The article presents a software launch facts detecting process model used in an information security incidents investigation. The model is based on the mathematical apparatus of Petri nets, which have proven themselves in the description of complex systems in which synchronous and asynchronous, serial and parallel processes can be performed. The input data of the proposed model are tuples containing features related to the fact of launching the program: the name and full path to the file, the launch time and the source of information about the launch. The article briefly describes the main data arrays that contain the necessary information about starting the program. The proposed model can be expanded when new data arrays appear, and can also be used as the basis for creating a tool for automating information collection and analysis, which will allow a specialist conducting an information security incident investigation to speed up the process of identifying and eliminating the consequences of an incident.