Learn about the types of evidence in the service information category that the Incident Response Evidence Collection playbook, Collect Evidence task, and Trend Micro Incident Response Toolkit collect.
Note: The evidence types in this category might also contain attribute data from compiled PE files.

Autostart entries

| Evidence Data | Description |
|---|---|
| Source | The registry path pattern for the autorun entry. |
| File system creation time | The time the file system created the entry. |
| Name | The name of the file associated with the autorun entry in the registry. |
| Registry path | The full registry path of the autorun entry. |
| Entry name | The registry folder or key name of the autorun entry. |
| Execution command | The registry value of the autorun entry, used to run the entry. |
| Path | The file path for the entry obtained from the registry. |
| Registry modification time | The last time the registry key or associated entry values were modified. |

Scheduled tasks

| Evidence Data | Description |
|---|---|
| Name | The name of the registered task. |
| Action | The executable action performed by the task. |
| Path | The path to the executable file. |
| Enabled | An indication of whether the task is currently enabled. |
| State | The operational state of the registered task. |
| Hidden | An indication of whether the task is visible on the user interface. |
| Last run time | The time the registered task was last run. |
| Next run time | The time the registered task is next scheduled to run. |
| Last run message | The messages returned on the failure of the task's last execution. |
| Last run code | The results returned on the success of the task's last execution. |
