Windows forensics 3 : System Resource Utilization Monitor
Info, Blue Teaming, 2023
Description:
Today we’re going to see how we can retrieve a wealth of information about all the activities that occur on your machine.
What is SRUM:
- The Windows System Resource Usage Monitor (aka SRUM) is designed to track system resource utilization: things like CPU cycles, network activity and power consumption.
File Location:
C:\Windows\System32\sru\SRUDB.dat
How to copy the file in order to parse it:
- You can grab SRUDB.dat using FTK Imager (the file is locked while Windows is running, so it has to be read from the raw volume or a shadow copy rather than copied directly).
How to parse the SRUMDB.dat file :
- SRUM Dump extracts information from the System Resource Utilization Management Database and creates an Excel spreadsheet.
How to use srum_dump:
srum_dump.exe -i SRUDB.dat -o outfile.xlsx -t SRUM_TEMPLATE.xlsx -r SOFTWARE
- You can get user names from SIDs using this command
wmic useraccount get name,sid
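The whole procedure above (acquire the database and SOFTWARE hive, run srum_dump, map SIDs to accounts) as one added PowerShell example; it is not part of the original post, and the tool folder, case folder and the sample SIDs are assumptions.

```powershell
# Added example, not from the original post. Run from an elevated prompt.
# Assumptions: srum_dump.exe and SRUM_TEMPLATE.xlsx live in $Tools; results go to $Case.
$Tools = 'C:\Tools\srum_dump'   # placeholder path
$Case  = 'C:\case'              # placeholder path
New-Item -ItemType Directory -Path $Case -Force | Out-Null

# 1. SRUDB.dat is locked on a live system. esentutl's /vss switch copies it through a
#    volume shadow copy, so no separate imaging tool is needed (FTK Imager also works).
esentutl.exe /y "$env:SystemRoot\System32\sru\SRUDB.dat" /vss /d "$Case\SRUDB.dat"

# 2. srum_dump uses the SOFTWARE hive (-r) to resolve profile SIDs and network interfaces.
reg.exe save HKLM\SOFTWARE "$Case\SOFTWARE" /y

# 3. Parse the database into a spreadsheet (one sheet per SRUM provider table).
& "$Tools\srum_dump.exe" -i "$Case\SRUDB.dat" -o "$Case\srum.xlsx" `
    -t "$Tools\SRUM_TEMPLATE.xlsx" -r "$Case\SOFTWARE"

# 4. SID -> account name. Win32_UserAccount is the CIM equivalent of the post's
#    'wmic useraccount get name,sid' (wmic is deprecated on current Windows builds),
#    but it lists local accounts only. Translate() also resolves well-known SIDs such as
#    S-1-5-18 (SYSTEM) and S-1-5-19 (LOCAL SERVICE), which show up in SRUM rows.
function Resolve-SrumSid {
    param([Parameter(Mandatory)][string]$Sid)
    try {
        ([System.Security.Principal.SecurityIdentifier]$Sid).Translate(
            [System.Security.Principal.NTAccount]).Value
    } catch {
        "<unresolved: $Sid>"   # deleted or domain accounts may not resolve on this host
    }
}

Get-CimInstance Win32_UserAccount |
    Select-Object Name, SID |
    Export-Csv "$Case\local_accounts.csv" -NoTypeInformation

# Constructed sample: SIDs of the kind found in the spreadsheet's user SID column.
'S-1-5-18', 'S-1-5-19', 'S-1-5-21-1000000000-2000000000-3000000000-1001' |
    ForEach-Object { [pscustomobject]@{ SID = $_; Account = Resolve-SrumSid $_ } }
```

The constructed S-1-5-21 SID will come back as unresolved unless an account with that SID exists on the analysis host, which is the expected behaviour when the hive and database come from another machine.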