SRUM

Show network byte usage and execution runtime

PreviousUserAssist NextLNK Files

Last updated 7 months ago

SRUM

Show network byte usage and execution runtime

Operating System Availability

Major Version

Support

Major Version

Support

Windows 11

✅

Server 2019

✅

Windows 10

✅

Server 2016

❌

Windows 8

✅

Server 2012

❌

Windows 7

❌

Server 2008

❌

Windows Vista

❌

Server 2003

❌

Windows XP

❌

File Location

C:\Windows\System32\SRU\SRUDB.dat
Registry: SOFTWARE\Microsoft\Windows NT\Current Version\SRUM\Extensions

Key

Provider

Description

{973F5D5C-1D90-4944-BE8E-24B94231A174}

Network Data Usage Monitor

The SRUM Network Usage tracks wired and wireless connections and the network SSID (when wireless) the asset was connected to.

{D10CA2FE-6FCF-4F6D-848E-B2E99266FA86}

Push Notification Provider

SRUM Push Notification Data reports on notification events displayed to the user. I’ve yet to find a practical forensic use for this data.

{D10CA2FE-6FCF-4F6D-848E-B2E99266FA89}

Application Resource Usage Provider

Tracks every .exe that’s executed on the system whether it still exists on disk or not. If it executed, it should be logged.

{DD6636C4-8929-4683-974E-22C046A43763}

Network Connectivity Usage Monitor

It will capture the connection start time and the interface type (ethernet or wireless), and the duration of the connection. This information could be coalesced with GPS data to support evidence of network activity at a time and place.

{FEE4E14F-02A9-4550-B5CE-5FA2DA202E37}

Energy Usage Provider

SRUM Energy Usage captures statistics related to the charge and power state of the device

Parsing Data

ESEDatabaseView
Registry Explorer
SrumECmd.exe

Since it is at use and grabbing the file will leave it in a dirty state, FTK imager is best option to extract.

Best paired with SYSTEM hive due to it containing SSID and other information that can be resolved.

#Used to grab SYSTEM hive and Srumb.dat
SrumECmd.exe -d F:\Tools\Investigation\logs --csv F:\Tools\Investigation\logs\log1

Considerations

SRU folder contains transactional logs for artifact.
Grabs data every 1 hour and saves to SRUM.
Can see how long a window was active or in the background.

What is SRUM?

This artifact is useful for identifying potential data exfiltration events from Windows systems, as it captures network utilization over time, providing insight into the magnitude of the data transfer. Note that this artifact provides an hourly, bucketed count of how many bytes were sent and received by an application, therefore, the first and last SRUM entry will not correspond exactly to the first and last execution time. This can, however, be used to provide a rough estimate of the timeline of execution for an application.

Data collected is written to the SRUM database on the filesystem once per hour to reflect what is stored in the registry, or during system shutdown/reboot events. In the event that a proper shutdown was not conducted, the SRUM filesystem database may need to be repaired using a utility such as esentutl.

AppTimelineProvider:

Useful in showing execution and user-context.

End Time = When program stopped
Exe Timestamp = When program was compiled
Timestamp = When program was populated in Srum db.

NetworkUsages:

Super powerful program that can prove network data usage of executables.

Bytes Received = Bytes Received
Bytes Sent = Bytes Sent

Anti-Forensics

Delete database.

PreviousUserAssist NextLNK Files

Last updated 7 months ago

System Resource Usage Monitor (SRUM)Windows Forensic Handbook

Operating System Availability

Major Version

Support

Major Version

Support

Windows 11

✅

Server 2019

✅

Windows 10

✅

Server 2016

❌

Windows 8

✅

Server 2012

❌

Windows 7

❌

Server 2008

❌

Windows Vista

❌

Server 2003

❌

Windows XP

❌

File Location

C:\Windows\System32\SRU\SRUDB.dat
Registry: SOFTWARE\Microsoft\Windows NT\Current Version\SRUM\Extensions

Key

Provider

Description

{973F5D5C-1D90-4944-BE8E-24B94231A174}

Network Data Usage Monitor

The SRUM Network Usage tracks wired and wireless connections and the network SSID (when wireless) the asset was connected to.

{D10CA2FE-6FCF-4F6D-848E-B2E99266FA86}

Push Notification Provider

SRUM Push Notification Data reports on notification events displayed to the user. I’ve yet to find a practical forensic use for this data.

{D10CA2FE-6FCF-4F6D-848E-B2E99266FA89}

Application Resource Usage Provider

Tracks every .exe that’s executed on the system whether it still exists on disk or not. If it executed, it should be logged.

{DD6636C4-8929-4683-974E-22C046A43763}

Network Connectivity Usage Monitor

{FEE4E14F-02A9-4550-B5CE-5FA2DA202E37}

Energy Usage Provider

SRUM Energy Usage captures statistics related to the charge and power state of the device

Parsing Data

ESEDatabaseView
Registry Explorer
SrumECmd.exe

Since it is at use and grabbing the file will leave it in a dirty state, FTK imager is best option to extract.

Best paired with SYSTEM hive due to it containing SSID and other information that can be resolved.

#Used to grab SYSTEM hive and Srumb.dat
SrumECmd.exe -d F:\Tools\Investigation\logs --csv F:\Tools\Investigation\logs\log1

Considerations

SRU folder contains transactional logs for artifact.
Grabs data every 1 hour and saves to SRUM.
Can see how long a window was active or in the background.

What is SRUM?

AppTimelineProvider:

Useful in showing execution and user-context.

End Time = When program stopped
Exe Timestamp = When program was compiled
Timestamp = When program was populated in Srum db.

NetworkUsages:

Super powerful program that can prove network data usage of executables.

Bytes Received = Bytes Received
Bytes Sent = Bytes Sent

Anti-Forensics

Delete database.