SRUM forensics - SANS Institute
SRUM forensics
Yogesh Khatri
Champlain College
What is SRUM?
• System Resource Usage Monitor
• First seen in Windows 8
• Part of the Diagnostic Policy Service
• Monitors desktop application programs, services, Windows apps and network connections
• Maintains a database of historical activity!
System Resource Usage Monitor tracks:
• Network connectivity
• Network data usage
• Application resource usage
• Windows push notifications
• Energy usage
Network Connectivity & usage
Network Connectivity
• SRUM tracks periods of network connectivity (since Windows 8.1)
• Items tracked
  • Interface type & ID
  • Network profile ID
  • Time the connection was established
  • Length of time connected
Network connectivity tracking (screenshot: connectivity records resolved to network profile names such as ABcorp, NetgearWootFi, HiltonGuestWifi and T-mobile3G)
Network Usage
• Information available
  • Application/service/app consuming the data
  • User SID
  • Bytes uploaded & downloaded
  • Interface type & ID
  • Network profile ID
• NOT available
  • Endpoint information (IP addresses, port numbers)
  • Content information (what was downloaded?)
Application Resource tracking
• Process information
  • CPU cycles
  • Context switches
  • I/O bytes read/written
  • Number of read operations
  • Number of write operations
  • Number of flushes
• User information
  • SID of the user who launched the program
• NOT available
  • Memory, threads, handles, cache or kernel information
App History
• Task Manager's App history tab shows both Windows app and desktop application history
• To view desktop application history: Options > Show history for all processes
• 'Uninstalled Processes' are all programs no longer on disk (in their original locations)
Data Collection
• Written to the database once every hour and at shutdown
• Extension DLLs (providers) monitor and collect the data

| SRUM Extension | GUID | DLL in System32 |
| --- | --- | --- |
| Windows Network Data Usage Monitor | {973F5D5C-1D90-4944-BE8E-24B94231A174} | nduprov.dll |
| Windows Push Notifications (WPN) Provider | {d10ca2fe-6fcf-4f6d-848e-b2e99266fa86} | wpnsruprov.dll |
| Application Resource Usage Provider | {d10ca2fe-6fcf-4f6d-848e-b2e99266fa89} | appsruprov.dll |
| Windows Network Connectivity Usage Monitor | {DD6636C4-8929-4683-974E-22C046A43763} | ncuprov.dll |
| Energy Usage Provider | {fee4e14f-02a9-4550-b5ce-5fa2da202e37} | energyprov.dll |
SRUM data in registry
• The registry is the temporary holding location for newly collected data
• Data is periodically moved from there to SRUDB.dat
• HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SRUM\Extensions
SRUM Database
• ESE database on disk
• C:\Windows\System32\sru\SRUDB.dat
• ESE is the Extensible Storage Engine
  • Also used by Windows Update, Active Directory, Windows Search, IE11, ..

| Database Table Name | Description |
| --- | --- |
| {DD6636C4-8929-4683-974E-22C046A43763} | Network connectivity data |
| {D10CA2FE-6FCF-4F6D-848E-B2E99266FA89} | Application resource usage data |
| {973F5D5C-1D90-4944-BE8E-24B94231A174} | Network usage data |
| {D10CA2FE-6FCF-4F6D-848E-B2E99266FA86} | Windows push notification data |
| {FEE4E14F-02A9-4550-B5CE-5FA2DA202E37} | Energy usage data |
| {FEE4E14F-02A9-4550-B5CE-5FA2DA202E37}LT | Energy usage data (long-term) |
Raw data (screenshot: rows from the network data usage table before any resolution)
Data needing interpretation/conversion
• Timestamps are in UTC, in OLE Automation date format (a 64-bit double: days since 1899-12-30) and in FILETIME format (a 64-bit count of 100 ns intervals since 1601-01-01)
• Network interfaces are specified as InterfaceLuid (NET_LUID)

```c
typedef union _NET_LUID {
    ULONG64 Value;
    struct {
        ULONG64 Reserved     :24;
        ULONG64 NetLuidIndex :24;
        ULONG64 IfType       :16;
    } Info;
} NET_LUID, *PNET_LUID;
```

  • IfType can be WiFi (802.11), Ethernet, ATM, 4G or one of several other values (IANA ifType numbers)
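Worked conversion of these three field types, as an added example in Python (not code from the slides or from the swiftforensics script). The IfType names are the IANA ifType numbers that NET_LUID carries; the sample row at the bottom is constructed, and its column names (TimeStamp, InterfaceLuid, BytesSent, BytesRecvd) are those of the network data usage table.

```python
"""Convert the SRUM fields that need interpretation: OLE Automation and
FILETIME timestamps and NET_LUID interface identifiers.

Added example, not code from the slides or the swiftforensics script.
The sample row at the bottom is constructed.
"""
from datetime import datetime, timedelta, timezone

OLE_EPOCH = datetime(1899, 12, 30, tzinfo=timezone.utc)
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Subset of IANA ifType numbers (the values NET_LUID.IfType carries);
# anything not listed is reported numerically rather than guessed.
IFTYPE_NAMES = {
    6: "ethernetCsmacd",
    24: "softwareLoopback",
    37: "atm",
    71: "ieee80211",    # Wi-Fi
    131: "tunnel",
    243: "wwanpp",      # 3GPP mobile broadband (3G/4G)
    244: "wwanpp2",     # 3GPP2 mobile broadband
}


def ole_to_datetime(value: float) -> datetime:
    """OLE Automation date: fractional days since 1899-12-30 00:00 UTC.
    SRUM's hourly TimeStamp column uses this format."""
    return OLE_EPOCH + timedelta(days=value)


def filetime_to_datetime(value: int) -> datetime:
    """FILETIME: 100 ns ticks since 1601-01-01 00:00 UTC. datetime only keeps
    microseconds, so the last digit of the tick count is dropped."""
    if value < 0:
        raise ValueError("FILETIME must be non-negative")
    return FILETIME_EPOCH + timedelta(microseconds=value // 10)


def decode_net_luid(luid: int) -> dict:
    """Split a 64-bit NET_LUID into the bit fields of the typedef above.
    MSVC packs bit fields low to high: Reserved occupies bits 0-23,
    NetLuidIndex bits 24-47 and IfType the top 16 bits."""
    if not 0 <= luid < (1 << 64):
        raise ValueError("NET_LUID must be an unsigned 64-bit value")
    if_type = (luid >> 48) & 0xFFFF
    return {
        "Reserved": luid & 0xFFFFFF,
        "NetLuidIndex": (luid >> 24) & 0xFFFFFF,
        "IfType": if_type,
        "IfTypeName": IFTYPE_NAMES.get(if_type, "other(%d)" % if_type),
    }


def make_net_luid(if_type: int, index: int, reserved: int = 0) -> int:
    """Inverse of decode_net_luid; used only to build the constructed sample."""
    return (if_type << 48) | (index << 24) | reserved


def decode_usage_row(row: dict) -> dict:
    """Render one network data usage row with its timestamp and interface resolved."""
    luid = decode_net_luid(row["InterfaceLuid"])
    return {
        "TimeStamp": ole_to_datetime(row["TimeStamp"]).isoformat(),
        "Interface": "%s #%d" % (luid["IfTypeName"], luid["NetLuidIndex"]),
        "BytesSent": row["BytesSent"],
        "BytesRecvd": row["BytesRecvd"],
    }


# Constructed sample: an hourly entry written 2015-03-02 12:00 UTC (OLE 42065.5)
# for the first Wi-Fi adapter.
SAMPLE_ROW = {
    "TimeStamp": 42065.5,
    "InterfaceLuid": make_net_luid(71, 1),
    "BytesSent": 48_120,
    "BytesRecvd": 1_204_993,
}


def demo() -> dict:
    return decode_usage_row(SAMPLE_ROW)


if __name__ == "__main__":
    print(demo())
```

Unknown IfType values are deliberately left numeric rather than mapped to the nearest familiar name, so an odd interface type stands out in the output instead of being mislabelled.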
Resolving the network profile from the L2ProfileId field
• Look up HKLM\SOFTWARE\Microsoft\WlanSvc\Interfaces\{InterfaceGUID}\Profiles\{ProfileGUID}
Reading SRUM data
1. Use libesedb (https://github.com/libyal/libesedb) to convert the ESE database tables to CSV format
2. Use the script available at www.swiftforensics.com to
   • Resolve foreign keys, parse InterfaceLuids and timestamps from the tables
   • Parse network profiles from the registry
   • Read and parse SRUM data still held in the registry
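Step 2's foreign-key resolution, as an added example (not the swiftforensics script). It assumes the tables have already been exported (step 1) and loaded as dicts keyed by ESE column name. AppId and UserId in the data tables are IdIndex values in SruDbIdMapTable, whose IdBlob holds a UTF-16LE string for application entries and a binary SID for IdType 3, as public SRUM parsers interpret it. All rows below are constructed; the summary at the end is the per-user, per-process upload/download total that the Forensic Uses slide relies on.

```python
"""Resolve SRUM foreign keys and summarize per-user, per-app network usage.

Added example for the 'Reading SRUM data' steps; not the swiftforensics
script. Rows are constructed test data, not taken from a real SRUDB.dat.
"""
import struct
from collections import defaultdict


def decode_sid(blob: bytes) -> str:
    """Convert a binary Windows SID (revision, sub-authority count, 48-bit
    big-endian identifier authority, little-endian sub-authorities) to text."""
    if len(blob) < 8:
        raise ValueError("SID blob too short")
    revision, count = blob[0], blob[1]
    if len(blob) != 8 + 4 * count:
        raise ValueError("SID length does not match sub-authority count")
    authority = int.from_bytes(blob[2:8], "big")
    subs = struct.unpack_from("<%dI" % count, blob, 8)
    return "S-%d-%d%s" % (revision, authority, "".join("-%d" % s for s in subs))


def decode_id_blob(id_type: int, blob: bytes) -> str:
    """SruDbIdMapTable.IdBlob: IdType 3 is a binary SID, the other IdTypes are
    UTF-16LE strings (executable paths or package names)."""
    if id_type == 3:
        return decode_sid(blob)
    return blob.decode("utf-16-le").rstrip("\x00")


def build_id_map(idmap_rows):
    """IdIndex -> decoded value; AppId/UserId in the data tables are IdIndex values."""
    return {row["IdIndex"]: decode_id_blob(row["IdType"], row["IdBlob"]) for row in idmap_rows}


def resolve_rows(rows, id_map):
    """Replace AppId/UserId foreign keys with the strings they point at.
    Unresolvable keys are kept visible rather than silently dropped."""
    resolved = []
    for row in rows:
        out = dict(row)
        out["App"] = id_map.get(row["AppId"], "<unresolved AppId %d>" % row["AppId"])
        out["User"] = id_map.get(row["UserId"], "<unresolved UserId %d>" % row["UserId"])
        resolved.append(out)
    return resolved


def summarize_usage(resolved_rows):
    """Total BytesSent/BytesRecvd per (user, app) across all hourly samples."""
    totals = defaultdict(lambda: [0, 0])
    for row in resolved_rows:
        t = totals[(row["User"], row["App"])]
        t[0] += row["BytesSent"]
        t[1] += row["BytesRecvd"]
    return {k: tuple(v) for k, v in totals.items()}


def make_sid(*parts):
    """Build a binary SID from numeric parts (helper for the constructed data)."""
    revision, authority, *subs = parts
    return bytes([revision, len(subs)]) + authority.to_bytes(6, "big") + struct.pack("<%dI" % len(subs), *subs)


# Constructed SruDbIdMapTable rows (IdType, IdIndex, IdBlob).
IDMAP_ROWS = [
    {"IdType": 0, "IdIndex": 1, "IdBlob": "\\Device\\HarddiskVolume2\\Program Files\\Microsoft Office\\Office15\\WINWORD.EXE".encode("utf-16-le")},
    {"IdType": 0, "IdIndex": 2, "IdBlob": "\\Device\\HarddiskVolume2\\Users\\alice\\Downloads\\sync.exe".encode("utf-16-le")},
    {"IdType": 3, "IdIndex": 3, "IdBlob": make_sid(1, 5, 21, 1000, 2000, 3000, 1001)},
    {"IdType": 3, "IdIndex": 4, "IdBlob": make_sid(1, 5, 18)},
]

# Constructed rows from the network data usage table {973F5D5C-...}.
USAGE_ROWS = [
    {"AppId": 1, "UserId": 3, "BytesSent": 12_000, "BytesRecvd": 250_000},
    {"AppId": 2, "UserId": 3, "BytesSent": 900_000_000, "BytesRecvd": 5_000},
    {"AppId": 2, "UserId": 3, "BytesSent": 450_000_000, "BytesRecvd": 3_000},
    {"AppId": 99, "UserId": 4, "BytesSent": 10, "BytesRecvd": 10},
]


def demo():
    id_map = build_id_map(IDMAP_ROWS)
    return summarize_usage(resolve_rows(USAGE_ROWS, id_map))


if __name__ == "__main__":
    for (user, app), (sent, recvd) in sorted(demo().items()):
        print("%s\n    %s\n    sent=%d recvd=%d" % (user, app, sent, recvd))
```

The unresolved-key placeholders matter in practice: an AppId with no SruDbIdMapTable entry is exactly the case the App History slide calls an uninstalled or moved program, and it should survive into the report rather than be filtered out.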
Parsed/Resolved data (screenshot: the same network data usage rows after foreign keys, InterfaceLuids and timestamps have been resolved)
Forensic Uses (diagram: uses radiating from "SRUM Data")
• User-process mapping
  • Which user launched the process?
• Network statistics
  • Data upload/download per network and per process
• Application run times can be estimated
• Deleted/uninstalled/external program tracking
Estimate Process Run time
• A Prefetch file records the start time of a process, not its duration
(diagram: a Prefetch start time followed by four hourly SRUM entries for Winword.exe; the start is known, the end is bounded only to within the last SRUM interval, giving an estimated duration)
Estimate Process Run time
• Prefetch only retains the last 8 start times; there is no record of prior runs
• SRUM can still tell you whether an app was run in a given hour
(diagram: four hourly SRUM entries for Winword.exe with no Prefetch record; start and end are unknown beyond the one-hour windows, so only a possible duration can be given)
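The bounding argument in the two slides above, carried through as an added example (not from the deck). It assumes an application resource usage entry stamped T covers the window (T - 1h, T], which is the one-hour precision the slides describe; the timestamps and the Prefetch time are constructed.

```python
"""Estimate how long a program ran from its hourly SRUM entries, optionally
pinned by a Prefetch last-run time.

Added example, not from the slides. The timestamps are constructed. It assumes
each application resource usage entry stamped T covers activity in the window
(T - 1h, T].
"""
from datetime import datetime, timedelta, timezone

INTERVAL = timedelta(hours=1)


def group_runs(sample_times, interval=INTERVAL):
    """Split an app's SRUM sample times into contiguous runs: back-to-back
    samples belong together; a gap longer than one interval starts a new run."""
    runs, current = [], []
    for t in sorted(sample_times):
        if current and t - current[-1] > interval:
            runs.append(current)
            current = []
        current.append(t)
    if current:
        runs.append(current)
    return runs


def estimate_duration(run, interval=INTERVAL, known_start=None):
    """Bound the lifetime of one run of n hourly samples.

    Unknown start: it lies somewhere in the first window and the end somewhere
    in the last, so the duration is between (n-2) and n intervals. A Prefetch
    start inside the first window pins the start and tightens both bounds.
    SRUM cannot distinguish one long run from several short ones in the same
    hours, so this bounds presence in the windows, not a single process lifetime.
    """
    if not run:
        raise ValueError("empty run")
    first, last = run[0], run[-1]
    earliest_start, latest_start = first - interval, first
    if known_start is not None:
        if not earliest_start < known_start <= first:
            raise ValueError("known start is not inside the first SRUM window")
        earliest_start = latest_start = known_start
    # To appear in the last window the app was still alive when it opened,
    # i.e. after the second-to-last sample time.
    min_duration = run[-2] - latest_start if len(run) >= 2 else timedelta(0)
    return {
        "earliest_start": earliest_start,
        "latest_end": last,
        "min_duration": max(min_duration, timedelta(0)),
        "max_duration": last - earliest_start,
    }


def ts(hour, minute=0):
    """Constructed timestamps on 2015-03-02 UTC."""
    return datetime(2015, 3, 2, hour, minute, tzinfo=timezone.utc)


# Constructed: Winword.exe appears in the hourly SRUM entries written at
# 10:00, 11:00, 12:00 and again at 15:00, 16:00; Prefetch last run 09:40.
WINWORD_SAMPLES = [ts(10), ts(11), ts(12), ts(15), ts(16)]
PREFETCH_LAST_RUN = ts(9, 40)


def demo():
    runs = group_runs(WINWORD_SAMPLES)
    first = estimate_duration(runs[0], known_start=PREFETCH_LAST_RUN)
    second = estimate_duration(runs[1])   # no Prefetch record for this run
    return first, second


if __name__ == "__main__":
    for est in demo():
        print("%s .. %s  duration %s to %s" % (
            est["earliest_start"].time(), est["latest_end"].time(),
            est["min_duration"], est["max_duration"]))
```

For the constructed data the first run is pinned to 09:40 and lasted between 1h20m and 2h20m; the second run, with no Prefetch entry, can only be placed between 14:00 and 16:00 with a duration anywhere from a few seconds straddling 15:00 up to two hours.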
Typical Data Theft scenario
• An employee downloads a lot of data from the intranet just before leaving the company
Investigate Program usage (diagram: what SRUM answers about one program)
• Identify the user who launched the program
• Detailed process stats: CPU cycles, context switches, I/O bytes read/written, number of read operations, number of write operations, number of flushes
• Identify the network & profile used
• Get data statistics: how much data was uploaded & downloaded?
• Approximate program run timespan (precision is one hour)
Questions?
• Thanks for listening!
• Link to paper: Forensic Implications of SRUM in Windows 8
  http://www.sciencedirect.com/science/article/pii/S1742287615000031
Contact info:
www.swiftforensics.com