The following table describes the evidence data that the Incident Response Evidence Collection playbook, the Collect Evidence task, and the Trend Micro Incident Response Toolkit collect for the Running Process evidence type (Process Information category).
| Evidence data | Description |
|---|---|
| Process name | Name of the process |
| Process image | Full path of the image (executable) file the process was started from |
| PID | Process ID |
| Parent PID | Process ID of the parent process |
| Process file SHA1 | SHA1 hash of the process image file |
| Catalog signature | Indicates whether the process image file is signed through a Windows security catalog (.cat file): signed or unsigned |
| Embedded signature | Indicates whether the process image file carries an embedded digital signature: signed or unsigned. Many Windows system binaries are catalog-signed only, so an unsigned value here does not by itself mean the file is untrusted; read it together with Catalog signature |
| User name | User account that executed the process |
| Domain | Domain of the user account that executed the process |
| Creation time | Time the process was created |
| Exit time | Time the process exited; not meaningful for a process that was still running when the evidence was collected |
| Kernel time | Amount of CPU time the process has executed in kernel mode |
| User time | Amount of CPU time the process has executed in user mode |
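The fields above are collected for every process, so the useful part of triage is reading them against each other: an image is only truly unsigned when both signature fields say so, a Parent PID is only meaningful if that PID is still in the snapshot and was created before its child, and a core Windows process name running from a user-writable path or under an unexpected parent is worth a hash lookup. The following is an added example written for this page, not code from the Trend Micro documentation or the Incident Response Toolkit; it assumes the evidence has been exported as one dict per process keyed by the field names in the table (an assumption, since the toolkit's export format is not described here), and all sample records, hashes and timestamps are constructed. The expected-parent map is general Windows knowledge, not something the table states.

```python
"""Offline triage of Running Process evidence records.

Added example; not code from the Trend Micro documentation or the Incident
Response Toolkit. It assumes the collected evidence is available as one dict
per process keyed by the field names in the table above (an assumption: the
toolkit's real export format may differ). All sample data is constructed.
"""
import re
from datetime import datetime

# Heuristic expectations for core Windows processes (general Windows knowledge,
# not something the evidence table itself states).
EXPECTED_PARENT = {
    "services.exe": {"wininit.exe"},
    "lsass.exe": {"wininit.exe"},
    "svchost.exe": {"services.exe"},
}
# Locations a standard user can write to. Legitimate system binaries do not
# run from here; treat a hit as a reason to look closer, not as proof.
USER_WRITABLE = re.compile(r"\\(Users|ProgramData|Temp)\\", re.IGNORECASE)
TIME_FORMAT = "%Y-%m-%d %H:%M:%S"  # assumed timestamp layout of the export


def is_unsigned(rec):
    """True only if the image is neither catalog-signed nor embedded-signed.

    Most Windows system binaries are catalog-signed and report the embedded
    signature as Unsigned, so the two fields must be read together."""
    return (rec["Catalog signature"].lower() == "unsigned"
            and rec["Embedded signature"].lower() == "unsigned")


def findings_by_pid(records):
    """Return {pid: [finding, ...]} for every process with at least one finding."""
    by_pid = {r["PID"]: r for r in records}
    result = {}
    for rec in records:
        notes = []
        name = rec["Process name"].lower()
        if is_unsigned(rec):
            notes.append("unsigned image")
        if USER_WRITABLE.search(rec["Process image"]):
            notes.append("image in user-writable path")
        parent = by_pid.get(rec["Parent PID"])
        if parent is None:
            # Normal for processes whose parent has exited (e.g. wininit.exe's
            # smss.exe instance), so this is context rather than an alert.
            notes.append("parent not in snapshot")
        else:
            child_t = datetime.strptime(rec["Creation time"], TIME_FORMAT)
            parent_t = datetime.strptime(parent["Creation time"], TIME_FORMAT)
            if parent_t > child_t:
                # The PID was recycled after the real parent exited; the record
                # in the snapshot is not this process's actual parent.
                notes.append("parent created after child (possible PID reuse)")
            expected = EXPECTED_PARENT.get(name)
            if expected and parent["Process name"].lower() not in expected:
                notes.append(f"unexpected parent {parent['Process name']}")
        if notes:
            result[rec["PID"]] = notes
    return result


def hashes_to_lookup(records):
    """Deduplicated SHA1s of images with no signature at all, for reputation lookup."""
    return {r["Process file SHA1"] for r in records if is_unsigned(r)}


def _rec(name, image, pid, ppid, sha1, catalog, embedded, user, domain, created):
    return {"Process name": name, "Process image": image, "PID": pid, "Parent PID": ppid,
            "Process file SHA1": sha1, "Catalog signature": catalog,
            "Embedded signature": embedded, "User name": user, "Domain": domain,
            "Creation time": created}


SYS32 = r"C:\Windows\System32"
# Constructed snapshot (placeholder hashes) with two planted anomalies: a
# masquerading svchost.exe under a user profile, and a recycled parent PID.
SAMPLE = [
    _rec("wininit.exe", SYS32 + r"\wininit.exe", 512, 420, "11" * 20, "Signed", "Unsigned", "SYSTEM", "NT AUTHORITY", "2024-03-01 08:00:01"),
    _rec("services.exe", SYS32 + r"\services.exe", 600, 512, "22" * 20, "Signed", "Unsigned", "SYSTEM", "NT AUTHORITY", "2024-03-01 08:00:02"),
    _rec("lsass.exe", SYS32 + r"\lsass.exe", 612, 512, "33" * 20, "Signed", "Unsigned", "SYSTEM", "NT AUTHORITY", "2024-03-01 08:00:02"),
    _rec("svchost.exe", SYS32 + r"\svchost.exe", 900, 600, "44" * 20, "Signed", "Unsigned", "SYSTEM", "NT AUTHORITY", "2024-03-01 08:00:05"),
    _rec("explorer.exe", r"C:\Windows\explorer.exe", 3300, 3100, "55" * 20, "Signed", "Unsigned", "jdoe", "CORP", "2024-03-01 09:00:00"),
    _rec("notepad.exe", SYS32 + r"\notepad.exe", 7000, 6500, "66" * 20, "Signed", "Unsigned", "jdoe", "CORP", "2024-03-01 09:30:00"),
    _rec("cmd.exe", SYS32 + r"\cmd.exe", 6500, 3300, "77" * 20, "Signed", "Unsigned", "jdoe", "CORP", "2024-03-01 11:00:00"),
    _rec("svchost.exe", r"C:\Users\jdoe\AppData\Local\Temp\svchost.exe", 4412, 3300, "88" * 20, "Unsigned", "Unsigned", "jdoe", "CORP", "2024-03-01 10:15:30"),
]

if __name__ == "__main__":
    for pid, notes in sorted(findings_by_pid(SAMPLE).items()):
        print(pid, "; ".join(notes))
    print("hashes to look up:", sorted(hashes_to_lookup(SAMPLE)))
```

On the constructed snapshot the planted svchost.exe is reported three times (no signature, user-writable path, parent explorer.exe instead of services.exe), notepad.exe is flagged because its recorded parent cmd.exe was created after it, and the two "parent not in snapshot" notes for wininit.exe and explorer.exe are the expected noise from bootstrap processes whose parents have exited. Only the hash of the genuinely unsigned image is queued for a reputation lookup; the catalog-signed system binaries are left alone even though their Embedded signature field reads Unsigned.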