
If you're digging into Windows forensic artifacts, SRUM (System Resource Usage Monitor) data is a goldmine.
But manually decoding the SRUM database?
That’s a nightmare. Thankfully, Mark Baggett’s free tool, SRUM_DUMP, does all the heavy lifting for us.
-------------------------------------------------------------------------------------------------------------
What is SRUM_DUMP?
SRUM_DUMP processes the SRUDB.dat database and generates an Excel spreadsheet with separate tabs for each table in the database. It also correlates some fields from the Windows Registry, making it easier to identify network connections, system usage, and even user activities.
This tool is a game-changer for forensic analysts. It provides structured Excel templates that can be customized for better data visualization, such as calculating network connection times or applying conditional formatting.

-----------------------------------------------------------------------------------------------------------
How to Use SRUM_DUMP
Let’s get straight to the process. After extracting your forensic image or pulling out the SRUDB.dat file and the SOFTWARE registry hive, follow these steps:
1. Launch SRUM_DUMP and click the Browse button to select the SRUDB.dat file. If you're analyzing a mounted image, you'll likely find it at:
   E:\Windows\System32\SRU\SRUDB.dat
2. Choose an output folder where the processed Excel sheet will be saved.
3. Stick with the default Excel template (unless you have a specific need to change it, which is rare).
4. Provide the SOFTWARE registry hive so that SRUM_DUMP can cross-reference network and user names. Since incident response often deals with systems that weren't shut down cleanly, the hive may be in a dirty state; ideally, use a cleaned-up copy for accuracy (the hive's SOFTWARE.LOG1/SOFTWARE.LOG2 transaction logs, stored alongside it, can be replayed to produce one).
5. Click OK, and within seconds you'll have a neatly structured Excel file ready for analysis.

-----------------------------------------------------------------------------------------------------------

Output

-----------------------------------------------------------------------------------------------------------
Understanding SRUM Data
Now, let’s break down what kind of forensic insights we can extract from SRUM data.

1. Network Connectivity Usage Table
This table logs when and where a system connected to a network. Here’s what you’ll see:
Column B – Timestamp of when the connection was recorded.
Column E – Network interface used (e.g., Wi-Fi, Ethernet).
Column F – Network name (SSID of Wi-Fi connections).
Column G – Duration of the connection.
Column H – Start time of the connection.

In some cases, overlapping connections suggest a system went into sleep or hibernate mode between sessions. Investigators can use this data to establish movement patterns or even detect suspicious activities.
-------------------------------------------------------------------------------------------------------------
2. Windows Network Data Usage Table
This table shows:
The application name using the network.
The total bytes sent and received.
The user SID associated with the activity.
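As an added example (not from the post or from SRUM_DUMP itself), here is a short Python script that applies the two checks above to constructed rows shaped like the Network Connectivity Usage and Network Data Usage tabs: it rebuilds each connection window from start time plus duration to find overlapping sessions, and sums bytes sent per application and SID to surface heavy senders. The column order, sample values and the 100 MB threshold are assumptions for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample rows (not real SRUM output) mirroring the columns the
# post lists for the Network Connectivity Usage tab: record timestamp,
# interface, SSID, connected duration in seconds, and connection start.
CONNECTIVITY_ROWS = [
    ("2024-03-04 09:05:00", "Wi-Fi", "HomeNet", 3600, "2024-03-04 08:05:00"),
    ("2024-03-04 17:00:00", "Wi-Fi", "CorpGuest", 28800, "2024-03-04 08:40:00"),
    ("2024-03-04 19:30:00", "Ethernet", "", 1800, "2024-03-04 19:00:00"),
]
# Constructed rows mirroring the Network Data Usage tab: app, sent, received, SID.
DATA_USAGE_ROWS = [
    (r"C:\Windows\explorer.exe", 12_000, 480_000, "S-1-5-21-1-1-1-1001"),
    (r"C:\Users\bob\AppData\Local\cloudsync.exe", 200_000_000, 5_000, "S-1-5-21-1-1-1-1002"),
    (r"C:\Users\bob\AppData\Local\cloudsync.exe", 150_000_000, 7_000, "S-1-5-21-1-1-1-1002"),
]

def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")

def connection_windows(rows):
    """Map each row to (label, start, end); end = start + connected seconds."""
    windows = []
    for _recorded, interface, ssid, seconds, start in rows:
        begin = parse_ts(start)
        windows.append((ssid or interface, begin, begin + timedelta(seconds=seconds)))
    return windows

def overlapping_connections(rows):
    """Return label pairs whose windows overlap. The post notes that overlapping
    connections can indicate the machine slept or hibernated between sessions,
    so these are the rows to review before treating durations as exact."""
    windows = connection_windows(rows)
    pairs = []
    for i, (label_a, start_a, end_a) in enumerate(windows):
        for label_b, start_b, end_b in windows[i + 1:]:
            if start_a < end_b and start_b < end_a:   # classic interval test
                pairs.append((label_a, label_b))
    return pairs

def heavy_senders(rows, threshold=100_000_000):
    """Sum bytes sent per (app, SID) and return totals at or above threshold;
    a binary under a user profile pushing hundreds of MB out is the kind of
    row that warrants an exfiltration hypothesis (threshold is an assumption)."""
    totals = defaultdict(int)
    for app, sent, _received, sid in rows:
        totals[(app, sid)] += sent
    return {key: total for key, total in totals.items() if total >= threshold}
```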
-------------------------------------------------------------------------------------------------------------
3. Application Resource Usage Table
Unlike the Network Data Usage table, this one logs all running applications, whether they used the network or not.
It records file paths, execution times, and CPU/memory usage.
It can indicate whether a user was running resource-heavy software or simply had it open in the background.
Foreground/Background bytes read/written can help determine if large amounts of data were copied (e.g., to an external USB device).

-------------------------------------------------------------------------------------------------------------
Final Thoughts
SRUM data is an incredibly powerful forensic resource, but making sense of it manually is next to impossible. With SRUM_DUMP, analysts can quickly extract and analyze network activity, application usage, and potential signs of data exfiltration.
Whether you’re investigating insider threats, tracking a hacker’s movements, or simply auditing system usage, SRUM_DUMP makes life a lot easier. So, if you haven't tried it yet, give it a shot—it might just become one of your go-to forensic tools!
---------------------------------------------------Dean--------------------------------------------------