SRUM
Overview
Evidence: SRUM
Description: Collect SRUM and Parse
Category: System
Platform: windows
Short Name: srum
Is Parsed: Yes
Sent to Investigation Hub: Yes
Collect File(s): Yes
Background
The System Resource Usage Monitor (SRUM) is a Windows feature introduced in Windows 8 that tracks application resource usage, network data consumption, and energy usage over time. The data is stored in an ESE database at C:\Windows\System32\SRU\SRUDB.dat.
SRUM provides historical information about application execution, network usage per application, and user activity patterns. This data persists for up to 60 days (configurable) and survives reboots.
Data Collected
This collector gathers structured data from the SRUM database.
SRUM Data
Application resource usage records:
| Field | Description | Example |
|---|---|---|
| AutoInc | Auto-increment ID | 1 |
| Timestamp | Time of the resource usage sample | 2023-10-15T14:30:00 |
| ApplicationName | Path to application | C:\Program Files\Chrome\chrome.exe |
| UserSID | User security identifier | S-1-5-21-… |
| Username | Username | DOMAIN\user |
| ForegroundCycleTime | CPU time in foreground | 12345678 |
| BackgroundCycleTime | CPU time in background | 5678901 |
| FaceTime | Time application was in focus | 3600000 |
| ForegroundContextSwitches | Context switches while foreground | 1234 |
| BackgroundContextSwitches | Context switches while background | 5678 |
| ForegroundBytesRead | Bytes read in foreground | 1048576 |
| ForegroundBytesWritten | Bytes written in foreground | 524288 |
| ForegroundNumReadOperations | Read operations in foreground | 100 |
| ForegroundNumWriteOperations | Write operations in foreground | 50 |
| ForegroundNumberOfFlushes | Flush operations in foreground | 10 |
| BackgroundBytesRead | Bytes read in background | 2097152 |
| BackgroundBytesWritten | Bytes written in background | 1048576 |
| BackgroundNumReadOperations | Read operations in background | 200 |
| BackgroundNumWriteOperations | Write operations in background | 100 |
| BackgroundNumberOfFlushes | Flush operations in background | 20 |

Network data usage records:
| Field | Description | Example |
|---|---|---|
| AutoInc | Auto-increment ID | 1 |
| Timestamp | Time of the network usage sample | 2023-10-15T14:30:00 |
| ApplicationName | Path to application | C:\Program Files\Chrome\chrome.exe |
| UserSID | User security identifier | S-1-5-21-… |
| Username | Username | DOMAIN\user |
| InterfaceLuid | Network interface LUID | 123456789 |
| ProfileID | Network profile identifier | 1 |
| ProfileFlags | Profile flags | 0 |
| BytesSent | Bytes sent over network | 10485760 |
| BytesRecvd | Bytes received over network | 52428800 |
Collection Method
This collector:
- Collects the SRUM database: Windows\System32\SRU\SRUDB.dat
- Uses the libesedb library to parse the ESE database format
- Extracts application resource usage records
- Extracts network data usage records
- Resolves SIDs to usernames
Forensic Value
SRUM provides unique historical visibility into application behavior and network usage patterns. Investigators use this data to establish application execution timelines (up to 60 days), identify data exfiltration volumes, track network usage per application, detect unauthorized application usage, correlate user activity with network traffic, identify resource-intensive malware, and establish baseline application behavior.
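As an added example (not part of this collector's documentation or code), the following Python takes parsed network data usage records in this page's field names, totals BytesSent and BytesRecvd per user and application, and flags upload-heavy entries that merit a closer look when sizing possible exfiltration. The records, the SID and the application paths are constructed; the thresholds are assumptions to tune per environment.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample records using the field names of the network data usage
# table above (not rows parsed from a real SRUDB.dat).
SAMPLE_NETWORK_RECORDS = [
    {"Timestamp": "2023-10-15T14:30:00", "ApplicationName": r"C:\Program Files\Chrome\chrome.exe",
     "UserSID": "S-1-5-21-1000", "BytesSent": 10_485_760, "BytesRecvd": 52_428_800},
    {"Timestamp": "2023-10-15T15:30:00", "ApplicationName": r"C:\Program Files\Chrome\chrome.exe",
     "UserSID": "S-1-5-21-1000", "BytesSent": 8_000_000, "BytesRecvd": 60_000_000},
    {"Timestamp": "2023-10-15T16:30:00", "ApplicationName": r"C:\Users\user\AppData\Local\Temp\sync.exe",
     "UserSID": "S-1-5-21-1000", "BytesSent": 3_000_000_000, "BytesRecvd": 1_500_000},
    {"Timestamp": "2023-10-15T17:30:00", "ApplicationName": r"C:\Users\user\AppData\Local\Temp\sync.exe",
     "UserSID": "S-1-5-21-1000", "BytesSent": 2_000_000_000, "BytesRecvd": 1_000_000},
]

def summarize_upload_volume(records):
    """Total BytesSent/BytesRecvd per (UserSID, ApplicationName), with the
    first/last sample time and the sent:received ratio that makes
    upload-heavy processes stand out among ordinary download-heavy ones."""
    totals = defaultdict(lambda: {"sent": 0, "recvd": 0, "first": None, "last": None})
    for r in records:
        key = (r["UserSID"], r["ApplicationName"])
        t = datetime.fromisoformat(r["Timestamp"])
        entry = totals[key]
        entry["sent"] += int(r["BytesSent"])
        entry["recvd"] += int(r["BytesRecvd"])
        entry["first"] = t if entry["first"] is None else min(entry["first"], t)
        entry["last"] = t if entry["last"] is None else max(entry["last"], t)
    for entry in totals.values():
        entry["ratio"] = entry["sent"] / max(entry["recvd"], 1)  # avoid division by zero
    return dict(totals)

def flag_upload_heavy(summary, min_sent=1024 ** 3, min_ratio=10.0):
    """Keys whose total upload is at least min_sent bytes (default 1 GiB, an
    assumed threshold) and whose sent:received ratio is at least min_ratio."""
    return sorted(k for k, v in summary.items()
                  if v["sent"] >= min_sent and v["ratio"] >= min_ratio)

if __name__ == "__main__":
    summary = summarize_upload_volume(SAMPLE_NETWORK_RECORDS)
    for sid, app in flag_upload_heavy(summary):
        v = summary[(sid, app)]
        print(f"{sid} {app}: sent={v['sent']} recvd={v['recvd']} "
              f"ratio={v['ratio']:.1f} window={v['first']}..{v['last']}")
```

On real output, join the flagged keys back to the application resource usage table on ApplicationName and UserSID to see whether the upload window matches foreground (interactive) or background activity.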