The following table contains details about the evidence data collected by the Incident Response Evidence Collection playbook, Collect Evidence task, and Trend Micro
Incident Response Toolkit included in the Running Process evidence type under the
Process Information category.
|
Evidence Data
|
Description
|
|
Process name
|
Name of the process
|
|
Process image
|
Path of the image file for the process |
|
PID
|
Process ID
|
|
Parent PID
|
Process ID of the parent process |
|
Process file SHA1
|
SHA1 hash of the process file
|
|
Catalog signature
|
Indicates whether the catalog file for the process is signed or unsigned
|
|
Embedded signature
|
Indicates whether the process contains an embedded signature
|
|
User name
|
Uer account that executed the process
|
|
Domain
|
Domain of the user that executed the process
|
|
Creation time
|
Time the process was created
|
|
Exit time
|
Exit time of the process
|
|
Kernel time
|
Amount of time the process has executed in kernel mode |
|
User time
|
Amount of time the process has executed in user mode |