View 212-89 Exam Questions

Q: 1

[Incident Handling and Response Process] Alice is a disgruntled employee. She decided to acquire critical information from her organization for financial benefit. To acccomplish this, Alice started running a virtual machine on the same physical host as her victim's virtual machine and took advantage of shared physical resources (processor cache) to steal data (cryptographic key/plain text secrets) from the victim machine. Identify the type of attack Alice is performing in the above scenario.

Options

Discussion

Cameron V. Feb 20, 2026 4:56 am

A. unless the VM isolation broke some other way, but cache attacks point to A here.

Riley G. Feb 26, 2026 9:12 am

Option A here. Cache-based data theft between VMs is textbook side channel, not service hijack or cloud sync stuff. Pretty sure about this, but if someone sees another angle chime in.

Arjun C. Feb 24, 2026 6:20 am

A . B is tempting but the shared CPU cache means it's textbook side channel, not service hijacking.

Robin V. Mar 2, 2026 12:24 am

Option A is the right pick. Side channel attacks are all about exploiting hardware resources like CPU cache, which fits this scenario better than the other choices. Service hijacking might look tempting but doesn't involve this kind of info leak. Disagree?

Mason Feb 22, 2026 11:10 am

A Seen questions like this in official practice tests. If you want more on side channel techniques, the EC-Council courseware actually covers some solid scenarios.

Noah F. Feb 16, 2026 10:59 am

Most guides point to A for cache attacks between VMs, matches EC-Council's official materials I've seen. Worth re-reading the incident response section and grabbing a few lab scenarios if you want more clarity.

Taylor A. Mar 1, 2026 5:34 pm

Cache timing between VMs usually means side channel right? Not seeing why it would be B or D based on exam reports.

CalmAuditor8014 Feb 17, 2026 5:15 am

Not D, it's A. Service hijacking sounds tempting but the cache method is classic side channel stuff here. Open to pushback though.

Mia Feb 14, 2026 10:53 pm

This is A. Similar scenario showed up in the official guide, so check that and maybe some practice tests for deeper dives.

EthanX Feb 23, 2026 1:23 am

A tbh. D is cloud sync, which doesn't fit the CPU cache trick here.

Be respectful. No spam.

Q: 2

[Introduction to Incident Handling and Response] Which of the following GPG18 and Forensic readiness planning (SPF) principles states that “organizations should adopt a scenario based Forensic Readiness Planning approach that learns from experience gained within the business”?

Options

Q: 3

[Introduction to Incident Handling and Response] ZYX company experienced a DoS/DDoS attack on their network. Upon investigating the incident, they concluded that the attack is an application-layer attack. Which of the following attacks did the attacker use?

Options

Q: 4

[Introduction to Incident Handling and Response] An insider threat response plan helps an organization minimize the damage caused by malicious insiders. One of the approaches to mitigate these threats is setting up controls from the human resources department. Which of the following guidelines can the human resources department use?

Options

Q: 5

[Introduction to Incident Handling and Response] Which of the following is the BEST method to prevent email incidents?

Options

Discussion

Priya I. Feb 16, 2026 12:20 pm

Its D. Technical controls like B (disabling HTML) help, but attackers always find new tricks. End-user training actually changes behavior so people spot phishing or suspicious links before damage happens. EC-Council usually wants the control that reduces human error, not just technical exposure. Pretty sure D is what they'd expect unless it said 'only technical'. Agree?

Cameron Feb 26, 2026 1:22 am

B, not D

Cameron E. Feb 27, 2026 8:11 am

Probably B for this one. Disabling HTML in email fields stops a lot of script-based attacks and makes phishing attempts look less convincing. Not sure if it's the best, but seems like a strong technical control here.

Arjun F. Feb 14, 2026 10:17 am

Had something like this in a mock, I chose B

Robin Feb 19, 2026 10:55 pm

Cameron, I don’t think it’s B. D is what EC-Council expects since user error drives most incidents, not just HTML exploits.

Luke S. Feb 19, 2026 1:52 am

D or B, but D makes more sense since a lot of incidents start with users clicking bad links. Even if you disable HTML, social engineering still gets through. Pretty sure EC-Council wants D here unless they're asking technical only. Agree?

Ravi Feb 19, 2026 12:56 pm

D tbh. B is tempting technically, but 'best' on the exam usually points to training since most incidents are human error. Some folks pick B as a trap option, seen similar logic on practice sets.

Meera Mar 5, 2026 12:08 am

B , because disabling HTML blocks a bunch of malicious scripts and makes phishing harder. It’s a common technical trap answer on these. Maybe not the most holistic, but seems safest to me here.

Be respectful. No spam.

Q: 6

[Introduction to Incident Handling and Response] Which of the following techniques prevent or mislead incident-handling process and may also affect the collection, preservation, and identification phases of the forensic investigation process?

Options

Discussion

Leo Z. Feb 20, 2026 2:25 pm

D. saw this in a similar exam question before. Anti-forensics directly targets the IR and forensic phases.

Noah Feb 20, 2026 6:11 am

If we're being precise, D is right unless the context was asking about accidental interference, which isn't implied. D

Robin S. Mar 4, 2026 9:18 pm

I don't think C fits here. Anti-forensics (D) is all about deliberately stopping or confusing the response and forensic process, like erasing traces or corrupting logs. The others-scanning, footprinting, enumeration-are just info gathering steps, not designed to mislead investigators. Pretty sure D is right but I get why C might look tempting if you're thinking about indirect effects. Anyone disagree?

Sanjay Feb 15, 2026 2:11 pm

Why wouldn't D be the best choice? The others are just info gathering, not really interfering with forensic phases.

Nina Y. Feb 14, 2026 1:39 am

D imo. None of the other options actually disrupt the response or forensics process, they're just about gathering info. Anti-forensics is designed to mess with evidence collection and preservation. If I'm missing something let me know.

Avery P. Mar 5, 2026 4:36 am

Hannah Feb 19, 2026 2:04 am

Its D here. None of the others directly interfere with evidence handling like anti-forensics does. Pretty sure that's what the exam wants.

EthanG Feb 22, 2026 11:14 am

B tbh. Footprinting might mess with forensics since it’s info gathering and could cover tracks, right? Not totally sure but scanning/enumeration don’t seem as impactful. Let me know if I’m missing something obvious here.

Quinn I. Feb 24, 2026 6:57 am

D , this pops up in a lot of exam reports under anti-forensics so not really a trick question here.

Maya S. Mar 2, 2026 12:46 pm

Probably D. Scanning, footprinting and enumeration are all recon techniques, but only D (anti-forensics) is meant to mess with collection and preservation in forensics. A common trap is picking A or B just because they're attack phases.

Be respectful. No spam.

Q: 7

[Handling and Responding to Web Application Attacks] Oscar receives an email from an unknown source containing his domain name oscar.com. Upon checking the link, he found that it contains a malicious URL that redirects to the website evilsite.org. What type of vulnerability is this?

Options

Discussion

Jason Z. Feb 16, 2026 8:47 pm

Option C makes more sense here. The key part is the malicious URL redirecting to evilsite.org, which fits unvalidated redirects and forwards from OWASP. D (SQL injection) would need details about database queries, but nothing in the scenario suggests that. Easy to mix up if you just see "malicious URL" though! Pretty sure it's C, open to discussion if I'm missing something.

Casey F. Feb 13, 2026 12:18 pm

C . Practice questions and the official ECC guide both match this scenario for unvalidated redirects.

Grace Mar 1, 2026 4:09 pm

Makes sense to pick C for this one.

Emma Feb 21, 2026 8:18 am

Hard to say, C, saw a similar question in exam reports. Matches the scenario with redirects. Not totally sure, but C seems right here.

Aaron W. Feb 13, 2026 2:24 am

My vote is C since both the ECC official guide and lab exercises use very similar redirect scenarios for unvalidated redirects and forwards. Not a perfect match to malware or SQL injection. I think C lines up best, but open if someone can counter!

Emma K. Mar 2, 2026 4:55 am

Malware looks right to me. A

Nathan Feb 16, 2026 8:45 pm

C , because the main issue is the redirect to a malicious domain, which matches 'unvalidated redirects and forwards' from OWASP. There's nothing in the scenario about database access or SQL queries, so D doesn't fit here. Pretty sure C is the one, unless I'm missing some hidden detail.

Noah Feb 26, 2026 3:03 am

Hate how they throw in weird names like "Bolen" just to trip you up. C

Parker Feb 27, 2026 8:45 pm

I was thinking A here just because it mentions a malicious URL.

Avery N. Feb 21, 2026 12:30 am

A not C

Be respectful. No spam.

Q: 8

[Introduction to Incident Handling and Response] Darwin is an attacker residing within the organization and is performing network sniffing by running his system in promiscuous mode. He is capturing and viewing all the network packets transmitted within the organization. Edwin is an incident handler in the same organization. In the above situation, which of the following Nmap commands Edwin must use to detect Darwin’s system that is running in promiscuous mode?

Options

Discussion

Vikram N. Feb 16, 2026 7:45 pm

C or D tbh. C is for sniffers but 'hostmap' in D maps hosts, which could theoretically be used to find devices in odd modes if you parse the results creatively. I think C is more direct but D feels tempting if you just skim the question. Anyone else see a reason to pick D?

Luna B. Feb 28, 2026 5:34 pm

For me, C since the sniffer-detect script is specifically designed to find NICs in promiscuous mode. But do we know if Edwin has credentials or special network access? If the tool needs elevated privileges on target machines, the answer could shift.

Aaron G. Feb 17, 2026 7:55 am

It's C-sniffer-detect is made for spotting NICs in promiscuous mode, which is what you need here. D is a map script, not for promiscuous detection. Pretty sure about C unless the network blocks that scan.

Chris U. Feb 18, 2026 10:29 am

I see why people pick C, since sniffer-detect is meant for finding systems in promiscuous mode. D is more about mapping, doesn't really help with sniffers directly. Leaning C here but willing to hear other arguments.

Nina C. Feb 18, 2026 2:36 pm

C makes sense here since -script=sniffer-detect is designed to spot promiscuous mode, which is what the attacker’s using. D just maps hosts but won’t actually help with sniffer detection. Pretty sure it’s C but open to other takes.

Ethan J. Mar 5, 2026 4:36 am

D . Hostmap is tempting but it's a trap since the question asks for sniffers, which fits C better. Agree?

CuriousCandidate8734 Feb 18, 2026 7:57 am

C but a bit unsure since some sources say hostmap for mapping and sniffer-detect for this use case.

Nathan Feb 28, 2026 12:38 am

My vote is C, saw similar on official practice and the nmap script sniffer-detect is made for this. Official guide covers those scripts too.

Leo Feb 22, 2026 7:24 am

Not sure but I'd pick D.

Riley M. Feb 27, 2026 5:08 pm

Seen similar in practice tests, C is the type of nmap script for this situation.

Be respectful. No spam.

Q: 9

[Handling and Responding to Email Security Incidents] Francis received a spoof email asking for his bank information. He decided to use a tool to analyze the email headers. Which of the following should he use?

Options

Discussion

Grace W. Mar 4, 2026 2:05 am

B . C is tempting but it's only for address validity, not header analysis like MxToolbox. Seen similar on other practice sets.

Aaron R. Feb 16, 2026 9:21 pm

Francis needs something focused on email header analysis, so I'd go with B (MxToolbox). It's designed for checking message headers and tracing the sender. The other options don't really do in-depth header analysis, at least not like MxToolbox. Anyone see a reason to pick one of the others?

Liam Feb 13, 2026 7:14 am

B , saw a similar question on a practice and MxToolbox was expected.

Priya A. Feb 12, 2026 5:24 pm

Its B for this, since MxToolbox is actually designed for checking email headers. I’ve never seen Email Checker do that. Agree?

Adam Feb 22, 2026 7:22 am

C vs B for me. I was thinking C (Email Checker) might work since it sounds like it checks email stuff, but I think it just validates addresses, not headers. B (MxToolbox) does the full header analysis but not totally sure if C could have header features too. Somebody else see a reason for C?

Nora D. Feb 26, 2026 2:07 pm

Probably B here since MxToolbox actually digs into email headers, tracks sender info and can reveal spoofing indicators. The other tools don’t really focus on header analysis. Pretty sure that's the way to go for this scenario. Disagree?

Grace Z. Feb 26, 2026 9:42 am

Its B here. Had something like this in a mock and MxToolbox was the pick since it handles actual header analysis, not just address checks. Pretty sure that's what they're testing for.

CuriousReviewer5201 Feb 23, 2026 12:54 am

Why not C? Does Email Checker actually parse full headers or just address validity checks?

SharpAuditor3711 Feb 22, 2026 8:08 pm

C vs B, seen similar questions in practice exams and official guide.

Ryan Y. Mar 1, 2026 8:58 pm

B, not C. Email Checker can just validate addresses but won't help with header analysis, that's a common mix-up on these questions.

Be respectful. No spam.

Q: 10

[Introduction to Incident Handling and Response] Farheen is an incident responder at reputed IT Firm based in Florid a. Farheen was asked to investigate a recent cybercrime faced by the organization. As part of this process, she collected static data from a victim system. She used DD tool command to perform forensic duplication to obtain an NTFS image of the original disk. She created a sector-by-sector mirror imaging of the disk and saved the output image file as image.dd. Identify the static data collection process step performed by Farheen while collecting static data.

Options

Discussion

Sanjay Feb 20, 2026 5:33 pm

C . The DD tool imaging is a textbook case of system preservation since it’s all about making a forensic copy to keep the original untouched. D always tempts people when they see 'physical', but that’s more for courtroom stuff, not actual collection. If I’m off, let me know.

Daniel L. Feb 13, 2026 11:07 pm

Its C here

Taylor Y. Feb 13, 2026 12:25 pm

Ugh, EC-Council always loves their odd terminology for standard forensic steps. C

Sofia V. Feb 22, 2026 8:41 pm

I think C fits here.

Sara Feb 15, 2026 5:07 pm

Option A

Ryan Feb 21, 2026 1:41 am

Pretty sure C, saw a similar question in exam reports. Imaging with dd is all about system preservation, not presentation. Agree?

Sara B. Mar 3, 2026 8:51 pm

D makes sense to me since creating an image can be seen as a physical presentation of data, not just preservation. I think comparison or admin stuff don't fit here. Not totally sure, but D looks like a possible pick.

Priya F. Mar 4, 2026 9:20 pm

I don’t think D is right here. Making a forensic dd image is all about system preservation, so C fits best. D is more about actually presenting evidence in a legal setting, which comes after. Trap for anyone reading too fast! Open to corrections if I missed something.

Grace Feb 23, 2026 11:45 am

Logan Mar 1, 2026 6:14 am

D imo. People keep picking C but with the wording about collecting and sector-by-sector copies, feels like it could trip you since D almost sounds right for chain of custody steps. Open to pushback if I'm missing something.

Be respectful. No spam.

Question 1 of 20 · Page 1 / 2

Premium Access Includes

✓ Quiz Simulator
✓ Exam Mode
✓ Progress Tracking
✓ Question Saving
✓ Flash Cards
✓ Drag & Drops
✓ 3 Months Access
✓ PDF Downloads

Get Premium Access

Premium Access Includes

FLASH OFFER

avail 10% DISCOUNT on YOUR PURCHASE