System Resource Usage Monitor (SRUM)
Purpose and Function
The System Resource Usage Monitor (SRUM) is a feature in Windows (present from Windows 8 onwards) that provides detailed historical data on system resource consumption. Its primary purpose for the operating system is to track which applications and services are using resources like the CPU, network, and disk, which is valuable for power management and understanding application behavior over time.
For DFIR analysts, SRUM is often referred to as a "forensic goldmine". It maintains a rolling historical database (typically for 30-60 days) of process and network activity, making it an incredibly robust artifact that often retains evidence long after more volatile traces have been overwritten or deliberately cleared.
Location and Structure
SRUM data is stored in an Extensible Storage Engine (ESE) database, a type of database format also used by Microsoft Exchange and Active Directory.
Location:
C:\Windows\System32\sru\SRUDB.dat
The SRUDB.dat file is a complex, multi-table database that is typically locked by the system while Windows is running. Analysis requires specialized forensic tools capable of parsing ESE databases.
Stored Metadata
The SRUM database logs a wide array of detailed metrics for applications and services. The most forensically relevant information includes:
Process Execution History: It records which processes have run, including their full paths and the user context (SID) under which they were executed. This provides a longer-term execution history than artifacts like Prefetch or BAM.
Network Activity: This is a key feature. SRUM monitors network connectivity on a per-application basis, logging:
Bytes Sent and Received: The total amount of data transferred over both wired and wireless interfaces.
Network Interface: The specific network adapter used for the connection.
Connection Timestamps: When the application was connected to the network.
Resource Consumption: It logs metrics such as CPU time (distinguishing between foreground and background usage), disk I/O (reads and writes), and other performance counters for each application.
Application Uptime and Focus: Through tables like AppTimelineProvider, SRUM can track how long an application was in focus (i.e., the active foreground window), providing context on user interaction.
Forensic Value
The historical depth and breadth of data in the SRUM database make it an exceptionally powerful tool for an investigation.
Long-Term Historical Record: SRUM's ability to retain data for 30-60 days means it can provide evidence of activity that occurred long before an investigation began, often surviving multiple reboots and cleanup attempts.
Detecting Network-Aware Malware: The network monitoring capability is invaluable for identifying unauthorized applications that communicate over the network. It can prove that a specific process (e.g., a cheat loader) connected to the internet, which can be correlated with download or command-and-control (C2) activity.
Resilience to Tampering: While the SRUDB.dat file can be deleted, its absence is a highly suspicious indicator of anti-forensic activity. Unlike clearing individual Prefetch files or registry keys, wiping the entire SRUM database is a much more drastic and noticeable action.
Correlating User and System Activity: By combining process execution data with user SIDs and timestamps, SRUM helps analysts attribute specific activities to specific users and build a comprehensive timeline of events.
Due to its complexity, command-line forensic tools like Eric Zimmerman's SrumECmd are the standard for parsing the database and exporting its tables into a human-readable format (like CSV) for analysis.
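Once SrumECmd has exported the network usage table to CSV, the per-application byte counts described above can be rolled up per executable, tied to user and first/last-seen timestamps, and screened for processes that send far more than they receive. The following is an added example, not the page's or SrumECmd's own code; the column names Timestamp, ExeInfo, UserName, BytesSent and BytesReceived are assumed from a typical export, and the sample rows are constructed.

```python
"""Aggregate per-process network volume from a SrumECmd-style
NetworkUsages CSV export (added example, not SrumECmd's own code)."""
import csv
import io
from collections import defaultdict

# Constructed sample rows. Column names follow SrumECmd's NetworkUsages
# export as commonly seen; treat them as an assumption and adapt to the
# header row of your own export.
SAMPLE_CSV = """Timestamp,ExeInfo,UserName,BytesSent,BytesReceived,InterfaceType
2024-03-01 09:02:11,C:\\Windows\\System32\\svchost.exe,NT AUTHORITY\\SYSTEM,52000,4100000,IF_TYPE_ETHERNET_CSMACD
2024-03-01 09:15:40,C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe,DESKTOP\\alice,310000,88000000,IF_TYPE_ETHERNET_CSMACD
2024-03-01 23:41:05,C:\\Users\\alice\\AppData\\Local\\Temp\\updater.exe,DESKTOP\\alice,41000000,120000,IF_TYPE_IEEE80211
2024-03-02 00:02:19,C:\\Users\\alice\\AppData\\Local\\Temp\\updater.exe,DESKTOP\\alice,39000000,95000,IF_TYPE_IEEE80211
2024-03-02 08:30:00,C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe,DESKTOP\\alice,280000,67000000,IF_TYPE_ETHERNET_CSMACD
"""

def aggregate_network_usage(csv_text):
    """Return {exe_path: {sent, received, first_seen, last_seen, users}}.
    Timestamps are compared as strings, valid for same-format ISO values."""
    totals = defaultdict(lambda: {"sent": 0, "received": 0, "first_seen": None,
                                  "last_seen": None, "users": set()})
    for row in csv.DictReader(io.StringIO(csv_text)):
        rec = totals[row["ExeInfo"]]
        rec["sent"] += int(row["BytesSent"])
        rec["received"] += int(row["BytesReceived"])
        ts = row["Timestamp"]
        rec["first_seen"] = ts if rec["first_seen"] is None else min(rec["first_seen"], ts)
        rec["last_seen"] = ts if rec["last_seen"] is None else max(rec["last_seen"], ts)
        rec["users"].add(row["UserName"])
    return dict(totals)

def flag_uploaders(totals, min_sent=10_000_000, min_ratio=5.0):
    """Flag processes with large outbound volume that dwarfs inbound volume,
    a pattern worth a closer look. Thresholds are illustrative, not SRUM-defined."""
    flagged = []
    for exe, rec in totals.items():
        ratio = rec["sent"] / max(rec["received"], 1)
        if rec["sent"] >= min_sent and ratio >= min_ratio:
            flagged.append(exe)
    return sorted(flagged)

if __name__ == "__main__":
    totals = aggregate_network_usage(SAMPLE_CSV)
    for exe, rec in sorted(totals.items(), key=lambda kv: -kv[1]["sent"]):
        print(f"{exe}\n  sent={rec['sent']:,} recv={rec['received']:,} "
              f"{rec['first_seen']} .. {rec['last_seen']} users={sorted(rec['users'])}")
    print("Review:", flag_uploaders(totals))
```

Point the script at a real export by reading the CSV file into `aggregate_network_usage` instead of `SAMPLE_CSV`; the flagged paths are leads to correlate with Prefetch, BAM and proxy logs, not verdicts.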