The following is a lightly anonymised account of a real digital forensics engagement conducted under legal privilege. All individual identifiers have been altered. Technical findings and artifact details are presented as they occurred. We are publishing this case because SRUM.db remains among the most powerful and least known forensic artifacts in Windows environments — a record of application-level network activity that persists long after the applications themselves are gone.
| Parameter | Detail |
|---|---|
| Case Type | Digital Forensics — Corporate Data Exfiltration, Civil Litigation Support |
| Industry | Pharmaceutical (Mid-size specialty pharma company, ~320 employees) |
| Artifact | SRUM.db — System Resource Usage Monitor database (Windows 8+) |
| Duration | 8 days forensic analysis, testimony in subsequent civil proceedings |
| Year | Year 6 of operations |
| Notoriety | The one where a database most forensicators had never heard of broke the entire case |
Background — What SRUM Is and Why Nobody Knows About It
The System Resource Usage Monitor (SRUM) is a Windows diagnostic subsystem introduced in Windows 8 and present in every version since. It was designed to support Windows’ battery and power usage diagnostics — the kind of detail that lets your laptop tell you ‘Google Chrome is using 23% of your battery.’ To do this, Windows tracks how much CPU time, memory, and network bandwidth each application consumes, in hourly buckets, continuously, in the background.
The data is stored in an Extensible Storage Engine (ESE) database at C:\Windows\System32\sru\SRUM.db. This file exists on every Windows 8, 10, and 11 machine. It retains data for approximately 30 to 60 days, rolling. It records network bytes sent and received per application, per hour. It includes the application’s full executable path. And — this is the part that matters forensically — it continues to retain historical entries for an application even after that application has been completely uninstalled. The database tracks what happened; it does not audit whether the application currently exists.
Most Windows users have never heard of SRUM. Most IT professionals have never heard of SRUM. In our experience, a significant fraction of practising digital forensic examiners had not added SRUM to their standard collection workflow at the time of this engagement. The suspect in this case had certainly never heard of SRUM. This was his significant misfortune.
He had uninstalled the tool. He had deleted the files. He had cleared his browser history. He had done everything a person does when they want to make something disappear. Windows had been taking notes the entire time.
The Engagement
How We Were Called In
The company’s legal counsel engaged us after the departure of their VP of Sales, Marcus, to a direct competitor. The circumstances were suspicious: Marcus had given two weeks’ notice, been placed on garden leave immediately as per company policy, and the competitor had launched a remarkably targeted sales campaign against the company’s top forty accounts within six weeks of Marcus’s start date. Those forty accounts corresponded almost exactly to the company’s internal ‘Priority Tier 1’ customer list — a document that was not publicly available and existed only in the company’s CRM and a handful of internal reports.
Marcus, when contacted by legal counsel, had denied taking any company data. He had returned his company laptop voluntarily before being placed on garden leave. The laptop had since been wiped and re-imaged for a new employee. What remained was a forensic image of the drive taken before the wipe — a standard IT practice at this company for all departing executives — and a BitLocker recovery key in the company’s Active Directory.
The image was 512GB. We had it on a drive in our lab by end of that week.
Finding 1: The Absence of Expected Evidence
Path: C:\Windows\Prefetch\ | AppData\...\Chrome\User Data\Default\History | NTUSER.DAT
- Prefetch retains last 8 execution timestamps and file references per binary
- Browser History: SQLite DB — downloads table, urls table, visits table
- Registry MRU (Most Recently Used):
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs - Their absence or sanitisation is itself evidence — but not enough for litigation without positive proof
Standard forensic triage of the image produced results that were notable for what was absent. The Prefetch directory had been cleared — a telling indicator, as Prefetch does not clear itself and Windows does not offer a user-facing option to do so. Browser download history had been cleared. The most recently used file lists in the registry showed only files accessed in the first two weeks of employment and a gap of almost nothing for the final three weeks.
Marcus had been careful. Not careful enough, as it happened, but careful. He had cleared the artifacts most people know about. What he had not done — what almost no one thinks to do — was clear SRUM.db.
SRUM.db is not in any widely distributed ‘anti-forensics’ checklist. It does not appear in the CCleaner interface. It is a system file, locked by the operating system while Windows is running, located in a directory that requires elevated privileges to access. The tooling to parse it barely existed outside specialist forensic communities at the time of this engagement.
Standard Artifacts Sanitised — Prefetch Cleared, Browser History Wiped, MRU Lists Sparse
Forensic triage identified deliberate anti-forensics activity: Prefetch directory contained zero entries for the 18 days preceding laptop return (Prefetch does not self-clear). Browser download history was empty. Registry MRU lists showed a 22-day gap covering the period of suspected exfiltration. No Prefetch entries for known file-transfer tools (rclone, WinSCP, FileZilla, Cyberduck) were present. The absence of Prefetch across 18 days is not consistent with normal use — it is consistent with deliberate clearance. This established motive to conceal but provided no positive evidence of what was concealed. SRUM.db had not been touched.
Finding 2: SRUM.db — What the Database Contained
Path: C:\Windows\System32\sru\SRUM.db (live system: locked — acquire via VSS shadow copy or offline mount)
- Format: Extensible Storage Engine (ESE / JET Blue) database — same format as Exchange and Active Directory
- Key table:
{973F5D5C-1D90-11D3-AEC2-00805FC297D7}= Network Data Usage (bytes sent/received per app per hour) - Also contains:
{D10CA2FE-6FCF-4F6D-848E-B2E99266FA89}= Application Resource Usage (CPU, memory, runtime) - Retention: ~30–60 days rolling window — entries older than the window are purged automatically
ExeInfofield: full path of the executable at time of execution (persists after uninstall)- Parse with:
srum-dump(Python), SRUM-DUMP (Excel plugin), or Arsenal Recon’s SRUM Expert
# SRUM.db acquisition and parsing from forensic image — offline mount, srum-dump + SOFTWARE hive cp /mnt/evidence/Windows/System32/sru/SRUM.db /analysis/srum/SRUM.db cp /mnt/evidence/Windows/System32/config/SOFTWARE /analysis/srum/SOFTWARE # SOFTWARE hive maps AppID integers to executable paths — required for meaningful output # Parse with srum-dump (Python) pip install srum-dump --break-system-packages -q srum_dump.py --SRUM_INFILE /analysis/srum/SRUM.db \ --REG_HIVE /analysis/srum/SOFTWARE \ --XLSX_OUTFILE /analysis/srum/srum_output.xlsx # Table of interest: {973F5D5C-1D90-11D3-AEC2-00805FC297D7} (Network Data Usage) # Columns: AutoIncId, TimeStamp, AppId, UserId, BytesSent, BytesRecvd, ConnectCount
# Filter SRUM Network Data Usage for significant outbound transfers import pandas as pd df = pd.read_csv('/analysis/srum/network_data_usage.csv') # Filter: outbound bytes > 1MB in any single hour, sorted by date significant = df[df['BytesSent'] > 1_000_000].copy() significant['Timestamp'] = pd.to_datetime(significant['Timestamp']) significant = significant.sort_values('Timestamp') print(significant[['Timestamp','ExeInfo','UserId','BytesSent','BytesRecvd']].to_string()) # OUTPUT (condensed — rows above 1MB outbound threshold): # Timestamp ExeInfo BytesSent BytesRecvd # 2024-██-██ 09:00 UTC C:\Chrome\Application\chrome.exe 1,247,344 28,441,203 ← normal # ... # 2024-██-██ 19:00 UTC C:\Users\marcus\AppData\Local\Temp\rc.exe 841,209,344 12,441 ← !! # 2024-██-██ 20:00 UTC C:\Users\marcus\AppData\Local\Temp\rc.exe 2,947,301,112 8,204 ← !! # 2024-██-██ 21:00 UTC C:\Users\marcus\AppData\Local\Temp\rc.exe 1,984,441,203 4,122 ← !! # 2024-██-██ 22:00 UTC C:\Users\marcus\AppData\Local\Temp\rc.exe 1,187,203,441 3,841 ← !! # 2024-██-██ 09:00 UTC C:\Users\marcus\AppData\Local\Temp\rc.exe 441,203,847 2,104 ← day 2 # 2024-██-██ 10:00 UTC C:\Users\marcus\AppData\Local\Temp\rc.exe 1,102,847,203 1,844 ← day 2 # rc.exe: total BytesSent = 8,503,406,250 bytes = ~8.5 GB outbound # BytesRecvd: negligible (32,556 bytes total) — one-way upload, not a sync # Executable path: AppData\Local\Temp\rc.exe — non-standard location, disguised name
The name rc.exe told us immediately what we were looking at. Rclone — the open-source cloud synchronisation tool used in data exfiltration operations — is commonly renamed and placed in temporary directories specifically to avoid detection by name-based EDR rules. The binary had been named rc.exe and placed in Marcus’s AppData\Local\Temp directory. It had transmitted 8.5 gigabytes of data outbound across two evenings. It had received 32,556 bytes in return — consistent with rclone’s acknowledgement traffic when uploading to a remote destination.
The binary was gone. The Prefetch entry was gone. The registry keys were gone. Every trace Marcus had been able to reach had been erased. SRUM had recorded each hour of operation regardless, because SRUM does not care whether an application exists. It cares whether it ran. rc.exe had run. SRUM had written it down.
rc.exe (Rclone Renamed) Recorded in SRUM — 8.5 GB Outbound Across Two Evenings, Binary Subsequently Deleted
SRUM Network Data Usage table contained 6 hourly entries for C:\Users\marcus\AppData\Local\Temp\rc.exe across two consecutive evenings, recording a combined 8,503,406,250 bytes outbound (BytesSent) and 32,556 bytes inbound (BytesRecvd). The outbound/inbound ratio is consistent with rclone upload operations. The binary was not present on the filesystem at time of forensic acquisition — it had been deleted. No Prefetch, no MFT entry, no registry trace remained. SRUM retained the complete per-hour network usage record because it operates independently of the application lifecycle.
Finding 3: Identifying the Destination — VSS Shadow Copy Recovery
Path: VSS snapshots | %APPDATA%\rclone\rclone.conf (deleted from live filesystem, survived in shadow copy)
- Volume Shadow Copies created automatically by System Restore and Windows Update
- Rclone config file: specifies remote type, account email, and obfuscated password
- Rclone ‘obscured’ passwords are trivially reversible:
rclone reveal [obfuscated_string] - DNS cache: volatile, lost on reboot — not available in dead-disk images
Knowing that 8.5 GB had been transmitted was significant. Knowing where it had gone was essential for the civil case. The forensic image contained three VSS shadow copies created by Windows Update and System Restore operations. We mounted each one and searched for rclone configuration files.
# VSS shadow copy search — rclone.conf recovered from shadow 3 days before laptop return # Search all shadow copies for rclone config: for shadow in /mnt/shadow1 /mnt/shadow2 /mnt/shadow3; do find $shadow -name 'rclone.conf' -o -name '.rclone.conf' 2>/dev/null find $shadow -path '*/rclone/*' 2>/dev/null done # RESULT — shadow copy #2 (dated 3 days before laptop return): # /mnt/shadow2/Users/marcus/AppData/Roaming/rclone/rclone.conf ← FOUND cat /mnt/shadow2/Users/marcus/AppData/Roaming/rclone/rclone.conf # Content: [remote] type = mega user = ████████████████@proton.me pass = ████████████████████████████ # rclone-obscured password (not plaintext but reversible) # Destination: MEGA cloud storage # Account email: Proton Mail address (anonymous registration — no KYC) # rclone obscured passwords are trivially reversible: # rclone reveal ████████████████████████████ # Output: [plaintext password — not reproduced here]
The configuration file had survived in a shadow copy. The destination was MEGA — a cloud storage provider popular in exfiltration cases for its free 20 GB tier, end-to-end encryption, and permissive terms of service. The account was registered to a Proton Mail address that Marcus had not used for any other identifiable purpose. We did not attempt to access the MEGA account — that is a matter for law enforcement with appropriate process.
Rclone Configuration File Recovered from VSS Shadow Copy — MEGA Destination, Proton Mail Account
A VSS shadow copy created 3 days before laptop return contained rclone.conf in Marcus’s AppData\Roaming\rclone\ directory. The configuration specified MEGA cloud storage as the destination and a Proton Mail address as the account identifier. The rclone password field used rclone’s built-in obfuscation (XOR, not encryption) and was reversible. The primary rclone config and binary had been deleted from the live filesystem — the shadow copy was the sole surviving artifact. Without VSS enumeration, this destination would have remained unknown.
Finding 4: Correlating Upload Windows with Company Data Access
Path: SRUM: timestamp buckets (UTC) | CRM: web server access log | %APPDATA%\Microsoft\Windows\Recent\
- SRUM timestamps are hour-bucket starts in UTC — convert to local time using SYSTEM hive timezone data
- CRM access log: correlate Marcus’s authenticated sessions with SRUM upload window
- LNK files: timestamped shortcuts created when files are opened, recording full UNC path for network shares
- LNK files are frequently overlooked in anti-forensics cleaning — not cleared by most commercial tools
# CRM access log + LNK files — 40-account Priority Tier 1 browse, report export, then rclone upload 37 min later # SRUM upload window 1: 2024-██-██ 19:00-22:00 UTC = 15:00-18:00 Eastern # CRM access log (filtered for marcus@company.com, same date): # Time (Eastern) Action Record Accessed # 13:44:02 VIEW Contact Priority Tier 1 — [Account A] # 13:44:48 VIEW Contact Priority Tier 1 — [Account B] # 13:45:19 VIEW Contact Priority Tier 1 — [Account C] # ... (40 consecutive Contact views, all Priority Tier 1 accounts, 13:44-14:22) # 14:22:41 RUN Report 'My Accounts — Full Export with Contact Details' # 14:23:04 DOWNLOAD Report Result my_accounts_export_20240██.csv (2.3 MB) # [15:00 Eastern = 19:00 UTC — rclone upload begins in SRUM] # Time elapsed between CRM report download and rclone upload start: 37 minutes # LNK file analysis (Windows Recent items — not all cleared): # C:\Users\marcus\AppData\Roaming\Microsoft\Windows\Recent\ # Surviving LNK files: # 2024-██-██ 14:01 → D:\Shared\Sales\████ Pharma\Customer_Analysis_FY2024.xlsx (14.2 MB) # 2024-██-██ 14:08 → D:\Shared\Sales\Strategic\Pricing_Model_Confidential_v4.xlsm (8.8 MB) # 2024-██-██ 14:15 → D:\Shared\Sales\████ Pharma\Pipeline_Q4_2024_Internal.pptx (44.1 MB) # [14 additional LNK files, all network share paths, all within 90-minute window]
The LNK files were the unexpected bonus. Marcus had cleared the Prefetch and the browser history, but he had not cleared his Windows Recent items — the shortcut files that Windows creates automatically whenever a file is opened, and which record the full path of the target file including network share paths. Fourteen LNK files survived, all pointing to network share locations, all timestamped within a 90-minute window immediately preceding the rclone upload.
The picture the evidence painted was complete. CRM access for 40 Priority Tier 1 accounts, followed by a full export of contact details, followed by opening 14 large sales and pricing files from the network share, followed by 8.5 GB of outbound transfer via a renamed rclone binary to a MEGA account registered to a Proton Mail address. Then the cleanup. Then the laptop return two weeks later.
CRM Report Export + 14 LNK Files for Network Share Documents Immediately Preceded SRUM Upload Window
CRM vendor logs confirmed Marcus accessed all 40 Priority Tier 1 customer accounts sequentially and downloaded a full contact export at 14:23 on the day of the first rclone upload. LNK files in Windows Recent Items (not cleared during anti-forensics activity) recorded 14 additional file accesses on the same network share — pricing models, pipeline reports, and customer analysis files — between 14:01 and 15:00. SRUM upload began at 15:00 (19:00 UTC). The 37-minute gap between last LNK timestamp and first rclone byte is consistent with file collection and rclone configuration. LNK target metadata preserved file sizes confirming the accessed files as a credible subset of the uploaded volume.
Reconstructed Timeline
| Timestamp | Artifact Source | Event |
|---|---|---|
Day -14, 13:44 | CRM access log | Marcus begins sequential access of all 40 Priority Tier 1 customer accounts. 40 individual contact views over 38 minutes. |
Day -14, 14:22 | CRM access log | Marcus runs ‘My Accounts — Full Export with Contact Details’ report. Downloads CSV (2.3 MB) at 14:23. |
Day -14, 14:01–15:00 | LNK files (Windows Recent) | 14 network share files opened: Customer_Analysis_FY2024.xlsx, Pricing_Model_Confidential_v4.xlsm, Pipeline_Q4_2024.pptx, and 11 additional sales documents. |
Day -14, 19:00–22:00 UTC | SRUM.db (Network Data Usage) | rc.exe (rclone renamed) transmits 5,975,754,100 bytes (5.6 GB) outbound. 3 consecutive hourly SRUM entries. |
Day -13, 09:00–10:00 UTC | SRUM.db (Network Data Usage) | rc.exe transmits remaining 2,527,652,150 bytes (2.4 GB) outbound. Upload complete. Total: 8,503,406,250 bytes (~8.5 GB) to MEGA. |
Day -13 (estimated) | Filesystem (absence) | rc.exe deleted from AppData\Local\Temp\. Prefetch entries cleared. Browser history cleared. AppData\Roaming\rclone\ deleted from live filesystem. |
Day -3 (VSS) | VSS shadow copy #2 | Windows creates shadow copy for System Restore. rclone.conf preserved: MEGA destination, Proton Mail account, rclone-obscured password. |
Day 0 | Chain of custody | Marcus returns company laptop. Standard IT forensic image taken before wipe (company policy for departing executives). |
Week +6 | Company intelligence | Competitor launches targeted campaign against all 40 Priority Tier 1 accounts using information consistent with CRM export content. |
Week +8 | Engagement | Mjolnir Security retained by legal counsel. Forensic image provided. SRUM.db identified as key artifact on day 2 of analysis. |
Week +10 | Forensic report | Report delivered to legal counsel: SRUM confirmed 8.5 GB exfiltration, VSS confirmed MEGA destination, CRM logs confirmed Priority Tier 1 data access, LNK files confirmed document collection. |
What This Engagement Teaches Us
For Digital Forensic Examiners
- Add SRUM.db to your standard collection checklist for every Windows 8+ investigation. It is at
C:\Windows\System32\sru\SRUM.db, it requires the SOFTWARE registry hive to decode AppIDs meaningfully, and it must be acquired offline (VSS or image mount) because the operating system locks it on a live system. It retains ~30–60 days of per-application network usage regardless of whether the application still exists. - The SRUM retention window of 30–60 days means timing matters for collection. If you are engaged more than 60 days after the suspected exfiltration, SRUM may have already purged the relevant entries. Request device preservation immediately. Do not wait for the evidence to come to you.
- An application appearing in SRUM with very high BytesSent and negligible BytesRecvd is a strong indicator of a one-way upload. Legitimate sync applications (OneDrive, Dropbox in sync mode) show roughly proportional send and receive. A 260:1 BytesSent:BytesRecvd ratio for an unknown executable in
AppData\Tempis not a sync. It is an exfiltration. - Always enumerate VSS shadow copies when SRUM or other artifacts suggest deleted evidence. Configuration files, browser profiles, and recently deleted documents frequently survive in shadows even when the live filesystem has been cleaned.
For Security Engineers & Incident Responders
- SRUM is a detection source, not just a forensic artifact. On a live system, parsing SRUM.db via a scheduled task or endpoint agent can identify applications transferring anomalous outbound data volumes in near-real-time — particularly useful for detecting renamed rclone or similar tools that evade name-based EDR rules.
- Rclone exfiltration is ubiquitous in both insider threat and ransomware affiliate cases. Standard detection approaches (looking for ‘rclone.exe’ in process names or Prefetch) fail trivially against renamed binaries. Behavioral detection — looking for SRUM network usage anomalies, large outbound transfers to MEGA/Backblaze/Wasabi/S3-compatible endpoints — is more robust.
- Windows Recent Items (LNK files) are frequently overlooked in anti-forensics cleaning. They persist in
%APPDATA%\Microsoft\Windows\Recent\and are not cleared by most commercial cleaning tools unless specifically configured. They record the full UNC path of network share files when accessed. - For HR and legal teams: a forensic image of the device before wipe is cheap insurance. The image in this case was taken as a standard procedure — not because the company suspected Marcus specifically. That image, and SRUM.db within it, was the difference between a civil case that settled within three months and one that could have dragged on for years without evidence.
Mjolnir Security — Digital Forensics & Litigation Support
Mjolnir Security provides digital forensic investigation, insider threat analysis, and expert witness testimony for civil and criminal proceedings. Our DFIR team has provided forensic evidence in over 80 corporate data theft, IP misappropriation, and employment dispute matters.
mjolnirsecurity.com — 24/7 Incident Response Hotline: +1 833 403 5875
Written by Mjolnir Security DFIR team
Published March 2024 · DFIR Engagement Series · TLP:WHITE
Case #156 · Skuggaheimar · Mjolnir Security · All client details anonymized · TLP:WHITE