Windows Forensics

Windows Forensics

windows Memory Forensics
Windows Registry Forensics
Windows Registry Forensics with RegRipper
Windows Powershell Forensics
Incident Response Eventhoods
Incident Response splunk filters
LNK Files (Shortcut Files) Forensics
Jump List Forensics
Prefetch Files Forensics
Living off the Land Binaries (LOLBins)
COM (Component Object Model)
Key Email Headers for SOC Analysts and DFIR
Distributed Component Object Model (DCOM)
legitimate Windows processes
UserAssist Keys
Application Compatibility Cache (Shim Cache)
CIDSizeMRU
Start Menu Run MRUs
MUI Cache
BAM (Background Activity Moderator)
SRUM (System Resource Usage Monitor)
Master File Table (MFT), NTFS, $LogFile, and $UsnJrnl: Forensics
🔹 Windows System Processes

Powered by GitBook

On this page

Overview:
Benefits for DFIR:
How It Works:
Tools:

SRUM (System Resource Usage Monitor)

Overview:

Purpose: Tracks system resource usage for applications and services, including CPU, disk, and network.
File Location:
- C:\Windows\System32\sru\SRUDB.dat
Data Stored:
- Detailed resource consumption metrics.

Benefits for DFIR:

Detailed Insights: Provides granular data about system usage patterns.
Network Activity: Tracks network utilization for specific applications.
Anomaly Detection: Identifies malicious processes consuming resources.

How It Works:

Logs data about resource usage, including:
- Application Names.
- Resource Usage: CPU, memory, disk, and network.
- Timestamps: Last usage.

Tools:

SRUM-DUMP: Extracts and decodes SRUM data.
Plaso: Framework for timeline generation that includes SRUM analysis.
SQLite Viewer: Manually views SRUDB.dat contents.

for example ;

PreviousBAM (Background Activity Moderator)NextMaster File Table (MFT), NTFS, $LogFile, and $UsnJrnl: Forensics

Last updated 5 months ago