View data, metadata, and descriptions of evidence in the process information category collected from Linux endpoints.

The following tables contain descriptions of the evidence data and metadata in the process information category that may be collected from Linux endpoints by the Collect Evidence task and Trend Micro Incident Response Toolkit. These evidence types are displayed in columns after selecting an evidence category when examining an Evidence Report.

The following data consists of primary evidence collected on running processes.
| Evidence Data | Description |
| --- | --- |
| User name | The user names associated with the process |
| PID | The process ID |
| Command line | The command line used to execute the process |
| Creation time | The time the process was started |
| Parent PID | The process ID of the parent process |
| SHA1 | The SHA1 of the associated file |
| Kernel time | The amount of time spent in kernel mode in ticks |
| User time | The amount of time spent in user mode in ticks |
The following metadata is associated with individual processes and is displayed in tabs within the Evidence Report.

Note: Not all listed metadata may be collected and displayed.
| Metadata Tab | Evidence Data | Description |
| --- | --- | --- |
| File information | | |
| Socket connections | Local address | The associated local IP address |
| | Local port | The associated local TCP/UDP port number |
| | Protocol | The associated transport protocol (TCP or UDP) |
| | Remote address | The associated remote IP address |
| | Remote port | The associated remote TCP/UDP port number |
| | State | The state of the connection |
| | Creator UID | The user ID of the socket creator |
| Associated threads | Thread ID | The process ID of the thread |
| | Command line | The file name of the executable file or the command name associated with the thread |
| | Current state | The current state of the process expressed as a representative character |
| | Parent PID | The process ID of the parent process |
| | Process group ID | The group ID associated with the process |
| | Session ID | The session ID of the process |
| | Controlling terminal process group ID | The ID of the foreground process group in the controlling terminal |
| | User time | The amount of time spent in user mode in ticks |
| | Kernel time | The amount of time spent in kernel mode in ticks |
| | Priority | The priority value of the process |
| | Nice value | The value used to set the true process priority |
| | Start time | The running time of the process in ticks |
| | Virtual memory (bytes) | The amount of virtual memory used in bytes |
| | Waiting channel | The kernel address of the process when sleeping |
| | Real-time priority value | The priority value used for real-time processes |
| | Exit code | The value representing the exit status of the thread |
| Environment variables | Name | The name of the process environment variable |
| | Value | The value of the process environment variable |
| Accessible libraries | | |
| Opened files | | |
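The thread-level fields in the table above (state, parent PID, process group, session, controlling-terminal process group, user and kernel ticks, priority, nice value, start time, virtual memory, waiting channel, real-time priority, exit code) line up with the columns of the Linux `/proc/<pid>/stat` record as documented in proc(5). The Python parser below is an added example, not code from the Trend Micro documentation or toolkit; the assumption that the toolkit sources these values from `/proc` is mine, the field names are my own, and the sample record is constructed rather than captured from a real host. It lets an analyst reproduce the same values from a raw stat line when cross-checking an Evidence Report, and handles the one awkward edge in the format: the command name is parenthesised and may itself contain spaces or `)`.

```python
"""Parse a Linux /proc/<pid>/stat record into the thread-level fields named above.

Added example, not part of the Trend Micro documentation. It assumes the
"Associated threads" fields are sourced from /proc/<pid>/stat (or
/proc/<pid>/task/<tid>/stat), whose layout is documented in proc(5).
"""
import os
from typing import Optional

# Field numbers from proc(5) (1-based). Fields 1 and 2 (pid, comm) are
# handled separately because comm is parenthesised and may contain spaces.
_STAT_FIELDS = {
    "current_state": 3,                 # one character: R, S, D, Z, T, ...
    "parent_pid": 4,
    "process_group_id": 5,
    "session_id": 6,
    "controlling_terminal_pgid": 8,     # tpgid
    "user_time": 14,                    # utime, clock ticks
    "kernel_time": 15,                  # stime, clock ticks
    "priority": 18,
    "nice_value": 19,
    "start_time": 22,                   # starttime, clock ticks since boot
    "virtual_memory_bytes": 23,         # vsize
    "waiting_channel": 35,              # wchan
    "real_time_priority": 40,           # rt_priority
    "exit_code": 52,                    # only present on Linux >= 3.5
}

# Meaning of the state character, per proc(5).
STATE_NAMES = {
    "R": "running", "S": "sleeping", "D": "disk sleep", "Z": "zombie",
    "T": "stopped", "t": "tracing stop", "X": "dead", "I": "idle",
}

# Constructed sample record (not captured from a real host): PID 4242, a
# comm containing a space, 7 user ticks, 3 kernel ticks, vsize 8912896.
SAMPLE_STAT = (
    "4242 (evil sh) S 1 4242 4242 34816 4242 4194560 123 0 0 0 7 3 0 0 "
    "20 0 1 0 123456 8912896 512 18446744073709551615 1 2 3 0 0 0 0 0 0 0 "
    "0 0 17 2 0 0 0 0 0 4 5 6 7 8 9 10 0"
)


def parse_stat(line: str) -> dict:
    """Return a dict keyed like the 'Associated threads' table."""
    # comm is the only field that may contain spaces or ')', so split on the
    # LAST ')' instead of naively splitting the whole line on whitespace.
    head, sep, tail = line.rstrip("\n").rpartition(")")
    if not sep or "(" not in head:
        raise ValueError("malformed stat record: comm not parenthesised")
    pid_str, _, comm = head.partition("(")
    fields = tail.split()
    # Everything up to rt_priority (field 40) has existed since Linux 2.5.19.
    if len(fields) < _STAT_FIELDS["real_time_priority"] - 2:
        raise ValueError("malformed stat record: too few fields")
    info = {"thread_id": int(pid_str), "command_line": comm}
    for name, number in _STAT_FIELDS.items():
        idx = number - 3                 # fields[0] is field 3 (state)
        if idx >= len(fields):
            info[name] = None            # older kernel without this field
        elif name == "current_state":
            info[name] = fields[idx]
        else:
            info[name] = int(fields[idx])
    info["state_name"] = STATE_NAMES.get(info["current_state"], "unknown")
    return info


def ticks_to_seconds(ticks: int, clk_tck: int = 100) -> float:
    """Convert a tick count to seconds; CLK_TCK is 100 on most Linux builds."""
    return ticks / clk_tck


def read_live_stat(pid: int, tid: Optional[int] = None) -> dict:
    """Read and parse a record from a live Linux /proc (not used offline)."""
    path = f"/proc/{pid}/stat" if tid is None else f"/proc/{pid}/task/{tid}/stat"
    with open(path, encoding="ascii", errors="replace") as fh:
        return parse_stat(fh.read())


if __name__ == "__main__":
    rec = parse_stat(SAMPLE_STAT)
    clk = os.sysconf("SC_CLK_TCK") if hasattr(os, "sysconf") else 100
    print(rec["thread_id"], rec["command_line"], rec["state_name"])
    print("cpu seconds:", ticks_to_seconds(rec["user_time"] + rec["kernel_time"], clk))
```

Tick values only become wall-clock seconds once divided by the kernel's clock-tick rate, which the parser takes as a parameter (read it with `os.sysconf("SC_CLK_TCK")` on the host being examined); a record truncated before field 40 is rejected rather than silently mis-indexed, and a record from an older kernel that lacks the exit-code field reports that field as `None`.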