SRUM (System Resource Usage Monitor)

DFIR Artifact for checking user running process if EDR is not present

SRUM usage

You can read about SRUM here https://isc.sans.edu/forums/diary/System+Resource+Utilization+Monitor/21927/, it will answer the question below

• What application was executed?

• How long the application ran for (execution time)?

• WHO or what SID was it running under?

How to access the SRUM

I can't find the SRUDB.dat on Windows Server 2016

Location: C:\Windows\System32\sru\SRUDB.dat but you must have a tool or software that can parse the information that is stored in that, most people will use this tool srum-dump (you have to download and move it to the machine that you want to investigate)

In the srum-dump repository on GitHub, you will also need to download the SRUM-DUMP template

The template

And then follow the instruction that is written in the repository after that you will dump the SRUM and excel file will look like this

The information that you dump from SRUDB.dat

You will have information like which application was run by whom (User SID) and the Time Creation and EndTime. Study Case:

• https://www.inversecos.com/2022/10/how-to-investigate-insider-threats.html
• https://isc.sans.edu/forums/diary/System+Resource+Utilization+Monitor/21927/

Refs

• https://www.youtube.com/watch?v=l6-83WU95Sw&ab_channel=SANSDigitalForensicsandIncidentResponse (the youtube talk about SRUM forensic