SrumECmd
How to use SrumECmd to parse the Windows SRUM database in order to provide evidence of program execution and network connections during incident investigations.
SrumECmd is a command line tool developed by Eric Zimmerman to process the SRUM database on Windows operating systems, identifying items such as:
Executable filepaths
Timestamps of execution times
Bytes read/written by an application
Power Consumption details
Network Connection details
Details of push notifications
Further information on the SRUM can be found on Darkcybe - Evidence of Execution
Instructions
Parsing a Live or Copied SRUM.dat Database
The default location for the SRUM database is C:\Windows\System32\SRU\. The database can be interrogated on a live system or against a collected copy of the SRUM database.
SrumECmd.exe -f C:\Windows\System32\sru\SRUDB.dat --csv /path/to/output
Output
SrumECmd will produce a number of .csv files on completion of the tool's execution, with a different object of interest in each. Examples of the output of the tool for a number of the objects can be seen below.
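Once the CSV files exist, the next step in an investigation is usually to aggregate them rather than read them row by row. The following Python script is an added example, not code from SrumECmd or from this page: it parses the network usage CSV, totals bytes sent and received per executable within an optional UTC time window, and flags executables whose outbound volume dwarfs their inbound volume, which is a common starting point when looking for staging or exfiltration. The column names it expects (Timestamp, ExeInfo, UserName, BytesSent, BytesReceived, ProfileName) and the sample rows are assumptions constructed for the example; compare them with the header line of your own SrumECmd output before pointing the parser at a real file.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample modelled on the network usage CSV that SrumECmd writes.
# The column names are an assumption for this example; check them against
# the header line of the real output before using the parser on it.
SAMPLE_NETWORK_USAGE_CSV = r"""Timestamp,ExeInfo,UserName,BytesSent,BytesReceived,ProfileName
2024-01-15 09:00:00,\Device\HarddiskVolume3\Program Files\Mozilla Firefox\firefox.exe,CORP\alice,120000,5400000,CorpWifi
2024-01-15 10:00:00,\Device\HarddiskVolume3\Program Files\Mozilla Firefox\firefox.exe,CORP\alice,95000,3100000,CorpWifi
2024-01-15 10:00:00,\Device\HarddiskVolume3\Users\alice\AppData\Local\Temp\svc_update.exe,CORP\alice,740000000,12000,CorpWifi
2024-01-15 11:00:00,\Device\HarddiskVolume3\Windows\System32\svchost.exe,NT AUTHORITY\SYSTEM,20000,800000,CorpWifi
"""

TS_FORMAT = "%Y-%m-%d %H:%M:%S"


def parse_ts(text):
    """Parse a timestamp string from the CSV; SrumECmd writes timestamps in UTC."""
    return datetime.strptime(text, TS_FORMAT).replace(tzinfo=timezone.utc)


def load_network_usage(csv_text):
    """Read network usage rows from CSV text into dicts with typed fields."""
    rows = []
    for rec in csv.DictReader(io.StringIO(csv_text)):
        rows.append({
            "timestamp": parse_ts(rec["Timestamp"]),
            "exe": rec["ExeInfo"],
            "user": rec["UserName"],
            "profile": rec["ProfileName"],
            "sent": int(rec["BytesSent"]),
            "received": int(rec["BytesReceived"]),
        })
    return rows


def load_network_usage_file(path):
    """Convenience wrapper for a real network usage CSV on disk (BOM tolerated)."""
    with open(path, newline="", encoding="utf-8-sig") as fh:
        return load_network_usage(fh.read())


def summarize_by_exe(rows, start=None, end=None):
    """Aggregate bytes per executable, optionally restricted to a UTC window.

    start/end are timestamp strings in the same format as the CSV (assumed
    "%Y-%m-%d %H:%M:%S"); rows outside [start, end] are ignored.
    """
    lo = parse_ts(start) if start else None
    hi = parse_ts(end) if end else None
    totals = defaultdict(lambda: {"sent": 0, "received": 0,
                                  "first_seen": None, "last_seen": None,
                                  "users": set()})
    for r in rows:
        if lo and r["timestamp"] < lo:
            continue
        if hi and r["timestamp"] > hi:
            continue
        t = totals[r["exe"]]
        t["sent"] += r["sent"]
        t["received"] += r["received"]
        t["users"].add(r["user"])
        if t["first_seen"] is None or r["timestamp"] < t["first_seen"]:
            t["first_seen"] = r["timestamp"]
        if t["last_seen"] is None or r["timestamp"] > t["last_seen"]:
            t["last_seen"] = r["timestamp"]
    return dict(totals)


def flag_egress_heavy(summary, min_sent=100_000_000, ratio=10.0):
    """Executables whose outbound volume dwarfs inbound volume.

    Thresholds are illustrative; tune them to the host's normal traffic.
    """
    return sorted(exe for exe, t in summary.items()
                  if t["sent"] >= min_sent
                  and t["sent"] > ratio * max(t["received"], 1))


if __name__ == "__main__":
    rows = load_network_usage(SAMPLE_NETWORK_USAGE_CSV)
    summary = summarize_by_exe(rows)
    for exe, t in sorted(summary.items(), key=lambda kv: kv[1]["sent"], reverse=True):
        print(f"{t['sent']:>12} sent {t['received']:>12} recv  {exe}")
    print("egress-heavy:", flag_egress_heavy(summary))
```

One caveat when using the window filter: SRUM flushes its in-memory counters to the database roughly once an hour, so a Timestamp in these tables marks the end of a collection interval rather than the exact moment the program ran or the connection was made. Treat a row as "activity within the preceding hour" and widen the window accordingly when correlating with other artefacts.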
App Resource Usage
Network Connection
Network Usage
Unknown 312
Unknown D8F