SRUM (System Resource Usage Monitor) Analysis
Often referred to as a "forensic goldmine," the System Resource Usage Monitor (SRUM) provides extensive historical data on process and network activity. Active on Windows 8 and later, SRUM utilizes an Extensible Storage Engine (ESE) database file named SRUDB.dat, located at C:\Windows\System32\sru\. This database logs detailed resource usage metrics over a rolling period, typically retaining data for approximately 30 to 60 days.
SRUM tracks a wealth of information highly relevant to investigations, including:
Process Execution History: Records processes that have run, including their executable names, paths, and the user context (SID) under which they ran. This provides a longer-term execution history than Prefetch or BAM might offer for specific instances.
Network Activity: Monitors network data (bytes sent and received) on a per-application and per-network-interface basis. It also tracks network connection durations. This is invaluable for identifying applications communicating over the network, potentially revealing connections made by cheats, loaders, or C2 frameworks.
Resource Consumption: Logs CPU time (distinguishing between foreground and background usage), disk I/O operations (reads/writes), and other resource metrics per application.
Push Notifications: The PushNotifications table within the database records details about application push notifications, including the AppID responsible and timestamps, which can sometimes help attribute activity to specific applications like cheat launchers.
Application Uptime: The AppTimelineProvider data tracks application focus time (Foreground Time), useful for correlating application usage with user activity periods.
Due to the richness and historical depth of the data, SRUM analysis can often uncover evidence of execution, network communication, or user activity patterns that persist long after other volatile artifacts have been cleared or overwritten. The standard tool for parsing the SRUDB.dat ESE database is SrumECmd (Eric Zimmerman). This command-line tool exports the various tables within the database into CSV format, which can then be effectively analyzed using Timeline Explorer to filter, sort, and correlate data by time, user, application, network details, etc. Note that some timestamps within SRUM output might be in Epoch format and require conversion using online or offline epoch converter tools for human-readable analysis.
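As an added example (not from this page or from the SrumECmd project), the script below post-processes a network-usage CSV of the kind SrumECmd exports: it normalises mixed epoch and human-readable timestamps to UTC, aggregates bytes sent and received per executable and user over the retention window, and flags upload-heavy binaries for review. The column names and the sample rows are constructed assumptions, not SrumECmd's documented schema.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample rows modelled on a per-application network usage export.
# Column names are assumed for this example; timestamps are deliberately mixed
# between 'YYYY-MM-DD HH:MM:SS' and raw Unix epoch seconds.
SAMPLE_CSV = """Timestamp,ExeInfo,UserName,BytesSent,BytesReceived
2024-03-01 10:00:00,\\Device\\HarddiskVolume3\\Windows\\System32\\svchost.exe,SYSTEM,10240,204800
1709287200,\\Device\\HarddiskVolume3\\Users\\alice\\AppData\\Local\\Temp\\loader.exe,alice,52428800,1048576
2024-03-01 11:00:00,\\Device\\HarddiskVolume3\\Users\\alice\\AppData\\Local\\Temp\\loader.exe,alice,31457280,65536
1709294400,\\Device\\HarddiskVolume3\\Program Files\\Browser\\browser.exe,alice,2097152,104857600
"""


def to_utc(value: str) -> datetime:
    """Accept Unix epoch seconds or 'YYYY-MM-DD HH:MM:SS' and return an aware UTC datetime."""
    value = value.strip()
    if value.isdigit():
        return datetime.fromtimestamp(int(value), tz=timezone.utc)
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)


def summarize_network_usage(csv_text: str) -> dict:
    """Aggregate bytes sent/received and first/last seen per (executable, user)."""
    totals = defaultdict(lambda: {"sent": 0, "received": 0, "first": None, "last": None})
    for row in csv.DictReader(io.StringIO(csv_text)):
        entry = totals[(row["ExeInfo"], row["UserName"])]
        ts = to_utc(row["Timestamp"])
        entry["sent"] += int(row["BytesSent"])
        entry["received"] += int(row["BytesReceived"])
        entry["first"] = ts if entry["first"] is None else min(entry["first"], ts)
        entry["last"] = ts if entry["last"] is None else max(entry["last"], ts)
    return totals


def flag_egress_outliers(totals: dict, ratio: float = 10.0, min_sent: int = 10 * 1024 * 1024) -> list:
    """Return executables whose bytes sent exceed both a floor and a multiple of bytes received.
    Upload-heavy processes are worth reviewing against their on-disk path and user context."""
    flagged = []
    for (exe, user), t in totals.items():
        if t["sent"] >= min_sent and t["sent"] > ratio * max(t["received"], 1):
            flagged.append({"exe": exe, "user": user, **t})
    return sorted(flagged, key=lambda f: f["sent"], reverse=True)


if __name__ == "__main__":
    for hit in flag_egress_outliers(summarize_network_usage(SAMPLE_CSV)):
        print(f'{hit["user"]:<8} {hit["sent"]:>12} B sent  {hit["first"]:%Y-%m-%d %H:%M} -> {hit["last"]:%H:%M}  {hit["exe"]}')
```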