Updated on 31 Jan, 2025
Enter the System Resource Usage Monitor (SRUM) — a treasure trove for digital forensic analysts.
The SRUM Database: A Wealth of Insights
The SRUM database serves as a goldmine of information for investigators, offering invaluable insights into user activities and system performance. Some of the most exciting pieces of information that SRUM can reveal include:
Applications Running: Details on what applications were active on the system during a specific hour.
User Account Information: Identification of the user account responsible for launching each application.
Network Bandwidth Usage: Insights into the amount of network bandwidth sent and received by each application.
Network Connections: Information on the networks the system was connected to, including dates, times, and connected networks.
*****************************************************************************************************
SRUM Database in Windows: How It Works and What You Need to Know
Windows 8
When SRUM was first introduced in Windows 8, it stored performance data for desktop applications, system utilities, services, and Windows Store (Metro) apps.
Approximately every hour, or when the system was properly shut down or rebooted, this data was transferred to an Extensible Storage Engine (ESE) database file known as SRUDB.dat.
Windows 10 and 11
Now data is no longer temporarily stored in the Windows Registry before being written to SRUDB.dat.
Q2: When and How SRUM Data is Written
Windows 10 and 11
SRUM data is generally recorded every 60 minutes. However, testing has revealed that data is not always written on shutdown.
For example, if a system is shut down twice within 10 minutes, the SRUM database might not update until a later reboot where the system remains powered on past the standard 60-minute mark.
This delayed writing behavior can be misleading. When reviewing SRUM entries, you may find multiple records with the exact same timestamp. This does not mean the events occurred simultaneously; rather, it indicates that the system recorded them all at once when SRUM was last updated. The actual activities could have taken place at any point between two consecutive entries.
Q3: Analyzing SRUM Data for Patterns
To make sense of SRUM data, you can compare the timestamps of consecutive entries. If the interval between entries deviates significantly from the expected 60-minute period (with a margin of plus or minus 10 minutes), it might suggest that data was written due to a system shutdown rather than the usual scheduled update.
A useful method for identifying anomalies is to import SRUM data into Excel and use the Conditional Formatting feature to highlight timestamps that fall outside the standard interval.
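The interval check from Q2 and Q3, done in code rather than in Excel: group records by flush time, flag gaps outside 60 +/- 10 minutes, and give each record the real activity window it could have come from. This is an added example, not from the original post; the `TimeStamp` column name and its `YYYY-MM-DD HH:MM:SS` format are assumptions about how the export tool writes the table, and the rows are constructed sample data.

```python
# Added example (not from the original post): flag SRUM flush times that deviate
# from the expected 60 +/- 10 min cadence. Rows are constructed sample data.
from datetime import datetime, timedelta

EXPECTED = timedelta(minutes=60)
TOLERANCE = timedelta(minutes=10)

SAMPLE_ROWS = [  # constructed sample data in an assumed export format
    {"TimeStamp": "2025-01-30 09:00:00", "App": "explorer.exe"},
    {"TimeStamp": "2025-01-30 09:00:00", "App": "svchost.exe"},
    {"TimeStamp": "2025-01-30 10:00:00", "App": "explorer.exe"},
    {"TimeStamp": "2025-01-30 10:37:00", "App": "cmd.exe"},       # early write
    {"TimeStamp": "2025-01-30 14:05:00", "App": "explorer.exe"},  # long gap
]

def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S")

def write_epochs(rows):
    # Distinct flush times; records sharing one timestamp came from one flush.
    return sorted({parse_ts(r["TimeStamp"]) for r in rows})

def classify_intervals(rows):
    # (flush_time, minutes_since_previous_flush, label) for each flush after
    # the first: 'scheduled' within tolerance, 'early' = likely shutdown
    # triggered write, 'gap' = system off or data not flushed.
    epochs = write_epochs(rows)
    out = []
    for prev, cur in zip(epochs, epochs[1:]):
        delta = cur - prev
        if abs(delta - EXPECTED) <= TOLERANCE:
            label = "scheduled"
        elif delta < EXPECTED:
            label = "early"
        else:
            label = "gap"
        out.append((cur, int(delta.total_seconds() // 60), label))
    return out

def activity_window(rows, index):
    # Real activity behind a record happened somewhere between the previous
    # distinct flush and the record's own timestamp (None = no earlier flush).
    epochs = write_epochs(rows)
    ts = parse_ts(rows[index]["TimeStamp"])
    i = epochs.index(ts)
    return (epochs[i - 1] if i else None, ts)

if __name__ == "__main__":
    for when, minutes, label in classify_intervals(SAMPLE_ROWS):
        print(f"{when}  +{minutes:4d} min  {label}")
```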
Q4: Recovering Historical SRUM Data
SRUM is often backed up in Volume Shadow Copies, meaning forensic analysts can potentially retrieve older SRUM database snapshots if shadow copies are available.
*****************************************************************************************************
SRUM Database Integrity and Repair
Given that systems are often not cleanly shut down during incident response procedures, the SRUM database file may sometimes be in a "dirty" or corrupt state. Windows provides a built-in tool, esentutl, for diagnosing and repairing ESE databases. This tool can perform tasks like defragmentation, recovery, integrity checking, and repair of ESE databases. Additionally, deleted records from the SRUM database may be recoverable using a utility called "EseCarve".
To check the status of the SRUM database, run the following from the Windows\System32\sru\ directory:
esentutl /mh SRUDB.dat
To repair a corrupted SRUDB.dat:
esentutl /p SRUDB.dat
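The "State" line that esentutl /mh prints comes from the ESE file header, which can also be read directly from a forensic copy without opening the database. This is an added example, not from the original post: the header offsets are the ESE (EDB) format as documented by the libesedb project, and make_header builds a constructed header only so the check can be exercised without a real SRUDB.dat.

```python
# Added example (not from the original post): read the ESE header of SRUDB.dat
# and report its shutdown state before deciding whether repair is needed.
# Header offsets follow the ESE (EDB) format as documented by libesedb.
import struct

ESE_SIGNATURE = 0x89ABCDEF  # DWORD at file offset 4
STATE_NAMES = {             # DWORD at file offset 52
    1: "just created",
    2: "dirty shutdown",    # recovery/repair needed before the DB is consistent
    3: "clean shutdown",
    4: "being converted",
    5: "force detach",
}

def ese_header_state(data):
    # Return (format_version, state_name); raise ValueError for non-ESE data.
    if len(data) < 56:
        raise ValueError("header too short")
    sig, version, file_type = struct.unpack_from("<III", data, 4)
    if sig != ESE_SIGNATURE:
        raise ValueError(f"not an ESE file (signature 0x{sig:08x})")
    if file_type != 0:  # 0 = database, 1 = streaming file
        raise ValueError(f"not a database file (file type {file_type})")
    (state,) = struct.unpack_from("<I", data, 52)
    return version, STATE_NAMES.get(state, f"unknown ({state})")

def check_srudb(path):
    with open(path, "rb") as fh:
        return ese_header_state(fh.read(4096))  # header fits in the first page

def make_header(state, version=0x620):
    # Constructed header for testing: only the fields read above are filled.
    buf = bytearray(4096)
    struct.pack_into("<III", buf, 4, ESE_SIGNATURE, version, 0)
    struct.pack_into("<I", buf, 52, state)
    return bytes(buf)

if __name__ == "__main__":
    import sys
    version, state = check_srudb(sys.argv[1] if len(sys.argv) > 1 else "SRUDB.dat")
    print(f"ESE format 0x{version:x}, state: {state}")
```

Work on a copy of the file, and try esentutl /r (log replay) before /p, since hard repair with /p can discard data that recovery would have kept.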
SRUM Registry Keys and Subkeys
Performance data collected via SRUM is initially stored in the Windows registry and then transferred to the SRUM database.
The primary registry key is
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SRUM,
which contains three subkeys: Parameters, Telemetry, and Extensions. Each of these subkeys corresponds to tables in the SRUM database and contains temporary data.
Key Tables in the SRUM Database
Windows Network Data Usage Monitor: {973F5D5C-1D90-4944-BE8E-24B94231A174} Records information about networks, applications, user SIDs, and total bytes sent and received by each application.
WPN SRUM Provider: {D10CA2FE-6FCF-4F6D-848E-B2E99266FA86} Captures Windows push notifications for Windows applications, user SIDs, and push notification payload sizes.
Application Resource Usage Provider: {D10CA2FE-6FCF-4F6D-848E-B2E99266FA89} Records the drive, directory, and full path of active applications, user SIDs, CPU cycle times, and bytes read and written.
Windows Network Connectivity Usage Monitor: {DD6636C4-8929-4683-974E-22C046A43763} Identifies network connections, connection start times, connection durations, and interface types.
Energy Usage Provider: {FEE4E14F-02A9-4550-B5CE-5FA2DA202E37} Provides battery charge level, design capacity, cycle count, and power source information.
Energy Estimation Provider (Windows 10): {97C2CE28-A37B-4920-B1E9-8B76CD341EC5} Offers a summary of historical battery status.
-------------------------------------------------------------------------------------------------------------
Forensic Challenges with SRUM Data
Delayed Writes:
SRUM data is written approximately every 60 minutes.
Shutdowns may prevent immediate updates to SRUDB.dat.
Analysts should be cautious when interpreting timestamps.
Retention Period:
Most SRUM data is retained for 30–60 days. (In VSS)
The Energy Usage LT table can store data for years.
If a system is powered off for an extended period, older data may be purged on reboot.
Database Corruption:
If a system crashes or is not properly shut down, SRUDB.dat may be left in a "dirty" state.
Windows has a built-in tool, esentutl, for repairing SRUM databases.
-------------------------------------------------------------------------------------------------------------
Volume Shadow Copies: Older versions of SRUM can sometimes be recovered if Volume Shadow Copies (VSS) are available.
Conclusion
The SRUM database has revolutionized digital forensic investigations by offering a comprehensive view of system activities and performance metrics. As investigators continue to explore this rich data source, the potential for uncovering critical evidence and insights will only grow.
-------------------------------------------------Dean--------------------------------------------------