The following table contains details about the attributes embedded within Portable
Executable (PE) files compiled by the Incident Response Evidence Collection playbook, Collect Evidence task, and Trend Micro
Incident Response Toolkit. PE file attributes may appear in multiple evidence
categories, including Service Information and System Execution Information.
| Attribute | Description |
|
File path
|
Absolute path of the file
|
|
File size
|
Size of the file in bytes
|
|
SHA1
|
SHA1-encrypted hash of the file contents
|
|
User account
|
Account name or security identifier associated with the file
|
|
User domain
|
Domain name of the security identifier associated with the file
|
|
File extension
|
Suffix indicating file format of the file
|
|
True file type
|
File type as determined by signatures in the file header
|
|
Catalog signed
|
Indication of whether the file contains a digital signature in the catalog
file
|
|
Embedded signed
|
Indication of whether the signature on the embedded PE file is verified
|
|
Catalog signer
|
Signer of the digital signature in the catalog file
|
|
Embedded signer
|
Signer of the digital signature in the embedded PE file
|
|
Compiled timestamp
|
Time the PE file was compiled
|
|
Import table hash
|
MD5 hash of the imported functions in the PE file |
|
Linker version
|
Version number of the file linker
|
|
File version
|
File version number represented in four 16-bit integers
|
|
Debug paths
|
File paths of any debug information present
|
|
Sub system
|
Which Windows subsystem is required to run the image
|
|
Company name
|
Internal company name when the file was compiled
|
|
File description
|
Internal description of the file when the file was compiled
|
|
Internal name
|
Internal name for the file
|
|
Create time
|
Time the file was created in the file system
|
|
Modify time
|
Last time the file was modified in the file system
|
|
Access time
|
Last time the file was accessed in the file system
|