Learn about the types of evidence in the basic information category that the Incident Response Evidence Collection playbook, Collect Evidence task, and Trend Micro Incident Response Toolkit collect.
System information

| Evidence Data | Description |
| --- | --- |
| Host name | The Domain Name System (DNS) host name of the endpoint. |
| UUID | The system-generated universally unique identifier (UUID) string for the endpoint hardware profile. |
| CPU type | The system central processing unit (CPU) architecture. |
| CPU brand | The brand of the currently supported processor. |
| CPU physical cores | The number of physical cores in the CPU. |
| CPU logical cores | The number of logical cores in the CPU. |
| CPU microcode | An intermediary code acting as CPU firmware. |
| Physical memory (KB) | The amount of physical memory displayed in kilobytes (KB). |
| Hardware vendor | The manufacturer of the system motherboard. |
| Hardware model | The device model of the endpoint. |
| Hardware serial | The serial number of the endpoint hardware's software component. |
| Computer name | The Network Basic Input/Output System (NetBIOS) name of the endpoint. |
OS version

| Evidence Data | Description |
| --- | --- |
| Name | The Operating System (OS) distribution or product name. |
| Installation time | The date the OS was installed on the endpoint. |
| Version | The primary OS version running on the endpoint. |
| Major | The major release version of the current OS. |
| Minor | The minor release version of the current OS. |
| Build | A build-specific or variant OS version identifier. |
| Platform | The OS platform or ID. |
| Platform like | The closely related platforms. |
| Code name | The OS version code name. |
| Arch | The OS architecture. |
Interface detail

| Evidence Data | Description |
| --- | --- |
| MAC | The Media Access Control (MAC) address for the endpoint network adapter. |
| Last modification time | The time of the last device modification. |
| Network interface | The index of the Internet Protocol version 4 (IPv4) interface associated with network IPv4 addresses. |
| MTU | The maximum transmission unit (MTU) size in bytes. |
| Metric | The IPv4 interface metric for the network adapter address. |
| Flags | The flags specifying network adapter settings. |
| Collisions | The number of packet collisions detected. |
| Friendly name | A user-friendly name for the network adapter. |
| Description | A description of the network adapter. |
| Manufacturer | The manufacturer of the network adapter. |
| Connection ID | The name of the network connection as it appears in the Control Panel Network Connections section. |
| Connection status | The state of the network adapter network connection. |
| Enabled | An indication of whether the adapter is enabled. |
| Physical adapter | An indication of whether the adapter is physical. |
| Speed | An estimation of the current bandwidth in bits per second, or the nominal bandwidth when no estimation can be made. |
| Service | The service name of the network adapter. |
| DHCP enabled | An indication of whether Dynamic Host Configuration Protocol version 4 (DHCPv4) is enabled. |
| DHCP lease expires | The expiration date and time of the leased Internet Protocol (IP) address that the DHCP server assigned to the endpoint. |
| DHCP lease obtained | The date and time the leased IP address was assigned to the endpoint through the DHCP server. |
| DHCP server | The IP address of the DHCP server. |
| DNS domain | The domain name and suffix of the organization. |
| DNS domain suffix search order | A list of DNS domain suffixes to be appended to the host name when attempting domain name resolution. |
| DNS host name | The name used to identify the endpoint for authentication. |
| DNS server search order | A list of server IP addresses used when querying DNS servers. |
| iPackets | The number of unicast packets received by the interface. |
| oPackets | The number of octets of data sent through the interface. |
| iBytes | The number of octets of data received by the interface. |
| oBytes | The number of unicast packets sent through the interface. |
| iErrors | The number of incoming packets discarded because of errors. |
| oErrors | The number of outgoing packets discarded because of errors. |
| iDrops | The number of incoming packets discarded despite not having errors. |
| oDrops | The number of outgoing packets discarded despite not having errors. |
Interface address

| Evidence Data | Description |
| --- | --- |
| Network interface | The index of the IPv4 interface associated with network IPv4 addresses. |
| Address | A read-only user-friendly name for the address. |
| Mask | The IPv4 subnet mask. |
| Type | The origin of the IPv4 or Internet Protocol version 6 (IPv6) address suffix. |
| Friendly Name | A user-friendly name for the network adapter. |
Volume information

| Evidence Data | Description |
| --- | --- |
| Path | The current disk drive path. |
| Name | The name of the disk drive on the file system. |
| System | The file system type, such as File Allocation Table (FAT) or New Technology File System (NTFS). |
| Maximum component length | The maximum character length of file names supported by the file system. |
| File system flags | The flags associated with the file system. |
| Drive type | A value indicating the disk drive type, such as removable, fixed, solid-state drive (SSD), or hard disk drive (HDD). |
System drive environment

| Evidence Data | Description |
| --- | --- |
| System root | The root Windows directory. |
| System drive | The drive on which Windows is installed. |