Overview
SrumECmd is a command line tool developed by Eric Zimmerman, to process the SRUM Database on Windows operating systems, identifying items such as:
- Executable filepaths
- Timestamps of execution times
- Byte read/write processed by an application
- Power Consumption details
- Network Connection details
- Details of push notifications
Further Information the SRUM can be found on Darkcybe - Evidence of Execution
Instructions
Parsing a Live or Copied SRUM.dat Database
The default location for the SRUM database is C:\Windows\System32\SRU\. The database can be interrogated on a live system or against a collected copy of the SRUM database.
1
SrumECmd.exe -f C:\Windows\System32\sru\SRUDB.dat --csv /path/to/output
Output
SrumECmd will produce a number of .csv files on completion of the tools execution with differing objects of interest in each. Examples of the output of the tool for a number of the objects can be seen below.
App Resource Usage
![SrumECmd - App Resource Usage]( "SrumECmd - App Resource Usage")
Network Connection
![SrumECmd - Network Connection]( "SrumECmd - Network Connection")
Network Usage
![SrumECmd - Network Usage]( "SrumECmd - Network Usage")
Unknown 312
![SrumECmd - Unknown 312]( "SrumECmd - Unknown 312")
Unknown D8F
![SrumECmd - Unknown D8F]( "SrumECmd - Unknown D8F")
