SRUM

Show network byte usage and execution runtime

Operating System Availability

Major Version    Support    Major Version    Support
Windows 11       Yes        Server 2019      Yes
Windows 10       Yes        Server 2016      Yes
Windows 8        Yes        Server 2012      Yes
Windows 7        No         Server 2008      No
Windows Vista    No         Server 2003      No
Windows XP       No

SRUM was introduced with Windows 8 and Server 2012; earlier versions have no SRUDB.dat.

File Location

  • C:\Windows\System32\SRU\SRUDB.dat

  • Registry (SOFTWARE hive): SOFTWARE\Microsoft\Windows NT\CurrentVersion\SRUM\Extensions

Each subkey under Extensions is a provider GUID; the GUID is also the name of the matching table in SRUDB.dat.

Key: {973F5D5C-1D90-4944-BE8E-24B94231A174}
Provider: Network Data Usage Monitor
Description: Records, per application and per network interface, the bytes sent and received in each hourly bucket, for both wired and wireless connections. The network profile (the SSID when wireless) is stored as a profile ID that resolves against the SOFTWARE hive.

Key: {D10CA2FE-6FCF-4F6D-848E-B2E99266FA86}
Provider: Push Notification Provider
Description: SRUM Push Notification Data reports on notification events displayed to the user. I’ve yet to find a practical forensic use for this data.

Key: {D10CA2FE-6FCF-4F6D-848E-B2E99266FA89}
Provider: Application Resource Usage Provider
Description: Records every executable that ran on the system, with counters such as CPU time and bytes read and written, whether or not the binary still exists on disk. If it executed, it should be logged.

Key: {DD6636C4-8929-4683-974E-22C046A43763}
Provider: Network Connectivity Usage Monitor
Description: Captures the connection start time, the interface type (Ethernet or wireless) and the duration of the connection. Combined with GPS or other location data, this can support evidence of network activity at a given time and place.

Key: {FEE4E14F-02A9-4550-B5CE-5FA2DA202E37}
Provider: Energy Usage Provider
Description: Captures statistics on the charge level and power state of the device.

Parsing Data

  • ESEDatabaseView

  • Registry Explorer

  • SrumECmd.exe

SRUDB.dat is held open by the Windows kernel while the system is running, so a plain copy from a live host will fail or leave the database in a dirty state. Extract it with a tool that reads the disk or a volume shadow copy directly, such as FTK Imager, and collect the ESE log files in the same SRU folder with it so a dirty copy can be recovered.

Best paired with the SOFTWARE hive (C:\Windows\System32\config\SOFTWARE): SrumECmd uses it to resolve the network profile IDs in the network tables to SSIDs and the extension GUIDs to provider names.

# -d recursively searches the directory for SRUDB.dat and the SOFTWARE hive; --csv sets the output folder
SrumECmd.exe -d F:\Tools\Investigation\logs --csv F:\Tools\Investigation\logs\log1

Considerations

  • The SRU folder also holds the ESE transaction logs for SRUDB.dat; collect them together with the database.

  • Usage counters are accumulated in memory and written to SRUDB.dat about once per hour (and at shutdown), so every record is an hourly bucket rather than an exact event time.

  • The App Timeline data records how long an application was in focus, which shows whether a window was active in the foreground or running in the background.

What is SRUM?

This artifact is useful for identifying potential data exfiltration events from Windows systems, as it captures network utilization over time, providing insight into the magnitude of the data transfer. Note that this artifact provides an hourly, bucketed count of how many bytes were sent and received by an application, therefore, the first and last SRUM entry will not correspond exactly to the first and last execution time. This can, however, be used to provide a rough estimate of the timeline of execution for an application.

Data collected is written to the SRUM database on the filesystem once per hour to reflect what is stored in the registry, or during system shutdown/reboot events. If a proper shutdown was not conducted (or the file was copied from a live system), the database may be left dirty and need recovery or repair with esentutl (for example esentutl /p SRUDB.dat) before ESE-aware tools will open it.

AppTimelineProvider:

Useful for showing execution and user context.

  • End Time = when the program stopped

  • Exe Timestamp = when the program was compiled

  • Timestamp = when the record was written to the SRUM database (the hourly flush), not when the program started

NetworkUsages:

A very useful table that can prove how much network data an executable sent and received, per hourly bucket and per interface.

  • Bytes Received = bytes received by the application during that hour

  • Bytes Sent = bytes sent by the application during that hour
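The following is an added example (not part of the original page and not SrumECmd's own code) showing how the NetworkUsages data is typically analysed for the exfiltration scenario described above: it sums bytes sent and received per executable across the hourly buckets, flags executables whose outbound volume is large and far exceeds inbound, and estimates an execution window from the first and last bucket an executable appears in. The CSV rows are constructed, and the column names (Timestamp, ExeInfo, UserName, BytesSent, BytesReceived) are assumed to match SrumECmd's NetworkUsages export.

```python
"""Hourly-bucket analysis of SrumECmd NetworkUsages output.

Added example, not part of the original page or of SrumECmd. The CSV rows
below are constructed; the column names are assumed to match SrumECmd's
NetworkUsages export.
"""
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample rows. Timestamp is the hourly flush time written into
# SRUDB.dat, not the moment the bytes were actually sent.
SAMPLE_CSV = """Timestamp,ExeInfo,UserName,BytesSent,BytesReceived
2024-03-04 13:00:00,C:\\Windows\\System32\\svchost.exe,NT AUTHORITY\\SYSTEM,52000,1400000
2024-03-04 13:00:00,C:\\Users\\alice\\AppData\\Local\\Temp\\rc.exe,CORP\\alice,310000000,420000
2024-03-04 14:00:00,C:\\Users\\alice\\AppData\\Local\\Temp\\rc.exe,CORP\\alice,285000000,390000
2024-03-04 14:00:00,C:\\Program Files\\Mozilla Firefox\\firefox.exe,CORP\\alice,2100000,95000000
2024-03-04 15:00:00,C:\\Users\\alice\\AppData\\Local\\Temp\\rc.exe,CORP\\alice,9000000,12000
"""


def parse_rows(text):
    """Parse SrumECmd-style CSV text into dicts with typed fields."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        rows.append({
            "ts": datetime.strptime(r["Timestamp"], "%Y-%m-%d %H:%M:%S"),
            "exe": r["ExeInfo"],
            "user": r["UserName"],
            "sent": int(r["BytesSent"]),
            "recv": int(r["BytesReceived"]),
        })
    return rows


def totals_by_exe(rows):
    """Sum bytes sent/received per executable across all hourly buckets."""
    totals = defaultdict(lambda: {"sent": 0, "recv": 0})
    for r in rows:
        totals[r["exe"]]["sent"] += r["sent"]
        totals[r["exe"]]["recv"] += r["recv"]
    return dict(totals)


def exfil_candidates(rows, min_sent=100_000_000, min_ratio=10.0):
    """Flag executables whose outbound volume is large and dwarfs inbound.

    Thresholds are illustrative; tune them to the host's normal traffic.
    Returns (exe, total_bytes_sent, sent_to_received_ratio), largest first.
    """
    out = []
    for exe, t in totals_by_exe(rows).items():
        ratio = t["sent"] / max(t["recv"], 1)
        if t["sent"] >= min_sent and ratio >= min_ratio:
            out.append((exe, t["sent"], round(ratio, 1)))
    return sorted(out, key=lambda x: x[1], reverse=True)


def execution_window(rows, exe):
    """Estimate when exe was active from the hourly buckets it appears in.

    A bucket stamped 13:00 covers activity since the previous flush, so the
    earliest possible start is one hour before the first bucket; the last
    bucket's stamp is an upper bound on the last observed activity.
    """
    stamps = sorted(r["ts"] for r in rows if r["exe"] == exe)
    if not stamps:
        return None
    return (stamps[0] - timedelta(hours=1), stamps[-1])


if __name__ == "__main__":
    rows = parse_rows(SAMPLE_CSV)
    for exe, sent, ratio in exfil_candidates(rows):
        print(f"{exe}: {sent / 1e6:.1f} MB sent, sent/recv ratio {ratio}")
        print("  approx. active window:", execution_window(rows, exe))
```

The sent-to-received ratio matters as much as the raw volume: a browser or update client receives far more than it sends, while a staging tool pushing data out of the network shows the opposite profile. The window estimate is deliberately one hour wide at the start, matching the bucketing caveat above.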

Anti-Forensics

  • Delete the database (SRUDB.dat and the ESE log files in the SRU folder). This needs administrative access, and a missing or recently recreated SRUDB.dat on a system with long uptime is itself a red flag.
