The following table contains details about types of evidence in the Service Information
category collected by the Incident Response Evidence Collection playbook, Collect Evidence task, and Trend Micro
Incident Response Toolkit.
Note: Autostart and Scheduled Task evidence types may also contain attribute data from compiled PE files.
| Evidence Type | Evidence Data | Description |
|---|---|---|
| Autostart Entries | Source | Registry path pattern for the autorun entry |
| | File system creation time | The time the entry was created in the file system |
| | Name | Name of the file associated with the autorun entry in the registry |
| | Registry path | Full registry path of the autorun entry |
| | Entry name | Registry folder or key name of the autorun entry |
| | Execution command | Registry value of the autorun entry, used to run the entry |
| | Path | File path for the entry obtained from the registry |
| | Registry modification time | Last time the registry key or associated entry values were modified |
| Scheduled Tasks | Name | Name of the registered task |
| | Action | Executable action performed by the task |
| | Path | Path to the executable file |
| | Enabled | Indication of whether the task is currently enabled |
| | State | Operational state of the registered task |
| | Hidden | Indication of whether the task is visible on the user interface |
| | Last run time | Time the registered task was last run |
| | Next run time | Time the registered task is next scheduled to run |
| | Last run message | Messages returned on the failure of the task's last execution |
| | Last run code | Results returned on the success of the task's last execution |
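As an added illustration that is not part of this documentation or of the toolkit, the following Python triage pass cross-checks the Autostart Entries and Scheduled Tasks fields listed above (path location, command/path consistency, timestamp ordering, hidden-but-enabled tasks, non-zero run codes). The record layout (a list of dicts with a "type" key) and the sample values are constructed assumptions, not the toolkit's export format:

```python
from datetime import datetime

# Directories that unprivileged users can write to; persistence pointing here deserves a look.
USER_WRITABLE = ("\\temp\\", "\\appdata\\", "\\programdata\\", "\\users\\public\\", "\\downloads\\")

# Constructed sample records using the field names from the table above.
# The record shape (one dict per entry with a "type" key) is an assumption, not the toolkit's format.
SAMPLE_EVIDENCE = [
    {"type": "Autostart Entries", "Name": "updater.exe",
     "Registry path": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Execution command": r'"C:\Users\alice\AppData\Local\Temp\updater.exe" -s',
     "Path": r"C:\Users\alice\AppData\Local\Temp\updater.exe",
     "File system creation time": "2024-05-02T09:00:00+00:00",
     "Registry modification time": "2024-05-01T10:02:00+00:00"},
    {"type": "Scheduled Tasks", "Name": r"\Microsoft\Windows\Maint\Cleanup",
     "Path": r"C:\Windows\System32\cleanmgr.exe", "Enabled": True, "Hidden": False, "Last run code": 0},
    {"type": "Scheduled Tasks", "Name": r"\SyncHelper",
     "Path": r"C:\ProgramData\sync\helper.exe", "Enabled": True, "Hidden": True, "Last run code": 1},
]

def _ts(value):
    return datetime.fromisoformat(value)

def _in_user_writable(path):
    p = path.lower()
    return any(marker in p for marker in USER_WRITABLE)

def triage(records):
    """Return (name, reason) findings for entries that merit a closer look."""
    findings = []
    for r in records:
        name, path = r.get("Name", "?"), r.get("Path", "")
        if _in_user_writable(path):
            findings.append((name, "runs from a user-writable directory"))
        if r["type"] == "Autostart Entries":
            # The execution command should reference the same binary the Path field resolves to.
            if path and path.lower() not in r.get("Execution command", "").lower():
                findings.append((name, "execution command does not reference the resolved path"))
            # A file created after the registry entry was last touched may have been swapped in.
            fs, reg = r.get("File system creation time"), r.get("Registry modification time")
            if fs and reg and _ts(fs) > _ts(reg):
                findings.append((name, "file created after registry entry was last modified"))
        elif r["type"] == "Scheduled Tasks":
            if r.get("Hidden") and r.get("Enabled"):
                findings.append((name, "enabled task hidden from the UI"))
            if r.get("Last run code") not in (None, 0):
                findings.append((name, f"last run returned code {r['Last run code']}"))
    return findings

if __name__ == "__main__":
    for name, reason in triage(SAMPLE_EVIDENCE):
        print(f"{name}: {reason}")
```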