Evidence Types

The following table describes different types of evidence supported by the Incident Response Evidence Collection playbook.

| Evidence Type | Description |
| --- | --- |
| Basic information | Hardware: system information (endpoint name, CPU, memory), network interfaces, volume information. Software: operating system version, user information, group information |
| Account information | Accounts on this endpoint, including administrator accounts and user accounts |
| Network information | Network-related tables and configuration, including active connections from the netstat command; ARP, TCP, UDP, and routing tables; DNS cache; firewall rules; network shares |
| System execution information | Executed process records, including AmCache, Prefetch files, Recent file cache, ShimCache, and System Resource Usage Monitor (SRUM) |
| Event log | Windows Event Log, including PowerShell, RDP, Security, SMB, and System |
| Registry | Endpoint registry hive |
| User activity | Endpoint user behavior log, including browser history, Shellbags, and UserAssist registry keys |
| File timeline | Endpoint file system information, including the Master File Table (MFT) |
| Process information | Live processes currently running on the endpoint |
| Service information | Applications executed in the foreground or background, including autostart entries, scheduled tasks, and services |