312-49v11 Exam Dumps - ECCouncil CHFI Questions and Answers

Option B is the most appropriate answer because .ost files are Outlook offline-storage files tied to synchronized mail accounts, and a common forensic workflow is to convert the OST to PST so the content can be more easily opened, preserved, and analyzed in standard email-review tools. This method is more practical and forensically manageable than trying to treat the OST as plain text or ignoring it altogether.

Option A is incorrect because the .ost file absolutely can contain important email evidence. Option D is inappropriate because an OST file is not meant to be examined meaningfully with a simple text editor. Option C may be possible with certain tools, but the question asks for the proper general step to acquire and analyze the data, and the most standard, broadly defensible workflow is conversion into a PST-equivalent analysis format .

From a CHFI perspective, investigators must understand email evidence sources and use a method that preserves accessibility and supports examination. Therefore, the strongest answer is to convert the OST file to PST using a suitable forensic conversion tool and then analyze the resulting email data in a structured way.

Option A. Volatility is the best answer because CHFI v11 explicitly includes Windows Memory Analysis and Registry Analysis , Tools to Perform Windows Memory and Registry Analysis , Tools to Acquire Memory Dumps , and Tools to Examine the Memory Dumps . A stealthy rootkit that hides processes and files is exactly the type of threat that often requires deep memory-based analysis to uncover.

Volatility is built for memory forensics and can reveal hidden processes, injected code, loaded modules, suspicious drivers, and related artifacts that ordinary user-mode tools may not show. While Reg Ripper is excellent for registry artifact extraction, it is limited to registry-focused analysis and does not provide the full memory-inspection capability needed for a hidden rootkit case. DumpIt is mainly for acquiring memory, not analyzing it. Autopsy is useful for disk and file-system evidence but is not the strongest choice for rootkit-focused memory analysis.

Because Henry needs the best tool for memory and registry-oriented rootkit investigation , the strongest CHFI-aligned answer is Volatility .