SRUM-DUMP Version 3: Uncovering Malware Activity in Forensics
For digital forensics and incident response professionals, extracting precise evidence from Windows systems is critical to understanding and mitigating threats. I’m excited to introduce SRUM-DUMP Version 3, a powerful forensic tool I’ve developed to analyze the Windows System Resource Usage Monitor (SRUM) database. Available on GitHub at SRUM-DUMP Repository, this version offers significant improvements, including a user-friendly GUI and customizable output. In this post, I’ll guide you through using SRUM-DUMP v3’s GUI to investigate a scenario where malware (malware.exe) exfiltrates intellectual property over a wireless network. We’ll explore the 3-step wizard, customize the analysis to highlight malware.exe, and examine where it appears in the output spreadsheet and what each tab reveals about the incident.
What is SRUM-DUMP Version 3?
SRUM-DUMP v3 is designed to extract and analyze data from the SRUM database (C:\Windows\System32\sru\srudb.dat), which logs system resource usage for up to 30 days. This database is a treasure trove for incident response, capturing details about application executions and network activity. Key features of v3 include:
- 3-step Wizard for Rapid Analysis: Select the output directory, srudb.dat and the SOFTWARE registry hive and you’re off!
- Customizable Configuration: A short analysis generates a srum_dump_config.json file allowing you to highlight suspicious terms, map network interfaces, and format output.
- Automated Artifact Detection: Editing the srum_dump_config.json lets you tag suspect processes, users, and networks before the analysis begins.
- XLSX Analysis: All of the artifacts are tagged, colorized, calculated, filtered, and placed into an XLSX file for easy analysis.
Scenario: Malware Exfiltrating Intellectual Property
Imagine an attacker compromises a Windows workstation, deploying malware.exe to steal sensitive documents over a wireless network. The malware runs as an application, quietly exfiltrating data to a remote server. There is no EDR or application logging to be found, but you must determine what was stolen and how. The incident response team acquires SRUDB.dat and the SOFTWARE registry hive (C:\Windows\System32\config\SOFTWARE) and uses SRUM-DUMP v3 to analyze the evidence.
Using SRUM-DUMP v3’s GUI: Step-by-Step
SRUM-DUMP v3’s GUI streamlines the analysis process through a 3-step wizard, followed by configuration customization and result generation.
Step 1: Launch the 3-Step Wizard
- Launch the Tool: Run the prebuilt executable, available from the Releases page.
- Select an Output Directory: Choose an empty directory where the tool will save the Excel spreadsheet and configuration file.
- Select the SRUDB.DAT File: Locate SRUDB.dat, either from your forensics image or at C:\Windows\System32\sru\srudb.dat on a live system.
- Select the SOFTWARE Registry Hive (Optional): Provide the SOFTWARE hive to enrich network data, such as mapping interface LUIDs to SSIDs (e.g., “CorporateWiFi”).
If you selected files that are locked by the OS on live systems, srum-dump will extract the locked files through the Volume Shadow Copies. The files are analyzed and a configuration file is built containing all of the users, network, and processes from the selected files.
Step 2: Customize the Configuration
- After selecting files, SRUM-DUMP processes the SRUM database and generates an srum_dump_config.json file.
- Click “EDIT” to open the configuration file.
- Modify the “dirty_words” section to highlight suspect processes (malware.exe in this example):

```json
{
  "dirty_words": {
    "malware.exe": "highlight-red"
  }
}
```

- This ensures any instance of malware.exe in the output is highlighted in red.
- Optionally, add additional tags to suspicious users, processes, and applications. For example, if (markb) was a compromised user and "CorporateWifi" was a suspicious wifi network, you could add tags to the tables in the srum_dump_config.json file:

```json
{
  "SRUDbIdMapTable": {
    "3": "S-1-5-21-1234567890-0987654321-1234567890-1001 (markb) - CompromisedUser"
  },
  "network_interfaces": {
    "268435498": "CorporateWiFi - SuspectWifi"
  }
}
```

- Save the configuration file and click “CONFIRM”.
Step 3: Generate and Review the Spreadsheet
- Click “CONTINUE” to run the analysis with the customized configuration.
- A progress dialog appears, and once complete, the tool saves an updated Excel spreadsheet in the output directory.
- Open the spreadsheet to examine the results.
Where Does malware.exe Appear?
The Excel spreadsheet contains multiple tabs, each corresponding to a SRUM database table. For this scenario, we will examine just two of the locations where malware.exe will appear:
Tab Name | Description | Relevance to malware.exe |
---|---|---|
Application Timeline | Logs application executions, including executable names, user SIDs, timestamps, and resource usage. | Directly lists malware.exe in the AppId column, highlighted if configured. |
Network Data | Records network activity, including bytes sent/received, interface LUIDs, and timestamps. | Indirectly relevant by showing network activity during malware.exe ’s execution. |
Application Timeline Tab
- Content: Each row represents an application execution event over the past 30 days.
- Where malware.exe Appears: In the AppId column, rows containing malware.exe will be highlighted in red (based on the “dirty_words” configuration).
- Key Columns:
  - AppId: The application’s identifier (e.g., malware.exe).
  - UserSid: The security identifier of the user running the application, mappable to a username (e.g., “CompromisedUser”).
  - TimeStamp: The UTC date and time of execution (e.g., 2025-04-15 02:00:00).
  - CycleTime: CPU usage, indicating the malware’s processing intensity.
  - WorkingSetSize: Memory usage, which may reveal unusual patterns.
- Insights for the Incident:
  - Confirms malware.exe was executed, providing a timeline of its activity.
  - Identifies the user account involved, aiding in attribution.
  - Reveals resource consumption, suggesting whether the malware was performing tasks like data encryption or exfiltration.
Network Data Tab
- Content: Each row represents a network activity event, detailing data transfers across interfaces.
- Relation to malware.exe: While malware.exe isn’t listed directly, you can correlate timestamps with the Application Timeline tab to identify network activity during its execution.
- Key Columns:
  - InterfaceLuid: Identifies the network interface (e.g., wireless adapter). With the SOFTWARE hive, this may be mapped to an SSID like “CorporateWiFi.”
  - BytesSent and BytesRecvd: Quantities of data transferred (e.g., 500 MB sent).
  - TimeStamp: When the activity occurred (e.g., 2025-04-15 02:00:00).
- Insights for the Incident:
  - High BytesSent values during malware.exe’s execution suggest data exfiltration.
  - The SSID mapping confirms the use of a specific wireless network, aligning with the scenario.
  - Timestamps link network activity to the malware’s runtime, strengthening evidence of its role.
Correlating Evidence
To reconstruct the incident:
- Identify malware.exe Activity: In the Application Timeline tab, note timestamps when malware.exe was active (e.g., 2025-04-15 02:00:00).
- Check Network Activity: In the Network Data tab, look for high BytesSent on the wireless interface at matching timestamps.
- Build the Timeline: Combine these findings to show that malware.exe executed and simultaneously sent large amounts of data, confirming intellectual property theft.
For example:
- Application Timeline: malware.exe ran at 2025-04-15 02:00:00 with high CycleTime.
- Network Data: 500 MB of BytesSent on “CorporateWiFi” at 2025-04-15 02:00:00.
This correlation provides compelling evidence of the malware’s actions.
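The dirty_words tagging from Step 2 and the timestamp correlation described above can be reproduced outside the spreadsheet, which is handy when you want to re-run the same logic over several hosts. The script below is an added example written for this post; it is not SRUM-DUMP’s own code and does not read srudb.dat. It takes a config in the same shape as the srum_dump_config.json excerpts above and two small constructed row sets standing in for the Application Timeline and Network Data tabs (the SIDs, LUIDs, byte counts and timestamps are made up). The 10-minute matching window and the 100 MB BytesSent threshold are assumptions chosen for the demonstration, not values the tool uses; the post’s own example matches on identical timestamps, and the window generalizes that to nearby rows.

```python
import json
from datetime import datetime, timedelta

# Constructed config in the same shape as the srum_dump_config.json excerpts
# shown in the post. Values are made up for this example.
SAMPLE_CONFIG = json.loads("""
{
  "dirty_words": {"malware.exe": "highlight-red"},
  "SRUDbIdMapTable": {
    "3": "S-1-5-21-1234567890-0987654321-1234567890-1001 (markb) - CompromisedUser"
  },
  "network_interfaces": {"268435498": "CorporateWiFi - SuspectWifi"}
}
""")

# Constructed rows standing in for the Application Timeline tab.
# UserSid holds the numeric id that SRUDbIdMapTable resolves to a SID/user.
APP_TIMELINE = [
    {"AppId": "notepad.exe", "UserSid": "3", "TimeStamp": "2025-04-15 01:30:00", "CycleTime": 120},
    {"AppId": "malware.exe", "UserSid": "3", "TimeStamp": "2025-04-15 02:00:00", "CycleTime": 98000},
]

# Constructed rows standing in for the Network Data tab (bytes, not MB).
NETWORK_DATA = [
    {"InterfaceLuid": "268435498", "TimeStamp": "2025-04-15 01:30:00", "BytesSent": 20_000, "BytesRecvd": 300_000},
    {"InterfaceLuid": "268435498", "TimeStamp": "2025-04-15 02:00:00", "BytesSent": 500_000_000, "BytesRecvd": 1_000_000},
    {"InterfaceLuid": "268435498", "TimeStamp": "2025-04-15 02:05:00", "BytesSent": 24_000_000, "BytesRecvd": 50_000},
]


def parse_ts(value):
    """SRUM-DUMP writes timestamps as 'YYYY-MM-DD HH:MM:SS' (UTC)."""
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S")


def tag_app_rows(app_rows, config):
    """Apply dirty_words (case-insensitive substring match) and the SID map to each row."""
    tagged = []
    for row in app_rows:
        app = row["AppId"].lower()
        tag = next((style for word, style in config["dirty_words"].items()
                    if word.lower() in app), None)
        user = config["SRUDbIdMapTable"].get(str(row["UserSid"]), str(row["UserSid"]))
        tagged.append({**row, "Tag": tag, "User": user})
    return tagged


def correlate(app_rows, net_rows, config, window_minutes=10, min_bytes_sent=100_000_000):
    """For each tagged application row, sum BytesSent per interface within the
    window after its TimeStamp and report interfaces over the threshold.
    window_minutes and min_bytes_sent are assumed values for this example."""
    findings = []
    window = timedelta(minutes=window_minutes)
    for row in tag_app_rows(app_rows, config):
        if row["Tag"] is None:
            continue
        start = parse_ts(row["TimeStamp"])
        end = start + window
        sent_by_iface = {}
        for net in net_rows:
            if start <= parse_ts(net["TimeStamp"]) <= end:
                # Resolve the LUID to the label from network_interfaces, if mapped.
                label = config["network_interfaces"].get(str(net["InterfaceLuid"]),
                                                         str(net["InterfaceLuid"]))
                sent_by_iface[label] = sent_by_iface.get(label, 0) + net["BytesSent"]
        for label, total in sent_by_iface.items():
            if total >= min_bytes_sent:
                findings.append({
                    "AppId": row["AppId"], "User": row["User"], "Tag": row["Tag"],
                    "TimeStamp": row["TimeStamp"], "Interface": label, "BytesSent": total,
                })
    return findings


if __name__ == "__main__":
    for finding in correlate(APP_TIMELINE, NETWORK_DATA, SAMPLE_CONFIG):
        print(f'{finding["TimeStamp"]} {finding["AppId"]} ({finding["User"]}) '
              f'sent {finding["BytesSent"] / 1_000_000:.0f} MB via {finding["Interface"]}')
```

On the constructed rows this reports a single finding: malware.exe, run by the mapped (markb) account, with 524 MB sent over the interface labelled “CorporateWiFi - SuspectWifi” in the window starting 2025-04-15 02:00:00. Keep in mind that SRUM rows are hourly snapshots, so BytesSent is the interface total for that hour rather than traffic attributable to one process; the correlation is by time and user, exactly as in the spreadsheet workflow above.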
Getting Started
Download the prebuilt executable from the Releases page and follow the GUI steps outlined above. For advanced configuration options, consult the Configuration File Documentation.
SRUM-DUMP v3 empowers you to tackle malware investigations, insider threats, and system anomalies with precision, making it an indispensable tool for modern incident response.
Learn More
- Learn more about SRUM Windows Forensics Analysis FOR500
- Let me teach you to automate Infosec with Python! Automating Infosec With Python
- Or develop more advanced infosec tools with Python Advanced Infosec Automation
- How about an introduction to Linux! Linux Security for Infosec Professionals
- Mark Baggett's YouTube Channel
- Connect with me on LinkedIn
I'm teaching at the following events. Come check it out!
- SEC673 ADVANCED Python in Miami, FL June 2, 2025
- SEC573 at SANSFire in Baltimore, MD July 14, 2025
- SEC573 in Melbourne, VIC AU August 17, 2025
- SEC573 in Las Vegas, NV September 22, 2025