SRUM (System Resource Usage Monitor)
Overview:
Purpose: Tracks system resource usage for applications and services, including CPU, disk, and network.
File Location:
C:\Windows\System32\sru\SRUDB.dat
Data Stored:
Detailed resource consumption metrics.
Benefits for DFIR:
Detailed Insights: Provides granular data about system usage patterns.
Network Activity: Tracks network utilization for specific applications.
Anomaly Detection: Identifies malicious processes consuming resources.
How It Works:
Logs data about resource usage, including:
Application Names.
Resource Usage: CPU, memory, disk, and network.
Timestamps: Last usage.
Tools:
SRUM-DUMP: Extracts and decodes SRUM data.
Plaso: Framework for timeline generation that includes SRUM analysis.
SQLite Viewer: Manually views SRUDB.dat contents.
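As an added example (not code from the original page, nor from SRUM-DUMP or Plaso): SRUDB.dat is an ESE (Extensible Storage Engine) database, so this Python script works on rows already exported to CSV from the network data usage table, converts the ESE DateTime timestamps (OLE Automation dates, fractional days since 1899-12-30) to UTC, totals bytes per application, and flags applications whose outbound volume dwarfs their inbound volume. The column names and sample rows are constructed, and the thresholds are illustrative.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample of SRUM's "Network Data Usage" table in the shape a CSV
# export of SRUDB.dat would take (column names assumed). TimeStamp is an ESE
# DateTime value: an OLE Automation date, i.e. fractional days since 1899-12-30.
SAMPLE_EXPORT = """\
AutoIncId,TimeStamp,AppId,UserId,BytesSent,BytesRecvd
1,45292.5,\\Device\\HarddiskVolume3\\Program Files\\Mozilla Firefox\\firefox.exe,S-1-5-21-1-2-3-1001,2500000,48000000
2,45292.5,\\Device\\HarddiskVolume3\\Users\\alice\\AppData\\Local\\Temp\\svchost.exe,S-1-5-21-1-2-3-1001,930000000,120000
3,45292.5416666667,\\Device\\HarddiskVolume3\\Users\\alice\\AppData\\Local\\Temp\\svchost.exe,S-1-5-21-1-2-3-1001,1200000000,98000
4,45292.5416666667,\\Device\\HarddiskVolume3\\Windows\\System32\\svchost.exe,S-1-5-18,300000,2000000
"""

OLE_EPOCH = datetime(1899, 12, 30, tzinfo=timezone.utc)

def ole_to_datetime(value):
    """Convert an OLE Automation date (float days) to an aware UTC datetime."""
    return OLE_EPOCH + timedelta(days=float(value))

def parse_network_usage(text):
    """Parse exported SRUM network-usage rows into dicts with typed fields."""
    return [{
        "time": ole_to_datetime(rec["TimeStamp"]),
        "app": rec["AppId"],
        "user": rec["UserId"],
        "sent": int(rec["BytesSent"]),
        "recvd": int(rec["BytesRecvd"]),
    } for rec in csv.DictReader(io.StringIO(text))]

def totals_per_app(rows):
    """Sum outbound and inbound bytes per application over all hourly records."""
    totals = defaultdict(lambda: {"sent": 0, "recvd": 0})
    for r in rows:
        totals[r["app"]]["sent"] += r["sent"]
        totals[r["app"]]["recvd"] += r["recvd"]
    return dict(totals)

def flag_outbound_heavy(rows, min_sent=500_000_000, min_ratio=10.0):
    """Return apps whose outbound total is large and dwarfs their inbound total.
    Thresholds are illustrative; tune them to the environment's baseline."""
    totals = totals_per_app(rows)
    return sorted(app for app, t in totals.items()
                  if t["sent"] >= min_sent and t["sent"] >= min_ratio * max(t["recvd"], 1))
```

Running `flag_outbound_heavy(parse_network_usage(SAMPLE_EXPORT))` returns only the svchost.exe copy under the user's Temp folder, while the legitimate System32 svchost.exe and the browser (which receives far more than it sends) are left alone.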