Windows evidence types

The following categories contain descriptions of the types of evidence collected from Windows endpoints by the Incident Response Evidence Collection playbook, Collect Evidence task, and Trend Micro Incident Response Toolkit. These evidence types are displayed in columns after selecting an evidence category when examining an Evidence Report.

• Basic Information
• File Timeline
• Process Information
• Service Information
• System Execution Information
• Portable Executable (PE) File Attributes

  Note PE file attributes may be embedded into multiple evidence categories.