SRUM Database (SRUDB.dat)

Windows | Execution Evidence | Disk Image

Location

C:\Windows\System32\sru\SRUDB.dat

Description

System Resource Usage Monitor ESE database tracking per-application resource consumption over 30-60 days, including network bytes sent/received, CPU time, energy usage, and associated user SID.

Forensic Value

SRUM provides historical, quantitative evidence of application network usage that no other artifact captures. It can prove that rclone.exe transferred 50GB outbound on a specific network profile, or that a cryptominer consumed excessive CPU over weeks. Per-app network usage records persist even after the application is deleted. The user SID attribution identifies which account was responsible for the data transfer.

Tools Required

  • KAPE
  • SrumECmd (Eric Zimmerman)
  • srum-dump
  • ESEDatabaseView (NirSoft)

Collection Commands

KAPE

kape.exe --tsource C: --tdest C:\output --target SRUM

SrumECmd

SrumECmd.exe -f "C:\Windows\System32\sru\SRUDB.dat" -r C:\output\SOFTWARE --csv C:\output --csvf SRUM.csv

srum-dump

python3 srum_dump2.py -i "C:\Windows\System32\sru\SRUDB.dat" -t SRUM_TEMPLATE2.xlsx -o C:\output\srum_report.xlsx

PowerShell

Copy-Item "C:\Windows\System32\sru\SRUDB.dat" -Destination C:\output\
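As an added example (not from this page or from SrumECmd's authors), a short Python triage script over an SrumECmd NetworkUsages CSV export: it aggregates outbound bytes per executable, user SID and network profile, which is exactly the question the Forensic Value section describes. The sample rows are constructed, and the column names (Timestamp, ExeInfo, UserName, Sid, ProfileName, BytesSent, BytesReceived) are assumed from the tool's export; check them against your own CSV.

```python
import csv
import io
from collections import defaultdict

# Constructed sample rows in the shape of an SrumECmd NetworkUsages CSV export.
# Column names are assumed from the tool's output; adjust if your export differs.
SAMPLE_CSV = """Timestamp,ExeInfo,UserName,Sid,ProfileName,BytesSent,BytesReceived
2024-03-01 08:00:00,\\Device\\HarddiskVolume3\\Tools\\rclone.exe,CORP\\jdoe,S-1-5-21-1-2-3-1001,CorpWiFi,21474836480,1048576
2024-03-01 09:00:00,\\Device\\HarddiskVolume3\\Tools\\rclone.exe,CORP\\jdoe,S-1-5-21-1-2-3-1001,CorpWiFi,32212254720,2097152
2024-03-01 09:05:00,\\Device\\HarddiskVolume3\\Windows\\explorer.exe,CORP\\jdoe,S-1-5-21-1-2-3-1001,CorpWiFi,4096,8192000
2024-03-02 13:00:00,\\Device\\HarddiskVolume3\\Program Files\\Mozilla Firefox\\firefox.exe,CORP\\asmith,S-1-5-21-1-2-3-1002,HomeNet,52428800,3221225472
"""


def summarize_outbound(csv_text, min_bytes_sent=1 * 1024**3):
    """Sum BytesSent/BytesReceived per (exe, SID, profile) and return the
    entries whose total outbound meets min_bytes_sent, largest first."""
    totals = defaultdict(lambda: {"sent": 0, "received": 0,
                                  "first": None, "last": None, "user": ""})
    for row in csv.DictReader(io.StringIO(csv_text)):
        key = (row["ExeInfo"], row["Sid"], row["ProfileName"])
        t = totals[key]
        t["sent"] += int(row["BytesSent"])
        t["received"] += int(row["BytesReceived"])
        t["user"] = row["UserName"]
        ts = row["Timestamp"]  # ISO-style text, so lexical order is time order
        t["first"] = ts if t["first"] is None or ts < t["first"] else t["first"]
        t["last"] = ts if t["last"] is None or ts > t["last"] else t["last"]
    hits = []
    for (exe, sid, profile), t in totals.items():
        if t["sent"] >= min_bytes_sent:
            hits.append({"exe": exe, "sid": sid, "user": t["user"], "profile": profile,
                         "bytes_sent": t["sent"], "bytes_received": t["received"],
                         "first_seen": t["first"], "last_seen": t["last"]})
    hits.sort(key=lambda h: h["bytes_sent"], reverse=True)
    return hits


if __name__ == "__main__":
    for h in summarize_outbound(SAMPLE_CSV):
        print(f"{h['bytes_sent'] / 1024**3:.1f} GiB out  {h['exe']}  "
              f"{h['user']} ({h['sid']})  {h['profile']}  "
              f"{h['first_seen']} .. {h['last_seen']}")
```

On the constructed rows only rclone.exe under the jdoe SID on CorpWiFi exceeds the 1 GiB default, with 50 GiB sent across two hourly records; lower the threshold to list every (exe, SID, profile) tuple.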

Collection Constraints

  • Availability, retention, and field coverage depend on the Windows release, SKU, per-host audit policy, and user activity. Treat absence as inconclusive unless you verified the feature was enabled.

MITRE ATT&CK Techniques

  • T1041 (Exfiltration Over C2 Channel)
  • T1048 (Exfiltration Over Alternative Protocol)