SRUM – Another Windows Time Machine

In standard forensics investigations, sooner or later arises the need to find and extract evidence of program execution on the victim system.

We are looking for traces of malware that has been running on the system, or for indication that a benign application could have been misused for adversary purposes.

SRUM - Another Windows Time Machine extract evidence of program execution on the victim system
There are plenty of ways to answer these questions: Prefetch files, ShimCache and Amcache, user registry keys storing lists of last executed programs. However, in multiple recent investigations we faced issues with gathering more information about activities of specific programs. More precisely, we needed to determine if the executables communicated over the network or if any data were transmitted, indicating data exfiltration. These questions can be easily solved if network traffic captures are in your possession, or if you have been able to perform live analysis of the investigated environment. What if no such information is available? We need to rely on evidence present on “dead” system. Fortunately, SRUM, which stands for System Resource Usage Monitor, can give some of the answers.



System Resource Usage Monitor was first spotted on Windows 8 operating system. It is a component of Diagnostic Policy Service – DPS, which enables problem detection, troubleshooting, and resolution for components in the Windows operating system. SRUM monitors services, desktop application programs, windows applications, and network connections on the host – and stores collected information in a database…

Download “SRUM – Another Windows Time Machine” Technical Guide to learn more.


Relevant resources: