The following table contains details about types of evidence in the System Execution category collected by the Incident Response Evidence Collection playbook, Collect Evidence task, and Trend Micro Incident Response Toolkit.
Note
AmCache and ShimCache evidence types may also contain attribute data from compiled PE files.
| Evidence Type | Evidence Data | Description |
| --- | --- | --- |
| AmCache | Record time | Program execution, installation, or data update time |
| AmCache | Registry modification time | Last time the registry was modified |
| ShimCache | Record time | Last time the application file was modified |
| ShimCache | Last update time | Last time the registry was modified |