The following table describes the attributes that the Incident Response Evidence Collection playbook, the Collect Evidence task, and the Trend Micro Incident Response Toolkit collect from Portable Executable (PE) files. PE file attributes may appear in multiple evidence categories, including Service Information and System Execution Information.
| Attribute | Description |
| --- | --- |
| File path | Absolute path of the file |
| File size | Size of the file in bytes |
| SHA1 | SHA-1 hash of the file contents |
| User account | Account name or security identifier associated with the file |
| User domain | Domain name of the security identifier associated with the file |
| File extension | Suffix indicating the file format of the file |
| True file type | File type as determined by signatures in the file header |
| Catalog signed | Indication of whether the file has a digital signature in a catalog file |
| Embedded signed | Indication of whether the signature embedded in the PE file is verified |
| Catalog signer | Signer of the digital signature in the catalog file |
| Embedded signer | Signer of the digital signature embedded in the PE file |
| Compiled timestamp | Time the PE file was compiled |
| Import table hash | MD5 hash of the imported functions in the PE file |
| Linker version | Version number of the linker that produced the file |
| File version | File version number represented as four 16-bit integers |
| Debug paths | File paths of any debug information present |
| Sub system | Windows subsystem required to run the image |
| Company name | Company name embedded in the file when it was compiled |
| File description | Description embedded in the file when it was compiled |
| Internal name | Internal name embedded in the file |
| Create time | Time the file was created in the file system |
| Modify time | Last time the file was modified in the file system |
| Access time | Last time the file was accessed in the file system |
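Several of the rows above (Compiled timestamp, Linker version, Sub system, Import table hash) are derived directly from PE header structures rather than from file-system metadata. The following Python script is an added example, not Trend Micro's code, showing where those values come from: it reads the COFF and optional headers from a constructed minimal PE header and computes an import table hash using the common "imphash" normalization (lowercase, strip .dll/.ocx/.sys, `ordN` for ordinal imports, MD5 over the comma-joined list). The header bytes and import list are constructed sample data, and the ordinal-to-name lookup that tools such as pefile apply for a few well-known DLLs is omitted. When comparing an Import table hash from the toolkit with one produced elsewhere, check that both tools use the same normalization, and treat the compiled timestamp as a claim made by the file rather than a trustworthy fact, since it is a plain header field that a build process can set to anything.

```python
import hashlib
import struct
from datetime import datetime, timezone

# IMAGE_SUBSYSTEM_* values from the PE/COFF specification (common ones only)
SUBSYSTEMS = {
    1: "NATIVE",
    2: "WINDOWS_GUI",
    3: "WINDOWS_CUI",
    9: "WINDOWS_CE_GUI",
    10: "EFI_APPLICATION",
}


def normalize_imports(imports):
    """Build the canonical 'dll.function' list used for an import table hash.

    imports: list of (dll_name, function) pairs in import-table order, where
    function is a str (import by name) or an int (import by ordinal).
    Normalization follows the common imphash convention: lowercase everything,
    drop a trailing .dll/.ocx/.sys, and write ordinal imports as ordN.
    (The well-known-ordinal lookup done by tools such as pefile is omitted.)
    """
    parts = []
    for dll, func in imports:
        lib = dll.lower()
        for ext in (".dll", ".ocx", ".sys"):
            if lib.endswith(ext):
                lib = lib[: -len(ext)]
                break
        name = "ord%d" % func if isinstance(func, int) else func.lower()
        parts.append("%s.%s" % (lib, name))
    return ",".join(parts)


def import_table_hash(imports):
    """MD5 over the normalized, comma-joined import list (the 'imphash')."""
    return hashlib.md5(normalize_imports(imports).encode("ascii")).hexdigest()


def parse_pe_header(data):
    """Read compile timestamp, linker version and subsystem from PE header bytes."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    # COFF file header: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    machine, nsections, timestamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    if opt_size < 70 or len(data) < opt + 70:
        raise ValueError("optional header too short")
    magic, major_linker, minor_linker = struct.unpack_from("<HBB", data, opt)
    # Subsystem sits at offset 68 of the optional header for both PE32 and PE32+
    subsystem = struct.unpack_from("<H", data, opt + 68)[0]
    return {
        "machine": machine,
        "sections": nsections,
        "compiled_timestamp": datetime.fromtimestamp(timestamp, timezone.utc).isoformat(),
        "linker_version": "%d.%d" % (major_linker, minor_linker),
        "pe_format": "PE32+" if magic == 0x20B else "PE32",
        "subsystem": SUBSYSTEMS.get(subsystem, "UNKNOWN(%d)" % subsystem),
    }


def build_sample_header(timestamp, major, minor, subsystem):
    """Constructed, minimal PE header (not a real executable) for demonstration."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)  # e_lfanew: PE signature right after the DOS header
    coff = struct.pack("<HHIIIHH", 0x14C, 3, timestamp, 0, 0, 224, 0x102)
    opt = bytearray(224)  # size of a PE32 optional header
    struct.pack_into("<HBB", opt, 0, 0x10B, major, minor)  # PE32 magic + linker version
    struct.pack_into("<H", opt, 68, subsystem)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


# Constructed sample values, not taken from any real file
SAMPLE_IMPORTS = [
    ("KERNEL32.dll", "CreateFileW"),
    ("kernel32.DLL", "ReadFile"),
    ("WS2_32.dll", 23),
]
SAMPLE_HEADER = build_sample_header(1700000000, 14, 0, 2)

if __name__ == "__main__":
    print(parse_pe_header(SAMPLE_HEADER))
    print(normalize_imports(SAMPLE_IMPORTS))
    print(import_table_hash(SAMPLE_IMPORTS))
```

Because the import list is normalized before hashing, files whose import directories differ only in DLL-name case or extension spelling produce the same Import table hash, which is what makes the value useful for grouping related binaries during an investigation.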