## Introduction

SRUM (System Resource Usage Monitor) is a Windows artifact that records how system resources are used: which programs ran, under which user account, how much CPU time and energy they consumed, and how much network traffic each one sent and received. It has become especially valuable now that remote work over Remote Desktop is common, and in malware cases, because it preserves per-application network usage that is otherwise hard to reconstruct. For example, the timestamps SRUM keeps for each program are evidence that the program was in use during a certain period, and the network usage tables show which interface and network profile a program used and how many bytes it sent and received (SRUM does not record remote IP addresses). Since SRUM is rarely a target of anti-forensic activity, there is a good chance that it will be your last chance to recover a user action.

> [!NOTE]
> SRUM was introduced in Windows 8, so earlier versions such as Windows 7 do not have this artifact.

## Path

Like most Windows artifacts, SRUM leaves information both on the local file system and in the registry. The practical data lives under the local path; the registry holds supporting information (the extension GUIDs that identify each SRUM provider, and the MUICache, which maps application paths to friendly names).

**Local Path**
```
C:\Windows\System32\sru\*
```
**Registry Path**
```
1) SOFTWARE\Microsoft\Windows NT\CurrentVersion\SRUM\Extensions
2) Local Settings\Software\Microsoft\Windows\Shell\MUICache
```

## Data

In this chapter we look at what kind of information is stored in the log file and the data file, when it is stored, and what inferences can be drawn from it. The `sru` directory holds four kinds of files, described below. The important one is `SRUDB.dat`, so let us see what happens inside `SRUDB.dat`.

- dat : the ESE (JET Blue) database that holds the actual SRUM data
- log : ESE transaction log files (`SRU.log`, `SRU0000x.log`); changes are written here before they are committed to the database
- chk : ESE checkpoint file, recording which transaction logs have already been committed to the database
- jrs : ESE reserved transaction log files, pre-allocated so that logging can continue when the disk fills up

![[Untitled 25.png]]

**SRUDB.DAT**

All of the data SRUM collects ends up in `SRUDB.dat`. It holds four types of information:
- Live Process & Execution Command
- Network Connection Info & Network Usage (interface, network profile, bytes sent and received per application)
- Power and Resource Management
- Application Usage

We need a tool to turn the binary data into something readable. I prefer SrumECmd by Eric Zimmerman or srum-dump (the usage of the tools is not covered here), or an expensive commercial suite that parses everything, such as Magnet AXIOM, which I cannot use for financial reasons. When you parse a `SRUDB.dat` file, the result is written to the output path you give. Every required field must be filled in properly, and you get a little more information when you also supply the SOFTWARE hive.

![[%E1%84%89%E1%85%B3%E1%84%8F%E1%85%B3%E1%84%85%E1%85%B5%E1%86%AB%E1%84%89%E1%85%A3%E1%86%BA_2023-01-17_%E1%84%8B%E1%85%A9%E1%84%92%E1%85%AE_4.00.26.png]]

![[%E1%84%89%E1%85%B3%E1%84%8F%E1%85%B3%E1%84%85%E1%85%B5%E1%86%AB%E1%84%89%E1%85%A3%E1%86%BA_2023-01-17_%E1%84%8B%E1%85%A9%E1%84%92%E1%85%AE_4.04.43.png]]

> [!Warning] **How SRUM handles data**
>
> Because the data is saved in a file, many people think of SRUM as nonvolatile data. The file itself is nonvolatile, of course, but what matters is when the SRUM data is written to it. SRUM first collects its data in memory, which is why many analysts treat SRUM as volatile data.
>
> This may seem to contradict what was said above. To resolve the question we have to know how and when SRUM data is written. As mentioned before, SRUM records are first kept in memory. They are flushed to `SRUDB.dat` only periodically (roughly once an hour) and on a clean shutdown, so the files in the local path contain only what had been flushed by the last periodic write or the last clean shutdown; up to the most recent hour of activity can be missing.
>
> Then does every kind of power-off save the data?
> No.
>
> An unexpected loss of power, a system crash such as a blue screen, or a hardware fault that cuts the power gives SRUM no chance to flush, so the most recent records are lost and the database is left in a dirty-shutdown state, with uncommitted changes still sitting in the transaction logs.
>
> The main point of this callout is that SRUM data is partly volatile, so when the system is acquired live it is recommended to export the data manually before imaging it.

## Conclusion

SRUM is an artifact that contains a lot of data you would not expect to find. It is not used that often because of the credibility issues raised by its volatility, so it is most useful as a corroborating factor alongside other artifacts, or when program execution and network connection logs cannot be acquired because of anti-forensic activity.

## Tools

- srum-dump https://github.com/MarkBaggett/srum-dump
- SrumECmd

> [!info] Eric Zimmerman's tools
> [https://ericzimmerman.github.io/#!index.md](https://ericzimmerman.github.io/#!index.md)
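
The volatility callout above says the most recent records may never reach `SRUDB.dat`. Before parsing a collected copy, a practitioner wants to know whether the database was left in a clean or a dirty state, because a dirty database means the `SRU*.log` transaction logs still hold uncommitted changes and must be collected and replayed first. The following script is an added example written for this page (not code from the original post, from SrumECmd or from srum-dump): it reads only the ESE database header of a file such as `SRUDB.dat` and reports its shutdown state. The header offsets follow the publicly documented ESE/EDB file format; the `build_sample_header` helper constructs sample bytes so the script runs without a real database.

```python
"""Check the ESE database header of a file such as SRUDB.dat for its shutdown state.

Added example (not from the original post). SRUM stores its data in an
Extensible Storage Engine (ESE) database. The first bytes of that file are a
header whose "database state" field records whether the last shutdown was
clean. Offsets follow the public ESE/EDB format description.
"""
import struct

ESE_SIGNATURE = 0x89ABCDEF     # fixed file signature at offset 4
FILE_TYPE_DATABASE = 0         # offset 12: 0 = database, 1 = streaming file
HEADER_LEN = 240               # enough to reach the page size field at offset 236

# Values of the 32-bit "database state" field at header offset 52.
DB_STATES = {
    1: "JustCreated",
    2: "DirtyShutdown",
    3: "CleanShutdown",
    4: "BeingConverted",
    5: "ForceDetach",
}


def parse_ese_header(header: bytes) -> dict:
    """Parse the header fields that matter for triage and say if recovery is needed."""
    if len(header) < HEADER_LEN:
        raise ValueError("header too short: need at least %d bytes" % HEADER_LEN)
    signature, = struct.unpack_from("<I", header, 4)
    if signature != ESE_SIGNATURE:
        raise ValueError("not an ESE database (bad signature 0x%08X)" % signature)
    version, file_type = struct.unpack_from("<II", header, 8)
    state, = struct.unpack_from("<I", header, 52)
    page_size, = struct.unpack_from("<I", header, 236)
    return {
        "version": version,
        "file_type": file_type,
        "state": DB_STATES.get(state, "Unknown(%d)" % state),
        "page_size": page_size,
        # Anything other than CleanShutdown means the transaction logs are needed.
        "needs_recovery": state != 3,
    }


def check_database(path: str) -> dict:
    """Read just the header of an on-disk database copy and report its state."""
    with open(path, "rb") as fh:
        return parse_ese_header(fh.read(HEADER_LEN))


def build_sample_header(state: int, page_size: int = 8192) -> bytes:
    """Construct a minimal header with the given state (sample data, not a real SRUDB.dat)."""
    buf = bytearray(HEADER_LEN)
    struct.pack_into("<I", buf, 4, ESE_SIGNATURE)
    struct.pack_into("<II", buf, 8, 0x620, FILE_TYPE_DATABASE)
    struct.pack_into("<I", buf, 52, state)
    struct.pack_into("<I", buf, 236, page_size)
    return bytes(buf)


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        info = check_database(sys.argv[1])        # e.g. python srum_header.py SRUDB.dat
    else:
        info = parse_ese_header(build_sample_header(2))   # demo: a dirty-shutdown header
    print("state=%s page_size=%d" % (info["state"], info["page_size"]))
    if info["needs_recovery"]:
        print("Not in CleanShutdown state: collect SRU*.log, SRU.chk and SRU*.jrs "
              "from the same directory and replay the logs before parsing.")
```

If the state is anything but `CleanShutdown`, copy the whole `sru` directory, not just `SRUDB.dat`, and replay the logs on a working copy (for example with `esentutl /r sru /i` in that directory) before handing the database to a parser; otherwise the last hour of activity that the callout describes is exactly what you lose.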
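
The Introduction and Data sections above explain that SRUM's value lies in per-application network usage: how many bytes a program sent and received, when, and on which network profile. Once SrumECmd has turned `SRUDB.dat` into CSV, answering that question is a small aggregation job. The script below is an added example written for this page (not code from the original post or from SrumECmd): it reads a SrumECmd-style network usage CSV, totals traffic per user and executable, and flags programs that uploaded far more than they downloaded. The column names (`Timestamp`, `ExeInfo`, `UserName`, `BytesSent`, `BytesReceived`, `ProfileName`) are assumed to match the SrumECmd NetworkUsages output and the sample rows are constructed, so adjust the names if your tool version differs.

```python
"""Summarise per-application network usage from a SrumECmd NetworkUsages CSV.

Added example (not from the original post or from SrumECmd). Column names are
assumed to match SrumECmd's NetworkUsages output. SRUM aggregates traffic per
application in hourly buckets, so each row's Timestamp is the end of an hour
of activity rather than the moment of a single connection.
"""
import csv
import io
from datetime import datetime

# Constructed sample rows in the assumed SrumECmd layout (not real evidence).
SAMPLE_CSV = """Timestamp,ExeInfo,UserName,BytesSent,BytesReceived,ProfileName
2023-01-16 09:00:00,\\Device\\HarddiskVolume3\\Program Files\\Mozilla Firefox\\firefox.exe,DESKTOP\\alice,1048576,52428800,Office-WiFi
2023-01-16 10:00:00,\\Device\\HarddiskVolume3\\Users\\alice\\AppData\\Local\\Temp\\svchost.exe,DESKTOP\\alice,734003200,4096,Office-WiFi
2023-01-16 11:00:00,\\Device\\HarddiskVolume3\\Users\\alice\\AppData\\Local\\Temp\\svchost.exe,DESKTOP\\alice,524288000,8192,Office-WiFi
2023-01-16 11:00:00,\\Device\\HarddiskVolume3\\Windows\\System32\\mstsc.exe,DESKTOP\\alice,2097152,10485760,HomeNet
"""


def load_rows(text: str) -> list:
    """Parse CSV text into typed rows (timestamps as datetime, byte counts as int)."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        rows.append({
            "timestamp": datetime.strptime(row["Timestamp"], "%Y-%m-%d %H:%M:%S"),
            "exe": row["ExeInfo"],
            "user": row["UserName"],
            "sent": int(row["BytesSent"]),
            "received": int(row["BytesReceived"]),
            "profile": row["ProfileName"],
        })
    return rows


def summarise(rows: list) -> dict:
    """Total bytes per (user, exe) with first/last bucket seen and the profiles used."""
    summary = {}
    for r in rows:
        key = (r["user"], r["exe"])
        s = summary.setdefault(key, {
            "sent": 0, "received": 0,
            "first": r["timestamp"], "last": r["timestamp"],
            "profiles": set(),
        })
        s["sent"] += r["sent"]
        s["received"] += r["received"]
        s["first"] = min(s["first"], r["timestamp"])
        s["last"] = max(s["last"], r["timestamp"])
        s["profiles"].add(r["profile"])
    return summary


def exfil_candidates(summary: dict, min_sent: int = 100 * 1024 * 1024,
                     ratio: float = 10.0) -> list:
    """Programs that sent at least min_sent bytes and sent `ratio` times more than received.

    A browser normally receives far more than it sends; a program whose traffic
    is almost all upload is worth a closer look. Thresholds are arbitrary defaults.
    """
    hits = []
    for (user, exe), s in summary.items():
        if s["sent"] >= min_sent and s["sent"] >= ratio * max(s["received"], 1):
            hits.append((user, exe, s["sent"]))
    return sorted(hits, key=lambda h: h[2], reverse=True)


if __name__ == "__main__":
    rows = load_rows(SAMPLE_CSV)          # replace with open("NetworkUsages.csv").read()
    summary = summarise(rows)
    for (user, exe), s in sorted(summary.items(), key=lambda kv: kv[1]["sent"], reverse=True):
        print("%-14s sent=%12d recv=%12d %s..%s %s  %s" % (
            user, s["sent"], s["received"], s["first"], s["last"],
            ",".join(sorted(s["profiles"])), exe))
    for user, exe, sent in exfil_candidates(summary):
        print("UPLOAD-HEAVY: %s %s sent %d bytes" % (user, exe, sent))
```

In the constructed sample, the `svchost.exe` running from a user's Temp directory (a path a real `svchost.exe` never lives in) sent about 1.2 GB while receiving only a few kilobytes, which is the pattern the post's "unexpected data" remark is about: SRUM cannot tell you where the data went, but it tells you which program sent it, when, and on which network.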