The following table describes the evidence data collected by the Incident Response Evidence Collection playbook (Collect Evidence task) and by the Trend Micro Incident Response Toolkit for the File Timeline category of the Files evidence type. Each row of this evidence type is one file system entry with its timestamps and metadata.
Evidence Data | Description
--- | ---
Creation time ($FN) | Time and date the file was created, taken from the $FILE_NAME attribute of the file's MFT record
Path | Absolute path of the file
Modification time ($FN) | Time and date the file content was last modified, taken from the $FILE_NAME attribute
Access time ($FN) | Time and date the file was last accessed, taken from the $FILE_NAME attribute
Record time ($FN) | Time and date the file's MFT record was last changed (metadata change), taken from the $FILE_NAME attribute
Directory | Directory in which the file is located
Filename | Name portion of the file path
Inode | Number of the file system index node (on NTFS, the MFT record number)
File ID | ID value of the file
UID | User ID of the file owner
Attributes | String defining the attributes of the file
Symlink | Indication of whether or not the file path is a symbolic link
Type | Current status of the file
Creation time ($STD) | Time and date the file was created, taken from the $STANDARD_INFORMATION attribute of the file's MFT record
Write time ($STD) | Time and date the file content was last modified, taken from the $STANDARD_INFORMATION attribute
Access time ($STD) | Time and date the file was last accessed, taken from the $STANDARD_INFORMATION attribute
Record time ($STD) | Time and date the file's MFT record was last changed (metadata change), taken from the $STANDARD_INFORMATION attribute
Hard links | Number of hard links to the file
File version | Current version of the file
Size | Size of the file in bytes

Note on the $STD and $FN timestamp pairs: every NTFS MFT record carries two independent sets of four timestamps, one in the $STANDARD_INFORMATION attribute ($STD) and one in the $FILE_NAME attribute ($FN). The $STD set is the one Windows exposes through the file API (Explorer, `dir`, PowerShell) and is therefore the set that timestomping tools rewrite; the $FN set is maintained by the kernel when the file is created, moved or renamed and is not writable through the normal file API. A $STD creation or write time that predates the $FN creation time, or $STD timestamps with an exactly zero sub-second component, is a common indicator that the visible timestamps were altered. Files restored from backup, extracted from archives, or copied with timestamp preservation can produce the same pattern legitimately, so treat such a discrepancy as a lead to corroborate with other evidence rather than as proof.
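The following is an added example, not code from the page or from Trend Micro, of how an analyst could run a timestomping check over File Timeline rows using the $STD and $FN field names defined above. The sample rows, their paths and their timestamps are constructed for illustration, and the ISO-8601 timestamp format with a `Z` suffix and 100 ns fractional seconds is an assumption about how the exported values look; adjust `parse_ts` if your export differs.

```python
from datetime import datetime, timezone

# Constructed sample rows shaped like the File Timeline evidence fields above.
# The paths and timestamps are invented for illustration, not real collected evidence.
SAMPLE_ROWS = [
    {
        "Path": r"C:\Windows\System32\svchost.exe",
        "Creation time ($STD)": "2019-12-07T09:14:52.1234567Z",
        "Write time ($STD)": "2019-12-07T09:14:52.1234567Z",
        "Creation time ($FN)": "2019-12-07T09:14:52.1234567Z",
        "Modification time ($FN)": "2019-12-07T09:14:52.1234567Z",
    },
    {
        # $STD timestamps pushed back to look like an OS file, but the kernel-maintained
        # $FN creation time shows the file only appeared in this directory in 2024.
        "Path": r"C:\Users\Public\update.exe",
        "Creation time ($STD)": "2019-12-07T09:14:52.0000000Z",
        "Write time ($STD)": "2019-12-07T09:14:52.0000000Z",
        "Creation time ($FN)": "2024-03-18T02:41:07.5513092Z",
        "Modification time ($FN)": "2024-03-18T02:41:07.5513092Z",
    },
]


def parse_ts(value):
    """Parse an ISO-8601 UTC timestamp such as '2024-03-18T02:41:07.5513092Z'.

    NTFS stores 100 ns ticks (7 fractional digits); Python's datetime keeps
    microseconds, so the fraction is truncated to 6 digits. A missing fraction
    is treated as .000000 (assumed export format, see lead-in).
    """
    value = value.rstrip("Z")
    main, _, frac = value.partition(".")
    frac = (frac + "000000")[:6]
    return datetime.strptime(f"{main}.{frac}", "%Y-%m-%dT%H:%M:%S.%f").replace(
        tzinfo=timezone.utc
    )


def check_row(row, tolerance_seconds=1):
    """Return the list of timestomping indicators for one File Timeline row.

    An empty list means the $STD and $FN timestamps are consistent with each other.
    """
    si_created = parse_ts(row["Creation time ($STD)"])
    si_written = parse_ts(row["Write time ($STD)"])
    fn_created = parse_ts(row["Creation time ($FN)"])
    findings = []

    # $STD says the file was created before the kernel recorded it in this directory.
    if (fn_created - si_created).total_seconds() > tolerance_seconds:
        findings.append("si_created_before_fn_created")

    # $STD says the content was last written before the file existed here.
    if (fn_created - si_written).total_seconds() > tolerance_seconds:
        findings.append("si_written_before_fn_created")

    # Tools that set timestamps through the file API with second granularity leave
    # an exactly-zero sub-second part on $STD while $FN keeps its original ticks.
    if (
        si_created.microsecond == 0
        and si_written.microsecond == 0
        and fn_created.microsecond != 0
    ):
        findings.append("si_zero_subsecond")

    return findings


def find_timestomping(rows, tolerance_seconds=1):
    """Map each suspicious Path to its indicators; rows with no findings are omitted."""
    return {
        row["Path"]: findings
        for row in rows
        if (findings := check_row(row, tolerance_seconds))
    }


if __name__ == "__main__":
    for path, reasons in find_timestomping(SAMPLE_ROWS).items():
        print(f"{path}: {', '.join(reasons)}")
```

The one-second tolerance absorbs the ordinary case where $STD and $FN are written a few ticks apart during file creation. Any hit should be cross-checked against the Record time fields, the $LogFile or USN journal if collected, and the file's hash or signature, since archive extraction and timestamp-preserving copies produce the same pattern without malicious intent.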