Enter the System Resource Usage Monitor (SRUM) — a treasure trove for digital forensic analysts.
The SRUM Database: A Wealth of Insights
The SRUM database serves as a goldmine of information for investigators, offering invaluable insights into user activities and system performance. Some of the most exciting pieces of information that SRUM can reveal include:
Applications Running: Details on what applications were active on the system during a specific hour.
User Account Information: Identification of the user account responsible for launching each application.
Network Bandwidth Usage: Insights into the amount of network bandwidth sent and received by each application.
Network Connections: Information on the networks the system was connected to, including dates, times, and connected networks.
***
Timing and Data Recording***
Understanding the timing of data recording in the SRUM database is crucial. Data is written to the SRUM database approximately every 60 minutes of system runtime or during proper system shutdown. When reviewing SRUM entries, analysts should note that the recorded date, time, and second represent when the data was recorded, not when the activity occurred.
Additionally, if the time period between entries is less than -60 minutes since the previous entry, it may indicate that entries were made due to the system being shut down improperly.
SRUM Database Integrity and Repair
Given that systems are often not cleanly shut down during incident response procedures, the SRUM database file may sometimes be in a "dirty" or corrupt state. Windows provides a built-in tool, esentutl, for diagnosing and repairing ESE databases. This tool can perform tasks like defragmentation, recovery, integrity checking, and repair of ESE databases. Additionally, deleted files from the SRUM database may be recoverable using a utility called "EseCarve.
To check the status of the SRUM database,
Windows\System32\sru\ directory:
esentutl /mh SRUDB.datSRUM Registry Keys and Subkeys
Performance data collected via SRUM is initially stored in the Windows registry and then transferred to the SRUM database.
The primary registry key is
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SRUM,
which contains three subkeys: Parameters, Telemetry, and Extensions. Each of these subkeys corresponds to tables in the SRUM database and contains temporary data.
Key Tables in the SRUM Database
Windows Network Data Usage Monitor: ({973F5D5C-1D90-4944-BE8E-24B94231Al 74}) Records information about networks, applications, user SIDs, and total bytes sent and received by each application.
WPN SRUM Provider: {dl0ca2fe-6fcf-4f6d-848e-b2e99266fa86} Captures Windows push notifications for Windows applications, user SIDs, and push notification payload sizes.
Application Resource Usage Provider: {dlOca2fe-6fcf-4 f6d-848e-b2e99266fa89} Records the drive, directory, and full path of active applications, user SIDs, CPU cycle times, and bytes read and written.
Windows Network Connectivity Usage Monitor: {DD6636C4-8929-4683-974E-22C046A43763} Identifies network connections, connection start times, connection durations, and interface types.
Energy Usage Provider: {fee4eI4f-02a9-4550-b5ce-5fa2da202e37} Provides battery charge level, design capacity, cycle count, and power source information.
Energy Estimation Provider (Windows 10): {97C2CE28-A37B-4920-B1E9-8B76CD341EC5} Offers a summary of historical battery status.
Conclusion
The SRUM database has revolutionized digital forensic investigations by offering a comprehensive view of system activities and performance metrics. As investigators continue to explore this rich data source, the potential for uncovering critical evidence and insights will only grow.
Akash Patel
Yorumlar