Eccouncil 312-49v11 Exam - Topic 8 Question 5 Discussion

According to the CHFI v11 syllabus under Malware Forensics and System Behavior Analysis, the Windows Registry is one of the most critical sources of forensic evidence when investigating malware activity. Malware frequently interacts with registry keys to achieve persistence, configure execution parameters, disable security controls, or maintain state information across reboots. By analyzing registry key modifications, forensic investigators can identify how malware embeds itself into the operating system and understand its long-term behavior.

Common persistence mechanisms include modifications to registry locations such as Run, RunOnce, Services, Winlogon, and scheduled task-related keys. Changes in these keys can reveal how and when malware is executed, whether it runs at system startup, and which privileges it attempts to obtain. CHFI v11 emphasizes monitoring registry artifacts using tools like Process Monitor, Registry Editor, and registry diff utilities to detect unauthorized additions, deletions, or value changes.

The other options are incorrect in this context. Monitoring network traffic patterns (Option A) is useful for command-and-control analysis but does not directly reveal registry-based persistence. Browser history logs (Option B) are related to user activity, not system-level malware behavior. Tracking system file executions (Option C) focuses on executable activity but does not expose configuration or persistence logic stored in the registry.

The CHFI Exam Blueprint v4 explicitly highlights registry-based malware persistence mechanisms as a key investigative focus, making analyzing registry key modifications the correct and exam-aligned answer