You can download the tool from the link below:
Opening SRUM Database with NirSoft
Using NirSoft's utilities, you can open the SRUDB.dat ESE database and browse its tables. In a typical Windows 10 setup, you'll find around 13 tables. By default, the MSysObjects table is displayed, sorted by the first column.
We're focusing on the Windows Network Data Usage Monitor table, identified by the unique identifier {973F5D5C-1D90-4944-BE8E-24B94231A174}, which is the same on Windows 8.1 and Windows 10.
Examining the Windows Network Data Usage Monitor Table
Once you've selected the Windows Network Data Usage Monitor table, you'll find entries detailing the system's network connections. Each entry carries an "AppId" identifying the application that used the network during that time period. The AppId corresponds to the "IdIndex" field in the SruDbIdMapTable.
That table also reveals the drive and full path of the application executable via the "IdBlob" for each "IdIndex." In the network usage entries you'll additionally find the "UserId," the network interface (InterfaceLuid), the network profile index (L2ProfileId), and the bytes sent and received by each application during that time period.
Mapping Network Profiles
To map a network profile, start by identifying a network by its profile identifier (L2ProfileId), such as 268435461. Then look in the SOFTWARE registry hive to find the corresponding network name.
Here's how:
1. Navigate to the \Microsoft\WlanSvc\Interfaces\{8DE3771B-64C5-4F1A-B37B-7B7A9917E10E}\Profiles key.
2. Look through the profile identifier subkeys and check each one's ProfileIndex value to find the matching identifier.
3. Expand the matching profile identifier key and select the "MetaData" subkey.
4. Check the "Channel Hints" value to reveal the network name corresponding to the ProfileIndex 268435461.
By following these steps, you can gain valuable insights into the network connections made by a system, the applications involved, and even the network names. This information can be pivotal in forensic investigations, shedding light on user activities and potentially uncovering malicious intent.
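The lookups described above (AppId and UserId to IdIndex/IdBlob in SruDbIdMapTable, L2ProfileId to the ProfileIndex and "Channel Hints" network name in the registry) are easy to get wrong by hand when a table has thousands of rows. The following script is an added example, not code from the original post or from NirSoft: it performs those joins and sums bytes per application and network. Reading the live ESE file needs a library such as pyesedb or NirSoft's viewer, so the table rows and registry values here are constructed inline. Two decoding rules are assumptions rather than facts stated on the page: that IdBlob holds a UTF-16LE path for application rows and a binary SID for rows of IdType 3, and that "Channel Hints" is a binary value whose first four bytes give the SSID length, followed by the SSID bytes.

```python
"""
Resolve SRUM Network Data Usage rows to executable paths, user SIDs and
network names, then total bytes per (application, network).

Added example for the post above; the rows, SIDs and registry blobs are
constructed sample data, not values taken from a real SRUDB.dat.
"""
import struct
from collections import defaultdict


def build_sid(sid_text):
    """Pack a textual SID (S-1-5-21-...) into the binary form seen in IdBlob."""
    parts = sid_text.split("-")
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    return (bytes([revision, len(subs)])
            + authority.to_bytes(6, "big")
            + b"".join(struct.pack("<I", s) for s in subs))


def decode_sid(blob):
    """Decode a binary SID: revision, sub-authority count, 6-byte authority,
    then little-endian 32-bit sub-authorities."""
    revision, count = blob[0], blob[1]
    authority = int.from_bytes(blob[2:8], "big")
    subs = struct.unpack("<" + "I" * count, blob[8:8 + 4 * count])
    return "S-%d-%d-%s" % (revision, authority, "-".join(str(s) for s in subs))


def decode_id_blob(id_type, blob):
    """Assumed rule: IdType 3 rows are SIDs, all others UTF-16LE strings."""
    if id_type == 3:
        return decode_sid(blob)
    return blob.decode("utf-16-le").rstrip("\x00")


def decode_channel_hints(blob):
    """Assumed layout: 4-byte little-endian SSID length, then the SSID."""
    (length,) = struct.unpack_from("<I", blob, 0)
    return blob[4:4 + length].decode("utf-8", "replace")


# Constructed SruDbIdMapTable rows: (IdType, IdIndex, IdBlob)
ID_MAP = [
    (0, 1001, "C:\\Program Files\\Example\\updater.exe".encode("utf-16-le")),
    (0, 1002, "C:\\Users\\alice\\AppData\\Local\\Tools\\sync.exe".encode("utf-16-le")),
    (3, 2001, build_sid("S-1-5-21-1111-2222-3333-1001")),
]

# Constructed Network Data Usage rows (a subset of the real columns).
USAGE_ROWS = [
    {"AppId": 1001, "UserId": 2001, "InterfaceLuid": 1689399632855040,
     "L2ProfileId": 268435461, "BytesSent": 1200, "BytesRecvd": 54000},
    {"AppId": 1002, "UserId": 2001, "InterfaceLuid": 1689399632855040,
     "L2ProfileId": 268435461, "BytesSent": 800, "BytesRecvd": 2300},
    {"AppId": 1002, "UserId": 2001, "InterfaceLuid": 1689399632855040,
     "L2ProfileId": 268435462, "BytesSent": 50, "BytesRecvd": 10},
    # A row whose AppId and profile have no mapping, to show the fallback.
    {"AppId": 1003, "UserId": 2001, "InterfaceLuid": 1689399632855040,
     "L2ProfileId": 268435463, "BytesSent": 5, "BytesRecvd": 0},
]

# Constructed "Channel Hints" values keyed by ProfileIndex, as they would be
# read from ...\WlanSvc\Interfaces\<GUID>\Profiles\<profile>\MetaData.
CHANNEL_HINTS = {
    268435461: struct.pack("<I", 8) + b"HomeWifi" + b"\x00" * 24,
    268435462: struct.pack("<I", 6) + b"CafeAP" + b"\x00" * 10,
}
PROFILE_NAMES = {idx: decode_channel_hints(b) for idx, b in CHANNEL_HINTS.items()}


def resolve_rows(usage_rows, id_map, profile_names):
    """Join usage rows with the id map and profile names; unmapped ids are
    kept visible rather than dropped, since a missing mapping is itself a
    finding worth recording."""
    ids = {idx: decode_id_blob(t, blob) for t, idx, blob in id_map}
    resolved = []
    for r in usage_rows:
        resolved.append({
            "app": ids.get(r["AppId"], "<unknown AppId %d>" % r["AppId"]),
            "user": ids.get(r["UserId"], "<unknown UserId %d>" % r["UserId"]),
            "network": profile_names.get(
                r["L2ProfileId"], "<unmapped profile %d>" % r["L2ProfileId"]),
            "sent": r["BytesSent"],
            "recvd": r["BytesRecvd"],
        })
    return resolved


def totals_per_app_network(resolved):
    """Sum bytes sent/received per (application path, network name)."""
    totals = defaultdict(lambda: [0, 0])
    for row in resolved:
        key = (row["app"], row["network"])
        totals[key][0] += row["sent"]
        totals[key][1] += row["recvd"]
    return {k: tuple(v) for k, v in totals.items()}


if __name__ == "__main__":
    for (app, net), (sent, recvd) in totals_per_app_network(
            resolve_rows(USAGE_ROWS, ID_MAP, PROFILE_NAMES)).items():
        print("%-55s %-30s sent=%d recvd=%d" % (app, net, sent, recvd))
```

On a real case the constructed lists would be replaced by rows read from the two tables and the registry values read from the SOFTWARE hive; the join logic and the fallback for unmapped identifiers stay the same.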
Conclusion
The SRUM database, when explored using NirSoft's utilities, offers a comprehensive view of network usage data on a Windows system. By understanding how to navigate and interpret this data, digital forensic analysts can uncover critical insights that may be instrumental in their investigations.
Akash Patel