SRUM Database (SRUDB.dat)

windowsExecution EvidenceDisk Image

Location

C:\Windows\System32\sru\SRUDB.dat

Description

System Resource Usage Monitor ESE database tracking per-application resource consumption over 30-60 days, including network bytes sent/received, CPU time, energy usage, and associated user SID.

Forensic Value

SRUM provides historical quantitative evidence of application network usage that no other artifact captures. It can prove that rclone.exe transferred 50GB outbound to a specific network profile, or that a cryptominer consumed excessive CPU over weeks. Network usage per-app records persist even after the application is deleted. The user SID attribution enables identifying which account was responsible for the data transfer.

Tools Required

KAPESrumECmd (Eric Zimmerman)srum-dumpESEDatabaseView (NirSoft)

Acquisition Methods

FTK Imager Full Disk Image

windows — physical

EnCase Forensic Full Disk Image

windows — physical

dd / dc3dd Raw Disk Image

windows — physical

Guymager Full Disk Image

windows — physical

FTK Imager Logical Image (AD1)

windows — logical