Linux evidence types

The following categories contain descriptions of the types of evidence collected from Linux endpoints by the Collect Evidence task and Trend Micro Incident Response Toolkit. These evidence types are displayed in columns after selecting an evidence category when examining an Evidence Report.

• Basic Information
• Process Information
• Service Information
• Network Information
• Account Information
• User Activity
• Shared File Info Objects

When collecting evidence from Linux endpoints, you may also select to collect available logs. Download the raw log file from the evidence report menu by going to Logs → Logs and clicking Download Raw Data. Copy the provided password for the archive file and click Download.