The following table describes the evidence data that the Incident Response Evidence Collection playbook, the Collect Evidence task, and the Trend Micro Incident Response Toolkit collect. This data is included in the Running Process evidence type under the Process Information category.
| Evidence Data | Description |
|---|---|
| Process name | Name of the process |
| Process image | Path of the image file for the process |
| PID | Process ID |
| Parent PID | Process ID of the parent process |
| Process file SHA1 | SHA1 hash of the process file |
| Catalog signature | Indicates whether the catalog file for the process is signed or unsigned |
| Embedded signature | Indicates whether the process contains an embedded signature |
| User name | User account that executed the process |
| Domain | Domain of the user that executed the process |
| Creation time | Time the process was created |
| Exit time | Exit time of the process |
| Kernel time | Amount of time the process has executed in kernel mode |
| User time | Amount of time the process has executed in user mode |
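The following is an added example of how an analyst might triage a set of Running Process evidence records built from the fields in the table above; it is not code from Trend Micro's documentation or toolkit, and the dictionary keys (`process_name`, `pid`, `parent_pid`, `catalog_signature`, `embedded_signature`, `kernel_time`, `user_time`, and so on) are assumptions chosen to mirror the table, not the toolkit's actual export format. The sample records are constructed. It rebuilds the parent/child process tree from PID and Parent PID, flags processes whose file has neither a catalog nor an embedded signature, lists parents that were not captured (for example because they had already exited), and sums kernel and user time.

```python
"""Triage helpers for Running Process evidence records (added example).

Assumed record layout: one dict per process, keyed after the evidence
fields in the table (process_name, process_image, pid, parent_pid,
process_file_sha1, catalog_signature, embedded_signature, user_name,
domain, creation_time, exit_time, kernel_time, user_time).
"""
from collections import defaultdict

# Constructed sample records: paths, hashes and times are illustrative only.
SAMPLE_RECORDS = [
    {"process_name": "svchost.exe", "process_image": "C:\\Windows\\System32\\svchost.exe",
     "pid": 900, "parent_pid": 700, "process_file_sha1": "<constructed-sha1-a>",
     "catalog_signature": "signed", "embedded_signature": True,
     "user_name": "SYSTEM", "domain": "NT AUTHORITY",
     "creation_time": "2024-01-01T07:59:00Z", "exit_time": None,
     "kernel_time": 0.8, "user_time": 0.4},
    {"process_name": "explorer.exe", "process_image": "C:\\Windows\\explorer.exe",
     "pid": 1234, "parent_pid": 1000, "process_file_sha1": "<constructed-sha1-b>",
     "catalog_signature": "signed", "embedded_signature": False,
     "user_name": "alice", "domain": "CORP",
     "creation_time": "2024-01-01T08:00:00Z", "exit_time": None,
     "kernel_time": 1.5, "user_time": 4.0},
    {"process_name": "updater.exe",
     "process_image": "C:\\Users\\alice\\AppData\\Local\\Temp\\updater.exe",
     "pid": 2345, "parent_pid": 1234, "process_file_sha1": "<constructed-sha1-c>",
     "catalog_signature": "unsigned", "embedded_signature": False,
     "user_name": "alice", "domain": "CORP",
     "creation_time": "2024-01-01T08:05:00Z", "exit_time": None,
     "kernel_time": 0.2, "user_time": 0.3},
]


def build_tree(records):
    """Index records by PID and map each parent PID to its child PIDs."""
    by_pid = {r["pid"]: r for r in records}
    children = defaultdict(list)
    for r in records:
        children[r["parent_pid"]].append(r["pid"])
    return by_pid, dict(children)


def unsigned_processes(records):
    """PIDs whose image has neither a signed catalog nor an embedded signature."""
    return [r["pid"] for r in records
            if r["catalog_signature"] == "unsigned" and not r["embedded_signature"]]


def parents_not_captured(records):
    """Parent PIDs that do not appear among the collected records.

    A missing parent usually means it exited before collection; it is
    worth noting because the child's lineage cannot be fully reconstructed.
    """
    pids = {r["pid"] for r in records}
    return sorted({r["parent_pid"] for r in records if r["parent_pid"] not in pids})


def total_cpu_seconds(record):
    """Kernel time plus user time for one record (both assumed in seconds)."""
    return record["kernel_time"] + record["user_time"]


def render_tree(records):
    """Return the process tree as indented text lines, marking unsigned images."""
    by_pid, children = build_tree(records)
    flagged = set(unsigned_processes(records))
    lines = []

    def walk(pid, depth):
        r = by_pid[pid]
        tag = " [no signature]" if pid in flagged else ""
        lines.append(f"{'  ' * depth}{r['process_name']} "
                     f"(PID {pid}, parent {r['parent_pid']}){tag}")
        for child in sorted(children.get(pid, [])):
            walk(child, depth + 1)

    # Roots are processes whose parent was not captured.
    for root in sorted(r["pid"] for r in records if r["parent_pid"] not in by_pid):
        walk(root, 0)
    return lines


if __name__ == "__main__":
    print("\n".join(render_tree(SAMPLE_RECORDS)))
    print("Unsigned:", unsigned_processes(SAMPLE_RECORDS))
    print("Parents not captured:", parents_not_captured(SAMPLE_RECORDS))
```

The signature check treats the two signature fields together: a process is only flagged when the catalog is reported as unsigned and no embedded signature is present, which matches how the two fields complement each other in the table. Real exports may encode these values differently, so adjust the comparisons to the actual field values before using this on collected evidence.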