Overview
SRUM-DUMP is a forensic tool that extracts and parses data from the Windows System Resource Usage Monitor (SRUM) database. SRUM is a Windows feature introduced in Windows 8 that tracks detailed application resource usage including network data sent/received per application, application execution history with timestamps, energy usage statistics, push notifications, and Windows Timeline activity. This data is stored in an ESE (Extensible Storage Engine) database at C:\Windows\System32\sru\SRUDB.dat and retains up to 30-60 days of historical data.
For digital forensics and incident response, SRUM is invaluable because it provides evidence of program execution, network activity per process, and data transfer volumes that persist even after the processes have terminated and event logs have rolled over. SRUM data can prove that a specific application ran at a particular time, how much data it transferred over the network, and which network interfaces were used — critical evidence for establishing timelines of attacker activity, data exfiltration, and malware execution. The SRUM database survives many anti-forensic techniques since it is managed by the operating system and not easily tampered with.
Installation
SRUM-DUMP (Python)
```bash
# Install SRUM-DUMP
pip install srum-dump
# Or clone from GitHub
git clone https://github.com/MarkBaggett/srum-dump.git
cd srum-dump
pip install -r requirements.txt
# Verify
python srum_dump.py --help
```
SrumECmd (Windows)
```powershell
# Download SrumECmd from Eric Zimmerman's tools
# https://ericzimmerman.github.io/#!index.md
# Download via script
Invoke-WebRequest -Uri "https://f001.backblazeb2.com/file/EricZimmermanTools/net6/SrumECmd.zip" -OutFile SrumECmd.zip
Expand-Archive SrumECmd.zip -DestinationPath C:\Tools\SrumECmd
# Verify
C:\Tools\SrumECmd\SrumECmd.exe --help
```
Prerequisites
```cmd
# SRUM-DUMP requires the SRUM database and SOFTWARE registry hive
# Live system locations:
#   Database: C:\Windows\System32\sru\SRUDB.dat
#   Registry: C:\Windows\System32\config\SOFTWARE
# For live extraction, stop the diagnostic service first:
net stop "Diagnostic Policy Service"
# Copy the database and the hive
copy C:\Windows\System32\sru\SRUDB.dat C:\Evidence\SRUDB.dat
copy C:\Windows\System32\config\SOFTWARE C:\Evidence\SOFTWARE
# Restart the service
net start "Diagnostic Policy Service"
```
Core Commands
SRUM-DUMP
```bash
# Basic extraction to Excel
python srum_dump.py -i SRUDB.dat -t SRUM_TEMPLATE2.xlsx -o output.xlsx
# With SOFTWARE hive for SID resolution
python srum_dump.py -i SRUDB.dat -t SRUM_TEMPLATE2.xlsx -r SOFTWARE -o output.xlsx
# Specify output directory
python srum_dump.py -i SRUDB.dat -t SRUM_TEMPLATE2.xlsx -o C:\Analysis\srum_output.xlsx
```
SrumECmd
```cmd
# Parse SRUM database to CSV
SrumECmd.exe -f C:\Evidence\SRUDB.dat -r C:\Evidence\SOFTWARE --csv C:\Analysis\
# Parse with debug logging (useful when a table fails to parse)
SrumECmd.exe -f C:\Evidence\SRUDB.dat -r C:\Evidence\SOFTWARE --csv C:\Analysis\ --debug
# Parse from mounted image
SrumECmd.exe -f E:\Windows\System32\sru\SRUDB.dat -r E:\Windows\System32\config\SOFTWARE --csv C:\Analysis\
# Live system parsing (requires stopping DPS first, see Prerequisites)
SrumECmd.exe -f C:\Windows\System32\sru\SRUDB.dat -r C:\Windows\System32\config\SOFTWARE --csv C:\Analysis\
```
SRUM Data Tables
Key Database Tables
| Table | GUID | Description |
|---|---|---|
| Application Resource Usage | {D10CA2FE-6FCF-4F6D-848E-B2E99266FA89} | App execution with CPU, memory, I/O |
| Network Data Usage | {973F5D5C-1D90-4944-BE8E-24B94231A174} | Network bytes sent/received per app |
| Network Connectivity | {DD6636C4-8929-4683-974E-22C046A43763} | Network interface connectivity data |
| Energy Usage | {FEE4E14F-02A9-4550-B5CE-5FA2DA202E37} | Application energy consumption |
| Windows Push Notifications | {D10CA2FE-6FCF-4F6D-848E-B2E99266FA86} | Push notification data |
| App Timeline Provider | {5C8CF1C7-7257-4F13-B223-970EF5939312} | Windows Timeline activity |
Application Resource Usage Fields
| Field | Description |
|---|---|
| TimeStamp | Hour-granularity timestamp (UTC) |
| AppId | Application identifier (EXE path or SID) |
| UserId | User SID who ran the application |
| ForegroundCycleTime | CPU cycles in foreground |
| BackgroundCycleTime | CPU cycles in background |
| FaceTime | Time in foreground (100ns intervals) |
| ForegroundBytesRead | Disk bytes read in foreground |
| ForegroundBytesWritten | Disk bytes written in foreground |
| ForegroundNumReadOperations | Count of read operations |
| ForegroundNumWriteOperations | Count of write operations |
Network Data Usage Fields
| Field | Description |
|---|---|
| TimeStamp | Hour-granularity timestamp (UTC) |
| AppId | Application identifier |
| UserId | User SID |
| InterfaceLuid | Network interface identifier |
| L2ProfileId | Network profile (connected network) |
| BytesSent | Bytes sent over network |
| BytesRecvd | Bytes received from network |
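The fields in these tables are stored as raw counters, and a few of them need decoding before they mean anything to an analyst: FaceTime is in 100-nanosecond units, InterfaceLuid is a NET_LUID whose top 16 bits carry the interface type (IfType), and TimeStamp is a UTC value written roughly once an hour, so one record summarises the hour before it. The following Python helpers are an added example and are not code from SRUM-DUMP or SrumECmd; the sample row is constructed, and the timestamp parsing assumes SrumECmd's default `yyyy-MM-dd HH:mm:ss` output format.

```python
"""Decode raw SRUM field values from the tables above.

Added example, not part of SRUM-DUMP or SrumECmd. SAMPLE_ROW is constructed;
timestamp parsing assumes SrumECmd's default "yyyy-MM-dd HH:mm:ss" format.
"""
from datetime import datetime, timedelta, timezone

# IfType values carried in the top 16 bits of a NET_LUID (the InterfaceLuid field).
IFTYPE_NAMES = {
    6: "ethernet",
    23: "ppp",
    24: "loopback",
    71: "wifi (IEEE 802.11)",
    131: "tunnel",
    237: "wimax (IEEE 802.16)",
    243: "mobile broadband (WWANPP)",
    244: "mobile broadband (WWANPP2)",
}

# Fixed offset used for the demonstration; real analysis would use zoneinfo
# with the victim host's configured time zone.
EXAMPLE_LOCAL_TZ = timezone(timedelta(hours=-5))


def interface_type(luid: int) -> tuple:
    """Split a NET_LUID: bits 0-23 reserved, 24-47 NetLuidIndex, 48-63 IfType."""
    iftype = (luid >> 48) & 0xFFFF
    index = (luid >> 24) & 0xFFFFFF
    return iftype, index, IFTYPE_NAMES.get(iftype, f"iftype {iftype}")


def facetime_seconds(facetime: int) -> float:
    """FaceTime is stored in 100-nanosecond units."""
    return facetime / 10_000_000


def srum_timestamp(value: str, local_tz=timezone.utc) -> dict:
    """Parse a SRUM timestamp. Values are UTC and written roughly hourly, so a
    record's counters cover activity since the previous write."""
    utc = datetime.strptime(value[:19], "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
    return {
        "utc": utc,
        "local": utc.astimezone(local_tz),
        "window_start": utc - timedelta(hours=1),
        "window_end": utc,
    }


def decode_row(row: dict, local_tz=timezone.utc) -> dict:
    """Normalise one Application Resource Usage or Network Data Usage row."""
    out = dict(row)
    if "InterfaceLuid" in row:
        iftype, index, name = interface_type(int(row["InterfaceLuid"]))
        out["InterfaceType"] = name
        out["InterfaceIndex"] = index
    if "FaceTime" in row:
        out["FaceTimeSeconds"] = facetime_seconds(int(row["FaceTime"]))
    ts = srum_timestamp(row["TimeStamp"], local_tz)
    out["TimeStampLocal"] = ts["local"].isoformat()
    out["ActivityWindowUTC"] = (ts["window_start"].isoformat(), ts["window_end"].isoformat())
    return out


# Constructed sample row: a Wi-Fi interface (IfType 71, index 3), three minutes
# of foreground time, written at 14:00 UTC.
SAMPLE_ROW = {
    "TimeStamp": "2024-03-05 14:00:00",
    "AppId": r"\Device\HarddiskVolume2\Windows\System32\svchost.exe",
    "InterfaceLuid": str((71 << 48) | (3 << 24)),
    "FaceTime": "1800000000",
    "BytesSent": "120000",
}

if __name__ == "__main__":
    decoded = decode_row(SAMPLE_ROW, local_tz=EXAMPLE_LOCAL_TZ)
    for key, value in decoded.items():
        print(f"{key:>20}: {value}")
```

The one-hour activity window is the reason SRUM can only place an execution or transfer within an hour bucket; when you build a timeline from it, treat the TimeStamp as the end of the window, not the moment of the event.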
Analysis Techniques
Identifying Program Execution
```powershell
# Parse SRUM output CSV for specific applications
# After running SrumECmd:
Import-Csv "C:\Analysis\SrumECmd_AppResourceUsage.csv" |
    Where-Object { $_.ExeInfo -match "powershell|cmd|wscript|cscript" } |
    Sort-Object Timestamp |
    Select-Object Timestamp, ExeInfo, UserId, ForegroundCycleTime |
    Format-Table

# Find applications that transferred significant data
Import-Csv "C:\Analysis\SrumECmd_NetworkUsages.csv" |
    Where-Object { [int64]$_.BytesSent -gt 10MB } |
    Sort-Object { [int64]$_.BytesSent } -Descending |
    Select-Object Timestamp, ExeInfo, BytesSent, BytesRecvd |
    Format-Table
```
Detecting Data Exfiltration
```powershell
# Find applications with high outbound data transfer
Import-Csv "C:\Analysis\SrumECmd_NetworkUsages.csv" |
    Group-Object ExeInfo |
    ForEach-Object {
        $totalSent = ($_.Group | Measure-Object -Property BytesSent -Sum).Sum
        $totalRecvd = ($_.Group | Measure-Object -Property BytesRecvd -Sum).Sum
        [PSCustomObject]@{
            Application = $_.Name
            TotalSentMB = [math]::Round($totalSent / 1MB, 2)
            TotalRecvdMB = [math]::Round($totalRecvd / 1MB, 2)
            Ratio = if ($totalRecvd -gt 0) { [math]::Round($totalSent / $totalRecvd, 2) } else { "N/A" }
        }
    } |
    Sort-Object TotalSentMB -Descending |
    Format-Table

# Timeline of network activity for a suspicious application
Import-Csv "C:\Analysis\SrumECmd_NetworkUsages.csv" |
    Where-Object { $_.ExeInfo -match "suspicious_app" } |
    Sort-Object Timestamp |
    Select-Object Timestamp, BytesSent, BytesRecvd, InterfaceLuid |
    Format-Table
```
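The two checks above (absolute outbound volume and the sent/received ratio) catch a single large upload, but a process that normally chatters a little and then pushes out far more than usual in one hour bucket slips past a whole-period total. The Python below is an added example, not code from SrumECmd or SRUM-DUMP, and goes one step beyond the PowerShell: it runs the totals-and-ratio check and also compares each hour bucket against the application's own median hourly send volume. `SAMPLE_CSV` is constructed; its column names (Timestamp, ExeInfo, BytesSent, BytesRecvd) follow this page, and blank counters are treated as zero because exported cells are not always populated.

```python
"""Outbound-transfer checks over SrumECmd NetworkUsages output.

Added example, not part of SrumECmd or SRUM-DUMP. SAMPLE_CSV is constructed;
its column names (Timestamp, ExeInfo, BytesSent, BytesRecvd) follow this page.
"""
import csv
import io
import sys
from collections import defaultdict
from statistics import median

SAMPLE_CSV = r"""Timestamp,ExeInfo,BytesSent,BytesRecvd
2024-03-05 09:00:00,\Device\HarddiskVolume2\Program Files\Browser\browser.exe,1200000,48000000
2024-03-05 10:00:00,\Device\HarddiskVolume2\Program Files\Browser\browser.exe,900000,51000000
2024-03-05 11:00:00,\Device\HarddiskVolume2\Program Files\Browser\browser.exe,1500000,47000000
2024-03-05 00:00:00,\Device\HarddiskVolume2\Windows\System32\svchost.exe,2000000,3000000
2024-03-05 01:00:00,\Device\HarddiskVolume2\Windows\System32\svchost.exe,2100000,2900000
2024-03-05 02:00:00,\Device\HarddiskVolume2\Windows\System32\svchost.exe,1900000,3100000
2024-03-05 03:00:00,\Device\HarddiskVolume2\Windows\System32\svchost.exe,60000000,500000
2024-03-05 04:00:00,\Device\HarddiskVolume2\Windows\System32\svchost.exe,,
2024-03-05 02:00:00,\Device\HarddiskVolume2\Users\Public\update.exe,850000000,120000
"""


def to_int(value) -> int:
    """Exported byte counters can be blank; treat blanks and junk as 0."""
    try:
        return int(value)
    except (TypeError, ValueError):
        return 0


def load_rows(csv_text: str) -> list:
    """Read the NetworkUsages CSV into plain dicts with integer counters."""
    rows = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        rows.append({
            "ts": row["Timestamp"],
            "app": row["ExeInfo"],
            "sent": to_int(row.get("BytesSent")),
            "recv": to_int(row.get("BytesRecvd")),
        })
    return rows


def per_app_totals(rows) -> dict:
    """Sum sent/received bytes per application and compute the sent:received ratio."""
    totals = defaultdict(lambda: {"sent": 0, "recv": 0, "hours": 0})
    for r in rows:
        t = totals[r["app"]]
        t["sent"] += r["sent"]
        t["recv"] += r["recv"]
        t["hours"] += 1
    for t in totals.values():
        t["ratio"] = round(t["sent"] / t["recv"], 2) if t["recv"] else None
    return dict(totals)


def outbound_heavy(totals, min_sent=100 * 1024 * 1024, min_ratio=5.0) -> list:
    """Apps that pushed out a lot of data and sent far more than they received.

    A None ratio (nothing received at all) counts as outbound-heavy.
    """
    hits = [app for app, t in totals.items()
            if t["sent"] >= min_sent and (t["ratio"] is None or t["ratio"] >= min_ratio)]
    return sorted(hits, key=lambda a: totals[a]["sent"], reverse=True)


def hourly_spikes(rows, factor=10.0, min_records=3, floor=1024 * 1024) -> list:
    """Hour buckets where an app sent more than `factor` times its own median.

    Apps with fewer than `min_records` buckets have no usable baseline, and
    buckets below `floor` bytes are ignored so idle processes do not alert.
    """
    by_app = defaultdict(list)
    for r in rows:
        by_app[r["app"]].append(r)
    spikes = []
    for app, recs in by_app.items():
        if len(recs) < min_records:
            continue
        baseline = median(r["sent"] for r in recs)
        for r in recs:
            if r["sent"] >= floor and r["sent"] > factor * baseline:
                spikes.append((app, r["ts"], r["sent"]))
    return sorted(spikes, key=lambda s: s[1])


if __name__ == "__main__":
    text = open(sys.argv[1], newline="").read() if len(sys.argv) > 1 else SAMPLE_CSV
    rows = load_rows(text)
    totals = per_app_totals(rows)
    for app in outbound_heavy(totals):
        t = totals[app]
        print(f"outbound-heavy: {app} sent={t['sent']} recv={t['recv']} ratio={t['ratio']}")
    for app, ts, sent in hourly_spikes(rows):
        print(f"hourly spike:   {app} at {ts} sent={sent}")
```

In the constructed data, `update.exe` trips the totals check, while the `svchost.exe` burst at 03:00 is only visible through the per-hour baseline: its period total stays under the 100 MB threshold. Run against real SrumECmd output, the two lists are starting points for a timeline, not verdicts; SRUM attributes bytes to the process that owned the socket, so a legitimate updater or backup agent will appear here too.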
Correlating with Other Artifacts
```powershell
# Combine SRUM with Prefetch data
# SRUM shows WHEN and HOW MUCH data was transferred
# Prefetch shows execution count and files accessed

# Cross-reference SRUM app execution with event logs
# SRUM ExeInfo uses device paths (\Device\HarddiskVolumeN\...) while Sysmon
# Image uses drive letters, so compare on the file name only
$srumApps = Import-Csv "C:\Analysis\SrumECmd_AppResourceUsage.csv" |
    Where-Object { $_.ExeInfo } |
    ForEach-Object { Split-Path -Leaf $_.ExeInfo } |
    Sort-Object -Unique
# Sysmon Event ID 1: Properties[4] is the Image field
$eventLogApps = Get-WinEvent -FilterHashtable @{
    LogName='Microsoft-Windows-Sysmon/Operational'
    Id=1
} | ForEach-Object { Split-Path -Leaf $_.Properties[4].Value } |
    Sort-Object -Unique
# Find apps in SRUM but not in event logs (potential log evasion or log rollover)
$srumApps | Where-Object { $_ -notin $eventLogApps }
```
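Comparing on the file name alone, as the PowerShell above does, will match a `cmd.exe` dropped in a user profile against the legitimate one in System32. The Python below is an added example (not code from SRUM-DUMP, SrumECmd or Sysmon) that instead strips the volume root from both sides and compares the full volume-relative path: SRUM records executables as NT device paths (`\Device\HarddiskVolumeN\...`), while Sysmon Event ID 1 and Prefetch report drive-letter paths. Both input lists are constructed.

```python
r"""Cross-reference SRUM ExeInfo values with process images from another source.

Added example, not part of SRUM-DUMP, SrumECmd or Sysmon. SRUM stores
executables as NT device paths (\Device\HarddiskVolumeN\...), while Sysmon
Event ID 1 and Prefetch report drive-letter paths, so the two sides are
compared on the volume-relative path. Both sample lists are constructed.
"""
import re

# Optional NT object-manager prefix (\??\ or \\?\), then either a
# \Device\HarddiskVolumeN\ volume root or a drive letter root.
_VOLUME_PREFIX = re.compile(
    r"^(?:\\\\\?\\|\\\?\?\\)?(?:\\device\\harddiskvolume\d+|[a-z]:)\\",
    re.IGNORECASE,
)


def normalize_path(path: str) -> str:
    """Return the lower-cased path relative to its volume root.

    Values that are not file paths (for example packaged-app identifiers)
    are returned lower-cased but otherwise unchanged, so they never match a
    Sysmon image by accident.
    """
    return _VOLUME_PREFIX.sub("", path.strip()).lower()


def find_unlogged(srum_exeinfo, logged_images) -> list:
    """SRUM executables with no matching process-creation record.

    Returned values are the original SRUM strings, de-duplicated and sorted,
    so they can be pasted straight back into a SrumECmd filter.
    """
    logged = {normalize_path(p) for p in logged_images if p}
    missing = {exe for exe in srum_exeinfo if exe and normalize_path(exe) not in logged}
    return sorted(missing)


# Constructed sample data.
SRUM_EXEINFO = [
    r"\Device\HarddiskVolume2\Windows\System32\svchost.exe",
    r"\Device\HarddiskVolume2\Windows\System32\cmd.exe",
    r"\Device\HarddiskVolume2\Users\Public\update.exe",
    r"\Device\HarddiskVolume2\Windows\System32\cmd.exe",  # second hour bucket
]
SYSMON_IMAGES = [
    r"C:\Windows\System32\svchost.exe",
    r"C:\Windows\System32\CMD.EXE",
    r"\??\C:\Windows\System32\conhost.exe",
]

if __name__ == "__main__":
    for exe in find_unlogged(SRUM_EXEINFO, SYSMON_IMAGES):
        print("in SRUM but not in Sysmon process creation:", exe)
```

Two caveats when reading the result. Stripping the volume root means the same relative path on two different volumes compares equal, which is acceptable for spotting gaps but not for proving identity; and SRUM retains weeks of data while a Sysmon log may have rolled over, so check the oldest event in the log before reading a missing entry as evasion rather than retention.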
Advanced Usage
Forensic Image Analysis
```powershell
# Mount forensic image
# (Using Arsenal Image Mounter, FTK Imager, or similar)

# Extract SRUM from mounted image
$imageDrive = "E:"
$evidence = "C:\Evidence\Case001"
New-Item -ItemType Directory -Force -Path $evidence
Copy-Item "$imageDrive\Windows\System32\sru\SRUDB.dat" "$evidence\"
Copy-Item "$imageDrive\Windows\System32\config\SOFTWARE" "$evidence\"

# Parse with SrumECmd
SrumECmd.exe -f "$evidence\SRUDB.dat" -r "$evidence\SOFTWARE" --csv "$evidence\parsed\"
```
Automated Reporting
```python
#!/usr/bin/env python3
"""Generate SRUM analysis report from SrumECmd CSV output."""
import csv
import json
import sys
from collections import defaultdict
from datetime import datetime

# Scripting hosts worth reviewing whenever they appear in SRUM
SCRIPT_HOSTS = ('powershell', 'cmd.exe', 'wscript', 'cscript')


def to_int(value):
    """SrumECmd can leave byte counters blank; treat anything non-numeric as 0."""
    try:
        return int(value)
    except (TypeError, ValueError):
        return 0


def analyze_srum(network_csv, app_csv, work_hours=(6, 20)):
    """Analyze SRUM data for suspicious activity."""
    findings = {
        'high_data_transfer': [],
        'unusual_hours': [],
        'suspicious_apps': []
    }
    # Analyze network usage
    app_totals = defaultdict(lambda: {'sent': 0, 'recv': 0})
    with open(network_csv, 'r', newline='') as f:
        for row in csv.DictReader(f):
            app = row.get('ExeInfo') or 'Unknown'
            app_totals[app]['sent'] += to_int(row.get('BytesSent'))
            app_totals[app]['recv'] += to_int(row.get('BytesRecvd'))
    # Flag high data transfer
    for app, totals in app_totals.items():
        if totals['sent'] > 100 * 1024 * 1024:  # > 100MB sent
            findings['high_data_transfer'].append({
                'app': app,
                'sent_mb': round(totals['sent'] / (1024 * 1024), 2),
                'recv_mb': round(totals['recv'] / (1024 * 1024), 2)
            })
    # Analyze application execution
    with open(app_csv, 'r', newline='') as f:
        for row in csv.DictReader(f):
            app = row.get('ExeInfo') or 'Unknown'
            ts = row.get('Timestamp', '')
            if any(name in app.lower() for name in SCRIPT_HOSTS):
                findings['suspicious_apps'].append({'app': app, 'timestamp': ts})
            # SRUM timestamps are UTC at hour granularity (SrumECmd default
            # format yyyy-MM-dd HH:mm:ss); execution outside working hours is
            # a weak signal on its own but useful for triage
            try:
                hour = datetime.strptime(ts[:19], '%Y-%m-%d %H:%M:%S').hour
            except ValueError:
                continue
            if not work_hours[0] <= hour < work_hours[1]:
                findings['unusual_hours'].append({'app': app, 'timestamp': ts})
    return findings


if __name__ == '__main__':
    network_csv = sys.argv[1] if len(sys.argv) > 1 else 'NetworkUsages.csv'
    app_csv = sys.argv[2] if len(sys.argv) > 2 else 'AppResourceUsage.csv'
    results = analyze_srum(network_csv, app_csv)
    print(json.dumps(results, indent=2))
```
Timeline Generation
```powershell
# Create unified timeline from SRUM data
Import-Csv "C:\Analysis\SrumECmd_AppResourceUsage.csv" |
    Select-Object @{N='Timestamp';E={$_.Timestamp}},
                  @{N='Type';E={'AppExecution'}},
                  @{N='Detail';E={$_.ExeInfo}},
                  @{N='User';E={$_.UserId}} |
    Export-Csv "C:\Analysis\srum_timeline.csv" -NoTypeInformation

Import-Csv "C:\Analysis\SrumECmd_NetworkUsages.csv" |
    Select-Object @{N='Timestamp';E={$_.Timestamp}},
                  @{N='Type';E={'NetworkUsage'}},
                  @{N='Detail';E={"$($_.ExeInfo) - Sent: $($_.BytesSent) Recv: $($_.BytesRecvd)"}},
                  @{N='User';E={$_.UserId}} |
    Export-Csv "C:\Analysis\srum_timeline.csv" -NoTypeInformation -Append
```
Troubleshooting
| Issue | Solution |
|---|---|
| Database locked | Stop "Diagnostic Policy Service" before copying SRUDB.dat |
| Corrupted database | Use `esentutl /r sru /d` to attempt recovery on a copy |
| Missing SOFTWARE hive | Tool still works but SIDs won't resolve to usernames |
| Empty results | Verify SRUDB.dat is from Windows 8+ and contains data |
| Permission denied | Run as Administrator or extract from forensic image |
| Large output file | Filter by date range or specific applications during analysis |
| SID resolution fails | Ensure the SOFTWARE hive comes from the same system as the SRUM database |
| Timestamp interpretation | SRUM timestamps are in UTC; convert to local time for analysis |