Windows SRUM Forensics

  • Published 25 Jul 2024
  • As a continuation of the "Introduction to Windows Forensics" series, this video introduces the System Resource Utilization Monitor (SRUM). This artifact is often left unmentioned by many forensics books and online resources. SRUM was first introduced in Windows 8 as a new feature designed to track system resource utilization such as CPU cycles, network activity, power consumption, etc. We can use the data collected by SRUM to paint a picture of a user's activity, and even correlate that activity with network-related events, data transfer, processes, and more.
    Introduction to Windows Forensics:
    • Introduction to Window...
    System Resource Utilization Monitor:
    isc.sans.edu/forums/diary/Sys...
    srum-dump:
    github.com/MarkBaggett/srum-dump
    SRUM Forensics (Yogesh Khatri, Champlain College):
    www.sans.org/summit-archives/...
    #Forensics #DigitalForensics #DFIR #ComputerForensics #WindowsForensics
  • Science & Technology

COMMENTS • 23

  • @glassfrog3 · 7 years ago

    Thanks Richard for another great video. This is an artefact I wasn't actually familiar with so your explanations are very helpful! I will definitely take your advice and do some further research, thanks for the links

  • @user-good_day_ · 5 years ago · +3

    Thank you for the great SRUM tutorial.

  • @mdyousufuddin · 2 years ago · +2

    It was very useful. Excellent. Any video on Windows Sandbox forensics?

    • @13Cubed · 2 years ago

      Not yet - but that's on my suggestion list.

  • @jamiekomodo1751 · 3 years ago · +2

    OK video for general procedure. I have to say, though, that I can't see what is being typed in those dark screens with small fonts, and I'm on a desktop too -- not a mobile device. I know I can just review the tool's command line, but if you're going to be making demo videos and you have a high-resolution screen, you might want to zoom in or make the cmd window large enough to see. Just a suggestion.

    • @13Cubed · 3 years ago · +1

      This is a very old episode. You'll find that the production quality has greatly increased for newer ones.

    • @CM-tw2oj · 2 years ago · +1

      Change video res to HD and this issue is fixed.

  • @zelenko2064 · 3 years ago

    How did you manage to put these files like "SAM" or "SYSTEM"?
    Please.

  • @samjohn1098 · a year ago

    Nice one, quick question: how do we identify to which IP or domain name the nc.exe moved the data?

    • @13Cubed · a year ago

      You'd have to grab that information from netstat, and match up the PID of the nc.exe process (assuming it's active at the time). Or, you could potentially extract that information from a memory capture of the machine with a Volatility plugin like netscan.
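
The PID match-up described in the reply above, as an added example that is not part of the original thread: it parses the text output of `netstat -ano` and the CSV output of `tasklist /FO CSV` (both captured to files during live response, then joined offline) and reports the remote endpoints of every established connection owned by a given image name. The sample output below is constructed for this example (documentation IP ranges, made-up PIDs); the function names are assumptions, not a tool's API. As the reply says, this only covers connections that were still active at the moment of capture.

```python
import csv
import io

# Constructed sample of `netstat -ano` output (not from a real host).
NETSTAT_SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    10.0.0.5:49812         192.0.2.10:4444        ESTABLISHED     4120
  TCP    10.0.0.5:49820         198.51.100.7:443       ESTABLISHED     2288
  UDP    0.0.0.0:5353           *:*                                    1640
"""

# Constructed sample of `tasklist /FO CSV` output captured at the same time.
TASKLIST_SAMPLE = """"Image Name","PID","Session Name","Session#","Mem Usage"
"svchost.exe","912","Services","0","12,345 K"
"nc.exe","4120","Console","1","3,210 K"
"chrome.exe","2288","Console","1","210,000 K"
"""


def parse_netstat(text):
    """Return a list of connection dicts from `netstat -ano` text.

    TCP rows carry a State column; UDP rows do not, so the PID column shifts.
    """
    conns = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0] not in ("TCP", "UDP"):
            continue  # header, blank line or banner
        if fields[0] == "TCP":
            state, pid = fields[3], int(fields[4])
        else:
            state, pid = "", int(fields[3])
        conns.append({"proto": fields[0], "local": fields[1],
                      "remote": fields[2], "state": state, "pid": pid})
    return conns


def parse_tasklist_csv(text):
    """Return {pid: image name} from `tasklist /FO CSV` text."""
    return {int(row["PID"]): row["Image Name"]
            for row in csv.DictReader(io.StringIO(text))}


def remote_endpoints(netstat_text, tasklist_text, image_name):
    """Remote host:port pairs of ESTABLISHED TCP connections owned by image_name."""
    pid_to_image = parse_tasklist_csv(tasklist_text)
    wanted = image_name.lower()
    return sorted(
        c["remote"] for c in parse_netstat(netstat_text)
        if c["proto"] == "TCP" and c["state"] == "ESTABLISHED"
        and pid_to_image.get(c["pid"], "").lower() == wanted
    )


def split_endpoint(endpoint):
    """'192.0.2.10:4444' -> ('192.0.2.10', 4444); rsplit copes with IPv6 text."""
    host, port = endpoint.rsplit(":", 1)
    return host, int(port)


if __name__ == "__main__":
    for ep in remote_endpoints(NETSTAT_SAMPLE, TASKLIST_SAMPLE, "nc.exe"):
        print("nc.exe ->", split_endpoint(ep))
```

The two captures must come from the same snapshot; a PID is recycled once the process exits, so a later `tasklist` can map the same number to an unrelated image. Resolving the remote IP to a domain name is a separate step (DNS cache, proxy or DNS server logs), which is why the reply points at a memory capture and Volatility's netscan when the process is already gone.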

  • @matteov.7072 · 6 years ago

    Hi, I use Windows 10. Can you explain to me why in all sheets my User SID is NONE?

  • @TheMindfulEdge1 · a year ago

    How do you convert the BytesOutBound to a more readable format, e.g. MB, GB?

    • @13Cubed · a year ago

      You could apply an Excel formula to divide the bytes by 1,048,576. This would convert it to MB, as that's the exact number of bytes in a megabyte.

  • @mouadzehari1724 · a year ago · +1

    In my case I can simply copy-paste the file (tested in Windows 10 & 11).

  • @0Trance0 · a year ago

    Any idea what foreground CPU time is in? Is that seconds ?!?

    • @13Cubed · a year ago

      It's milliseconds (ms), as I recall.
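
Putting the two unit questions above together (BytesOutBound to MB by dividing by 1,048,576, foreground CPU time in milliseconds), here is an added example that is not part of the original thread and not srum-dump's own code: it reads a network-usage export in CSV form, converts the units, aggregates per application, and flags applications that sent far more than they received. The column names and the rows are constructed for this example (srum-dump's real headers may differ), and an empty SID cell is shown as NONE, which is what the earlier comment about blank User SIDs describes.

```python
import csv
import io
from collections import defaultdict

# Constructed sample in the shape of an SRUM network-usage export.
# Column names are assumptions for this example, not srum-dump's exact headers.
SAMPLE_CSV = """App,UserSID,BytesOutBound,BytesInBound,ForegroundCpuTimeMs
chrome.exe,S-1-5-21-1000-2000-3000-1001,52428800,314572800,120000
nc.exe,S-1-5-21-1000-2000-3000-1001,1572864000,4096,3500
nc.exe,S-1-5-21-1000-2000-3000-1001,524288000,2048,1200
svchost.exe,,2097152,10485760,0
"""

BYTES_PER_MB = 1_048_576   # 2**20, the divisor used in the reply (strictly a mebibyte)
MS_PER_SECOND = 1000       # foreground CPU time is recorded in milliseconds


def bytes_to_mb(n):
    return n / BYTES_PER_MB


def ms_to_seconds(ms):
    return ms / MS_PER_SECOND


def summarize(csv_text):
    """Aggregate rows per application; returns dicts sorted by MB sent, descending."""
    totals = defaultdict(lambda: {"out": 0, "in": 0, "cpu_ms": 0, "sids": set()})
    for row in csv.DictReader(io.StringIO(csv_text)):
        t = totals[row["App"]]
        t["out"] += int(row["BytesOutBound"])
        t["in"] += int(row["BytesInBound"])
        t["cpu_ms"] += int(row["ForegroundCpuTimeMs"])
        t["sids"].add(row["UserSID"] or "NONE")   # blank SID cell -> NONE
    result = []
    for app, t in totals.items():
        result.append({
            "app": app,
            "mb_out": round(bytes_to_mb(t["out"]), 2),
            "mb_in": round(bytes_to_mb(t["in"]), 2),
            "cpu_seconds": ms_to_seconds(t["cpu_ms"]),
            "user_sids": sorted(t["sids"]),
        })
    result.sort(key=lambda r: r["mb_out"], reverse=True)
    return result


def outliers(rows, ratio=10.0, min_mb_out=100.0):
    """Apps that sent at least min_mb_out MB and at least `ratio` times what they received.

    Large upload volume with almost nothing inbound is the pattern worth a closer look
    when checking for data leaving a host.
    """
    return [r["app"] for r in rows
            if r["mb_out"] >= min_mb_out
            and r["mb_out"] >= ratio * max(r["mb_in"], 0.01)]


if __name__ == "__main__":
    rows = summarize(SAMPLE_CSV)
    for r in rows:
        print(f'{r["app"]:<14} out={r["mb_out"]:>9.2f} MB  in={r["mb_in"]:>8.2f} MB  '
              f'fg_cpu={r["cpu_seconds"]:.1f} s  sids={",".join(r["user_sids"])}')
    print("review:", outliers(rows))
```

The thresholds in `outliers` are arbitrary starting points; SRUM keeps roughly hourly records, so several rows per application are normal and the per-application totals are what you compare against the host's expected traffic profile.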

  • @robertboles7418 · 5 years ago

    Nerd alert if you laughed out loud (1/2 point if you snorted) at this spot.
    ua-cam.com/video/Uw8n4_o-ETM/v-deo.html
    Ok. Ok. Guilty.

  • @cdielearn3710 · 10 months ago

    It's very bad quality and not handy for study.

    • @13Cubed · 10 months ago

      It's 2.5K QHD resolution with clear audio. Admittedly, the text isn't nearly big enough, but that was an earlier video and I was still learning the process. But, hey, thanks for the feedback!

    • @AlistairEwingforensic-services · a month ago

      Change the quality using the cog icon numbnuts; don't blame this guy for making free content.

  • @tunivol6626 · a year ago · +1

    I simply used ROBOCOPY to copy the file with /B specified.

    • @13Cubed · a year ago

      Interesting -- I had not tried that. Thanks for sharing!