Collect evidence from Windows endpoints manually using the Trend Micro Incident Response Toolkit or by executing a playbook to support threat investigation and incident response.
Procedure
- Select .
- Click Collect Evidence.
- Configure the following settings for manual collection.
  Setting: Evidence types
  Description: The types of evidence to collect. For Windows endpoints, you need basic information.
  Setting: Archive location on endpoint
  Description: Location of the evidence package on the local endpoint.
  Important
  - The local archive is not encrypted and remains on the endpoint until deleted. Anyone with access to the file system might therefore read sensitive information or learn that an investigation is in progress.
  - Evidence archives take up hard drive space, which may affect endpoint performance.
- Click to download the Trend Micro Incident Response Toolkit.
- Deploy the toolkit to the endpoints on which you want to collect evidence.
- Execute the toolkit.
- Extract the contents of the .zip archive.
- Execute TMIRT.ps1 as an administrator. If you cannot execute the TMIRT.ps1 command, the following command directly downloads and executes the toolkit based on your operating system (OS) version and architecture:
  .\TMIRT.exe evidence --config_file .\config.json
- Upload the evidence packages that the toolkit generates to Forensics. You can upload multiple files at once. Each file must not exceed 4 GB.
Forensics begins processing the uploaded evidence packages.
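The following PowerShell script is an added example, not Trend Micro's code, showing how a responder might wrap the manual collection step above with the checks that matter before uploading to Forensics: it runs the toolkit with the command given in the procedure, records a SHA-256 hash and size for each evidence package (so the upload can be matched to what was collected), flags any package over the 4 GB per-file limit, and provides a cleanup routine for removing the unencrypted local archives once the upload has been verified. The extraction folder, the archive location, the .zip file pattern and the manifest path are assumptions and must be changed to match your config.json.

```powershell
# Added example (not Trend Micro's code). Assumed, not from the page: the toolkit
# was extracted to $ToolkitDir, the archive location configured in config.json is
# $ArchiveDir, and evidence packages are written there as .zip files.
param(
    [string]$ToolkitDir   = 'C:\IR\TMIRT',                # assumed extraction folder
    [string]$ArchiveDir   = 'C:\IR\Evidence',             # assumed archive location from config.json
    [string]$ManifestPath = 'C:\IR\evidence-manifest.csv' # assumed manifest output
)

$MaxUploadBytes = 4GB   # per-file upload limit stated in the procedure

# 1. Run the collection. The procedure's primary step is .\TMIRT.ps1 as administrator;
#    the .exe form below is the fallback command the procedure gives.
Push-Location $ToolkitDir
try {
    & .\TMIRT.exe evidence --config_file .\config.json
    if ($LASTEXITCODE -ne 0) { throw "TMIRT.exe exited with code $LASTEXITCODE" }
} finally {
    Pop-Location
}

# 2. Inventory the packages, hash them for chain of custody, and flag any over the limit.
$packages = Get-ChildItem -Path $ArchiveDir -Filter '*.zip' -File
if (-not $packages) { throw "No evidence package found under $ArchiveDir" }

$manifest = foreach ($pkg in $packages) {
    [pscustomobject]@{
        Host       = $env:COMPUTERNAME
        File       = $pkg.FullName
        SizeBytes  = $pkg.Length
        Sha256     = (Get-FileHash -Path $pkg.FullName -Algorithm SHA256).Hash
        Collected  = $pkg.LastWriteTimeUtc.ToString('o')
        Uploadable = ($pkg.Length -le $MaxUploadBytes)
    }
}
$manifest | Export-Csv -Path $ManifestPath -NoTypeInformation
$manifest | Format-Table -AutoSize

$tooLarge = $manifest | Where-Object { -not $_.Uploadable }
if ($tooLarge) {
    Write-Warning 'Packages over 4 GB will not be accepted by Forensics:'
    $tooLarge | ForEach-Object { Write-Warning "  $($_.File) ($($_.SizeBytes) bytes)" }
}

# 3. After the upload to Forensics has been confirmed, remove the local archives so the
#    unencrypted copies do not linger on the endpoint (see the Important note above).
#    The zero-overwrite is best effort (it does not defeat SSD wear levelling or
#    volume snapshots); the hash in the manifest is the record you keep.
function Remove-LocalEvidence {
    param([Parameter(Mandatory)][string[]]$Path)
    foreach ($p in $Path) {
        $zeros = [byte[]]::new(1MB)
        $fs = [System.IO.File]::OpenWrite($p)
        try {
            $remaining = $fs.Length
            while ($remaining -gt 0) {
                $n = [Math]::Min($zeros.Length, $remaining)
                $fs.Write($zeros, 0, $n)
                $remaining -= $n
            }
        } finally {
            $fs.Dispose()
        }
        Remove-Item -Path $p -Force
    }
}

# Uncomment once the upload has been verified in Forensics:
# Remove-LocalEvidence -Path ($manifest | Where-Object Uploadable | Select-Object -ExpandProperty File)
```

Run the script from an elevated PowerShell session on the endpoint after deploying the toolkit; keep the manifest CSV with the case file so the uploaded packages can be tied back to the host, collection time and hash, and only call Remove-LocalEvidence after Forensics has finished processing the upload.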