The following categories contain descriptions of the types of evidence collected from Windows endpoints by the Incident Response Evidence Collection playbook, Collect Evidence task, and Trend Micro Incident Response Toolkit. These evidence types are displayed in columns after selecting an evidence category when examining an Evidence Report.

| Attribute | Description |
|---|---|
| File path | Absolute path of the file |
| File size | Size of the file in bytes |
| SHA1 | SHA1 hash of the file contents |
| User account | Account name or security identifier associated with the file |
| User domain | Domain name of the security identifier associated with the file |
| File extension | Suffix indicating the file format |
| True file type | File type as determined by signatures in the file header |
| Catalog signed | Indication of whether the file has a digital signature in a catalog file |
| Embedded signed | Indication of whether the signature embedded in the PE file is verified |
| Catalog signer | Signer of the digital signature in the catalog file |
| Embedded signer | Signer of the digital signature embedded in the PE file |
| Compiled timestamp | Time the PE file was compiled |
| Import table hash | MD5 hash of the imported functions in the PE file |
| Linker version | Version number of the linker that produced the file |
| File version | File version number represented as four 16-bit integers |
| Debug paths | File paths of any debug information present |
| Sub system | Windows subsystem required to run the image |
| Company name | Internal company name recorded when the file was compiled |
| File description | Internal description recorded when the file was compiled |
| Internal name | Internal name for the file |
| Create time | Time the file was created in the file system |
| Modify time | Last time the file was modified in the file system |
| Access time | Last time the file was accessed in the file system |

| Evidence Type | Evidence Data | Description |
|---|---|---|
| System Information | Host name | DNS host name of the endpoint |
| | UUID | System-generated globally unique identifier (GUID) string for the endpoint hardware profile |
| | CPU type | System processor architecture |
| | CPU brand | Brand of the currently supported processor |
| | CPU physical cores | Number of physical cores in the CPU |
| | CPU logical cores | Number of logical cores in the CPU |
| | CPU microcode | Intermediary code acting as CPU firmware |
| | Physical memory (KB) | Amount of physical memory, displayed in KB |
| | Hardware vendor | Manufacturer of the system motherboard |
| | Hardware model | Device model of the endpoint |
| | Hardware serial | Serial number of the endpoint hardware's software component |
| | Computer name | NetBIOS name of the endpoint |
| OS Version | Name | OS distribution or product name |
| | Installation time | Date the OS was installed on the endpoint |
| | Version | Primary OS version running on the endpoint |
| | Major | Major release version of the current OS |
| | Minor | Minor release version of the current OS |
| | Build | Build-specific or variant OS version identifier |
| | Platform | OS platform or ID |
| | Platform like | Closely related platforms |
| | Code name | OS version code name |
| | Arch | OS architecture |
| Interface Detail | MAC | Media Access Control (MAC) address of the endpoint network adapter |
| | Last modification time | Time of the last device modification |
| | Network interface | Index of the IPv4 interface associated with the network IPv4 addresses |
| | MTU | Maximum transmission unit (MTU) size in bytes |
| | Metric | IPv4 interface metric for the network adapter address |
| | Flags | Flags specifying network adapter settings |
| | Collisions | Number of packet collisions detected |
| | Friendly name | User-friendly name for the network adapter |
| | Description | Description of the network adapter |
| | Manufacturer | Manufacturer of the network adapter |
| | Connection ID | Name of the network connection as it appears in the Control Panel Network Connections section |
| | Connection status | State of the network adapter's network connection |
| | Enabled | Indication of whether or not the adapter is enabled |
| | Physical adapter | Indication of whether or not the adapter is physical |
| | Speed | Estimate of the current bandwidth in bits per second, or the nominal bandwidth when no estimate can be made |
| | Service | Service name of the network adapter |
| | DHCP enabled | Indication of whether or not DHCP v4 is enabled |
| | DHCP lease expires | Expiration date and time of the leased IP address assigned to the endpoint by the DHCP server |
| | DHCP lease obtained | Date and time the leased IP address was assigned to the endpoint by the DHCP server |
| | DHCP server | IP address of the DHCP server |
| | DNS domain | Domain name and suffix of the organization |
| | DNS domain suffix search order | List of DNS domain suffixes to be appended to the host name when attempting domain name resolution |
| | DNS host name | Name used to identify the endpoint for authentication |
| | DNS server search order | List of server IP addresses used when querying for DNS servers |
| | iPackets | Number of unicast packets received by the interface |
| | oPackets | Number of unicast packets sent through the interface |
| | iBytes | Number of octets of data received by the interface |
| | oBytes | Number of octets of data sent through the interface |
| | iErrors | Number of incoming packets discarded because of errors |
| | oErrors | Number of outgoing packets discarded because of errors |
| | iDrops | Number of incoming packets discarded despite not having errors |
| | oDrops | Number of outgoing packets discarded despite not having errors |
| Interface Address | Network interface | Index of the IPv4 interface associated with the network IPv4 addresses |
| | Address | Read-only user-friendly name for the address |
| | Mask | IPv4 subnet mask |
| | Type | Origin of the IPv4 or IPv6 address suffix |
| | Friendly Name | User-friendly name for the network adapter |
| Volume Information | Path | Current disk drive path |
| | Name | Name of the disk drive on the file system |
| | System | File system type, such as FAT or NTFS |
| | Maximum component length | Maximum character length of file names supported by the file system |
| | File system flags | Flags associated with the file system |
| | Drive type | Value indicating the disk drive type, such as removable, fixed, SSD, or CD-ROM |
| System Drive Environment | System root | Root Windows directory |
| | System drive | Drive on which Windows is installed |

| Evidence Data | Description |
|---|---|
| Creation time ($FN) | Time and date the file was created, according to newer NTFS systems |
| Path | Absolute path of the file |
| Modification time ($FN) | Time and date the file was last modified, according to newer NTFS systems |
| Access time ($FN) | Time and date the file was last accessed, according to newer NTFS systems |
| Record time ($FN) | Time and date of the file's last status change, according to newer NTFS systems |
| Directory | Directory in which the file is located |
| Filename | Name portion of the file path |
| Inode | Number of the file system index node |
| File ID | ID value of the file |
| UID | User ID of the file owner |
| Attributes | String defining the attributes of the file |
| Symlink | Indication of whether or not the file path is a symbolic link |
| Type | Current status of the file |
| Creation time ($STD) | Time and date the file was created, according to older NTFS systems |
| Write time ($STD) | Time and date the file was last modified, according to older NTFS systems |
| Access time ($STD) | Time and date the file was last accessed, according to older NTFS systems |
| Record time ($STD) | Time and date of the file's last status change, according to older NTFS systems |
| Hard links | Number of hard links to the file |
| File version | Current version of the file |
| Size | Size of the file in bytes |

| Evidence Data | Description |
|---|---|
| Process name | Name of the process |
| Process image | Path of the image file for the process |
| PID | Process ID |
| Parent PID | Process ID of the parent process |
| Process file SHA1 | SHA1 hash of the process file |
| Catalog signature | Indicates whether the catalog file for the process is signed or unsigned |
| Embedded signature | Indicates whether the process image contains an embedded signature |
| User name | User account that executed the process |
| Domain | Domain of the user that executed the process |
| Creation time | Time the process was created |
| Exit time | Time the process exited |
| Kernel time | Amount of time the process has executed in kernel mode |
| User time | Amount of time the process has executed in user mode |

| Evidence Type | Evidence Data | Description |
|---|---|---|
| Autostart Entries | Source | Registry path pattern for the autorun entry |
| | File system creation time | Time the entry was created in the file system |
| | Name | Name of the file associated with the autorun entry in the registry |
| | Registry path | Full registry path of the autorun entry |
| | Entry name | Registry folder or key name of the autorun entry |
| | Execution command | Registry value of the autorun entry, used to run the entry |
| | Path | File path for the entry, obtained from the registry |
| | Registry modification time | Last time the registry key or its associated entry values were modified |
| Scheduled Tasks | Name | Name of the registered task |
| | Action | Executable action performed by the task |
| | Path | Path to the executable file |
| | Enabled | Indication of whether the task is currently enabled |
| | State | Operational state of the registered task |
| | Hidden | Indication of whether the task is visible in the user interface |
| | Last run time | Time the registered task was last run |
| | Next run time | Time the registered task is next scheduled to run |
| | Last run message | Message returned on failure of the task's last execution |
| | Last run code | Result returned on success of the task's last execution |

| Evidence Type | Evidence Data | Description |
|---|---|---|
| AmCache | Record time | Program execution, installation, or data update time |
| | Registry modification time | Last time the registry was modified |
| ShimCache | Record time | Last time the application file was modified |
| | Last update time | Last time the registry was modified |