Learn about the types of evidence in the system execution category that the Incident Response Evidence Collection playbook, Collect Evidence task, and TrendAI™ Incident Response Toolkit collect.
Note: The evidence types in this category might also contain attribute data from compiled PE files.

AmCache

| Evidence Data | Description |
| --- | --- |
| Record time | The program execution, installation, or data update time |
| Registry modification time | The last time the registry was modified |

ShimCache

| Evidence Data | Description |
| --- | --- |
| Record time | The last time the program file was modified |
| Last update time | The last time the registry was modified |
