Learn about the types of evidence in the process information category that the Incident Response Evidence Collection playbook, Collect Evidence task, and Trend Micro Incident Response Toolkit collect.
| Evidence Data | Description |
| --- | --- |
| Process name | The name of the process. |
| Process image | The path of the image file for the process. |
| PID | The Process ID. |
| Parent PID | The Process ID of the parent process. |
| Process file SHA1 | The SHA1 hash of the process file. |
| Catalog signature | An indicator of whether the catalog file for the process is signed or unsigned. |
| Embedded signature | An indicator of whether the process contains an embedded signature. |
| User name | The user account that executed the process. |
| Domain | The domain of the user that executed the process. |
| Creation time | The time the process was created. |
| Exit time | The exit time of the process. |
| Kernel time | The amount of time the process has executed in kernel mode. |
| User time | The amount of time the process has executed in user mode. |
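As an added example (not part of this page or of the Trend Micro toolkit), the following Python models records with the fields above and shows two triage steps an analyst typically runs on collected process evidence: reconstructing parent/child lineage from PID and Parent PID, and listing processes that carry neither a catalog signature nor an embedded signature. The record class, field names and sample values are assumptions constructed for illustration; the hashes are placeholders.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

@dataclass
class ProcessRecord:
    """One process-information evidence record, using the fields from the table above."""
    name: str
    image: str
    pid: int
    parent_pid: int
    sha1: str               # placeholder value in the samples below, not a real hash
    catalog_signed: bool    # Catalog signature: signed (True) or unsigned (False)
    embedded_signed: bool   # Embedded signature present
    user: str
    domain: str
    creation_time: datetime
    exit_time: Optional[datetime]
    kernel_time_ms: int
    user_time_ms: int

# Constructed sample evidence (not real collection output).
SAMPLE = [
    ProcessRecord("explorer.exe", r"C:\Windows\explorer.exe", 1200, 800, "a" * 40,
                  True, True, "alice", "CORP", datetime(2024, 1, 1, 9, 0), None, 1500, 9000),
    ProcessRecord("updater.exe", r"C:\Users\alice\AppData\Local\Temp\updater.exe", 4321, 1200,
                  "b" * 40, False, False, "alice", "CORP", datetime(2024, 1, 1, 9, 5), None, 30, 120),
    ProcessRecord("notepad.exe", r"C:\Windows\System32\notepad.exe", 5000, 1200, "c" * 40,
                  True, False, "alice", "CORP", datetime(2024, 1, 1, 9, 6),
                  datetime(2024, 1, 1, 9, 7), 10, 50),
]

def unsigned_processes(records):
    """Processes whose catalog file is unsigned and that carry no embedded signature."""
    return [r for r in records if not (r.catalog_signed or r.embedded_signed)]

def process_tree(records):
    """Map each PID to its child PIDs, derived from the Parent PID field."""
    tree = {r.pid: [] for r in records}
    for r in records:
        tree.setdefault(r.parent_pid, []).append(r.pid)
    return tree

def lineage(records, pid):
    """Process names from pid up to the last ancestor present in the evidence."""
    by_pid = {r.pid: r for r in records}
    chain = []
    while pid in by_pid:
        chain.append(by_pid[pid].name)
        pid = by_pid[pid].parent_pid
    return chain
```

A parent that does not appear in the evidence (here PID 800) simply ends the chain, which is the case to expect when the parent exited before collection.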