Manual Evidence Collection

Collect evidence from endpoints without an internet connection to support threat investigation and incident response by using the Trend Micro Incident Response Toolkit.

  • Evidence archives use the same folder structure as the SANS Institute and the CyLR tool.

  • This feature is not available in all regions.

  1. Download the Trend Micro Incident Response Toolkit
    1. In the Trend Vision One console, go to XDR Threat Investigation > Forensics and Analysis > Packages.
    2. Click Collect Package.
    3. Click Download TMIRT.
  2. Deploy the toolkit to the endpoint where you want to collect evidence.
  3. Execute the toolkit.
    1. Open the command line.
    2. Navigate to the folder where the Trend Micro Incident Response Toolkit is located.
    3. Execute the following command:
      ./TMIRT- evidence --task_id <file prefix> <evidence type> --data_output_folder <location>

      The following table outlines the arguments used to execute the toolkit.

      <file prefix>
        Name prefix for the package the toolkit generates.

      <evidence type>
        Evidence types the toolkit can collect. Include at least one, separated by spaces. Available evidence types:
        • --basicinfo
        • --accountinfo
        • --networkinfo
        • --sysexecutioninfo
        • --eventlog
        • --registry
        • --useractivity
        • --filetimeline
        • --processinfo
        • --serviceinfo

      <location>
        Directory where the toolkit stores the zip file with the collected evidence.

  4. Upload the zip archive that the toolkit generates to the Forensics and Analysis app.
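As an added example (not part of the Trend Micro documentation or the toolkit itself), the following bash wrapper assembles the evidence command from step 3 so that only the documented evidence types are passed, and records a SHA-256 hash of the generated archive before it is uploaded in step 4, so the package can later be verified against what was collected on the endpoint. The toolkit binary path (`TMIRT_BIN`), the task prefix and the output folder are placeholders.

```bash
#!/usr/bin/env bash
# Added example, not Trend Micro code: builds the TMIRT evidence command line
# from validated arguments and hashes the resulting archive for chain of custody.
set -eu

# Evidence types documented for the toolkit (passed to TMIRT as --<type>).
TMIRT_EVIDENCE_TYPES="basicinfo accountinfo networkinfo sysexecutioninfo eventlog registry useractivity filetimeline processinfo serviceinfo"

# Return 0 if $1 is one of the documented evidence types, 1 otherwise.
is_valid_evidence_type() {
  local t
  for t in $TMIRT_EVIDENCE_TYPES; do
    [ "$1" = "$t" ] && return 0
  done
  return 1
}

# Print the full TMIRT command line: build_tmirt_cmd <prefix> <outdir> <type>...
# Evidence types are given without the leading "--". Fails on an unknown type
# so that a typo does not silently produce an incomplete collection.
build_tmirt_cmd() {
  local prefix="$1" outdir="$2" binary="${TMIRT_BIN:-./TMIRT-}" types="" t
  shift 2
  [ $# -ge 1 ] || { echo "at least one evidence type is required" >&2; return 1; }
  for t in "$@"; do
    is_valid_evidence_type "$t" || { echo "unknown evidence type: $t" >&2; return 1; }
    types="$types --$t"
  done
  echo "$binary evidence --task_id $prefix$types --data_output_folder $outdir"
}

# Write a SHA-256 hash of the collected zip next to it (<archive>.sha256) and
# print it, so the package uploaded to Forensics and Analysis can be verified.
# Uses coreutils sha256sum; adjust for platforms that ship shasum instead.
hash_archive() {
  local archive="$1"
  [ -f "$archive" ] || { echo "archive not found: $archive" >&2; return 1; }
  sha256sum "$archive" | tee "$archive.sha256"
}

# Typical use on the endpoint (placeholder prefix and folder):
#   cmd=$(build_tmirt_cmd IR-CASE-0001 /tmp/evidence basicinfo networkinfo eventlog)
#   echo "$cmd"            # review before running
#   $cmd                   # runs the toolkit
#   hash_archive /tmp/evidence/IR-CASE-0001*.zip
```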

The Forensics and Analysis app begins processing the uploaded package.

  • Processing evidence packages can take up to 30 minutes.

  • Do not close the browser tab or refresh the screen until the process finishes.