search

SrumECmd

How to use SrumECmd to parse the Windows SRUM database in order to provide evidence of program execution and network connections during incident investigations.

SrumECmd is a command line tool developed by Eric Zimmerman, to process the SRUM Database on Windows operating systems, identifying items such as:

  • Executable filepaths

  • Timestamps of execution times

  • Byte read/write processed by an application

  • Power Consumption details

  • Network Connection details

  • Details of push notifications

Further Information the SRUM can be found on Darkcybe - Evidence of Executionarrow-up-right

Tool Name
Version
MITRE ATT&CK Tactic
MITRE ATT&CK Technique

SrumECmdarrow-up-right

V0.5.1.0

Executionarrow-up-right

hashtag
Instructions

hashtag
Parsing a Live or Copied SRUM.dat Database

The default location for the SRUM database is C:\Windows\System32\SRU\. The database can be interrogated on a live system or against a collected copy of the SRUM database.

SrumECmd.exe -f C:\Windows\System32\sru\SRUDB.dat --csv /path/to/output

hashtag
Output

SrumECmd will produce a number of .csv files on completion of the tools execution with differing objects of interest in each. Examples of the output of the tool for a number of the objects can be seen below.

App Resource Usage

SrumECmd Output - App Resource Usage

Network Connection

SrumECmd Output - Network Connection

Network Usage

SrumECmd Output - Network Usage

Unknown 312

SrumECmd Output - Unknown 312

Unknown D8F

SrumECmd Output - Unknown D8F
PreviousAppCompatCacheParserNextDFIR Toolkits

Last updated