Views:

Collect evidence from Windows endpoints manually using the Trend Micro Incident Response Toolkit or by executing a playbook to support threat investigation and incident response.

Important
Important
  • Evidence archives use the same folder structures as the SANS Institute and the CyLR tool.
  • You can automatically collect evidence from Windows endpoints with the Incident Response Evidence Collection playbook. This playbook currently only supports Windows endpoints.

Procedure

  1. In the Trend Vision One console, go to XDR Threat InvestigationForensicsPackages.
  2. Click Collect Evidence.
  3. Configure the following settings for manual collection.
    Setting
    Description
    Evidence types
    The types of evidence to collect.
    Note
    Note
    Archive location on endpoint
    Location of the evidence package on the local endpoint.
    Important
    Important
    • The local archive does not have encryption, and remains on the endpoint until deleted. This might allow access to sensitive information to anyone with access to the file system or reveal the presence of an ongoing investigation.
    • Evidence archives take up hard drive space and may impact endpoint performance.
  4. Click Download TMIRT (download_icon=5c7476c2-cf15-4572-b7cd-5fc67a57d22f.png) to download the Trend Micro Incident Response Toolkit.
  5. Deploy the toolkit to the endpoints on which you want to collect evidence.
  6. Execute the toolkit.
    1. Extract the contents of the zip archive.
    2. Execute TMIRT.ps1 as an administrator.
      Important
      Important
      If you cannot execute the TMIRT.ps1 command, the following command directly downloads and executes the toolkit based on your OS version and architecture:
      .\TMIRT.exe evidence --config_file .\config.json
  7. Upload the evidence packages the toolkit generates to the Forensics app.
    Tip
    Tip
    You can upload multiple files at once. Each file must not exceed 4 GB.
The Forensics app begins processing the uploaded evidence packages.
Important
Important
  • Processing one evidence package can take several minutes.
  • Do not close the browser tab or refresh the screen until the process finishes.