
- Streamlining Incident Analysis: An All-in-One PowerShell Script

Incident response can be a daunting task, especially when it requires gathering a multitude of system details. To simplify this process, I developed a PowerShell script that performs a first-pass analysis of a Windows system and collects information covering everything from basic system details to intricate artifacts.

Key Features

The script covers both basic and intricate details of the system:

Memory Dump: Captures the system's memory for forensic analysis.
UsrClass.dat: User-specific registry settings.
SRUDB.dat: The System Resource Usage Monitor database.
System Audit with WinAudit: Performs a detailed audit of the system using the WinAudit tool.
Activity Tracking: Lists recent activity using the LastActivityView tool.
File Analysis: Copies all LNK, DLL, and prefetch files and lists them in CSV format.
Network and Security: Captures firewall changes, network connections, and open files.
Hashing: Computes MD5 and SHA256 hashes for files in specific directories (Start Menu, System32, the system temporary directory, and the user temporary directory).
Also collected: system information, network configuration, running processes, registry key analysis, netstat output, firewall changes, and more.

How It Works

Download and extract the folder: Download the complete folder from the resume page and extract it to a location of your choice. Inside you will find multiple scripts and two key folders, tool and output. Do not delete either folder.

Folder structure: tool contains the tools the script invokes; output is where the script saves all collected data and analysis results.

Running the script: Run the IR script from PowerShell with administrative privileges. The script captures the various system artifacts and saves them in the output folder. It also runs the tools from the tool folder and integrates their output into the final results.

Two points worth keeping in mind when you run it on a machine you intend to investigate. Collection changes the system: the memory dump alone writes gigabytes to disk and overwrites unallocated space that may still hold deleted data, so extract the folder to external media so that the output folder lives there rather than on the system drive. And let the memory capture run before the rest of the collection, because every other tool in the chain starts processes and opens handles that would otherwise appear in the dump.

Detailed Breakdown of Features

Memory Dump: The script includes a function to capture the system's memory, which is particularly useful for forensic analysis and debugging.

System Audit with WinAudit: Using the WinAudit tool, the script performs a thorough audit of the system, capturing detailed information about hardware, software, network settings, and more.

Activity Tracking with LastActivityView: The script leverages LastActivityView to list recent activity on the system, helping to reconstruct user actions and identify potential security issues.

File Analysis: It copies essential system files such as LNK, DLL, and prefetch files and organizes them into CSV format for easy viewing and analysis.

Network and Security Monitoring: The script captures changes to the firewall, active network connections, and open files, giving an overview of the system's security posture.

The script collects much more than this; the above are the highlights.

Sample Output Sections (screenshots in the original post)

1. Extracted prefetch files
2. Network connections with the associated process
3. Running executables with hashes
4. WMI
5. Potentially dangerous programs, scripts, shortcuts, Office macros, and PDFs
6. Selected event IDs
7. Output directory

Getting Started

To get started, download the folder from the resume page, extract it, and run the main PowerShell script. Do not delete any folders, as the script relies on the tools located in the tool folder. The script is designed to be user-friendly, but if you encounter any issues, feel free to reach out for support. Happy analyzing!
Akash Patel
- Unveiling User Activity with LastActivityView by NirSoft
Introduction

Ever wondered what has been happening on your computer when you weren't looking? Whether you're a curious user, a concerned parent, or a professional investigator, LastActivityView by NirSoft can give you a clear picture. This handy tool lists recent activity on a Windows computer.

What is LastActivityView?

LastActivityView is a free tool that collects and displays information about recent activity on a Windows computer. It pulls data from various parts of the system (the registry, the Windows event logs, the Prefetch and Recent folders, and other sources) to show what has been done: which applications were opened, which files were accessed, and even when the computer was shut down or started up.

Key Features

Easy to Use: Simple interface that lists activities in chronological order.
Comprehensive Data: Shows a wide range of activities drawn from different sources.
No Installation Needed: It is portable; just download and run.
Export Options: Save the activity log in formats such as CSV, XML, and HTML.

Using LastActivityView

Viewing Activities: When you open LastActivityView, it immediately shows a list of recent activities. For each entry you see the Date/Time (when the activity happened), Description (what the activity was), Filename/Process (the file or program involved), More Info (additional details, if available), Full Path, Data Source, and Extension.

Filtering and Sorting: Click a column header to sort the list by that column. Use "Advanced Options" under the Options menu to filter by date or activity type.

Exporting Data: Select the entries you want to save (Ctrl+A selects all), go to the File menu and choose "Save Selected Items" (or press Ctrl+S), then choose a format (CSV, XML, HTML) and a location.

Practical Uses

Forensic Analysis: For investigators, LastActivityView helps piece together what happened on a computer. The timeline of user actions shows the events leading up to an incident. Bear in mind that it is a live-triage tool: running it on the machine under investigation is itself an activity (it leaves a prefetch entry and registry traces of its own), so run it from removable media, note the time you ran it, and treat its output as a starting point to be confirmed against the underlying artifacts (prefetch files, event logs, registry hives) rather than as the evidence itself. The Data Source column tells you which artifact each entry came from.

System Administration: Admins can use LastActivityView to review how an employee's computer has been used. It helps ensure company resources are used appropriately and can reveal unusual activity.

Conclusion

LastActivityView by NirSoft is a simple yet powerful way to see what has been happening on a Windows computer. It suits anyone who wants to understand user activity, whether for personal, professional, or investigative purposes.

Akash Patel
- Exploring Magnet Encrypted Disk Detector (EDDv310)
Introduction

In digital forensics and incident response, determining whether a computer's drives are encrypted is a crucial early step. Magnet Encrypted Disk Detector (EDD; the build used in this post is distributed as EDDv310) is a tool designed to check quickly and non-intrusively for encrypted volumes on a live system.

What is EDD?

EDD is a command-line tool developed by Magnet Forensics. It identifies encrypted volumes on a computer, including those encrypted with TrueCrypt, PGP, VeraCrypt, Check Point, SafeBoot, and BitLocker. It is particularly useful during incident response because it tells you whether a live acquisition is necessary to preserve evidence: a mounted encrypted volume is only readable while the system stays up and the keys remain in memory.

Key Features

Quick and Non-Intrusive: Scans for encrypted volumes without modifying the system.
Supports Multiple Encryption Types: Detects TrueCrypt, PGP, VeraCrypt, Check Point, SafeBoot, and BitLocker encrypted volumes.
Command-Line Interface: Simple and straightforward to use.
Detailed Output: Reports the encryption status of each drive, including OEM ID and volume labels where applicable.

How to Use EDD

Download and extract the tool and run it. Double-clicking the executable works, but running it from an administrative command prompt is better in practice: the output stays on screen and can be redirected to a file on your collection media as part of your notes.

Understanding the Output

When run, EDD checks the physical and logical drives on the system for encryption. The output (screenshot in the original post) reads as follows:

Physical Drive Check: EDD first checks the physical drives. In the example, it checks PhysicalDrive0 and reports its status.
Logical Volume Check: It then checks the logical volumes (partitions) on the physical drives, listing details for Drive C: and Drive D:.
Secondary Checks: EDD performs additional checks for BitLocker and for running processes belonging to encryption software.
Summary: Finally, it reports whether any encrypted volumes were detected.

Practical Uses

Forensic Investigations: EDD helps investigators quickly determine whether a drive is encrypted, which is critical for deciding how to proceed with acquisition and analysis.

Incident Response: During an incident, knowing that a drive is encrypted tells responders not to power the machine off before capturing memory and the mounted volume; pulling the plug on a system with mounted encrypted volumes can make their contents unrecoverable.

Conclusion

Magnet Encrypted Disk Detector is an essential tool for anyone involved in digital forensics, incident response, or data security. Its ability to check quickly and non-intrusively for encrypted volumes makes it invaluable for ensuring that sensitive data is identified and handled appropriately.

Akash Patel
- Unleashing the Power of DB Browser for Forensic Analysis
Introduction

DB Browser for SQLite (formerly SQLite Database Browser) is a free tool originally built to create, search, and modify SQLite databases. It has become a favourite not only of database administrators but also of forensic analysts, because many application artifacts are SQLite databases. This post walks through extracting browser artifacts with KAPE and analysing them in DB Browser, focusing on Google Chrome and Firefox. Internet Explorer and legacy Edge are collected by the same KAPE target, but their history lives in the ESE database WebCacheV01.dat rather than in SQLite, so those files need an ESE viewer (such as ESEDatabaseView) instead of DB Browser.

Extracting Browser Artifacts

Browser artifacts provide invaluable insight: browsing history, cookies, cache, downloads, and other user activity. One of the most efficient ways to extract them is with KAPE (Kroll Artifact Parser and Extractor), which copies the files from a live system (or a mounted image) even while the running browser holds them locked, and preserves their timestamps.

Using KAPE to Extract Artifacts

1. Download KAPE and extract it on your system.
2. Run KAPE with the following command:

kape.exe --tsource C: --target WebBrowsers --tdest C:\Kape\Kapeoutput\ --vhdx output

--tsource C: is the source drive (usually C:).
--target WebBrowsers selects the browser artifacts to collect.
--tdest C:\Kape\Kapeoutput\ is the destination folder for the collected files.
--vhdx output packages the collected files into a virtual hard disk whose name is built from the given base name.

3. Review the output: KAPE produces a VHDX containing the collected files in their original directory structure. Mount it read-only (or extract from it) before analysis.

Analyzing Artifacts with DB Browser

1. Install DB Browser: Download and install DB Browser for SQLite (the original post links to the download).
2. Open the artifact in DB Browser: Navigate to the extracted files. Chrome's history database is the file named History (no extension) under the profile's User Data\Default folder; Firefox's is places.sqlite in the profile folder. Open it with DB Browser (File > Open Database Read Only, or right-click the file and choose "Open with DB Browser"). Keep any accompanying -wal and -journal files next to the database, or the most recent activity still sitting in the write-ahead log will be missing from what you see.
3. Explore the data: Use the Browse Data tab to navigate tables and records, for example urls and visits in Chrome or moz_places and moz_historyvisits in Firefox.
4. Convert timestamps: Browser timestamps are not plain Unix epoch values. Chrome stores WebKit timestamps, microseconds since 1601-01-01 UTC; Firefox stores microseconds since the Unix epoch (1970-01-01 UTC). An epoch converter such as the online Epoch Converter can translate them once you know which format you are looking at, and DB Browser's Execute SQL tab can do the conversion inside the query.

Practical Tips for Forensic Analysis

Identify Key Tables: Focus on tables that store user activity such as history, cookies, and downloads.
Use SQL Queries: Write custom SQL queries to extract specific information quickly.
Correlate Data: Cross-reference data between tables and artifacts to build a timeline of user activity.

Conclusion

DB Browser, combined with KAPE, provides a powerful toolkit for forensic analysis of browser artifacts. By following the steps above, you can extract, analyse, and interpret data from popular web browsers, turning raw data into meaningful insight. Whether you are investigating a security incident or performing routine checks, these tools can significantly enhance your forensic capabilities.

Akash Patel
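As an added example (not code from the original post), here is how the query and the timestamp conversion look outside the DB Browser GUI: a constructed miniature of Chrome's History database with the urls and visits tables, queried with the same SQL you would paste into DB Browser's Execute SQL tab, plus a converter for each browser's timestamp format. The column names are Chrome's and Firefox's real ones; the rows, URLs and times are made up.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

# Chromium/WebKit epoch: Chrome History stores microseconds since 1601-01-01 UTC.
WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def webkit_to_datetime(us: int) -> datetime:
    """Chrome History: urls.last_visit_time and visits.visit_time (microseconds since 1601-01-01 UTC)."""
    return WEBKIT_EPOCH + timedelta(microseconds=us)


def prtime_to_datetime(us: int) -> datetime:
    """Firefox places.sqlite: moz_places.last_visit_date and moz_historyvisits.visit_date
    (microseconds since the Unix epoch, 1970-01-01 UTC)."""
    return datetime.fromtimestamp(us / 1_000_000, tz=timezone.utc)


def build_sample_history() -> sqlite3.Connection:
    """Constructed miniature of Chrome's History database (real column names, made-up rows)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE urls(id INTEGER PRIMARY KEY, url TEXT, title TEXT,
                          visit_count INTEGER, last_visit_time INTEGER);
        CREATE TABLE visits(id INTEGER PRIMARY KEY, url INTEGER,
                            visit_time INTEGER, transition INTEGER);
    """)
    conn.executemany("INSERT INTO urls VALUES (?, ?, ?, ?, ?)", [
        (1, "https://intranet.example.com/login", "Sign in", 2, 13350000000000000),
        # a raw-IP URL with a base64-looking query string: the kind of entry worth a second look
        (2, "http://198.51.100.23/upd.php?x=aGVsbG8", "", 1, 13350000600000000),
    ])
    conn.executemany("INSERT INTO visits VALUES (?, ?, ?, ?)", [
        (1, 1, 13349999000000000, 0),
        (2, 1, 13350000000000000, 0),
        (3, 2, 13350000600000000, 0),
    ])
    return conn


def visit_timeline(conn: sqlite3.Connection) -> list:
    """Join every visit to its URL, oldest first, and render the WebKit timestamps as UTC.
    The SELECT is the same one you would run in DB Browser's Execute SQL tab."""
    rows = conn.execute("""
        SELECT v.visit_time, u.url, u.title
        FROM visits AS v JOIN urls AS u ON u.id = v.url
        ORDER BY v.visit_time
    """).fetchall()
    return [(webkit_to_datetime(t).strftime("%Y-%m-%d %H:%M:%S UTC"), url, title)
            for t, url, title in rows]


if __name__ == "__main__":
    for when, url, title in visit_timeline(build_sample_history()):
        print(when, url, title)
```

Inside DB Browser the same conversion can be done in SQL without leaving the tool: SELECT datetime(last_visit_time / 1000000 - 11644473600, 'unixepoch'), url FROM urls; for Chrome, and datetime(last_visit_date / 1000000, 'unixepoch') for Firefox. The constant 11644473600 is the number of seconds between the 1601 and 1970 epochs, which is why the two functions above differ only in that offset.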
- MetaDiver: A Comprehensive Forensic Tool for Metadata Analysis
MetaDiver is a forensic tool designed to extract and analyze metadata from a wide range of file types.

Overview of MetaDiver

MetaDiver is forensic analysis software focused on metadata extraction from digital files. It is particularly useful for uncovering details that are not visible in a file's content, such as creation and modification dates, author information, and other metadata that can provide critical leads during investigations.

Key Features and Functionalities

Metadata Extraction: MetaDiver extracts a wide range of metadata from various file types, including documents, emails, images, and more: file creation and modification dates, authorship, file paths, and similar fields.
Support for Multiple File Types: MetaDiver supports a diverse array of formats, including but not limited to .DAT, .TXT, .PST, and .EML, which makes it useful for analysts dealing with mixed data sets.
Filtering and Search Capabilities: Users can filter by extension and include subdirectories, making it easier to manage and locate relevant files within a case. The search function lets analysts find specific metadata fields quickly.
Detailed Metadata View: MetaDiver shows every metadata field associated with a file, from standard fields such as size and extension to specific ones such as email headers and binary strings.
User-Friendly Interface: An intuitive interface guides users through adding evidence, processing files, and reviewing metadata, with a work queue for managing multiple files and a review pane for detailed analysis.

Types of Metadata Extracted (illustrated with screenshots in the original post)

File Information: Basic details such as extension, size, and path.
Date and Time Stamps: Creation, modification, and access dates.
Authorship and Ownership: Information about the creator or author of the file.
Email Metadata: For email files (.eml, .pst), sender and recipient addresses, subject lines, and email headers.
Custom Metadata Fields: Fields unique to certain file types or generated by specific software.

Detailed Analysis Example

In the screenshots, MetaDiver processes and extracts metadata from several files:

NTUSER.DAT: A user's registry hive, which holds registry settings and user activity data. It carries no embedded document metadata, so what MetaDiver shows for it is file-system metadata (size, path, timestamps); the activity inside it needs a registry parser.
ACTION NEEDED email: Metadata for this .eml file includes the sender (akash patel), the recipient (Axel Jeannot), and the email headers. The headers are what you use to trace the message path and judge authenticity: the Received chain, the Message-ID, and the authentication results (SPF, DKIM, DMARC), which a sender spoofing only the display name cannot easily forge end to end.
Sample .pst files: These contain multiple messages, with metadata such as file size, creation and modification dates, and the subject lines of the emails.

The extracted metadata gives forensic analysts a wealth of information for building timelines, verifying document authenticity, and uncovering details that can be crucial to an investigation.

Conclusion

MetaDiver is a versatile and robust tool for forensic analysis, offering metadata extraction across a wide range of file types. Its user-friendly interface and filtering and search functions make it a useful part of a digital forensic toolkit. By uncovering and analyzing metadata, it helps analysts piece together digital evidence and verify the authenticity of digital documents.

Akash Patel
- KAPE: Few Use Cases for Incident Responders
After numerous requests, I have compiled a list of practical use cases for KAPE (Kroll Artifact Parser and Extractor). Each item maps to a KAPE target (what to collect); the parsing is done by the corresponding KAPE module, many of which wrap Eric Zimmerman's tools. Below are everyday scenarios where KAPE is invaluable:

1. Check UserAssist for executed programs
2. Check Amcache and ShimCache for executed programs
3. Check LNK files for opened files
4. Check Jump Lists (AutomaticDestinations) for opened files
5. Check $MFT for file creation dates of illicit images, videos, etc.
6. Check $MFT and the USN journal for file knowledge
7. Check $I and $R files in the Recycle Bin for evidence of file deletion
8. Check Volume Shadow Copies for evidence of files that no longer exist on the current image
9. Check prefetch files for executed applications and their run counts
10. Check ShellBags for accessed folders and their timestamps
11. Check Windows event logs for logon attempts, system errors, and security events
12. Check browser history and cache for user internet activity
13. Check the Windows registry for startup programs and persistence mechanisms
14. Check scheduled tasks for unauthorized or suspicious tasks
15. Check RecentDocs for recently accessed documents
16. Check network logs and the DNS cache for evidence of suspicious network activity
17. Check System Restore Points for deleted or altered files
18. Check email clients' databases for evidence of communication
19. Check installed-software logs for traces of malicious applications
20. Check the pagefile and hibernation file for residual data from active sessions; both can hold remnants of memory, potentially revealing artifacts that no longer exist anywhere else on disk

Two caveats when collecting from a live system: ShimCache (AppCompatCache) is only written to the SYSTEM hive at shutdown, so the on-disk copy lags the live state; and the pagefile and hibernation file are only as useful as the memory they happened to capture, so collect RAM as well while the machine is still running.

By integrating KAPE into your digital forensic and incident response workflows, you can streamline investigations and improve your ability to uncover critical evidence, whether you are dealing with user activity, file access, or system anomalies.

Akash Patel
- USB MSC Device Forensics: A Quick Guide for Windows
Hey there, tech detectives! If you're digging into USB mass-storage devices on Windows 7 to 10, here is a guide to the registry keys and files that hold the important details. Work against the SYSTEM and SOFTWARE hives from C:\Windows\System32\config and the NTUSER.DAT of each user profile.

1. Vendor, Product, Version
Path: SYSTEM\CurrentControlSet\Enum\USBSTOR
The subkey name has the form Disk&Ven_<Vendor>&Prod_<Product>&Rev_<Version>. Record Vendor, Product, and Version.

2. USB Unique Serial Number ID
Path: SYSTEM\CurrentControlSet\Enum\USB (and the subkey under the USBSTOR entry above)
The serial number is the subkey name. If its second character is "&", the device reported no unique serial and Windows generated this value; it will not be consistent across machines.

3. Vendor-ID (VID) and Product-ID (PID)
Path: SYSTEM\CurrentControlSet\Enum\USB
Search for the USB serial number; the parent key name is VID_xxxx&PID_yyyy.

4. Volume GUID
Path: SYSTEM\MountedDevices
Search the value data for the USB serial number; the name of the matching \??\Volume{GUID} value gives the Volume GUID.

5. Drive Letter
Path: SYSTEM\MountedDevices
Find the \DosDevices\X: value whose data matches the Volume GUID's data. Only the last device mounted at a given letter is recorded here. Alternatively, search NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs for the volume name, or perform shortcut (LNK) file analysis and search for the volume name.

6. Volume Name
Path: SOFTWARE\Microsoft\Windows Portable Devices\Devices
Search for the USB serial number and match it with the volume name. (The drive letter is recorded here on Vista only.)

7. Volume Serial Number
Path: SOFTWARE\Microsoft\Windows NT\CurrentVersion\EMDMgmt
Search for the volume name or serial number. The subkey name ends with the volume name and the volume serial number in decimal; convert the serial to hex to match the volume serial stored in LNK files and Jump Lists. This key is populated by ReadyBoost's evaluation of removable media, so it is empty on systems whose OS drive is an SSD.

8. User of USB Device
Path: NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2
Search for the Volume GUID; the user whose hive contains it is the user who mounted the device.

9. First Time Device Connected
Path: C:\Windows\inf\setupapi.dev.log
Search for the unique serial number; the log records the first driver installation, in local system time (note the time zone).
Also (Windows 8 and later): SYSTEM\CurrentControlSet\Enum\USBSTOR\Ven_Prod_Version\<USB serial>\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0064
Value: a Windows 64-bit FILETIME (UTC); decode with DCode.

10. Last Time Device Connected
Path: SYSTEM\CurrentControlSet\Enum\USB\VID_xxxx&PID_yyyy
Search for the serial number and take the key's last-write time.
Or: NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{GUID}; search for the device's {GUID} key and take its last-write time.
Or (Windows 8 and later): SYSTEM\CurrentControlSet\Enum\USBSTOR\Ven_Prod_Version\<USB serial>\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0066
Value: a Windows 64-bit FILETIME (UTC); decode with DCode.

11. Time Device Removed
Path (Windows 8 and later): SYSTEM\CurrentControlSet\Enum\USBSTOR\Ven_Prod_Version\<USB serial>\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0067
Value: a Windows 64-bit FILETIME (UTC); decode with DCode.

Tips for Timestamps

The 0064, 0066 and 0067 property values are 64-bit FILETIMEs: 100-nanosecond ticks since 1601-01-01 UTC, stored little-endian. Use DCode (or any FILETIME decoder) to convert them, and keep in mind that setupapi.dev.log is in local time while these values are UTC.

There you go! Keep this guide handy, and you'll be a USB forensics whiz in no time. Happy investigating!

Akash Patel
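The two decoding steps the guide relies on, as an added example that is not from the original post: turning the raw 8-byte FILETIME stored in the 0064/0066/0067 property values into a UTC time (what DCode does for you), and converting the decimal volume serial at the end of an EMDMgmt subkey name into the hex form found in LNK files. The property values and the key name below are constructed samples in the documented layouts, not data from a real case, and the serial-number check from step 2 is included as well.

```python
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Property IDs under {83da6326-97a6-4088-9453-a1923f573b29} in the USBSTOR device key.
USB_PROPERTY_NAMES = {"0064": "first_install", "0066": "last_arrival", "0067": "last_removal"}


def filetime_to_datetime(raw: bytes) -> datetime:
    """Decode an 8-byte little-endian FILETIME: 100 ns ticks since 1601-01-01 UTC."""
    ticks, = struct.unpack("<Q", raw)
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def decode_usb_properties(props: dict) -> dict:
    """Map raw 0064/0066/0067 values (as read from the registry) to ISO-8601 UTC strings."""
    return {USB_PROPERTY_NAMES[k]: filetime_to_datetime(v).isoformat() for k, v in props.items()}


def is_windows_generated_serial(serial: str) -> bool:
    """A '&' as the second character means the device had no unique serial and Windows made one up."""
    return len(serial) > 1 and serial[1] == "&"


def parse_emdmgmt_key(name: str) -> dict:
    """Split an EMDMgmt subkey name of the form
    _??_USBSTOR#Disk&Ven_X&Prod_Y&Rev_Z#<usb serial>&0#{class-guid}<VolumeName>_<volume serial decimal>
    into its parts, giving the volume serial in the XXXX-XXXX hex form used by LNK files."""
    _prefix, device, usb_serial, tail = name.split("#", 3)
    volume_name, volume_serial_dec = tail.split("}", 1)[1].rsplit("_", 1)
    hex_serial = f"{int(volume_serial_dec):08X}"
    return {
        "device": device,
        "usb_serial": usb_serial.split("&")[0],
        "volume_name": volume_name,
        "volume_serial_hex": f"{hex_serial[:4]}-{hex_serial[4:]}",
    }


# Constructed sample values (documented layouts, made-up data).
SAMPLE_PROPERTIES = {
    "0064": struct.pack("<Q", 133458948000000000),  # tick count form: 2023-12-01 09:00:00 UTC
    "0066": bytes.fromhex("00c083ed8a49da01"),      # as a hex editor shows it: 2024-01-17 21:20:00 UTC
    "0067": bytes.fromhex("000ed7369149da01"),      # 2024-01-17 22:05:00 UTC
}
SAMPLE_EMDMGMT_KEY = ("_??_USBSTOR#Disk&Ven_SanDisk&Prod_Cruzer_Glide&Rev_1.00"
                      "#4C530001234567890123&0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}EVIDENCE_1234567890")


if __name__ == "__main__":
    for field, when in decode_usb_properties(SAMPLE_PROPERTIES).items():
        print(f"{field:14} {when}")
    info = parse_emdmgmt_key(SAMPLE_EMDMGMT_KEY)
    print(info, "windows-generated serial:", is_windows_generated_serial(info["usb_serial"]))
```

The hex form of the volume serial is what you search for in the LNK and Jump List volume-information blocks to tie a shortcut back to the device; the USB serial from the same key name is what you search for in setupapi.dev.log and the Enum\USB tree.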
- Windows Common Artifacts Paths for Forensics
In digital forensics, collecting and analyzing artifacts from the right system paths is crucial for uncovering valuable information. This post provides a PDF with a comprehensive list of the paths where key artifacts can be collected from Windows systems (the download link is in the original post). These artifacts provide insight into user activity, system events, and potential security incidents.

These paths and artifacts are critical for digital forensics professionals investigating user activity, system events, and security incidents on Windows systems. By collecting and analyzing data from these locations, investigators can uncover a wealth of information to support their investigations.

Akash Patel
- Enterprise-Wide Incident Response: Leveraging Logs and Data for Effective Threat Detection
In cybersecurity, incident response (IR) is the function that lets organizations detect, mitigate, and recover from security incidents. A robust IR capability requires access to various logs and data sources that provide insight into potentially malicious activity.

Key Logs for Incident Response

When responding to an incident, one of the first steps is to gather logs for egress connections. These logs are vital because they sit at the choke points for all traffic leaving the environment, which makes them the place to identify command and control (C2) endpoints and the compromised internal systems talking to them. The primary sources of egress connection logs are:

Firewall Logs: Capture all outbound connections and so give a complete view of egress traffic. Firewalls monitor and control network traffic according to predetermined rules; for IR the useful records are the connection (session) logs, including allowed connections and not only the denies, which is often not the default logging configuration.

DNS Logs: DNS logs are a powerful source for detecting malicious traffic. They reveal the domains and resolved IP addresses associated with known malware and botnets, and comparing them with known-bad domain lists quickly highlights potential threats.

Web-Filtering Device Logs: Web proxies and content filters restrict access to objectionable content and can detect malicious outbound traffic. Their logs reveal access to known-bad domains and the suspiciously long URLs malware uses for C2 or payload delivery.

The Power of DNS Data

DNS data can be instrumental in detecting malicious activity. Traditional antivirus may fail to detect a well-known malicious program, but its DNS lookups still appear in the logs. Two reasons DNS data is so valuable:

Static Domains: Many botnets and C2 channels use relatively static domains, making them easy to track in DNS logs.
Comparison with Blocklists: Tools such as dns-blacklists.py compare DNS server caches with lists of known malicious IPs and domains, such as those once provided by the Malware Domain List (now retired; any current threat-intelligence feed serves the same purpose). This quickly identifies compromised systems. Match parent domains as well as exact names, since C2 often sits on a subdomain of the listed domain, and use the query log rather than the server cache when you need to know which client asked.

Utilizing Web Proxy Content Filters

Most enterprises deploy web proxy content filters to manage and restrict employee access to websites. These devices are useful not only for enforcing internet usage policy but also during incident response:

Identifying Known Bad Actors: Check proxy logs against updated blocklists to identify access to known malicious IPs and domains.
Analyzing URL Lengths: Malware often uses long, encoded URLs for C2 communication or payload delivery. Legitimate sites also use long URLs, so combine this indicator with other signs of compromise.
Reviewing User Agent Strings: Anomalies in user agent strings, such as outdated browser versions, an unexpected operating system, or a string that matches no browser at all, can indicate malware.

Detecting Beaconing Activity

Modern malware typically beacons to its C2 server intermittently rather than maintaining a persistent connection. Detecting this requires connection logs taken at (or on the inside of) the egress firewall that performs Network Address Translation (NAT): after NAT every internal host appears as the same public address, so logs taken beyond that point cannot tell you which machine is beaconing. Regularly spaced outbound connections to the same destination, or a series of connections whose intervals vary only within a fixed jitter window, indicate beaconing.

Pulling Data from Multiple Systems

In an enterprise, gathering data from multiple systems at once is crucial. The Windows Management Instrumentation Command-line (WMIC) tool can collect a software inventory across many systems efficiently. For example:

C:\> wmic /node:@systems.txt product get name, version, vendor /format:csv > SoftwareInventory.txt

This retrieves the software inventory from every system listed in systems.txt, giving an overview of installed software that is essential for identifying vulnerable or unauthorized applications. Two caveats: wmic product queries the Win32_Product class, which makes Windows Installer run a consistency check on every installed MSI package (slow, and it writes repair events to the Application log on each host), and WMIC is deprecated in current Windows releases. Reading the Uninstall keys (HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall and the Wow6432Node equivalent) over PowerShell remoting gives the same inventory without those side effects.

Conclusion

Effective incident response relies on leveraging various data sources to detect and mitigate threats. Firewall logs, DNS logs, and web-filtering logs give responders critical insight into malicious activity.

Akash Patel
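Two of the checks described in this post, beacon detection over NAT-side firewall connection logs and matching DNS queries (including subdomains) against a blocklist, as an added example: this is not code from the original post and not the dns-blacklists.py script it mentions. The log lines, blocklist and addresses are constructed, and the firewall line format is one assumed for the example, so adapt the regular expression to your vendor's format.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed connection-log lines from an egress firewall, taken on the inside of the NAT
# so the internal source address is still visible. The line format is assumed for this example.
FIREWALL_LOG = """\
2024-01-17T21:00:00Z ALLOW TCP 10.0.5.17:51002 -> 198.51.100.23:443
2024-01-17T21:01:00Z ALLOW TCP 10.0.5.17:51010 -> 198.51.100.23:443
2024-01-17T21:02:01Z ALLOW TCP 10.0.5.17:51021 -> 198.51.100.23:443
2024-01-17T21:03:00Z ALLOW TCP 10.0.5.17:51030 -> 198.51.100.23:443
2024-01-17T21:04:00Z ALLOW TCP 10.0.5.17:51044 -> 198.51.100.23:443
2024-01-17T21:00:12Z ALLOW TCP 10.0.5.42:49200 -> 203.0.113.80:443
2024-01-17T21:07:45Z ALLOW TCP 10.0.5.42:49231 -> 203.0.113.80:443
2024-01-17T21:08:03Z ALLOW TCP 10.0.5.42:49240 -> 203.0.113.80:443
2024-01-17T21:31:19Z ALLOW TCP 10.0.5.42:49302 -> 203.0.113.80:443
"""

# Constructed DNS query-log lines: time, client, record type, queried name.
DNS_LOG = """\
2024-01-17T21:00:00Z 10.0.5.17 A update-cdn.example.net
2024-01-17T21:00:30Z 10.0.5.42 A www.example.com
2024-01-17T21:01:00Z 10.0.5.17 A mail.bad-domain.example
"""
# Constructed blocklist; in practice this comes from a threat-intelligence feed.
BLOCKLIST = {"bad-domain.example", "c2.evil.example"}

LINE_RE = re.compile(r"^(\S+) ALLOW \w+ (\d+\.\d+\.\d+\.\d+):\d+ -> (\d+\.\d+\.\d+\.\d+):\d+$")


def parse_firewall_log(text: str) -> dict:
    """Group connection timestamps by (source, destination) pair."""
    pairs = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
            pairs[(m.group(2), m.group(3))].append(ts)
    return pairs


def find_beacons(pairs: dict, min_connections: int = 4, max_jitter: float = 0.1) -> list:
    """Flag pairs whose inter-connection intervals are nearly constant.
    max_jitter is the allowed coefficient of variation (std dev / mean) of the gaps;
    raise it to catch implants that randomise their sleep within a window."""
    suspects = []
    for (src, dst), times in pairs.items():
        if len(times) < min_connections:
            continue
        times = sorted(times)
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue
        cv = statistics.pstdev(gaps) / mean
        if cv <= max_jitter:
            suspects.append((src, dst, round(mean), round(cv, 3)))
    return suspects


def match_dns_blocklist(text: str, blocklist: set) -> list:
    """Return (time, client, name) for queries whose name, or any parent domain, is listed."""
    hits = []
    for line in text.splitlines():
        ts, client, _rtype, name = line.split()
        labels = name.lower().rstrip(".").split(".")
        candidates = {".".join(labels[i:]) for i in range(len(labels))}
        if candidates & blocklist:
            hits.append((ts, client, name))
    return hits


if __name__ == "__main__":
    for src, dst, period, cv in find_beacons(parse_firewall_log(FIREWALL_LOG)):
        print(f"possible beacon {src} -> {dst}: every ~{period}s (jitter cv={cv})")
    for ts, client, name in match_dns_blocklist(DNS_LOG, BLOCKLIST):
        print(f"blocklisted lookup {ts} {client} {name}")
```

On the sample, 10.0.5.17 connects to 198.51.100.23 every 60 seconds with a second or so of drift and is flagged; 10.0.5.42's four connections are irregular browsing and are not. Regular timing alone is also produced by update checks and monitoring agents, so treat a hit as a lead to confirm against the destination's reputation and the process on the host, not as a verdict.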
- Effective Incident Response: Containment and Eradication
In cybersecurity, responding to incidents promptly and effectively is crucial. This guide covers best practices in incident response, focusing on identification, containment, and eradication.

Failure to Take Complete Notes: The most common error incident handlers make is failing to take comprehensive notes. Detailed documentation is essential for understanding the incident and for legal purposes: who did what, on which system, at what time, and with which tool.

Forensic Imaging

Critical Importance: A good forensic image is crucial. Without it, you risk the integrity of the data and its admissibility in court.
System Backups: Often systems have not been backed up in years, so forensic imaging is also what preserves irreplaceable data.
Tools: Use dd for bit-by-bit imaging on UNIX-like systems (ports exist for Windows). For memory analysis the Volatility Framework is the standard choice; Rekall, the Google-backed alternative, is no longer maintained.
Cryptographic Hashes: Hash the image at acquisition and again before analysis; matching values demonstrate that the evidence has not changed since collection. Record the hash in your notes.
Write Blockers: Prevent write operations to the disk, preserving the state of the evidence. Available in hardware and software forms. Not always feasible, especially for live systems.
Drive Duplicators: Faster imaging with on-the-fly hash calculation. Ideal for frequent imaging tasks.
Disk Size Consideration: The destination drive should be at least 10% larger than the original to account for file system overhead and metadata.

Short-term Containment

Goals:
Stop Attack Progress: Prevent further damage without altering the impacted system.
Keep Drive Image Intact: Until an image has been taken.

Methods:
Network Isolation: Disconnect network access from the impacted system. Removing power also isolates it, but destroys volatile memory (running processes, network connections, encryption keys); capture memory first if you need it.
Switch Port Isolation: Use the switch infrastructure to isolate the impacted machine.
VLAN Isolation: Place the system on an isolated VLAN so that it can keep communicating (and the attacker's session can be observed) without spreading the infection.
DNS Alteration (an important and useful method): Change DNS records so that traffic is redirected to a secure machine. This mitigates attacks that reach the victim by hostname; it does nothing against an attacker who connects by IP address.

Long-term Containment

Actions:
Patching: Apply patches to the system and neighbouring systems.
Intrusion Prevention: Insert an IPS or in-line Snort/Suricata.
Routing Changes: Null routing and firewall rules.
Account Management: Remove attacker accounts and shut down backdoors.

Eradication

Preparation: Implement temporary solutions to keep production running while preparing for eradication.

Protection Techniques:
Firewall/Router Filters: Apply appropriate filters.
System Relocation: Move the system to a new name and IP address (very useful).
DNS Changes: Change DNS names to avoid further attacks (very useful).

Vulnerability Analysis:
System and Network Analysis: Perform detailed vulnerability assessments.
Port Scanning: Use tools such as Nmap.
Vulnerability Scanners: Nessus, OpenVAS, Rapid7 Nexpose, and Qualys help identify vulnerabilities.

Attack Patterns: Attackers often exploit multiple machines using the same method. Search for the same vulnerability, the same persistence mechanism, and the same indicators across the environment, not just on the machine that raised the alert.

Conclusion

Effective incident response involves strategic containment and thorough eradication. By adhering to these practices, organizations can significantly enhance their resilience against cyber threats and ensure swift recovery from incidents.

Akash Patel
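Hashing appears twice on this page: the IR script in the first post computes MD5 and SHA256 for files under the Start Menu, System32 and the temporary directories, and this post relies on hashes to prove an image is unchanged since collection. Here is one added example (not the author's script and not code from the original posts) that does both: a single-pass dual hash of every file under a directory, written out as CSV, and a verification of an acquired file against the hash recorded at acquisition. The sample files are created in a temporary directory by the block itself.

```python
import csv
import hashlib
import io
import os
import tempfile

CHUNK_SIZE = 1024 * 1024  # 1 MiB reads, so memory dumps and disk images never load into RAM


def hash_file(path: str) -> tuple:
    """One pass over the file computing MD5 and SHA-256 together."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK_SIZE), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return md5.hexdigest(), sha256.hexdigest()


def hash_directory(root: str, extensions: set = None) -> list:
    """Walk root and return (path, size, md5, sha256) per file; extensions such as
    {'.exe', '.dll', '.pf'} restricts the walk. Unreadable files (locked, access denied)
    are recorded with size -1 and empty hashes instead of aborting the collection."""
    rows = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if extensions and os.path.splitext(name)[1].lower() not in extensions:
                continue
            path = os.path.join(dirpath, name)
            try:
                md5, sha256 = hash_file(path)
                rows.append((path, os.path.getsize(path), md5, sha256))
            except OSError:
                rows.append((path, -1, "", ""))
    return rows


def rows_to_csv(rows: list) -> str:
    """Render the inventory as CSV text (write it to your collection media, not the system drive)."""
    out = io.StringIO()
    writer = csv.writer(out)
    writer.writerow(["path", "size", "md5", "sha256"])
    writer.writerows(rows)
    return out.getvalue()


def verify_image(path: str, expected_sha256: str) -> bool:
    """Re-hash an acquired image and compare with the value recorded at acquisition time."""
    return hash_file(path)[1] == expected_sha256.strip().lower()


def demo() -> tuple:
    """Constructed sample: two small files in a temporary directory. Returns the inventory
    rows (file names only) and the result of verifying one file against a known hash."""
    with tempfile.TemporaryDirectory() as tmp:
        with open(os.path.join(tmp, "abc.txt"), "wb") as f:
            f.write(b"abc")
        open(os.path.join(tmp, "empty.bin"), "wb").close()
        rows = sorted(hash_directory(tmp))
        # SHA-256("abc") as an acquisition record might list it (upper case, as some tools print)
        ok = verify_image(os.path.join(tmp, "abc.txt"),
                          "BA7816BF8F01CFEA414140DE5DAE2223B00361A396177A9CB410FF61F20015AD")
        return [(os.path.basename(p), size, md5, sha) for p, size, md5, sha in rows], ok


if __name__ == "__main__":
    rows, ok = demo()
    print(rows_to_csv(rows))
    print("image verified:", ok)
```

Both digests are computed in the same pass because the expensive part is reading the file, not hashing it; MD5 is kept only because older reports and tools still quote it, while SHA-256 is the value to rely on. Hash the image before any analysis touches it and again afterwards, and the inventory CSV of a compromised host becomes far more useful once its SHA-256 column is compared against a known-good baseline or a reputation service.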
- NirSoft Network Usage View (NUV): Streamlining SRUM Analysis
The landscape of digital forensics is ever-changing, with tools and techniques evolving to meet the demands of modern investigations. One recent addition to the set of SRUM analysis tools is NirSoft's Network Usage View (NUV).

Link: https://www.nirsoft.net/utils/network_usage_view.html

Introduction to NUV

NUV, like many NirSoft tools, is free and user-friendly, and designed to assist triage. On launch it displays the host system's own SRUM data, but it can also be pointed at the SRUM database from a mounted image for offline analysis.

Loading SRUM Data with NUV

To load SRUM data from a specific image, such as the Donald Blake image used here:

1. Access Advanced Options: From the menu bar, select "Options" and then "Advanced Options."
2. Select External SRUMDB.dat: Under the "Load network usage data from:" dropdown, choose "External SRUMDB.dat database."
3. Navigate to the SRUM Database: Click the "..." button and browse to the SRUM database on the mounted image (C:\Windows\System32\sru\SRUDB.dat). If the image came from a system that was not shut down cleanly, the database may be in a dirty state and need repair with esentutl before any ESE viewer can open it; do that on a working copy, never on the original.

Analyzing SRUM Data with NUV

Once the target database is loaded, NUV shows which applications ran in each hour, the user account responsible for each, and the inbound and outbound network traffic per application per hour. This is invaluable for understanding user activity and network behaviour, and for putting a number on how much data left a machine and when.

What's Missing in NUV?

NUV omits the network the system was connected to at a given time. That gap is easily filled with another tool; my preference is ESEDatabaseView, which I covered in a separate post:

https://www.cyberengage.org/post/examining-srum-with-esedatabaseview

Conclusion

NUV by NirSoft is a valuable addition to the toolkit of digital forensic analysts, streamlining SRUM analysis and giving quick access to network usage data. While it does not offer a complete picture on its own, combined with other tools and techniques it becomes a powerful asset in the quest for digital evidence.

Akash Patel
- SRUM: The Digital Detective in Windows
In today's digital age, the significance of digital evidence in investigations cannot be overstated. As technology evolves, so do the methods criminals use to cover their tracks. Enter the System Resource Usage Monitor (SRUM), a Windows component that has become a game-changer in digital forensic investigations.

Real-world Applications of SRUM

Corporate Espionage Investigations: Imagine a corporate system that has been compromised. SRUM data can identify applications covertly exfiltrating sensitive data to competitors or foreign entities, giving investigators invaluable leads.

Insider Threats: In cases of employee misconduct, SRUM can document suspicious activity such as large-scale data transfers from the corporate network to personal devices, pinpointing when and by which account data was moved and helping establish a timeline of events.

Refuting Baseless Claims: SRUM has also proven its worth in the courtroom. In one case, SRUM data conclusively refuted claims that evidence had been planted on a seized computer, demonstrating that no unauthorized access had occurred after seizure.

Understanding SRUM

What is SRUM? SRUM is part of the Windows Diagnostic Policy Service (DPS) and tracks system resource usage: which process ran, under which account, and how many bytes it sent and received, among other metrics. Introduced with Windows 8, it is enabled by default on all editions, including Enterprise. The data lives in the ESE database C:\Windows\System32\sru\SRUDB.dat, and the registry key SOFTWARE\Microsoft\Windows NT\CurrentVersion\SRUM\Extensions lists the providers that feed it.

Accessing and Managing SRUM Data

Task Manager Insights: Users get a glimpse of SRUM data in Task Manager's "App history" and "Details" tabs, which show per-application statistics over roughly the last 30 days. Clicking "Delete usage history" there does not erase the SRUM database immediately, so the data may survive a user's attempt to clear it; how long it survives depends on the retention and purging behaviour described next.

Data Retention: SRUM retains roughly 30 days of data, though testing shows that extended periods of system inactivity can lead to purging of older records, and it is not uncommon to find up to 60 days of history. One caveat for live collection: SRUM accumulates data in memory and flushes it to SRUDB.dat about once an hour (and at a clean shutdown), so the on-disk database can lag the current hour's activity, and a hard power-off loses whatever had not yet been flushed.

Key Takeaways

SRUM offers a treasure trove of information to digital forensic analysts, including:

Applications running at specific times
User accounts associated with each application
Network bandwidth usage per application
Network connections, including dates, times, and connected networks

Final Thoughts

SRUM has changed how digital forensic investigations are conducted, offering deeper insight into user activity and system behaviour. As technology continues to evolve, so will the tools and methods employed by both investigators and criminals. With SRUM in their arsenal, investigators are better equipped than ever to establish what actually happened on a machine.

Akash Patel