The following table contains details about types of evidence in the Basic Information
category collected by the Incident Response Evidence Collection playbook, Collect Evidence task, and Trend Micro
Incident Response Toolkit.
|
Evidence Type
|
Evidence Data
|
Description
|
|
System Information
|
Host name
|
DNS host name of the endpoint
|
|
UUID
|
System-generated globally unique identifier (GUID) string for the endpoint
hardware profile
|
|
|
CPU type
|
The system processor architecture
|
|
|
CPU brand
|
Brand of the currently supported processor
|
|
|
CPU physical cores
|
Number of physical cores in the CPU
|
|
|
CPU logical cores
|
Number of logical cores in the CPU
|
|
|
CPU microcode
|
Intermediary code acting as CPU firmware | |
| Physical memory (KB) |
Amount of physical memory displayed in KB
|
|
|
Hardware vendor
|
Manufacturer of the system motherboard | |
|
Hardware model
|
Device model of the endpoint | |
|
Hardware serial
|
Serial number of the endpoint hardware's software component | |
|
Computer name
|
NetBIOS name of the endpoint
|
|
|
OS Version
|
Name
|
OS distribution or product name
|
|
Installation time
|
Date the OS was installed on the endpoint
|
|
|
Version
|
Primary OS version running on the endpoint
|
|
|
Major
|
Major release version of the current OS
|
|
|
Minor
|
Minor release version of the current OS | |
|
Build
|
Build-specific or variant OS version identifier | |
|
Platform
|
OS platform or ID
|
|
|
Platform like
|
Closely related platforms
|
|
|
Code name
|
OS version code name | |
|
Arch
|
OS architecture | |
|
Interface Detail
|
MAC
|
Media Access Control (MAC) address for the endpoint network adapter
|
|
Last modification time
|
Time of last device modification | |
|
Network interface
|
Index of IPv4 interface associated with network IPv4 addresses
|
|
|
MTU
|
Maximum transmission unit (MTU) size in bytes
|
|
|
Metric
|
IPv4 interface metric for the network adapter address
|
|
|
Flags
|
Flags specifying network adapter settings | |
|
Collisions
|
Number of packet collisions detected | |
|
Friendly name
|
User-friendly name for the network adapter | |
|
Description
|
Description of the network adapter
|
|
|
Manufacturer
|
Manufacturer of the network adapter
|
|
|
Connection ID
|
Name of the network connections as appearing in the Control Panel Network
Connections section
|
|
|
Connection status
|
State of the network adapter network connection | |
|
Enabled
|
Indication of whether or not the adapter is enabled
|
|
| Physical adapter | Indication of whether or not the adapter is physical | |
|
Speed
|
Estimation of current bandwidth in bits per second or the nominal bandwidth when no estimation can be made | |
|
Service
|
Service name of the network adapter
|
|
| DHCP enabled | Indication of whether or not DHCP v4 is enabled | |
|
DHCP lease expires
|
Expiration date and time of the leased IP address assigned to the endpoint bu the DHCP server | |
|
DHCP lease obtained
|
Date and time the leased IP address was assigned to the endpoint through the DHCP server | |
|
DHCP server
|
IP address of the DHCP server
|
|
|
DNS domain
|
Domain name and suffix of the organization
|
|
|
DNS domain suffix search order
|
List of DNS domain suffixes to be applied at the end of the end of the host name
when attempting domain name resolution
|
|
|
DNS host name
|
Name used to identify the endpoint for authentication
|
|
|
DNS server search order
|
List of server IP addresses used when querying for DNS servers
|
|
|
iPackets
|
Number of unicast packets received by the interface | |
|
oPackets
|
Number of octets of data sent through the interface | |
|
iBytes
|
Number of octets of data received by the interface
|
|
|
oBytes
|
Number of unicast packets sent through the interface
|
|
|
iErrors
|
Number of incoming packets discarded because of errors
|
|
|
oErrors
|
Number of outgoing packets discarded because of errors
|
|
|
iDrops
|
Number of incoming packets discarded despite not having errors
|
|
|
oDrops
|
Number of outgoing packets discarded despite not having errors
|
|
|
Interface Address
|
Network interface
|
Index of IPv4 interface associated with network IPv4 addresses
|
|
Address
|
Read-only user-friendly name for the address
|
|
|
Mask
|
IPv4 subnet mask
|
|
|
Type
|
Origin of the IPv4 or IPv6 address suffix | |
|
Friendly Name
|
User-friendly name for the network adapter | |
|
Volume Information
|
Path
|
Current disk drive path |
|
Name
|
Name of the disk drive on the file system | |
|
System
|
File system type, such as FAT or NTFS | |
|
Maximum component length
|
Maximum character length of file names supported by the file system
|
|
|
File system flags
|
Flags associated with the file system
|
|
|
Drive type
|
Value indicating disk drive type, such as removable, fixed, SSD, or CD-ROM
|
|
|
System Drive Environment
|
System root
|
Root Windows directory
|
|
System drive
|
The drive on which Windows is installed
|