search

SRUM (System Resource Usage Monitor)

hashtag
Overview:

  • Purpose: Tracks system resource usage for applications and services, including CPU, disk, and network.

  • File Location:

    • C:\Windows\System32\sru\SRUDB.dat

  • Data Stored:

    • Detailed resource consumption metrics.

hashtag
Benefits for DFIR:

  • Detailed Insights: Provides granular data about system usage patterns.

  • Network Activity: Tracks network utilization for specific applications.

  • Anomaly Detection: Identifies malicious processes consuming resources.

hashtag
How It Works:

  • Logs data about resource usage, including:

    • Application Names.

    • Resource Usage: CPU, memory, disk, and network.

    • Timestamps: Last usage.

hashtag
Tools:

  • SRUM-DUMP: Extracts and decodes SRUM data.

  • Plaso: Framework for timeline generation that includes SRUM analysis.

  • SQLite Viewer: Manually views SRUDB.dat contents.

for example ;

PreviousBAM (Background Activity Moderator)NextMaster File Table (MFT), NTFS, $LogFile, and $UsnJrnl: Forensics

Last updated