SRUM

🧠 The Most Underrated Artifact in Windows Forensics? SRUM.

Tucked deep within every modern Windows system lies a built-in forensic goldmine: System Resource Usage Monitor (SRUM), an ESE database that silently and reliably logs 30–60 days of system activity.

📍 Path:

C:\Windows\System32\sru\SRUDB.dat

This database updates hourly and records:
• App execution + runtime
• Network bytes per binary
• User session context (SIDs)
• Foreground vs background use
• Energy/power usage

📖 Key Reference – SANS ISC (Mark Baggett, April 2025): “SRUM-DUMP Version 3: Uncovering Malware Activity in Forensics”, a compelling breakdown of why SRUM is so valuable in DFIR investigations: https://lnkd.in/em2vNb9e

🎯 Why SRUM Belongs in Every DFIR Toolkit

🔹 User Attribution: Map which user (by SID) ran a binary and for how long, even if other logs are missing.

🔹 Covert Network Visibility: The NetworkUsage table reveals app ↔ IP connections and volume, without EDR or PCAP.

🔹 Survives Anti‑Forensics: SRUM is often untouched when attackers delete event logs, prefetch, or AmCache. ➡️ Verified by Magnet Forensics

🔹 Detects Short‑Lived Payloads: Ideal for capturing ransomware loaders, memory-resident tools, or fileless malware.

🛠️ Tools to Analyze SRUM
• SRUMECmd → Eric Zimmerman https://lnkd.in/ehdWt5uc
• ESEDatabaseView → NirSoft https://lnkd.in/ewkctUXS
• SRUM-DUMP v3 (SANS ISC) → https://lnkd.in/em2vNb9e

🧪 Forensic Use Cases
• ✅ Tie execution of malware back to a user session
• 🌐 Confirm data exfil via renamed or stealth binaries
• 🔍 Fill critical timeline gaps when logs are wiped
• 🕵️‍♂️ Detect short-lived adversary activity
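The two use cases above that lean on the NetworkUsage table (tying traffic to a user SID and spotting upload-heavy binaries) can be worked from a parsed export. The following is an added example, not code from the original post or from any of the tools listed: it aggregates bytes per (executable, SID) and flags binaries whose outbound volume dwarfs their inbound volume. The CSV column names are an assumption modelled on SRUMECmd's NetworkUsage export, and the rows are constructed sample data; check the header names against your own export before using it.

```python
import csv
import io
from collections import defaultdict

# Constructed sample rows. Column names are an ASSUMPTION modelled on
# SRUMECmd's NetworkUsage CSV output; verify them against a real export.
SAMPLE_CSV = """Timestamp,ExeInfo,Sid,UserName,BytesSent,BytesReceived
2025-04-01 09:00:00,\\device\\harddiskvolume3\\windows\\system32\\svchost.exe,S-1-5-18,SYSTEM,120000,4500000
2025-04-01 10:00:00,\\device\\harddiskvolume3\\users\\alice\\appdata\\local\\temp\\update.exe,S-1-5-21-1111-2222-3333-1001,CORP\\alice,850000000,2400
2025-04-01 11:00:00,\\device\\harddiskvolume3\\users\\alice\\appdata\\local\\temp\\update.exe,S-1-5-21-1111-2222-3333-1001,CORP\\alice,640000000,1900
2025-04-01 11:00:00,\\device\\harddiskvolume3\\program files\\browser\\browser.exe,S-1-5-21-1111-2222-3333-1001,CORP\\alice,3000000,90000000
"""


def summarize_network_usage(csv_text, min_sent=100_000_000, sent_ratio=50.0):
    """Aggregate SRUM NetworkUsage rows per (exe path, SID).

    Returns (totals, flagged). A binary is flagged when it sent at least
    `min_sent` bytes AND its sent/received ratio is at least `sent_ratio`,
    i.e. it pushed far more data out than it pulled in (an exfil pattern).
    Thresholds are illustrative; tune them to the environment's baseline.
    """
    totals = defaultdict(lambda: {"sent": 0, "received": 0, "user": ""})
    for row in csv.DictReader(io.StringIO(csv_text)):
        key = (row["ExeInfo"].lower(), row["Sid"])  # SID, not username, is the stable key
        totals[key]["sent"] += int(row["BytesSent"])
        totals[key]["received"] += int(row["BytesReceived"])
        totals[key]["user"] = row["UserName"]

    flagged = []
    for (exe, sid), t in totals.items():
        ratio = t["sent"] / max(t["received"], 1)  # avoid divide-by-zero on receive-only rows
        if t["sent"] >= min_sent and ratio >= sent_ratio:
            flagged.append({"exe": exe, "sid": sid, "user": t["user"],
                            "sent": t["sent"], "received": t["received"],
                            "ratio": round(ratio, 1)})
    return dict(totals), flagged


if __name__ == "__main__":
    _, hits = summarize_network_usage(SAMPLE_CSV)
    for h in hits:
        print(f"{h['user']} ({h['sid']}) -> {h['exe']}: sent={h['sent']} recv={h['received']}")
```

On the sample data only the temp-directory update.exe is flagged (about 1.49 GB sent against a few KB received), while svchost.exe and the browser, which receive far more than they send, are not.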

📚 All References
• SANS Institute ISC Diary → https://lnkd.in/em2vNb9e
• Magnet Forensics → https://lnkd.in/eAHByG3F
• SRUMECmd → https://lnkd.in/entwCfnJ
• NirSoft ESE Viewer → https://lnkd.in/ewkctUXS
• ForenSafe → https://lnkd.in/eRmZMqFd

💡 If you’ve ever asked:
• “Who actually ran that?”
• “Did that binary call home?”
• “Why is this machine clean but feels off?”

…SRUM probably has the answer.

#DFIR #DigitalForensics #SRUM #WindowsForensics #IncidentResponse #BlueTeam #ThreatHunting #DetectionEngineering #SecurityOperations #MalwareAnalysis #ForensicTimeline