


Investigating Windows System Resource Usage Monitor (SRUM)

The Windows System Resource Usage Monitor (SRUM) was first introduced in Windows 8. SRUM tracks 30 to 60 days of system resource usage, in particular application resource usage, energy usage, Windows push notifications, network connectivity, and data usage. The feature is enabled by default and is configured to start automatically at system startup. Some of the collected data is visible to the user on Windows 8 and later through the "App history" tab of Task Manager; however, the database behind SRUM holds a wealth of information that is never shown to the end user.

Digital Forensics Value of SRUM Artifacts

SRUM is considered a gold mine of forensic information, as it records the activity that occurred on a particular Windows system. SRUM tracks and records program executions, power consumption, network activity, and much more, and this information can be retrieved even if the source (for example, the executable that was run) has since been deleted. It enables the examiner to gain insight into previous activity and events on the system.

SRUM artifacts are stored in a file named SRUDB.dat at C:\Windows\System32\SRU\SRUDB.dat. The file is an Extensible Storage Engine (ESE) database containing multiple tables, each recording one category of activity that occurred on the system. Two practical caveats: Windows keeps the file open and only flushes in-memory SRUM data to it periodically (roughly once an hour), so the most recent activity may be absent from a copy; and a copy taken from a running system is frequently left in a "dirty shutdown" state, so check it with esentutl /mh and, if needed, repair it with esentutl /p before parsing.

Analyzing SRUM Artifacts with ArtiFast Windows

This section discusses how to use ArtiFast Windows to extract SRUM artifacts from Windows machines and what kind of digital forensics insight can be gained from them.

After you have created your case and added evidence for the investigation, at the Artifact Parser Selection phase you can select the SRUM artifacts. ArtiFast can analyze SRUM Application Resource Usage, Energy Usage, Energy Usage (Long Term), Network Connections, Network Usage, and Push Notification Data. For demonstration purposes all of the artifacts have been chosen, but you have the option to select only one or more of them.

Once the ArtiFast parser plugins finish processing the artifact, it can be reviewed in "Artifact View" or "Timeline View", with indexing, filtering, and searching capabilities. Below is a detailed description of the SRUM artifacts in ArtiFast.

SRUM Application Resource Usage

This artifact contains information about each application's resource usage. Its fields include:

Application Full Path - The full path to the application.
Background Bytes Read - Number of bytes read by the application while running in the background.
Background Bytes Written - Number of bytes written by the application while running in the background.
Background Context Switches - Number of context switches performed by the application while running in the background.
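The following is an added example, not ArtiFast code, showing how an examiner might triage an export of the Application Resource Usage fields listed above: it aggregates background I/O per application, decodes the raw record time, and flags applications whose executable is no longer on disk (the "retrievable even after the source was deleted" point). The CSV rows and the set of paths still present on the volume are constructed here; the raw TimeStamp column and the volume listing are assumptions, and the OLE Automation date decoding reflects how SRUDB.dat stores ESE DateTime values rather than anything the page states about ArtiFast's output.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# SRUDB.dat stores record times as ESE DateTime values, i.e. OLE Automation
# dates: a float counting days (fractions are time of day) since 1899-12-30.
OLE_EPOCH = datetime(1899, 12, 30, tzinfo=timezone.utc)


def ole_to_datetime(value):
    """Convert a raw SRUM TimeStamp (OLE Automation date) to an aware datetime."""
    return OLE_EPOCH + timedelta(days=float(value))


# Constructed rows standing in for an export of the ArtiFast "SRUM Application
# Resource Usage" artifact. The column names are the ones listed on the page;
# a raw TimeStamp column is assumed (a tool may show it already decoded).
# SRUM records application paths in \Device\HarddiskVolumeN\... form.
SAMPLE_CSV = r"""TimeStamp,Application Full Path,Background Bytes Read,Background Bytes Written,Background Context Switches
45000.5,\Device\HarddiskVolume3\Windows\System32\svchost.exe,1048576,4096,1200
45000.5,\Device\HarddiskVolume3\Users\bob\AppData\Local\Temp\updater.exe,0,52428800,300
45000.75,\Device\HarddiskVolume3\Users\bob\AppData\Local\Temp\updater.exe,0,31457280,150
45000.75,\Device\HarddiskVolume3\Windows\System32\svchost.exe,2097152,8192,2400
"""

# Constructed: paths that still exist on the examined volume image
# (in practice built from a file listing of the same volume).
PRESENT_PATHS = {r"\Device\HarddiskVolume3\Windows\System32\svchost.exe"}


def summarize(rows_csv, present_paths):
    """Aggregate background I/O per application and note whether the binary
    still exists on disk. Returns {application path: summary dict}."""
    totals = {}
    for row in csv.DictReader(io.StringIO(rows_csv)):
        path = row["Application Full Path"]
        when = ole_to_datetime(row["TimeStamp"])
        entry = totals.setdefault(path, {
            "records": 0, "bytes_read": 0, "bytes_written": 0,
            "context_switches": 0, "first_seen": when, "last_seen": when,
            "still_on_disk": path in present_paths,
        })
        entry["records"] += 1
        entry["bytes_read"] += int(row["Background Bytes Read"])
        entry["bytes_written"] += int(row["Background Bytes Written"])
        entry["context_switches"] += int(row["Background Context Switches"])
        entry["first_seen"] = min(entry["first_seen"], when)
        entry["last_seen"] = max(entry["last_seen"], when)
    return totals


def deleted_heavy_writers(summary, min_bytes_written):
    """Applications whose executable is gone but which wrote at least
    min_bytes_written in the background: a 'ran, wrote, then was removed'
    pattern that deserves a closer look. Heaviest writer first."""
    return sorted(
        (p for p, e in summary.items()
         if not e["still_on_disk"] and e["bytes_written"] >= min_bytes_written),
        key=lambda p: -summary[p]["bytes_written"],
    )


if __name__ == "__main__":
    summary = summarize(SAMPLE_CSV, PRESENT_PATHS)
    for path, e in summary.items():
        print(f"{path}\n  records={e['records']} read={e['bytes_read']} "
              f"written={e['bytes_written']} ctx={e['context_switches']}\n"
              f"  {e['first_seen']:%Y-%m-%d %H:%M} .. {e['last_seen']:%Y-%m-%d %H:%M} "
              f"on_disk={e['still_on_disk']}")
    print("deleted heavy writers:", deleted_heavy_writers(summary, 50 * 1024 * 1024))
```

Because SRUM keys records by the application's full device path, the same check works against any SRUM table that carries an AppId, and the deleted-binary flag is what turns a resource counter into an execution indicator for a program the attacker cleaned up.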
