Artifact Analysis: SRUM (System Resource Usage Monitor)

The core philosophy of SRUM is continuous telemetry collection for resource optimization. The Windows Diagnostic Policy Service (DPS) continuously monitors running processes, capturing metrics regarding CPU cycles, disk I/O, battery consumption, and network usage.

To minimize disk writes and system overhead, this data is temporarily held in memory and only committed to the physical database under two conditions:

  1. Every 60 minutes during standard operation.
  2. During a graceful system shutdown.

SRUM data is not stored in standard text logs or the Windows Registry; it relies on Microsoft’s internal database engine.

  • File Path: C:\Windows\System32\sru\SRUDB.dat
  • Format: Extensible Storage Engine (ESE). This is the same robust, transactional database format utilized by Active Directory (ntds.dit) and Microsoft Exchange.

Because it is an actively locked system file, acquiring SRUDB.dat during a live response requires raw disk access tools or volume shadow copy (VSS) extraction.

3. Data Structure: The Network Telemetry Grail

Parsing the ESE database reveals several tables ({Network Data}, {Application Resource Usage}, etc.). The correlation of these tables provides the ultimate forensic timeline.

Key metrics extracted from SRUM include:

  • Application Path: The absolute path of the executed binary.
  • User SID: The Security Identifier of the account that initiated the process, providing highly reliable attribution.
  • Network Bytes Sent / Received: The exact volume of traffic generated by the process over specific network interfaces (Wi-Fi, Ethernet).
  • Duration: The total active foreground and background time of the application.

SRUM is often the decisive artifact in investigations where standard network logging (e.g., proxy logs, PCAP) has rolled over or was intentionally blinded by threat actors.

When investigating insider threats or ransomware operations, proving data theft is critical. If Prefetch (.pf) Files show that an archiving tool (7z.exe) and an FTP client (ftp.exe) were executed sequentially, SRUM provides the missing link. It will reveal that 7z.exe had zero network activity, but ftp.exe sent exactly 750 MB of data outbound shortly after.

B. Detecting “Low and Slow” C2 Beacons

Advanced Persistent Threats (APTs) often utilize legitimate binaries (like powershell.exe or msbuild.exe) to establish Command and Control (C2) channels. Even if the traffic is TLS-encrypted, SRUM will persistently record the small, rhythmic outbound byte counts associated with beaconing behavior over a 60-day rolling window.

SRUM inherently links a process execution to a User SID. If an analyst observes network activity originating from svchost.exe (which normally operates under the SYSTEM, LOCAL SERVICE, or NETWORK SERVICE accounts), but SRUM attributes this specific execution to a standard user’s SID, it is a high-fidelity indicator of Process Hollowing or malicious thread injection.

To build an irrefutable timeline of malicious activity, DFIR analysts combine SRUM telemetry with other execution artifacts.

  1. Execution Timeline (Prefetch): Identify the precise execution time of a suspicious binary.
  2. Payload Identification (Amcache): Extract the SHA1 hash of the binary to cross-reference with Threat Intelligence platforms.
  3. Network Attribution (SRUM): Query the SRUM database at the exact Prefetch timestamp to measure the volume of data exfiltrated or received by that specific process hash.
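The two checks above (attributing svchost.exe to an unexpected user SID, and measuring outbound bytes for a binary around its Prefetch execution time) as an added worked example that is not part of this article or of any parser's code. It runs over a constructed CSV laid out like SrumECmd's network usage output; the column names are assumed, so compare them against the header your parser actually emits before using it on real data.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample rows in an SrumECmd-style NetworkUsages layout (column
# names assumed, SIDs and byte counts invented for the illustration).
SAMPLE_CSV = """Timestamp,ExeInfo,Sid,UserName,BytesSent,BytesReceived
2024-03-01 10:00:00,C:\\Program Files\\7-Zip\\7z.exe,S-1-5-21-1111-2222-3333-1001,CORP\\jdoe,0,0
2024-03-01 10:12:00,C:\\Windows\\System32\\ftp.exe,S-1-5-21-1111-2222-3333-1001,CORP\\jdoe,786432000,4096
2024-03-01 11:00:00,C:\\Windows\\System32\\svchost.exe,S-1-5-18,NT AUTHORITY\\SYSTEM,20480,1048576
2024-03-01 11:00:00,C:\\Windows\\System32\\svchost.exe,S-1-5-21-1111-2222-3333-1001,CORP\\jdoe,15360,2048
"""

# Well-known SIDs for SYSTEM, LOCAL SERVICE and NETWORK SERVICE: the accounts
# svchost.exe is expected to run under.
SERVICE_SIDS = {"S-1-5-18", "S-1-5-19", "S-1-5-20"}

def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")

def load_rows(csv_text):
    """Parse parser-style CSV rows into dicts with typed timestamp and byte counts."""
    rows = []
    for r in csv.DictReader(io.StringIO(csv_text)):
        r["Timestamp"] = parse_ts(r["Timestamp"])
        r["BytesSent"] = int(r["BytesSent"])
        r["BytesReceived"] = int(r["BytesReceived"])
        rows.append(r)
    return rows

def bytes_sent_near(rows, exe_name, prefetch_time, window_minutes=60):
    """Step 3 of the procedure: total outbound bytes recorded for exe_name after a
    Prefetch execution time. SRUM commits hourly, so the matching SRUM row can be
    stamped up to an hour later than the Prefetch timestamp; the window covers that."""
    start = parse_ts(prefetch_time)
    end = start + timedelta(minutes=window_minutes)
    return sum(r["BytesSent"] for r in rows
               if r["ExeInfo"].lower().endswith("\\" + exe_name.lower())
               and start <= r["Timestamp"] <= end)

def svchost_user_sid_anomalies(rows):
    """Rows where svchost.exe network activity is attributed to a non-service SID,
    the injection/hollowing indicator described above."""
    return [(r["Timestamp"], r["Sid"], r["UserName"]) for r in rows
            if r["ExeInfo"].lower().endswith("\\svchost.exe")
            and r["Sid"] not in SERVICE_SIDS]
```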

Due to the ESE database format, manual parsing is impossible. Specialized forensic parsers are required to reconstruct the tables into human-readable formats.

SrumECmd

Part of Eric Zimmerman’s Tools. SrumECmd.exe is the definitive command-line utility for parsing SRUDB.dat. It automatically resolves SIDs and outputs highly detailed, categorized CSV files.

KAPE (Kroll Artifact Parser and Extractor)

Utilize KAPE’s SRUM targets and modules to automatically acquire the locked file via VSS and parse it seamlessly during mass endpoint triage.