Manual evidence collection for Linux endpoints

Procedure

1. Select XDR Threat Investigation → Forensics → Packages.
2. Click Collect Evidence.
3. Configure the following settings for manual collection.

   Setting	Description
   Evidence types	The types of evidence to collect. For Linux endpoints, you need the following information: Basic information Process information Service information Network information Account information User activity
   Archive location on endpoint	Location of the evidence package on the local endpoint. Important The local archive does not have encryption and remains on the endpoint until deleted. This might allow anyone with access to the file system to access sensitive information or reveal the presence of an ongoing investigation. Evidence archives take up hard drive space which may impact endpoint performance.

4. Click to download the Trend Micro Incident Response Toolkit.
5. Deploy the toolkit to the endpoints on which you want to collect evidence.
6. Execute the toolkit.
   1. Extract the contents of the .zip archive.
   2. Execute TMIRT.sh as the root user.
7. If you do not have privileges for executing scripts, execute the following commands.
   1. Identify the endpoint operating system (OS) architecture by executing the uname -m command.
      • For AArch64 or ARM64 architecture, use the TMIRT-arm64.tgz toolkit.
      • For i386 or i686 architecture, use the TMIRT-x86.tgz toolkit.
      • For AMD64 or x86_64 architecture, use the TMIRT-x64.tgz toolkit.
   2. To extract the toolkit from the .tgz file, execute the ./tar -xf command with the correct version of the Trend Micro Incident Response Toolkit based on your OS architecture.
   3. To begin collecting evidence, execute ./TMIRT evidence --config_file ./config.json.
8. Upload the evidence packages that the toolkit generates to Forensics. You can upload multiple files at once. Each file must not exceed 4 GB.