ECCouncil Updated 212-89 Exam Questions and Answers by ameera

According to the EC-Council Incident Handler (ECIH) curriculum, proper handling of digital evidence is a critical responsibility of first responders. This includes photographing the scene, labeling devices, packaging them in anti-static or static-resistant bags, and documenting detailed information such as time, location, and device identifiers.

These steps are part of evidence preservation and packaging procedures designed to prevent contamination, electrostatic damage, or loss of evidentiary integrity. ECIH emphasizes maintaining a clear chain of custody and ensuring that all digital evidence is properly documented before transportation to a forensic laboratory.

Option B relates to policy review, not field evidence handling. Option C involves technical log analysis performed later during investigation. Option D concerns witness interviews, which are separate from physical evidence handling.

Rachel’s actions clearly describe the packaging and transporting of electronic evidence while maintaining forensic standards and documentation integrity.

The correct sequence of steps involved in forensic readiness planning, based on the activities described, is as follows:

Identify the potential evidence required for an incident.

Determine the source of the evidence.

Define a policy that determines the pathway to legally extract electronic evidence with minimal disruption.

Establish a policy for securely handling and storing the collected evidence.

Identify if the incident requires full or formal investigation.

Train the staff to handle the incident and preserve the evidence.

Create a special process for documenting the procedure.

Autopsy is a digital forensics platform and graphical interface to The Sleuth Kit and other digital forensics tools. It is used by law enforcement, military, and corporate examiners to investigate what happened on a computer. Autopsy enables incident handlers to view the file system, retrieve deleted data, perform timeline analysis, and analyze web artifacts, among other functionalities. This tool is particularly useful during the incident response process for conducting in-depth investigations into the nature of a security incident, identifying the methods used by attackers, and recovering lost or compromised data.

The EC-Council Incident Handler (ECIH) curriculum identifies excessive privileges as a major contributor to insider threats. In this scenario, Daniel had unrestricted access to all file servers, violating the Principle of Least Privilege (PoLP). The absence of enforcement mechanisms or alerts further indicates a lack of access governance.

Zero Trust architecture operates on the principle of “never trust, always verify.” It enforces strict identity verification, continuous authentication, micro-segmentation, and role-based access control. Under Zero Trust, users are granted access only to specific resources required for their job role, and all access attempts are logged and monitored.

User segmentation ensures that even administrators are restricted to only authorized systems and datasets. ECIH stresses the importance of monitoring privileged accounts, implementing least privilege, enabling access auditing, and enforcing real-time alerting for unauthorized data access attempts.

Option A (manual surveillance) is impractical and ineffective at scale. Option B (personal firewall rules) protects network traffic but does not restrict file server permissions. Option C (disabling removable media) addresses data exfiltration via USB devices, not unauthorized file access.

Therefore, user segmentation through Zero Trust access would have prevented Daniel from accessing irrelevant encrypted project files and aligns directly with ECIH insider threat mitigation strategies.