The following table contains details about types of evidence in the System Execution
category collected by the Incident Response Evidence Collection playbook, Collect Evidence task, and Trend Micro
Incident Response Toolkit.
 |
NoteAmCache and ShimCache evidence types may also include may also contain attribute data from complied PE files.
|
| Evidence Type | Evidence Data | Description |
|
AmCache
|
Record time
|
Program execution, installation, or data update time
|
|
Registry modification time
|
Last time the registry was modified
|
|
| ShimCache |
Record time
|
Last time the application file was modified
|
|
Last update time
|
Last time the registry was modified
|