Learn about the types of evidence in the process information category that Forensics might collect from Linux endpoints.
Primary evidence collected on running processes
Forensics displays primary process information in a table after you select Running Processes in the evidence report.
 
| Evidence Data | Description |
| --- | --- |
| User name | The user names associated with the process |
| PID | The process ID |
| Command line | The command line used to execute the process |
| Creation time | The time the process was started |
| Parent PID | The process ID of the parent process |
| SHA1 | The secure hash algorithm 1 (SHA-1) of the associated file |
| Kernel time | The amount of time spent in kernel mode in ticks |
| User time | The amount of time spent in user mode in ticks |
Detailed process information
Important: Your system might not collect and display all listed metadata.
Primary evidence collected on running processes
Forensics displays detailed process information in columns after you select an evidence category when examining an Evidence Report.
 
| Evidence Data | Description |
| --- | --- |
| User name | The user names associated with the process |
| PID | The process ID |
| Command line | The command line used to execute the process |
| Creation time | The time the process was started |
| Parent PID | The process ID of the parent process |
| SHA1 | The secure hash algorithm 1 (SHA-1) of the associated file |
| Kernel time | The amount of time spent in kernel mode in ticks |
| User time | The amount of time spent in user mode in ticks |
File information
Socket connections
| Evidence Data | Description |
| --- | --- |
| Local address | The associated local internet protocol (IP) address |
| Local port | The associated local transmission control protocol (TCP) or user datagram protocol (UDP) port number |
| Protocol | The associated transport protocol (TCP or UDP) |
| Remote address | The associated remote IP address |
| Remote port | The associated remote TCP/UDP port number |
| State | The state of the connection |
| Creator UID | The user ID of the socket creator |
Associated threads
| Evidence Data | Description |
| --- | --- |
| Thread ID | The process ID of the thread |
| Command line | The file name of the executable file or the command name associated with the thread |
| Current state | The current state of the process expressed as a representative character |
| Parent PID | The process ID of the parent process |
| Process group ID | The group ID associated with the process |
| Session ID | The session ID of the process |
| Controlling terminal process group ID | The ID of the foreground process group in the controlling terminal |
| User time | The amount of time spent in user mode in ticks |
| Kernel time | The amount of time spent in kernel mode in ticks |
| Priority | The priority value of the process |
| Nice value | The value used to set the true process priority |
| Start time | The running time of the process in ticks |
| Virtual memory (bytes) | The amount of virtual memory used in bytes |
| Waiting channel | The kernel address of the process when sleeping |
| Real-time priority value | The priority value used for real-time processes |
| Exit code | The value representing the exit status of the thread |
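On Linux the thread fields above correspond to columns of /proc/<pid>/stat (or /proc/<pid>/task/<tid>/stat). The following parser is an added example, not the product's collector: it maps those columns to the evidence names in the table, and it splits on the last ")" because the command name is attacker-controlled and may contain spaces or parentheses, which would shift every later column if the line were split on whitespace. The sample stat line is constructed.

```python
"""Parse a Linux /proc/<pid>/stat line into the 'Associated threads' evidence fields."""
from typing import Optional

# proc(5) field number -> evidence name used in the table above.
STAT_FIELDS = {
    3: "current_state",
    4: "parent_pid",
    5: "process_group_id",
    6: "session_id",
    8: "controlling_terminal_pgid",
    14: "user_time",
    15: "kernel_time",
    18: "priority",
    19: "nice_value",
    22: "start_time",
    23: "virtual_memory_bytes",
    35: "waiting_channel",
    40: "realtime_priority",
    52: "exit_code",
}

def parse_proc_stat(line: str) -> dict:
    """Return the evidence fields for one process or thread.

    Fields absent on older kernels (e.g. exit_code) are reported as None
    instead of raising, so one unusual entry does not abort a collection run.
    """
    open_paren = line.index("(")
    close_paren = line.rindex(")")  # comm may contain ')' -> split on the LAST one
    rest = line[close_paren + 1:].split()  # rest[0] is field 3 (state)
    evidence = {
        "thread_id": int(line[:open_paren]),
        "command_line": line[open_paren + 1:close_paren],
    }
    for field_no, name in STAT_FIELDS.items():
        idx = field_no - 3
        raw: Optional[str] = rest[idx] if idx < len(rest) else None
        evidence[name] = raw if field_no == 3 else (int(raw) if raw is not None else None)
    return evidence

# Constructed sample line; the comm field deliberately contains spaces and a ')'.
SAMPLE_STAT = (
    "4242 (worker (1) x) S 1 4242 4242 34816 4242 4194304 150 0 0 0 "
    "12 7 0 0 20 0 1 0 98765 13557760 1234 18446744073709551615 "
    + "0 " * 12 + "17 " + "0 " * 13 + "0"
)

if __name__ == "__main__":
    for key, value in parse_proc_stat(SAMPLE_STAT).items():
        print(f"{key:28} {value}")
```

Tick-based fields (user time, kernel time, start time) are in clock ticks as the table states; convert with the system's CLK_TCK (os.sysconf("SC_CLK_TCK")) when comparing against wall-clock times.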