Extract Windows SRUM Data to Excel: A Forensics Tool Guide
Discover how to use srum-dump, a powerful forensics tool, to analyze Windows System Resource Usage Monitor (SRUM) data. Learn how to extract valuable information about application usage and network activity, converting it into an organized Excel spreadsheet for incident investigations. This guide will walk you through installation, usage, and key features.
What is SRUM and Why is it Important for Forensics?
The System Resource Usage Monitor (SRUM) is a component of Windows 8 and later that records per-application resource usage: CPU time, bytes sent and received per network interface, and the user account that ran the process. Entries are held in memory and flushed to the on-disk database roughly once an hour, so the most recent activity may not yet be in the file at the time of acquisition. This data provides invaluable insights for:
- Identifying suspicious application behavior.
- Tracking network usage patterns.
- Pinpointing the applications involved in specific incidents.
Analyzing this data can be time-consuming without the right tools. That's where srum-dump comes in.
Introducing srum-dump: Your SRUM Analysis Solution
srum-dump is a free and open-source forensics tool designed to simplify the analysis of Windows SRUM data by converting the SRUM database into an easy-to-read Excel spreadsheet. Developed by Mark Baggett, this tool streamlines incident investigations and helps you quickly identify critical information.
Key Benefits of Using srum-dump
- Easy Data Conversion: Convert the SRUM database (srudb.dat) into an Excel (.xlsx) spreadsheet.
- Comprehensive Analysis: Uncover application execution details, network usage, and more.
- Incident Response: Quickly identify applications involved in security incidents.
- User-Friendly Interface: The GUI provides an intuitive way to select files and run the analysis.
- Live Acquisition: Run the tool with administrator privileges for live system acquisition.
Getting Started: Installation and Setup
Here's how to get srum-dump up and running on your system:
- Download: Download both the srum_dump2.exe executable and the SRUM_TEMPLATE2.XLSX template file.
- Placement: Place both files in the same directory.
- Execution: Double-click srum_dump2.exe to launch the tool.
If you intend to analyze the system where srum-dump is running (Live Acquisition), ensure you run it as an administrator.
Running from Source Code
To run srum-dump from the source code instead of the executable, follow these steps:
- Clone the Repository:
- Install Dependencies:
Understanding the Essential SRUM Template for Smooth Excel Conversions
The srum_template2.xlsx file defines the field names and formats used in the output Excel file, so the tool can interpret and format the data it extracts from each SRUM table.
Use BLANK_TEMPLATE.XLSX instead to see the raw output of the SRUM data; comparing the two shows how the template works and how to target specific tables.
Key Features of srum-dump Explained
- GUI and command-line usage: All options can be supplied on the command line. If no SRUM file is passed, the GUI launches.
- Live System Acquisition: When run as administrator, the tool can acquire a live copy of the srudb.dat file.
- Improved Speed: Enhanced processing speed compared to earlier versions.
- Dump All Fields: Dumps every field of every table, including tables not defined in the template XLSX.
Live Acquisition: Obtaining the SRUM Database
The SRUM database (C:\Windows\System32\sru\SRUDB.dat) is locked by the operating system while Windows is running, so it cannot be copied with ordinary file operations. To address this, srum-dump can automatically extract a copy of the file if run with administrator privileges.
When you select the locked srudb.dat file, a dialog box appears offering to download and use FGET, which is available from the repository. Running as administrator, click "AUTO EXTRACT" to download FGET and acquire both SRUDB.DAT and the SOFTWARE registry hive (srum-dump uses the hive to resolve network profile names). The GUI then points itself at the acquired copies in a temporary directory.
Windows Installation Details
While using the pre-built executable is straightforward, running from source requires additional steps, particularly installing libesedb-python.
- Install Visual Studio Build Tools: Download the standalone version of Microsoft Visual C++ build tools, or install it as part of Visual Studio. Alternatively, precompiled versions are available from the log2timeline project (https://github.com/log2timeline/l2tbinaries).
- Install Python: Install Python 3.9.6 or later, selecting all options including precompiled libraries and debug symbols.
- Update pip and Install Dependencies:
Unleash the Power of SRUM Analysis with srum-dump
srum-dump provides an efficient and effective way to analyze Windows SRUM data. By following this guide, you can quickly set up the tool, extract valuable information, and enhance your incident investigation capabilities.