SrumECmd

How to use SrumECmd to parse the Windows SRUM database in order to provide evidence of program execution and network connections during incident investigations.

SrumECmd is a command line tool developed by Eric Zimmerman that processes the SRUM (System Resource Usage Monitor) database on Windows, recovering items such as:

  • Executable file paths

  • Timestamps of execution (SRUM flushes its in-memory records to the database roughly hourly, so a record's timestamp brackets the activity rather than pinpointing the moment of execution)

  • Bytes read and written by an application

  • Power consumption details

  • Network connection details

  • Details of push notifications

Further information on SRUM can be found on Darkcybe - Evidence of Execution

Tool Name | Version  | MITRE ATT&CK Tactic | MITRE ATT&CK Technique
SrumECmd  | V0.5.1.0 |                     |

Instructions

Parsing a Live or Copied SRUM.dat Database

The default location for the SRUM database is C:\Windows\System32\SRU\SRUDB.dat. The database can be interrogated on a live system or against a collected copy. Two caveats apply: on a live system the file is held open by the SRUM service, so it has to be collected through a Volume Shadow Copy or a raw-copy tool rather than a plain file copy; and SRUDB.dat is an ESE (Extensible Storage Engine) database that is frequently in a "dirty shutdown" state when collected, which SrumECmd will warn about and which may require an esentutl repair on a working copy before the tables parse cleanly.

SrumECmd.exe -f C:\Windows\System32\sru\SRUDB.dat --csv /path/to/output

Output

SrumECmd writes one .csv file per SRUM table it parses, each covering a different artefact type. Example output for several of these tables is shown below.

App Resource Usage

Per-process resource usage: the executable path, the user SID, and CPU time and bytes read/written split into foreground and background activity.

Network Connection

Network connection records: the interface, the network profile (including SSID for wireless networks), the connection start time and its duration.

Network Usage

Bytes sent and received per application, per interface.

Unknown 312

Unknown D8F

SrumECmd names the last two tables after the trailing characters of their SRUM provider GUID; their schema is not fully documented, so treat their columns with care.
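The live-host workflow above, from collection through to querying the App Resource Usage output, as an added example in PowerShell. This is not code from the original page or from the SrumECmd project. It assumes an elevated session on the live host, SrumECmd.exe at C:\Tools\SrumECmd.exe, esentutl.exe and reg.exe on PATH, and that the AppResourceUseInfo CSV carries the columns Timestamp, ExeInfo and UserName (check the header of your generated file if your SrumECmd version differs). The `-r` switch for the SOFTWARE hive and the `esentutl /y /vss` locked-file copy are not mentioned on the page; both are used here on the assumption that your tool versions support them.

```powershell
<#
Added example, not code from the SrumECmd project or the original page.
Collects SRUDB.dat and the SOFTWARE hive from a live host, checks the ESE
header for a dirty shutdown, runs SrumECmd, then filters the
AppResourceUseInfo output for an executable of interest.

Assumptions (none of these are stated on the page):
  - SrumECmd.exe lives at $SrumECmd; esentutl.exe and reg.exe are on PATH
  - the script runs in an elevated PowerShell session on the live host
  - the CSV column names Timestamp, ExeInfo and UserName
#>
param(
    [string]$SrumECmd  = 'C:\Tools\SrumECmd.exe',
    [string]$OutDir    = 'C:\Cases\host01\srum',
    [string]$ExeFilter = 'psexesvc'   # constructed sample filter, not a finding
)

$ErrorActionPreference = 'Stop'
$collect = Join-Path $OutDir 'collected'
$parsed  = Join-Path $OutDir 'parsed'
New-Item -ItemType Directory -Force -Path $collect, $parsed | Out-Null

# 1. Collect. SRUDB.dat is held open by the SRUM service, so a plain Copy-Item
#    fails; esentutl /y /vss copies it through a Volume Shadow Copy instead.
#    The SOFTWARE hive lets SrumECmd resolve network profile names (-r).
$srudb    = Join-Path $collect 'SRUDB.dat'
$software = Join-Path $collect 'SOFTWARE'
& esentutl.exe /y 'C:\Windows\System32\sru\SRUDB.dat' /vss /d $srudb | Out-Null
& reg.exe save 'HKLM\SOFTWARE' $software /y | Out-Null

# 2. Hash the collected copies before anything touches them.
Get-FileHash -Algorithm SHA256 -Path $srudb, $software |
    Export-Csv (Join-Path $collect 'hashes.csv') -NoTypeInformation

# 3. Check the ESE header. A database caught mid-write reports "Dirty Shutdown";
#    repair only a working copy so the collected file stays pristine.
$header = & esentutl.exe /mh $srudb
$work   = Join-Path $parsed 'SRUDB.dat'
Copy-Item -Path $srudb -Destination $work
if ($header -match 'Dirty Shutdown') {
    Write-Warning 'SRUDB.dat was not cleanly shut down; repairing the working copy (lossy: transaction logs are not replayed).'
    cmd.exe /c "echo Y | esentutl.exe /p `"$work`" /o" | Out-Null
}

# 4. Parse. -f is the database, -r the SOFTWARE hive, --csv the output directory.
& $SrumECmd -f $work -r $software --csv $parsed | Out-Null

# 5. Query the App Resource Usage output for the executable under investigation.
function Get-SrumAppHits {
    param([string]$CsvDir, [string]$Pattern)
    $csv = Get-ChildItem -Path $CsvDir -Filter '*AppResourceUseInfo*.csv' |
        Sort-Object LastWriteTime -Descending | Select-Object -First 1
    if (-not $csv) { throw "No AppResourceUseInfo CSV found in $CsvDir" }
    Import-Csv -Path $csv.FullName |
        Where-Object { $_.ExeInfo -like "*$Pattern*" } |
        Sort-Object Timestamp |
        Select-Object Timestamp, ExeInfo, UserName
}

Get-SrumAppHits -CsvDir $parsed -Pattern $ExeFilter | Format-Table -AutoSize
```

Against a collected copy rather than a live host, skip step 1 and point $srudb and $software at the acquired files; the hash, dirty-state check and parse steps are unchanged. Keep the repaired working copy separate from the collected original in your case notes, since an esentutl repair rewrites the file.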
