Certified Incident Handler (CIH) Practice Ecam

What is the correct sequence of steps to examine the originating IP address from an email?

• A. 2 → 1 → 3 → 4
• B. 1 → 2 → 4 → 3
• C. 2 → 1 → 4 → 3
• D. 4 → 3 → 1 → 2

The correct answer is: 2 → 1 → 4 → 3

To determine the originating IP address from an email, the correct sequence involves specific steps that effectively lead to the identification of the sender's IP address. Firstly, you would start by examining the email headers. This is critical because the headers contain important routing information that reveals the path the email took across servers. The headers will often include the originating IP address of the sending mail server. This step is pivotal; without checking the headers, the analysis cannot proceed. Secondly, you'd identify the specific server that the email came from. In the headers, you should be able to see different "Received" lines, which document each server the email passed through. The first "Received" line typically shows where the email originated. The next step usually involves tracing back through these headers to confirm that the identified server is indeed the source of the email. This could also include looking for any indications of whether the IP address matches that of the sender’s known infrastructure. Finally, you would verify the IP address through additional means, such as using a WHOIS lookup to confirm the ownership and further details about that IP address. This would help solidify your findings regarding the legitimacy of the email, as well as the sender's identity. This logical progression of steps—starting from inspecting the