The following table contains details about the types of evidence in the System Execution
category that the Incident Response Evidence Collection playbook, Collect Evidence task, and Trend Micro Incident Response Toolkit collect.
Note: AmCache and ShimCache evidence types may also contain attribute data from compiled PE files.
| Evidence Type | Evidence Data | Description |
| --- | --- | --- |
| AmCache | Record time | Program execution, installation, or data update time |
| AmCache | Registry modification time | Last time the registry was modified |
| ShimCache | Record time | Last time the application file was modified |
| ShimCache | Last update time | Last time the registry was modified |