SRUM Database

Overview

The System Resource Usage Monitor (SRUM) database is a vital resource in digital forensics. It tracks system activities such as application executions, network usage, and resource consumption. This data persists even after the source files or programs have been deleted, making SRUM invaluable for investigations. In this lesson, we’ll focus on two key categories: SRUM Application Resource Usage and SRUM Network Usage, both of which provide crucial insights for forensic analysis.

Location of the SRUM Database

The SRUM artifacts are stored at the following location: C:\Windows\System32\SRU\SRUDB.dat

  • Database Format: SRUM uses the Extensible Storage Engine (ESE) format.

  • Structure: Contains multiple tables that log different types of system resource usage.

Using SrumECmd for SRUM Analysis

Tool Overview

We will leverage SrumECmd, a tool by Eric Zimmerman, to parse and convert SRUM data into easy-to-analyze CSV files.

Command to Parse SRUM Database

SrumECmd.exe -f "C:\Users\LetsDefend\Desktop\srum\C\Windows\System32\SRU\SRUDB.dat" 
             -r "C:\Users\LetsDefend\Desktop\srum\C\Windows\System32\config\SOFTWARE" 
             --csv "C:\Users\LetsDefend\Desktop\results"

  • -f: Path to the SRUM database (SRUDB.dat).

  • -r: Path to the Software hive (used for the latest data before SRUM refresh).

  • --csv: Output directory for the generated CSV files.

Key Categories for Analysis

1. Application Resource Usage

Tracks every executable run on the system, capturing the following details:

  • Executable Path: Full path of the executed file.

  • Timestamps: Indicates when the application was executed.

  • Username: The account that initiated the execution.

  • Resource Usage:

    • Bytes read/written.

    • CPU cycles consumed.

    • Number of read-write operations.

Use Case: If an alert indicates that Anydesk was used by an attacker, this category can help:

  • Determine the exact time Anydesk.exe was executed.

  • Identify the user account involved.

  • Analyze high read/write activity, suggesting suspicious operations like file transfers.

Example Analysis:

  • Timestamps: Pinpoint execution times.

  • Resource usage spikes: Detect anomalous behavior, e.g., data transfers.

2. Network Usage

Monitors application-level network activity over both wired and wireless connections:

  • Application: Logs network activity associated with specific executables.

  • SSID: Captures SSID details for wireless connections.

  • Bytes Sent/Received: Measures actual network traffic.

  • Executable Path: Full path of the application responsible.

  • Username: Links activity to specific user accounts.

Use Case: In a suspected data exfiltration scenario, this category can:

  • Identify applications responsible for significant data transfers.

  • Reveal anomalies, such as notepad.exe transmitting large volumes of data, potentially indicating a process injection attack.

Example Analysis:

  • High network traffic: Detect unauthorized data transfers.

  • Application anomalies: Flag unexpected network usage by typically benign programs.

Advantages of SRUM Data

  1. Application Execution: Tracks all program executions, even if the executable is later deleted.

  2. Data Exfiltration Detection: Identifies abnormal data transfers by any application.

  3. Resource Monitoring: Monitors CPU and memory usage, aiding in the detection of malicious activities such as crypto mining or infostealing.

Tools for Analysis

To streamline SRUM data analysis, use Timeline Explorer:

  • Provides an intuitive, detailed interface.

  • Facilitates forensic timeline construction from CSV files.

Key Points

  • SRUM Application Resource Usage: Helps verify the execution of suspicious programs.

  • SRUM Network Usage: Provides insights into network activity, aiding in the detection of data exfiltration.

These artifacts empower investigators to reconstruct attacker activity and pinpoint system anomalies, making SRUM an indispensable tool in forensic investigations.

PreviousWindows Disk ForensicsNextJumplists

Last updated