Blog

• Detecting data exfiltration with SRUM network usage

  A focused method for spotting outbound data theft using SRUM's Network Data Usage table — per-process bytes, user attribution, and network profile.

• How to fix a dirty SRUDB.dat (ESE database recovery)

  Why a copied SRUDB.dat is often in a dirty state, and how to replay the transaction logs with esentutl so a parser can read every row.

• How long does SRUM keep data? Retention and registry settings

  How far back SRUM history goes, what controls retention, and the registry keys that govern the short-term and long-term tables.

• SRUM vs Prefetch vs Amcache: which execution artifact to use

  A practical comparison of the three main Windows program-execution artifacts — what each proves, their time resolution, and when SRUM wins.

• The ESE database format that powers SRUDB.dat

  Understanding the Extensible Storage Engine — Windows' embedded database used by SRUM, Active Directory, Exchange, the Edge browser cache, and more.

• How to parse SRUDB.dat without installing anything

  Three ways to extract data from a Windows SRUM database — pick the one that fits your time, environment, and skill level.

• Using SRUM in a forensic investigation

  Real-world investigative questions that the SRUM database can answer — data exfiltration, malware activity, suspect timelines, insider threat.

• SRUM tables explained: AppResource, Network, Energy, Push

  A reference guide to the well-known tables inside SRUDB.dat — their GUID names, columns, and what each one tells a forensic analyst.

• Where is SRUDB.dat located on Windows?

  The exact filesystem path of the SRUM database on every supported Windows version, plus how to extract it safely from a live machine or forensic image.

• What is SRUM and why forensic analysts care

  Pillar guide to the Windows System Resource Usage Monitor: what it records, where to find it, and what investigators get from it.