you map a listening port or established connection back to the process that opened it.
Reference:
EC-Council Certified Security Specialist (E|CSS) documents and study guide.
EC-Council Certified Security Specialist (E|CSS) course materials.
Below is an extracted Apache error log entry.
"[Wed Aug 28 13:35:38.878945 2020] [core:error] [pid 12356:tid 8689896234] [client 10.0.0.8] File
not found: /images/folder/pic.jpg"
Identify the element in the Apache error log entry above that represents the IP address from which
the request was made.
A
Explanation:
The IP address from which the request was made is 10.0.0.8 (option A). In the Apache error log
format, the client address is carried in the [client ...] field that precedes the message text:
[client 10.0.0.8] File not found: /images/folder/pic.jpg
Reference:
EC-Council Certified Security Specialist (E|CSS) documents and study guide provide insights into
network security and log analysis.
Apache error logs follow a specific format, where the client IP address is indicated in the [client ...] field.
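A small parser for the Apache error log layout discussed above, added here as an example (not part of the original question set). It assumes the Apache 2.4 field order shown in the entry, an IPv4 client address with an optional source port, and uses constructed sample lines.

```python
import re
from collections import Counter
from typing import Dict, Iterable, Optional

# Apache 2.4 error log layout: [timestamp] [module:level] [pid N:tid M] [client IP[:port]] message
# Assumption: IPv4 client addresses only (IPv6 entries contain extra colons and are not handled here).
ERROR_LOG_RE = re.compile(
    r"^\[(?P<timestamp>[^\]]+)\]\s+"
    r"\[(?P<module>[^:\]]+):(?P<level>[^\]]+)\]\s+"
    r"\[pid (?P<pid>\d+)(?::tid (?P<tid>\d+))?\]\s+"
    r"(?:\[client (?P<client>[^\]\s:]+)(?::(?P<port>\d+))?\]\s+)?"
    r"(?P<message>.*)$"
)

# Constructed sample entries modelled on the one in the question (not real server data).
SAMPLE_LINES = [
    "[Wed Aug 28 13:35:38.878945 2020] [core:error] [pid 12356:tid 8689896234] "
    "[client 10.0.0.8] File not found: /images/folder/pic.jpg",
    "[Wed Aug 28 13:35:39.102000 2020] [core:error] [pid 12356:tid 8689896234] "
    "[client 10.0.0.8:51234] File not found: /images/folder/pic2.jpg",
    "[Wed Aug 28 13:35:40.000000 2020] [core:error] [pid 12356:tid 8689896235] "
    "[client 10.0.0.9:40001] File not found: /admin/.env",
    "[Wed Aug 28 13:35:41.000000 2020] [mpm_event:notice] [pid 12300] AH00489: Apache/2.4 configured",
]


def parse_error_log_entry(line: str) -> Optional[Dict[str, Optional[str]]]:
    """Return the named fields of one error log line, or None if it does not match the layout."""
    match = ERROR_LOG_RE.match(line.strip())
    return match.groupdict() if match else None


def client_ip(line: str) -> Optional[str]:
    """Extract only the client IP (the field the question asks for); None if absent or unparsable."""
    entry = parse_error_log_entry(line)
    return entry["client"] if entry else None


def errors_by_client(lines: Iterable[str]) -> Counter:
    """Count error-level entries per client IP; useful for spotting a single source probing for files."""
    counts: Counter = Counter()
    for line in lines:
        entry = parse_error_log_entry(line)
        if entry and entry["level"] == "error" and entry["client"]:
            counts[entry["client"]] += 1
    return counts


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(client_ip(line), "->", parse_error_log_entry(line)["message"])
    print(errors_by_client(SAMPLE_LINES))
```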
Cibel.org, an organization, wanted to develop a web application for marketing its products to the
public. In this process, they consulted a cloud service provider and requested provision of
development tools, configuration management, and deployment platforms for developing
customized applications.
Identify the type of cloud service requested by Cibel.org in the above scenario.
D
Explanation:
Cibel.org requested a cloud service that provides development tools, configuration management,
and deployment platforms for developing customized applications.
This aligns with the characteristics of Platform-as-a-Service (PaaS), which offers a platform for
developers to build, deploy, and manage applications without worrying about infrastructure management.
Reference: EC-Council Certified Security Specialist (E|CSS) course materials.
Kalley, a shopping freak, often visits different e-commerce websites from her office system. One day,
she received free software by email with the claim that it was loaded with new clothing offers.
Tempted by this, Kalley downloaded the malicious software onto her system. The software infected
Kalley's system and began spreading the infection to other systems connected to the network.
Identify the threat source through which Kalley unintentionally invited the malware into the
network.
D
Explanation:
Kalley's actions inadvertently introduced malware into the network through a decoy application.
A decoy application is seemingly legitimate software or a tool that disguises itself as something
useful or appealing. In Kalley's case, she received an email claiming that the software was loaded
with new clothing offers; tempted by this, she downloaded it, and the software turned out to be
malicious, infecting her system. Decoy applications often exploit users' curiosity or desire for
freebies, enticing them to install harmful software.
Reference:
EC-Council Certified Security Specialist (E|CSS) documents and course materials.
Williams, a forensic specialist, was tasked with performing a static malware analysis on a suspect
system in an organization. For this purpose, Williams used an automated tool to perform a string
search and saved all the identified strings in a text file. After analyzing the strings, he determined all
the harmful actions that were performed by malware.
Identify the tool employed by Williams in the above scenario.
A
Explanation:
The scenario's focus on extracting strings from a suspect system for malware analysis aligns with the
functionality of tools like ResourcesExtract:
ResourcesExtract's Purpose: It's designed to extract specific resources, including strings, from
executables and other file types. This is crucial for static malware analysis.
String Search and Analysis: Finding and analyzing embedded strings can reveal malicious code
behavior, function calls, and other clues about the malware's intent.
Stephen, an attacker, decided to gain access to an organization’s server. He identified a user with
access to the remote server. He used sniffing programs to gain the user's credentials and captured
the authentication tokens transmitted by the user. Then, he transmitted the captured tokens back to
the server to gain unauthorized access.
Identify the technique used by Stephen to gain unauthorized access to the target server.
D
Explanation:
Stephen used a replay attack technique to gain unauthorized access to the target server. In this
scenario, he captured authentication tokens transmitted by the user and then replayed those tokens
back to the server to impersonate the user and gain access.
Reference:
https://www.cynet.com/network-attacks/unauthorized-access-5-best-practices-to-avoid-the-next-
data-breach/
Peter, an attacker aiming to disrupt organizational services, targeted a configuration protocol that
issues IP addresses to host systems. To disrupt the issuance of IP addresses, Peter flooded the target
server with spoofed MAC addresses so that valid users cannot receive IP addresses to access the
network.
Identify the type of attack Peter has performed in the above scenario.
D
Explanation:
Peter has performed a DHCP starvation attack in the given scenario. In this attack, the attacker floods
the target DHCP server with spoofed MAC addresses, depleting the pool of available IP addresses.
As a result, legitimate users cannot obtain IP addresses via DHCP, causing a Denial of Service
(DoS) condition. Additionally, the attacker could set up a rogue DHCP server to assign IP addresses to
legitimate users, potentially leading to a Man-in-the-Middle (MITM) attack. The correct answer
is D.
5 -> 1 -> 6 -> 2 -> 3 -> 4
Below are the elements included in the order of volatility for a typical computing system as per the
RFC 3227 guidelines for evidence collection and archiving.
1. Archival media
2. Remote logging and monitoring data related to the target system
3. Routing table, process table, kernel statistics, and memory
4. Registers and processor cache
5. Physical configuration and network topology
6. Disk or other storage media
7. Temporary system files
Identify the correct sequence of order of volatility from the most to least volatile for a typical system.
D
Explanation:
This order correctly reflects the volatility of data from most volatile (disappears quickly) to least
volatile (most persistent):
Registers and processor cache: These contain the CPU's most immediate working data, changing
rapidly.
Routing table, process table, kernel statistics, and memory (RAM): These hold system state
information, but can be modified by running processes or events.
Temporary system files: Designed to be transient, but may persist for some time depending on usage
patterns.
Disk or other storage media: Holds data intended to persist, but is subject to modification.
Remote logging and monitoring data related to the target system: Often stored off-site, less volatile
than local data.
Physical configuration and network topology: Relatively static information about the system's setup.
Archival media: Designed for long-term storage, changes to this data are intentional and infrequent.