Learn about the attributes embedded within Portable Executable (PE) files that the Incident Response Evidence Collection playbook, Collect Evidence task, and Trend Micro Incident Response Toolkit collect.
Note: PE file attributes might appear in multiple evidence categories, including Service Information and System Execution Information.

| Attribute | Description |
| --- | --- |
| File path | The absolute path of the file. |
| File size | The size of the file in bytes. |
| SHA1 | The SHA1 hash of the file contents. |
| User account | The account name or security identifier associated with the file. |
| User domain | The domain name of the security identifier associated with the file. |
| File extension | The suffix indicating the file format of the file. |
| True file type | The file type as determined by signatures in the file header. |
| Catalog signed | An indication of whether the file contains a digital signature in the catalog file. |
| Embedded signed | An indication of whether the signature on the embedded PE file is verified. |
| Catalog signer | The signer of the digital signature in the catalog file. |
| Embedded signer | The signer of the digital signature in the embedded PE file. |
| Compiled timestamp | The time the PE file was compiled. |
| Import table hash | The MD5 hash of the imported functions in the PE file. |
| Linker version | The version number of the file linker. |
| File version | The file version number represented in four 16-bit integers. |
| Debug paths | The file paths of any debug information present. |
| Sub system | The Windows subsystem required to run the image. |
| Company name | The internal company name when the file was compiled. |
| File description | The internal description of the file when the file was compiled. |
| Internal name | The internal name for the file. |
| Create time | The time the file was created in the file system. |
| Modify time | The last time the file was modified in the file system. |
| Access time | The last time the file was accessed in the file system. |
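
To show where several of these values live in the file itself, the following added example (not Trend Micro code) reads the true file type, compiled timestamp, linker version, and subsystem from the PE headers and compares the true type with the file extension. The function names, the `PE_EXTENSIONS` set, and the `invoice.pdf` sample name are assumptions made for illustration.

```python
import os
import struct
from datetime import datetime, timezone

SUBSYSTEMS = {1: "NATIVE", 2: "WINDOWS_GUI", 3: "WINDOWS_CUI"}  # subset of IMAGE_SUBSYSTEM_*
PE_EXTENSIONS = {".exe", ".dll", ".sys"}  # assumption: illustrative, not exhaustive
NOT_PE = {"true_file_type": "not PE"}

def pe_header_attributes(data: bytes, file_name: str) -> dict:
    """Derive header-based attributes from the raw bytes of a file."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return dict(NOT_PE)
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)  # offset of "PE\0\0"
    opt = e_lfanew + 24  # signature (4) + COFF file header (20)
    if opt + 70 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return dict(NOT_PE)
    _machine, _nsect, stamp, _, _, opt_size, _chars = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    magic, major, minor = struct.unpack_from("<HBB", data, opt)
    if opt_size < 70 or magic not in (0x10B, 0x20B):
        return dict(NOT_PE)
    (subsystem,) = struct.unpack_from("<H", data, opt + 68)  # same offset in PE32 and PE32+
    ext = os.path.splitext(file_name)[1].lower()
    return {
        "file_extension": ext,
        "true_file_type": "PE32" if magic == 0x10B else "PE32+",
        # TimeDateStamp is written by the linker and can be altered after the build.
        "compiled_timestamp": datetime.fromtimestamp(stamp, tz=timezone.utc).isoformat(),
        "linker_version": f"{major}.{minor}",
        "subsystem": SUBSYSTEMS.get(subsystem, f"UNKNOWN({subsystem})"),
        "extension_mismatch": ext not in PE_EXTENSIONS,
    }

def build_sample() -> bytes:
    """Constructed headers only (no sections or code): a PE32+ console image."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 1700000000, 0, 0, 0xF0, 0x0022)
    opt = bytearray(0xF0)
    struct.pack_into("<HBB", opt, 0, 0x20B, 14, 29)
    struct.pack_into("<H", opt, 68, 3)
    return dos + b"PE\0\0" + coff + bytes(opt)

if __name__ == "__main__":
    for key, value in pe_header_attributes(build_sample(), "invoice.pdf").items():
        print(f"{key}: {value}")
```

A file whose extension disagrees with its true file type, as in the constructed `invoice.pdf` sample, is worth a closer look during triage.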
