The following table contains details about types of evidence in the Service Information category collected by the Incident Response Evidence Collection playbook, Collect Evidence task, and Trend Micro Incident Response Toolkit.
Note

Autostart and Scheduled Task evidence types may also contain attribute data from compiled PE files.
| Evidence Type | Evidence Data | Description |
|---|---|---|
| Autostart Entries | Source | Registry path pattern for the autorun entry |
| | File system creation time | The time the entry was created in the file system |
| | Name | Name of the file associated with the autorun entry in the registry |
| | Registry path | Full registry path of the autorun entry |
| | Entry name | Registry folder for or key name of the autorun entry |
| | Execution command | Registry value of the autorun entry, used to run the entry |
| | Path | File path for the entry obtained from the registry |
| | Registry modification time | Last time the registry key or associated entry values were modified |
| Scheduled Tasks | Name | Name of the registered task |
| | Action | Executable action performed by the task |
| | Path | Path to the executable file |
| | Enabled | Indication of whether the task is currently enabled |
| | State | Operational state of the registered task |
| | Hidden | Indication of whether the task is visible on the user interface |
| | Last run time | Time the registered task was last run |
| | Next run time | Time the registered task is next scheduled to run |
| | Last run message | Messages returned on the failure of the task's last execution |
| | Last run code | Results returned on the success of the task's last execution |