ECCouncil Updated 312-50v13 Exam Questions and Answers by chelsea

The correct answer is A. Creepy because the task is specifically about extracting and analyzing geolocation information (geotags) from publicly shared media and mapping that data to real-world locations to infer employee movement patterns. In CEH-aligned reconnaissance/OSINT workflows, geolocation intelligence is a common element of footprinting because it can reveal sensitive operational details such as office locations, travel routines, meeting venues, home addresses, and patterns of presence/absence. Tools designed for geolocation OSINT help testers identify whether staff are unintentionally exposing location metadata through social media posts, uploaded photos, or other public sources.

Creepy is purpose-built for geolocation reconnaissance: it collects location metadata associated with content and presents results in a way that supports mapping and timeline-style analysis, helping analysts correlate people, posts, and coordinates. This directly supports the goal of evaluating whether employees are disclosing sensitive information about office routines by publishing geotagged images. When used in an authorized assessment, such tooling helps demonstrate risk in a measurable way—for example, showing clusters of posts around a specific building, repeated visits at predictable times, or regular travel routes that could support surveillance, targeted social engineering, or physical intrusion planning.

Why the other options are less suitable: Social Searcher is primarily used for monitoring and searching social media content by keywords, usernames, hashtags, and mentions; it is useful for broad OSINT collection but is not specifically focused on geotag extraction and movement mapping. Sherlock is designed to find a username across many platforms, helping link identities, but it does not specialize in geolocation mapping. Maltego is a powerful link-analysis platform that can correlate entities (people, domains, emails, social profiles) and can support OSINT investigations, but for the narrow requirement of extracting and mapping geotagged location data from media, Creepy is the most direct and purpose-specific tool.

Therefore, the best tool for this geotagged image movement analysis task is Creepy.

CEH v13 details that fragmentation attacks are a common IDS evasion strategy. Signature-based IDS systems depend on reassembling packets to detect malicious patterns. When attackers fragment TCP headers into smaller segments, the IDS may be unable to reconstruct the original packet sequence, especially if the fragments are intentionally crafted to confuse reassembly buffers. Meanwhile, the target host typically recombines the fragments correctly, allowing the scan or payload to pass undetected. This technique is specifically discussed under IDS evasion methods, where fragmentation prevents complete packet inspection. Options A and B describe unrelated evasion mechanisms such as IP spoofing and MAC spoofing, and Option C does not fundamentally affect IDS reconstruction. The tester is clearly using packet fragmentation to evade detection while still mapping open ports successfully.

CEH materials describe this attack pattern as Living-off-the-Land (LotL), where attackers abuse legitimate tools to avoid detection. Because these binaries are normally trusted, traditional antivirus solutions may not flag them.

CEH recommends file integrity monitoring (FIM), which tracks cryptographic hashes of sensitive executables and alerts administrators when unauthorized modifications occur.

Option D is correct.

Options A and B support resilience but do not detect tampering.

Option C alone is insufficient against LotL attacks.

This scenario most closely matches spam and phishing delivered through social networking platforms, a technique emphasized in CEH social engineering coverage as social media phishing or spear phishing via professional networks. Nadia impersonates a trusted internal authority figure, a senior HR manager, and uses believable branding elements such as a stolen logo and accurate employee details to establish credibility. She then initiates contact through connection requests and funnels targets into a controlled space, a private group, where she requests sensitive information. Collecting a work email address and department role may appear harmless, but CEH guidance notes that attackers often start with small, plausible requests to build trust and assemble data for deeper compromise. Work emails and roles enable targeted spear phishing, business email compromise preparation, password reset targeting, and crafting convincing pretexts aligned to the victim’s function.

The core mechanics align with phishing: deception, impersonation, and a call to action designed to extract information. The “exclusive project updates” hook is a classic lure used to increase compliance. While the exercise could lead to involuntary data leakage as a downstream effect, the primary simulated threat is the phishing process itself, using social media as the delivery channel. Loss of productivity is not the intent here, and network vulnerability exploitation refers to technical system flaws rather than manipulating human trust. Therefore, the most accurate classification of Nadia’s drill is spam and phishing conducted through a social media pretext.