SRUM
Show network byte usage and execution runtime
Last updated
Supported versions:
Windows 11     ✅    Server 2019   ✅
Windows 10     ✅    Server 2016   ❌
Windows 8      ✅    Server 2012   ❌
Windows 7      ❌    Server 2008   ❌
Windows Vista  ❌    Server 2003   ❌
Windows XP     ❌
Location: C:\Windows\System32\SRU\SRUDB.dat
Registry: SOFTWARE\Microsoft\Windows NT\CurrentVersion\SRUM\Extensions
Extension GUIDs (providers):
{973F5D5C-1D90-4944-BE8E-24B94231A174} - Network Data Usage Monitor: SRUM Network Usage tracks wired and wireless connections and, for wireless, the network SSID the asset was connected to.
{D10CA2FE-6FCF-4F6D-848E-B2E99266FA86} - Push Notification Provider: SRUM Push Notification Data reports on notification events displayed to the user. I’ve yet to find a practical forensic use for this data.
{D10CA2FE-6FCF-4F6D-848E-B2E99266FA89} - Application Resource Usage Provider: tracks every .exe executed on the system, whether or not it still exists on disk. If it executed, it should be logged.
{DD6636C4-8929-4683-974E-22C046A43763} - Network Connectivity Usage Monitor: captures the connection start time, the interface type (ethernet or wireless) and the duration of the connection. This information can be coalesced with GPS data to support evidence of network activity at a given time and place.
{FEE4E14F-02A9-4550-B5CE-5FA2DA202E37} - Energy Usage Provider: SRUM Energy Usage captures statistics related to the charge and power state of the device.
Tools: ESEDatabaseView, Registry Explorer, SrumECmd.exe
Because the database is in use on a live system and simply copying the file will leave it in a dirty state, FTK Imager is the best option for extracting it.
Best paired with the SYSTEM hive, since that hive contains the SSID and other information the SRUM records can be resolved against.
The SRU folder also contains the transaction logs for this artifact.
Data is collected roughly every hour and saved to the SRUM database.
Shows how long a window was active (in the foreground) or running in the background.
This artifact is useful for identifying potential data exfiltration events from Windows systems: it captures network utilization over time, giving insight into the magnitude of a data transfer. Note that the artifact provides an hourly, bucketed count of how many bytes were sent and received by an application, so the first and last SRUM entries will not correspond exactly to the first and last execution times. They can, however, be used to produce a rough timeline of an application's execution.
Collected data is written to the SRUM database on the filesystem once per hour, reflecting what is held in the registry, or during system shutdown/reboot events. If a proper shutdown was not performed, the SRUM database on disk may need to be repaired with a utility such as esentutl.
Useful for showing execution and user context.
End Time = when the program stopped
Exe Timestamp = when the program was compiled
Timestamp = when the record was written to the SRUM database
A very powerful artifact for proving the network data usage of executables.
Bytes Received = bytes received by the application during that hourly interval
Bytes Sent = bytes sent by the application during that hourly interval
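As an added example (not part of the original page and not SrumECmd's own code), the following Python script shows how an analyst would work with the hourly, bucketed network-usage rows described above: it aggregates bytes sent and received per executable, bounds the execution window from the bucketed timestamps (the row Timestamp is the write time, so it covers roughly the preceding hour), and flags executables whose outbound volume dwarfs their inbound volume. The CSV column names are an assumption modelled on a SrumECmd NetworkUsages export; the rows, paths, user name and Wi-Fi profile name are constructed sample data.

```python
"""Summarise hourly SRUM network-usage rows per executable and flag heavy senders."""
import csv
import io
from datetime import datetime, timedelta

# Constructed sample in the shape of a SrumECmd NetworkUsages CSV export.
# Column names are an assumption modelled on that tool's output; all values are made up.
SAMPLE_CSV = r"""Timestamp,ExeInfo,UserName,BytesSent,BytesReceived,InterfaceType,ProfileName
2024-03-04 09:00:00,\Device\HarddiskVolume3\Windows\explorer.exe,CORP\alice,52000,410000,Ethernet,
2024-03-04 10:00:00,\Device\HarddiskVolume3\Windows\explorer.exe,CORP\alice,61000,380000,Ethernet,
2024-03-04 10:00:00,\Device\HarddiskVolume3\Users\alice\AppData\Local\Temp\updater.exe,CORP\alice,1900000000,3200000,Wireless,GuestWiFi
2024-03-04 11:00:00,\Device\HarddiskVolume3\Users\alice\AppData\Local\Temp\updater.exe,CORP\alice,2400000000,2900000,Wireless,GuestWiFi
2024-03-04 12:00:00,\Device\HarddiskVolume3\Windows\explorer.exe,CORP\alice,48000,395000,Ethernet,
"""

TIME_FMT = "%Y-%m-%d %H:%M:%S"
BUCKET = timedelta(hours=1)  # SRUM flushes to SRUDB.dat roughly once per hour


def parse_rows(text):
    """Parse CSV text into dicts with typed timestamp and byte counters."""
    rows = []
    for rec in csv.DictReader(io.StringIO(text)):
        rows.append({
            "timestamp": datetime.strptime(rec["Timestamp"], TIME_FMT),
            "exe": rec["ExeInfo"],
            "user": rec["UserName"],
            "sent": int(rec["BytesSent"]),
            "received": int(rec["BytesReceived"]),
            "interface": rec["InterfaceType"],
            "profile": rec["ProfileName"],
        })
    return rows


def summarize(rows):
    """Collapse the hourly buckets into one record per executable path."""
    summary = {}
    for r in rows:
        s = summary.setdefault(r["exe"], {
            "first": r["timestamp"], "last": r["timestamp"],
            "sent": 0, "received": 0, "buckets": 0,
            "users": set(), "profiles": set(),
        })
        s["first"] = min(s["first"], r["timestamp"])
        s["last"] = max(s["last"], r["timestamp"])
        s["sent"] += r["sent"]
        s["received"] += r["received"]
        s["buckets"] += 1
        s["users"].add(r["user"])
        if r["profile"]:
            s["profiles"].add(r["profile"])
    return summary


def execution_window(entry):
    """Bound the execution timeline from bucketed timestamps.

    A row's Timestamp is when it was written to the database, and it accounts for
    activity in roughly the preceding hour, so the program started no earlier than
    one bucket before the first row and stopped no later than the last row.
    """
    return entry["first"] - BUCKET, entry["last"]


def flag_outbound(summary, min_sent=100_000_000, min_ratio=10.0):
    """Return executables that sent at least min_sent bytes and uploaded far more than they downloaded."""
    flagged = []
    for exe, s in summary.items():
        ratio = s["sent"] / max(s["received"], 1)
        if s["sent"] >= min_sent and ratio >= min_ratio:
            flagged.append(exe)
    return sorted(flagged)


if __name__ == "__main__":
    summary = summarize(parse_rows(SAMPLE_CSV))
    for exe in flag_outbound(summary):
        s = summary[exe]
        start, end = execution_window(s)
        print(f"{exe}: {s['sent']:,} B sent / {s['received']:,} B received over "
              f"{s['buckets']} hourly bucket(s); ran between ~{start} and ~{end}; "
              f"users={sorted(s['users'])} profiles={sorted(s['profiles'])}")
```

The thresholds in flag_outbound are starting points, not rules: tune min_sent and min_ratio to the environment, and treat the window from execution_window as an hour-granular estimate, exactly as the note about bucketed counts above implies.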
Delete database.