{"componentChunkName":"component---src-templates-post-template-js","path":"/windows-srum-en","result":{"data":{"markdownRemark":{"id":"0ad66810-dbdf-5321-a4b9-57f4c66855ba","html":"<blockquote>\n<p>This page has been machine-translated from the <a href=\"/windows-srum\">original page</a>.</p>\n</blockquote>\n<p>The other day, when I attended a digital forensics study session, I learned about a Windows artifact called SRUM (System Resource Usage Monitor).</p>\n<p>This may be common knowledge in the forensics community, but I could find very little information even after searching Windows Internals material and official documentation, so I was very glad to have a chance to learn about it.</p>\n<p>From a forensic perspective, SRUM seems to be used to discover suspicious processes and network activity. This time, however, I want to summarize how to use SRUM information mainly from the perspective of performance-related troubleshooting.</p>\n<p>Reference: <a href=\"https://learn.microsoft.com/en-us/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809#system-resource-usage-monitor-events\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">Windows 10, version 1809 basic diagnostic events and fields (Windows 10) - Windows Privacy | Microsoft Learn</a></p>\n<!-- omit in toc -->\n<h2 id=\"table-of-contents\" style=\"position:relative;\"><a href=\"#table-of-contents\" aria-label=\"table of contents permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Table of 
Contents</h2>\n<ul>\n<li><a href=\"#what-is-srum\">What Is SRUM</a></li>\n<li><a href=\"#analyzing-the-srum-database\">Analyzing the SRUM Database</a></li>\n<li>\n<p><a href=\"#analysis-with-networkusageview\">Analysis with NetworkUsageView</a></p>\n<ul>\n<li><a href=\"#note-entries-with-an-empty-app-name\">Note: Entries with an Empty App Name</a></li>\n<li><a href=\"#note-building-libesedb\">Note: Building libesedb</a></li>\n</ul>\n</li>\n<li><a href=\"#summary\">Summary</a></li>\n</ul>\n<h2 id=\"what-is-srum\" style=\"position:relative;\"><a href=\"#what-is-srum\" aria-label=\"what is srum permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>What Is SRUM</h2>\n<p>SRUM (System Resource Usage Monitor) is a Windows feature that monitors how applications and services are used, and it appears to have been introduced in Windows 8.</p>\n<p>After SRUM collects data, it is temporarily stored inside the system and then transferred to <code class=\"language-text\">C:\\Windows\\System32\\sru\\SRUDB.dat</code> every hour or at shutdown.</p>\n<p>The following article says that information collected by SRUM is temporarily kept in the SOFTWARE registry until it is transferred to SRUDB.dat.</p>\n<p>Reference: <a href=\"https://jpn.nec.com/cybersecurity/blog/220722/index.html\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">フォレンジックにおけるSRUMの活用: NECセキュリティブログ | NEC</a></p>\n<p>However, the following source explains that in recent versions of Windows, information collected by SRUM is no longer stored in the 
SOFTWARE registry and is instead stored in memory.</p>\n<blockquote>\n<p>In recent versions of Windows, SRUM no longer uses the registry to store temporarily database records. Nowadays, SRUM relies on 2 types of storage:</p>\n<p>A Tier1 store, which is in memory and is updated every Tier1Period (60 seconds by default) with the data from the SRUM extensions.\nA Tier2 store, which is the SRUM database on disk and is updated every Tier2Period (1 hour by default) with the content of the Tier1 store.</p>\n</blockquote>\n<p>Reference: <a href=\"https://github.com/WithSecureLabs/chainsaw/wiki/SRUM-Analysis\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">SRUM Analysis · WithSecureLabs/chainsaw Wiki</a></p>\n<p>I could not find any officially published documentation describing SRUM behavior in detail, but either way, the point seems consistent that temporarily stored data is written to <code class=\"language-text\">C:\\Windows\\System32\\sru\\SRUDB.dat</code> about once an hour.</p>\n<p>SRUM records statistics about network data usage and application activity.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 919px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/d535a2636a112ea3603ade17c4f09c18/6295b/image-20250316130504584.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 63.74999999999999%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,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'); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/d535a2636a112ea3603ade17c4f09c18/8ac56/image-20250316130504584.webp 240w,\n/static/d535a2636a112ea3603ade17c4f09c18/d3be9/image-20250316130504584.webp 
480w,\n/static/d535a2636a112ea3603ade17c4f09c18/5041b/image-20250316130504584.webp 919w\"\n              sizes=\"(max-width: 919px) 100vw, 919px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/d535a2636a112ea3603ade17c4f09c18/8ff5a/image-20250316130504584.png 240w,\n/static/d535a2636a112ea3603ade17c4f09c18/e85cb/image-20250316130504584.png 480w,\n/static/d535a2636a112ea3603ade17c4f09c18/6295b/image-20250316130504584.png 919w\"\n            sizes=\"(max-width: 919px) 100vw, 919px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/d535a2636a112ea3603ade17c4f09c18/6295b/image-20250316130504584.png\"\n            alt=\"image-20250316130504584\"\n            title=\"image-20250316130504584\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>Reference: <a href=\"https://deepsec.net/docs/Slides/2019/Beyond_Windows_Forensics_with_Built-in_Microsoft_Tooling_Thomas_Fischer.pdf\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">Beyond Windows Forensics with Built-in Microsoft Tooling</a></p>\n<p>Reference: <a href=\"https://www.magnetforensics.com/blog/srum-forensic-analysis-of-windows-system-resource-utilization-monitor/\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">SRUM: Forensic Analysis of System Resource Utilization Monitor</a></p>\n<p>Also, according to <a href=\"https://github.com/WithSecureLabs/chainsaw/wiki/SRUM-Analysis#forensic-insights-about-the-dlls-related-to-the-srum-extensions\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">Forensic insights about the DLLs related to the SRUM extensions</a>, the information saved in the SRUM database is collected by several extensions.</p>\n<p>Information collection for network data depends on WFP, and the size of 
recorded communication data apparently includes the size of Layer 2 frames in the OSI model.</p>\n<p>Also, if a system’s network traffic goes through a VPN process, the size of the audited input and output data appears to be associated with that VPN process.</p>\n<p>This SRUDB is also stored in the Extensible Storage Engine (ESE) format, so it can be analyzed with libraries such as libesedb, as shown later.</p>\n<p>Reference: <a href=\"https://learn.microsoft.com/ja-jp/windows/win32/extensible-storage-engine/extensible-storage-engine\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">拡張可能なストレージ エンジン - Win32 apps | Microsoft Learn</a></p>\n<p>Reference: <a href=\"https://github.com/libyal/libesedb\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">libyal/libesedb: Library and tools to access the Extensible Storage Engine (ESE) Database File (EDB) format.</a></p>\n<h2 id=\"analyzing-the-srum-database\" style=\"position:relative;\"><a href=\"#analyzing-the-srum-database\" aria-label=\"analyzing the srum database permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Analyzing the SRUM Database</h2>\n<p>Information stored in <code class=\"language-text\">C:\\Windows\\System32\\sru\\SRUDB.dat</code> can be analyzed with tools such as srum-dump and NetworkUsageView.</p>\n<p>Reference: <a href=\"https://github.com/MarkBaggett/srum-dump\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">MarkBaggett/srum-dump: A forensics tool to convert the data in the Windows srum (System Resource Usage 
Monitor) database to an xlsx spreadsheet.</a></p>\n<p>Reference: <a href=\"https://www.nirsoft.net/utils/network_usage_view.html\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">Displays network usage information stored in the SRUDB.dat database of Windows 10/8.</a></p>\n<p>When using NetworkUsageView, you can inspect network data from SRUMDB by starting the application, opening [Options] > [Advanced Options], and loading the SRUDB.dat collected from the device you want to examine.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 644px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/b9c4358443be0be57fa4482a3857a153/78274/image-20250315162817723.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 102.08333333333333%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,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'); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/b9c4358443be0be57fa4482a3857a153/8ac56/image-20250315162817723.webp 240w,\n/static/b9c4358443be0be57fa4482a3857a153/d3be9/image-20250315162817723.webp 480w,\n/static/b9c4358443be0be57fa4482a3857a153/f847d/image-20250315162817723.webp 644w\"\n              sizes=\"(max-width: 644px) 100vw, 644px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/b9c4358443be0be57fa4482a3857a153/8ff5a/image-20250315162817723.png 240w,\n/static/b9c4358443be0be57fa4482a3857a153/e85cb/image-20250315162817723.png 480w,\n/static/b9c4358443be0be57fa4482a3857a153/78274/image-20250315162817723.png 644w\"\n            sizes=\"(max-width: 644px) 100vw, 644px\"\n            type=\"image/png\"\n          />\n    
      <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/b9c4358443be0be57fa4482a3857a153/78274/image-20250315162817723.png\"\n            alt=\"image-20250315162817723\"\n            title=\"image-20250315162817723\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>When I used srum-dump, I could easily dump not only network data but also application usage information, so if you want to inspect a wider range of data, srum-dump seems like the better option.</p>\n<p>By the way, copying <code class=\"language-text\">C:\\Windows\\System32\\sru\\SRUDB.dat</code> fails surprisingly often with an error like the following. (If you wait about one minute, it usually becomes copyable.)</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 556px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/68bb55e1bebdcc7ee6030524a9dcc80a/96638/image-20250315170250248.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 59.583333333333336%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,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'); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/68bb55e1bebdcc7ee6030524a9dcc80a/8ac56/image-20250315170250248.webp 240w,\n/static/68bb55e1bebdcc7ee6030524a9dcc80a/d3be9/image-20250315170250248.webp 480w,\n/static/68bb55e1bebdcc7ee6030524a9dcc80a/80afe/image-20250315170250248.webp 556w\"\n              sizes=\"(max-width: 556px) 100vw, 556px\"\n              type=\"image/webp\"\n            />\n          <source\n   
         srcset=\"/static/68bb55e1bebdcc7ee6030524a9dcc80a/8ff5a/image-20250315170250248.png 240w,\n/static/68bb55e1bebdcc7ee6030524a9dcc80a/e85cb/image-20250315170250248.png 480w,\n/static/68bb55e1bebdcc7ee6030524a9dcc80a/96638/image-20250315170250248.png 556w\"\n            sizes=\"(max-width: 556px) 100vw, 556px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/68bb55e1bebdcc7ee6030524a9dcc80a/96638/image-20250315170250248.png\"\n            alt=\"image-20250315170250248\"\n            title=\"image-20250315170250248\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>So, for example, I think it is a good idea to retry the copy operation with something like robocopy as shown below.</p>\n<div class=\"gatsby-highlight\" data-language=\"bash\"><pre class=\"language-bash\"><code class=\"language-bash\">robocopy <span class=\"token string\">\"C:\\Windows\\System32\\sru\"</span> <span class=\"token string\">\"C:\\Users\\Public\\Downloads\"</span> /B</code></pre></div>\n<h2 id=\"analysis-with-networkusageview\" style=\"position:relative;\"><a href=\"#analysis-with-networkusageview\" aria-label=\"analysis with networkusageview permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Analysis with NetworkUsageView</h2>\n<p>Below, I analyze the SRUMDB generated when a 1 
GB file was uploaded from Microsoft Edge.</p>\n<p>First, upload a 1 GB file from Microsoft Edge to any upload site.</p>\n<p>The packet-capture statistics collected with Wireshark also confirm that 1 GB of data was sent to an external address.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 905px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/4a92bdbdccedb4855077d96116086d00/65d79/image-20250316104500109.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 16.249999999999996%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAADCAYAAACTWi8uAAAACXBIWXMAAAsTAAALEwEAmpwYAAAAkElEQVQI1z2P2w7DIAxD+/8/WWkSKuUyCA23h9UjmboH5Fg5Vsz2sgmUE2qt6L1jjPHXOafOrTXwdYGZcS0VVmZR8bIvpWhmeweP47AaHitsjIG1Fm3BORNCCLqX8L7vOM9TmRijcs9zziGlhI2owHuvF6WNgESEua4x/5qIv+/POpDRFiNeWP1V69pOPFfGF/u75X4ciSqpAAAAAElFTkSuQmCC'); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/4a92bdbdccedb4855077d96116086d00/8ac56/image-20250316104500109.webp 240w,\n/static/4a92bdbdccedb4855077d96116086d00/d3be9/image-20250316104500109.webp 480w,\n/static/4a92bdbdccedb4855077d96116086d00/4d060/image-20250316104500109.webp 905w\"\n              sizes=\"(max-width: 905px) 100vw, 905px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/4a92bdbdccedb4855077d96116086d00/8ff5a/image-20250316104500109.png 240w,\n/static/4a92bdbdccedb4855077d96116086d00/e85cb/image-20250316104500109.png 480w,\n/static/4a92bdbdccedb4855077d96116086d00/65d79/image-20250316104500109.png 905w\"\n            sizes=\"(max-width: 905px) 100vw, 905px\"\n            type=\"image/png\"\n      
    />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/4a92bdbdccedb4855077d96116086d00/65d79/image-20250316104500109.png\"\n            alt=\"image-20250316104500109\"\n            title=\"image-20250316104500109\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>When you analyze the SRUMDB captured from the machine that actually performed this upload, you can see that roughly 1 GB of upload traffic is associated with the Microsoft Edge application.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 960px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/a46dbf24c30da9917f5e7def45524758/52576/image-20250316105112089.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 17.083333333333332%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAADCAYAAACTWi8uAAAACXBIWXMAAAsTAAALEwEAmpwYAAAAwElEQVQI1y3L20rDQBSF4bz/mxSVWvAA+gCKIhorigo2pDmZnSadaTKZ1DZ/p4MXH2svFjuY3C04e4iZ3EdMnwtOHlNOn3Jmr8LFS871mzjVfwpX85Kbj5rbT8V5KEzDillYcjkXL/hexLx//RAlBd2wJytXqM6SS02UFqzb3ms2xqu1QZsBsx0pG41y9zIXkt+KzP0EWZqQLGMqEWBEqzW7vy2ma2nqFYPtsb3xeuMc023H3rUt437HRivfB2s5AOjN3Rf5HOjqAAAAAElFTkSuQmCC'); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/a46dbf24c30da9917f5e7def45524758/8ac56/image-20250316105112089.webp 240w,\n/static/a46dbf24c30da9917f5e7def45524758/d3be9/image-20250316105112089.webp 480w,\n/static/a46dbf24c30da9917f5e7def45524758/e46b2/image-20250316105112089.webp 
960w,\n/static/a46dbf24c30da9917f5e7def45524758/bd371/image-20250316105112089.webp 1412w\"\n              sizes=\"(max-width: 960px) 100vw, 960px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/a46dbf24c30da9917f5e7def45524758/8ff5a/image-20250316105112089.png 240w,\n/static/a46dbf24c30da9917f5e7def45524758/e85cb/image-20250316105112089.png 480w,\n/static/a46dbf24c30da9917f5e7def45524758/d9199/image-20250316105112089.png 960w,\n/static/a46dbf24c30da9917f5e7def45524758/52576/image-20250316105112089.png 1412w\"\n            sizes=\"(max-width: 960px) 100vw, 960px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/a46dbf24c30da9917f5e7def45524758/d9199/image-20250316105112089.png\"\n            alt=\"image-20250316105112089\"\n            title=\"image-20250316105112089\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>One important point is that the Timestamp value shown here is not the time when the communication actually occurred, but the time when the data was written to SRUMDB.</p>\n<p>Also, the communication-data size shown here corresponds to information recorded since the previous event transfer. 
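</p>
<p>As an added worked example (my own code, not code from the original post, from srum-dump or from NetworkUsageView), the script below applies these two rules to a handful of constructed rows: it decodes the TimeStamp blob, attaches to every row the flush window its byte counts actually cover, and, for the empty-name App ID 1 entry discussed further down in the post, compares its BytesSent with the sum of all other apps in the same flush. The OLE-date layout of the TimeStamp column is an assumption (it is how srum-dump decodes it), and the sample rows, App IDs and paths are constructed, not values taken from the post.</p>

```python
# Added example for this post (my own illustration, not code from the post,
# srum-dump or NetworkUsageView): apply the two rules above to SRUM rows.
import array
import sys
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption: SRUM's TimeStamp column is an ESE DateTime, i.e. an OLE Automation
# date stored as a little-endian IEEE double counting days since 1899-12-30
# (srum-dump decodes it the same way). Verify one row against NetworkUsageView.
OLE_EPOCH = datetime(1899, 12, 30)
TIER2_PERIOD = timedelta(hours=1)   # default on-disk flush interval (chainsaw wiki)


def ole_timestamp(raw: bytes) -> datetime:
    '''Decode the 8-byte TimeStamp blob as returned by pyesedb get_value_data().'''
    days = array.array('d', raw)
    if sys.byteorder != 'little':    # array uses native order, ESE is little-endian
        days.byteswap()
    return OLE_EPOCH + timedelta(days=days[0])


def pack_ole(dt: datetime) -> bytes:
    '''Inverse of ole_timestamp; only used to build the constructed sample rows.'''
    days = array.array('d', [(dt - OLE_EPOCH) / timedelta(days=1)])
    if sys.byteorder != 'little':
        days.byteswap()
    return days.tobytes()


def app_label(id_blob):
    '''IdBlob of an IdType 0 SruDbIdMapTable row: UTF-16LE path, or None (App ID 1).'''
    if not id_blob:
        return '(empty IdBlob)'
    return id_blob.decode('utf-16-le', errors='replace').rstrip(chr(0))


# Constructed sample, not real SRUM data: hourly flushes at 10:00 and 11:00 and a
# shutdown flush at 11:20. Row layout: (TimeStamp blob, AppId, BytesSent, BytesRecvd).
ONE_GIB = 1024 ** 3
SAMPLE_ID_MAP = {
    1: None,
    7: '\\Device\\HarddiskVolume3\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe'.encode('utf-16-le'),
    9: '\\Device\\HarddiskVolume3\\Windows\\System32\\svchost.exe'.encode('utf-16-le'),
}
SAMPLE_ROWS = [
    (pack_ole(datetime(2025, 3, 16, 10, 0)), 1, 12_000, 40_000),
    (pack_ole(datetime(2025, 3, 16, 10, 0)), 7, 12_000, 40_000),
    (pack_ole(datetime(2025, 3, 16, 11, 0)), 1, ONE_GIB + 5_000, 2_000_000),
    (pack_ole(datetime(2025, 3, 16, 11, 0)), 7, ONE_GIB, 1_900_000),
    (pack_ole(datetime(2025, 3, 16, 11, 0)), 9, 5_000, 100_000),
    (pack_ole(datetime(2025, 3, 16, 11, 20)), 7, 30_000, 50_000),
]


def usage_windows(rows, id_map):
    '''Attach to each row the time window its byte counts actually cover.

    end is the row's TimeStamp (when SRUM wrote it, not when the traffic happened);
    start is the previous flush seen anywhere in the table or, for the first flush,
    TIER2_PERIOD earlier (the true start may be later, e.g. last boot, never earlier).
    '''
    flushes = sorted({ole_timestamp(raw) for raw, _, _, _ in rows})
    previous = {ts: (flushes[i - 1] if i else ts - TIER2_PERIOD)
                for i, ts in enumerate(flushes)}
    windows = []
    for raw, app_id, sent, recvd in rows:
        end = ole_timestamp(raw)
        label = app_label(id_map[app_id]) if app_id in id_map else '(AppId not in SruDbIdMapTable)'
        windows.append({'start': previous[end], 'end': end, 'app_id': app_id,
                        'app': label, 'sent': sent, 'recvd': recvd})
    windows.sort(key=lambda w: (w['end'], w['app_id']))
    return windows


def system_entry_check(rows, system_app_id=1):
    '''Per flush: BytesSent of the App ID 1 row versus the sum of every other row.

    The post saw the empty-name App ID 1 row carry about as much upload as Edge and
    guesses it is a system-wide total; if so it should match or exceed the per-app
    sum in every flush where it appears. Returns {flush: (system, others)}.
    '''
    per_flush = defaultdict(lambda: [None, 0])
    for raw, app_id, sent, _ in rows:
        slot = per_flush[ole_timestamp(raw)]
        if app_id == system_app_id:
            slot[0] = sent
        else:
            slot[1] += sent
    return {ts: tuple(v) for ts, v in sorted(per_flush.items())}


def supports_system_wide_hypothesis(rows, system_app_id=1):
    '''True when every flush that has an App ID 1 row has it >= the per-app sum.'''
    return all(system >= others
               for system, others in system_entry_check(rows, system_app_id).values()
               if system is not None)


if __name__ == '__main__':
    for w in usage_windows(SAMPLE_ROWS, SAMPLE_ID_MAP):
        print(w['start'].strftime('%H:%M'), w['end'].strftime('%H:%M'),
              w['app_id'], w['app'], w['sent'], w['recvd'])
    print(system_entry_check(SAMPLE_ROWS), supports_system_wide_hypothesis(SAMPLE_ROWS))
```

<p>To run this against a real database, replace SAMPLE_ROWS with the TimeStamp, AppId, BytesSent and BytesRecvd values read from the network-usage table with pyesedb (the same get_value_data calls as the libesedb script later in the post) and SAMPLE_ID_MAP with the IdType 0 rows of SruDbIdMapTable. The window start is only a lower bound: a flush at shutdown or shortly after boot covers less than a full hour, which is exactly the caveat made above.</p>
<p>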
(Data is transferred to SRUMDB about once an hour or when the machine shuts down.)</p>\n<p>The following article explains this area very clearly, and I found it helpful.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 960px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/d35ae526ade8e037951d3622f48f278e/0d98f/image-20250316123616251.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 37.083333333333336%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,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'); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/d35ae526ade8e037951d3622f48f278e/8ac56/image-20250316123616251.webp 240w,\n/static/d35ae526ade8e037951d3622f48f278e/d3be9/image-20250316123616251.webp 480w,\n/static/d35ae526ade8e037951d3622f48f278e/e46b2/image-20250316123616251.webp 960w,\n/static/d35ae526ade8e037951d3622f48f278e/63399/image-20250316123616251.webp 1276w\"\n              sizes=\"(max-width: 960px) 100vw, 960px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/d35ae526ade8e037951d3622f48f278e/8ff5a/image-20250316123616251.png 240w,\n/static/d35ae526ade8e037951d3622f48f278e/e85cb/image-20250316123616251.png 480w,\n/static/d35ae526ade8e037951d3622f48f278e/d9199/image-20250316123616251.png 960w,\n/static/d35ae526ade8e037951d3622f48f278e/0d98f/image-20250316123616251.png 1276w\"\n            sizes=\"(max-width: 960px) 100vw, 960px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/d35ae526ade8e037951d3622f48f278e/d9199/image-20250316123616251.png\"\n   
         alt=\"image-20250316123616251\"\n            title=\"image-20250316123616251\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>Reference: <a href=\"https://jpn.nec.com/cybersecurity/blog/220722/index.html\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">フォレンジックにおけるSRUMの活用: NECセキュリティブログ | NEC</a></p>\n<h3 id=\"note-entries-with-an-empty-app-name\" style=\"position:relative;\"><a href=\"#note-entries-with-an-empty-app-name\" aria-label=\"note entries with an empty app name permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Note: Entries with an Empty App Name</h3>\n<p>By the way, the entry at the very top, where App ID is 1 and App Name is empty, seems to indicate that the value in the <code class=\"language-text\">idBlob</code> column of the <code class=\"language-text\">SruDbIdMapTable</code> table in SRUMDB is empty.</p>\n<p>If you actually dump the <code class=\"language-text\">SruDbIdMapTable</code> table from SRUMDB with the following script using the libesedb library, you can confirm that when the App ID is 1, <code class=\"language-text\">idBlob</code> becomes <code class=\"language-text\">None</code>.</p>\n<div class=\"gatsby-highlight\" data-language=\"python\"><pre class=\"language-python\"><code class=\"language-python\"><span class=\"token comment\"># sudo apt-get install libesedb-utils libesedb-dev 
python3-libesedb</span>\n<span class=\"token keyword\">import</span> pyesedb\n\nesedb_file <span class=\"token operator\">=</span> <span class=\"token string\">\"SRUDB.dat\"</span>\nesedb <span class=\"token operator\">=</span> pyesedb<span class=\"token punctuation\">.</span><span class=\"token builtin\">file</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span>\nesedb<span class=\"token punctuation\">.</span><span class=\"token builtin\">open</span><span class=\"token punctuation\">(</span>esedb_file<span class=\"token punctuation\">)</span>\n\ntable_names <span class=\"token operator\">=</span> <span class=\"token punctuation\">[</span>esedb<span class=\"token punctuation\">.</span>get_table<span class=\"token punctuation\">(</span>i<span class=\"token punctuation\">)</span><span class=\"token punctuation\">.</span>get_name<span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span> <span class=\"token keyword\">for</span> i <span class=\"token keyword\">in</span> <span class=\"token builtin\">range</span><span class=\"token punctuation\">(</span>esedb<span class=\"token punctuation\">.</span>number_of_tables<span class=\"token punctuation\">)</span><span class=\"token punctuation\">]</span>\n<span class=\"token keyword\">print</span><span class=\"token punctuation\">(</span>table_names<span class=\"token punctuation\">)</span>\n\ntable <span class=\"token operator\">=</span> esedb<span class=\"token punctuation\">.</span>get_table_by_name<span class=\"token punctuation\">(</span><span class=\"token string\">\"SruDbIdMapTable\"</span><span class=\"token punctuation\">)</span>\ncolumn_names <span class=\"token operator\">=</span> <span class=\"token punctuation\">[</span>table<span class=\"token punctuation\">.</span>get_column<span class=\"token punctuation\">(</span>i<span class=\"token punctuation\">)</span><span class=\"token punctuation\">.</span>get_name<span class=\"token 
punctuation\">(</span><span class=\"token punctuation\">)</span> <span class=\"token keyword\">for</span> i <span class=\"token keyword\">in</span> <span class=\"token builtin\">range</span><span class=\"token punctuation\">(</span>table<span class=\"token punctuation\">.</span>number_of_columns<span class=\"token punctuation\">)</span><span class=\"token punctuation\">]</span>\n<span class=\"token keyword\">print</span><span class=\"token punctuation\">(</span>column_names<span class=\"token punctuation\">)</span>\n\n<span class=\"token keyword\">for</span> record_index <span class=\"token keyword\">in</span> <span class=\"token builtin\">range</span><span class=\"token punctuation\">(</span>table<span class=\"token punctuation\">.</span>number_of_records<span class=\"token punctuation\">)</span><span class=\"token punctuation\">:</span>\n    record <span class=\"token operator\">=</span> table<span class=\"token punctuation\">.</span>get_record<span class=\"token punctuation\">(</span>record_index<span class=\"token punctuation\">)</span>\n    id_type <span class=\"token operator\">=</span> record<span class=\"token punctuation\">.</span>get_value_data_as_integer<span class=\"token punctuation\">(</span><span class=\"token number\">0</span><span class=\"token punctuation\">)</span>\n    id_index <span class=\"token operator\">=</span> record<span class=\"token punctuation\">.</span>get_value_data_as_integer<span class=\"token punctuation\">(</span><span class=\"token number\">1</span><span class=\"token punctuation\">)</span>\n\n    <span class=\"token keyword\">try</span><span class=\"token punctuation\">:</span>\n        id_blob <span class=\"token operator\">=</span> record<span class=\"token punctuation\">.</span>get_value_data<span class=\"token punctuation\">(</span><span class=\"token number\">2</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">.</span>decode<span class=\"token punctuation\">(</span><span class=\"token 
string\">\"utf-16le\"</span><span class=\"token punctuation\">,</span> errors<span class=\"token operator\">=</span><span class=\"token string\">\"ignore\"</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">.</span>strip<span class=\"token punctuation\">(</span><span class=\"token string\">\"\\x00\"</span><span class=\"token punctuation\">)</span>\n        <span class=\"token keyword\">if</span> id_type <span class=\"token operator\">==</span> <span class=\"token number\">0</span><span class=\"token punctuation\">:</span>\n            <span class=\"token keyword\">print</span><span class=\"token punctuation\">(</span><span class=\"token string-interpolation\"><span class=\"token string\">f\"AppID: </span><span class=\"token interpolation\"><span class=\"token punctuation\">{</span>id_index<span class=\"token punctuation\">}</span></span><span class=\"token string\">, AppName: </span><span class=\"token interpolation\"><span class=\"token punctuation\">{</span>id_blob<span class=\"token punctuation\">}</span></span><span class=\"token string\">\"</span></span><span class=\"token punctuation\">)</span>\n\n    <span class=\"token keyword\">except</span><span class=\"token punctuation\">:</span>\n        <span class=\"token comment\"># AppID: 0 AppName: None</span>\n        <span class=\"token keyword\">if</span> id_type <span class=\"token operator\">==</span> <span class=\"token number\">0</span><span class=\"token punctuation\">:</span>\n            <span class=\"token keyword\">print</span><span class=\"token punctuation\">(</span><span class=\"token string-interpolation\"><span class=\"token string\">f\"AppID: </span><span class=\"token interpolation\"><span class=\"token punctuation\">{</span>id_index<span class=\"token punctuation\">}</span></span><span class=\"token string\">, AppName: </span><span class=\"token interpolation\"><span class=\"token punctuation\">{</span>record<span class=\"token 
.</span>get_value_data">
punctuation\">.</span>get_value_data<span class=\"token punctuation\">(</span><span class=\"token number\">2</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">}</span></span><span class=\"token string\">\"</span></span><span class=\"token punctuation\">)</span></code></pre></div>\n<p>In practice, I could not find any information explaining what this entry with App ID 1 actually refers to.</p>\n<p>However, based on ChatGPT’s answers and comments in threads like the one below, I found suggestions that it may be tracking system-wide I/O.</p>\n<p><img src=\"/static/86c66bbcebfb4d9548e658095b16c54d/f3c12/image-20250316124903461.png\" alt=\"image-20250316124903461\" /></p>\n<p>When I actually uploaded a 1 GB file from Microsoft Edge, nearly the same amount of traffic was associated with the App ID 1 entry, so it seems reasonably plausible.</p>\n<p><img src=\"/static/a46dbf24c30da9917f5e7def45524758/d9199/image-20250316105112089.png\" alt=\"image-20250316105112089\" /></p>\n<p>If anyone knows the details here, I would really appreciate hearing about it.</p>\n<h3 id=\"note-building-libesedb\" style=\"position:relative;\"><a href=\"#note-building-libesedb\" aria-label=\"note building libesedb permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Note: Building libesedb</h3>\n<p>This time I installed libesedb with <code class=\"language-text\">apt</code>, but I was also able to build it from source with the following commands.</p>\n<div class=\"gatsby-highlight\" data-language=\"bash\"><pre class=\"language-bash\"><code class=\"language-bash\"><span class=\"token function\">sudo</span> <span class=\"token function\">apt</span> <span class=\"token function\">install</span> <span class=\"token function\">git</span> autoconf automake autopoint libtool pkg-config\n\n<span class=\"token function\">wget</span> https://github.com/libyal/libesedb/releases/download/20240420/libesedb-experimental-20240420.tar.gz\n<span class=\"token function\">tar</span> -xzf libesedb-experimental-20240420.tar.gz\n<span class=\"token builtin class-name\">cd</span> libesedb-20240420/\n\n./configure --enable-python\n<span class=\"token function\">make</span>\n<span class=\"token function\">sudo</span> <span class=\"token function\">make</span> <span class=\"token function\">install</span></code></pre></div>\n<p>Reference: <a href=\"https://github.com/libyal/libesedb/wiki/Building\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">Building · libyal/libesedb Wiki</a></p>\n<h2 id=\"summary\" style=\"position:relative;\"><a href=\"#summary\" aria-label=\"summary permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Summary</h2>\n<p>SRUM seems to be used often for forensic purposes, but personally I also felt that it could be extremely useful for performance and network-related troubleshooting. (That is probably its original purpose.)</p>\n<p>Especially for intermittent performance issues and bandwidth-saturation problems, identifying the process that caused the spike is often the bottleneck in an investigation, but analyzing SRUM seems likely to make it possible to investigate these kinds of issues more smoothly.</p>","fields":{"slug":"/windows-srum-en","tagSlugs":["/tag/forensic/","/tag/english/"]},"frontmatter":{"date":"2025-03-16","description":"Notes on analyzing SRUM used in Windows forensics.","tags":["Forensic","English"],"title":"Notes on Analyzing SRUM Used in Windows Forensics","socialImage":{"publicURL":"/static/beee8f0e9df86d84b38788123464ecb2/windows-srum.png"}}}},"pageContext":{"slug":"/windows-srum-en"}},"staticQueryHashes":["251939775","401334301","825871152"]}