Setting up a computer forensics lab involves several critical steps that need to be executed in a logical and efficient order. The correct sequence starts with planning and budgeting (2), as it is essential to understand the scope, resources, and financial commitment required for the lab. The next step involves considering the physical location and structural design (1) to ensure the lab meets operational needs and security requirements. Work area considerations (3) follow, focusing on the layout and functionality of the workspace. Human resource considerations (6) are crucial next, to ensure the lab is staffed with qualified personnel. Physical security recommendations (4) are then implemented to protect the lab and its resources. Finally, forensic lab licensing (5) ensures the lab operates within legal and regulatory frameworks.

The EC-Council Incident Handler (ECIH) curriculum stresses that mobile malware often enters enterprise environments through sideloaded applications obtained from untrusted sources. Android devices that allow installation from unknown sources significantly increase organizational risk.

Mobile Device Management (MDM) solutions are recommended to enforce application control policies, including restricting installations to digitally signed applications from approved app stores. By enforcing signed app installation policies, organizations prevent the execution of tampered or malicious APK files.

Option A (remote tracking) assists with lost device recovery but does not prevent malicious installations. Option B (Bluetooth/NFC restriction) addresses wireless communication risks, not app integrity. Option C (full-disk encryption) protects stored data but does not stop malware from executing.

ECIH guidance highlights enforcing mobile security baselines, restricting unknown sources, implementing application whitelisting, and applying MDM-enforced controls to prevent sideloaded malware infections. Therefore, enforcing MDM policies that allow only signed app installations is the most effective preventive control.

In Wireshark, to identify ICMP ping sweep attempts, the filtericmp.type == 8 or icmp.type ==0is used. This filter captures ICMP echo requests and echo replies, which are indicative of ping commands. Type 8 represents an echo request used when a source sends a ping, and type 0 represents an echo reply, which is the response from the target. By filtering for these ICMP types, Miko can detect a surge in ping requests across the network, which could indicate a ping sweep attempt—an exploratory activity often used by attackers to discover active hosts on a network by sending ping requests to multiple addresses.

In incident response protocols, incidents are categorized based on their severity, impact, and the urgency of the response required. The categorization helps in prioritizing incident response activities and allocating resources accordingly. A CAT 1 (Category 1) incident is typically considered the highest priority, involving significant threats that require immediate response. Given the scenario where a malware incident in one of the largest social network companies must be reported within 1 hour of discovery/detection, this indicates a high-priority incident due to the potential widespread impact and the need for a rapid response to contain and mitigate the malware ' s spread. The urgency of the reporting timeframe suggests that the incident is considered critical, aligning with the characteristics of a CAT 1 incident, which necessitates immediate action to prevent significant damage or disruption to the company ' s operations and services.

A TCP Xmas scan is a type of network scanning technique used by attackers to identify open ports on a target machine. The name " Xmas " comes from the set of flags that are turned on within the packet, making it ' lit up like a Christmas tree ' . Specifically, the FIN, PSH, and URG flags are set, which corresponds to the hexadecimal value 0X029 in the TCP header ' s flags field. Wireshark, a popular network protocol analyzer, allows users to create custom filters to detect specific types of network traffic, including malicious scanning attempts. By using the filtertcp.flags==0X029, Rose can detect packets that have these specific flags set, indicating a potential TCP Xmas scan attempt.

In IoT and OT environments, the ECIH curriculum emphasizes that containment is the highest first-response priority , especially when public safety and critical services are involved. The abnormal data transmission strongly suggests compromise, and allowing the device to remain connected risks lateral movement, data exfiltration, and operational disruption.

Option C is correct because immediate isolation of the affected IoT device prevents further unauthorized communication while preserving the system’s current state for forensic analysis. Isolation limits the blast radius without unnecessarily disrupting the entire infrastructure.

Option A introduces risk by changing system states during an active incident. Option B is preventive and not an incident response action. Option D is appropriate after containment but not before.

Thus, isolating the compromised device aligns with ECIH endpoint and IoT incident handling principles.

Omnipeek is a network analyzer tool that allows for the capture and analysis of data packets transmitted across a network. It is designed to provide deep insights into network traffic, enabling users to examine various aspects of the data packets, including network protocols, ports, devices, and potential issues in network transmission. This tool would be ideal for Chandler, who is targeting the Technote organization with the intent of intercepting and analyzing network traffic to obtain sensitive organizational information. Omnipeek ' s capabilities in packet analysis make it suitable for such activities, offering detailed visibility into the network ' s operation and data flows.

This question is based on the shared responsibility model , a fundamental concept in ECIH cloud incident handling. While customers manage applications, configurations, and data, the cloud service provider (CSP) controls the underlying infrastructure, including orchestration engines, schedulers, and runtime environments.

System-level telemetry such as hypervisor activity and orchestration logs cannot be accessed by customers. Only the CSP can provide this visibility. Therefore, Option C is correct.

The other options manage higher-level responsibilities but lack authority over infrastructure-layer components.

A Trojan, or Trojan horse, is a type of malware that disguises itself as a legitimate, harmless program or file to trick users into downloading and installing it. Once activated, a Trojan can perform a range of malicious activities, including giving attackers unauthorized access to the infected system. This can lead to the theft of sensitive information, such as credit card numbers and passwords, and can also allow the attacker to install additional malware, potentially leading to further damage, such as the erasure of data. Unlike viruses and worms, Trojans do not replicate themselves but rely on the deception of users to spread.