SRUM Forensics #DFIR
This is an important forensic artifact that is often missed during investigations.
It is a must-check artifact when you are doing incident handling for an organization that has suffered a targeted attack and data exfiltration is suspected.
The mess is real when you are doing cyber security incident handling and response for an organization with no packet capture, no IDS, no centralized log management, nothing.
To make things worse, the attacker has patched the vulnerabilities, cleaned up all the malware, wiped all the event logs and connected to a compromised nearby WiFi for data exfiltration, bypassing the firewall logs.
I live in a tiny country where all these scenarios are possible, as cyber security is often mistaken for a necessity only when there is a breach.
What is SRUM?
- First seen in Windows 8
- Part of Diagnostic Policy Service
- Technology that monitors desktop application programs, services, Windows apps and network connections
- Maintains database of historical activity!
If you open “Task Manager” in Windows 10, this is how it would look!
What does the SRUM database contain?
1. Network Connectivity
SRUM tracks periods of network connectivity (since Windows 8.1)
- Interface Type & ID
- Network Profile ID
- Time connection established
- Length of time connected
2. Network Data usage
Information available
- Application/Service/App consuming data (User SID)
- Bytes Uploaded & Downloaded
- Interface Type & ID
- Network Profile ID
NOT available
- Endpoint info (IP addresses, Port numbers)
- Specific data information (what was downloaded?)
3. Application Resource usage
Process Information
- CPU cycles
- Context switches
- I/O bytes read/written
- Number of read operations
- Number of write operations
- Number of Flushes
User Information
- SID of user who launched program
NOT available
- Memory, Threads, Handles, Cache or Kernel info
4. Windows push notifications
5. Energy usage
How to analyze SRUM artifact?
Download srum-dump by Mark Baggett
Copy the database from C:\Windows\System32\sru\SRUDB.dat
You will also need to copy the “SOFTWARE” registry hive.
Open a command prompt and run srum_dump2.exe
The SRUM artifact provides the resource usage of each process together with its network data (bytes sent and received), which can suggest whether data exfiltration took place from the system. It is also possible to narrow down which network interface (VPN, WiFi, LAN, etc.) the exfiltration went through.
Another useful trick on a workgroup computer is to add an advanced firewall rule that denies specific programs access to the internet.
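One way to triage the Network Data Usage export produced in the steps above, as an added example (not srum-dump's own code): it sums bytes sent and received per application and interface type, then flags upload-heavy pairs. It assumes a CSV export with the columns TimeStamp, App, User, InterfaceLuid, BytesSent and BytesRecvd (the rows below are constructed), and decodes the interface type from the top 16 bits of the Windows NET_LUID.

```python
import csv
import io
from collections import defaultdict

# IANA ifType values; Windows stores the type in the top 16 bits of a NET_LUID.
IF_TYPES = {6: "Ethernet", 23: "PPP/VPN", 71: "WiFi", 131: "Tunnel"}

# Constructed sample rows, not real SRUM data. Column names are assumed;
# match them to the header of your tool's "Network Data Usage" export.
SAMPLE_CSV = """TimeStamp,App,User,InterfaceLuid,BytesSent,BytesRecvd
2020-01-20 09:00:00,\\Device\\HarddiskVolume2\\Windows\\explorer.exe,S-1-5-21-1-2-3-1001,1688933746350016,4096,1048576
2020-01-20 10:00:00,\\Device\\HarddiskVolume2\\Windows\\explorer.exe,S-1-5-21-1-2-3-1001,1688933746350016,2048,524288
2020-01-20 03:00:00,\\Device\\HarddiskVolume2\\Users\\Public\\svchost.exe,S-1-5-21-1-2-3-1001,19984723497451520,734003200,81920
"""


def interface_name(luid):
    """Map a NET_LUID to a readable interface type (WiFi, Ethernet, VPN...)."""
    if_type = int(luid) >> 48
    return IF_TYPES.get(if_type, f"ifType {if_type}")


def summarize(csv_text):
    """Sum bytes sent/received per (application, interface type)."""
    totals = defaultdict(lambda: {"sent": 0, "recvd": 0})
    for row in csv.DictReader(io.StringIO(csv_text)):
        key = (row["App"], interface_name(row["InterfaceLuid"]))
        totals[key]["sent"] += int(row["BytesSent"])
        totals[key]["recvd"] += int(row["BytesRecvd"])
    return dict(totals)


def upload_heavy(totals, min_sent=100 * 1024 * 1024, ratio=10.0):
    """Return (app, interface) pairs that pushed out far more than they pulled
    in, above a minimum volume; a typical shape for bulk exfiltration."""
    hits = []
    for (app, iface), t in totals.items():
        if t["sent"] >= min_sent and t["sent"] > ratio * max(t["recvd"], 1):
            hits.append((app, iface))
    return sorted(hits)


if __name__ == "__main__":
    totals = summarize(SAMPLE_CSV)
    for (app, iface), t in sorted(totals.items()):
        print(f"{iface:8} {t['sent']:>12,} sent {t['recvd']:>12,} recvd  {app}")
    print("upload-heavy:", upload_heavy(totals))
```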
I am learning and will be attempting my GIAC GCFA certification, hopefully by the end of February 2020! After that, a Certified Forensic Analyst, woohoo!