Use This Windows Feature To Help Track a Hacker's Moves During a Data Breach
By Christopher Sanchez, ERMProtect, Senior Information Security Manager
Most companies have a robust incident response plan that requires an internal team or service provider to be at the ready should a data breach occur. While these teams may each have their own means of detecting and responding to cyberattacks, all of them have in common the requirement to collect data related to a breach, whether from logs or other sources.
The collection of data gives incident response members the ability to look back at past events and learn what occurred during a given time frame: the execution of a program, the transfer of information, user logins and so forth.
For companies that do not maintain extensive traffic logs, or that want to enhance their current logging process, the System Resource Utilization Management (SRUM) feature in Windows is a good option. It gives investigators the ability to learn of ransomware exfiltration where transferred data is not being logged or the logging is not sufficient.
A Complement To Logs
It should be stated, though, that SRUM is not something that should replace logging on Windows systems; rather, it complements it.
System Resource Utilization Management (SRUM) was introduced back in Windows 8 as a diagnostics feature. It monitors applications, services and network connections and records them in a database held on the system.
The major benefit of this, from a forensic and incident response standpoint, is that SRUM maintains a database of historical activity, so investigators can see how much data applications have transferred and when the transfers occurred. SRUM collects the following information into its database, which may be useful for incident response teams:
1. Network Connectivity
- Interface Type & ID
- Network Profile ID
- Time connection was established
- Length of time connected
2. Network Data Usage
- Application/Service/App consuming data (User SID)
- Bytes Uploaded & Downloaded
- Interface Type & ID
- Network Profile ID
3. Windows push notifications
Good Tool For Data Breaches
SRUM is invaluable for an incident response team to determine which programs ran and how much data was sent. If ransomware were to infect a corporation where logs are not properly recorded, at the very least SRUM allows you to determine whether the program communicated with the internet and the total volume of data sent and/or received.
One of the major tools to use alongside SRUM is srum-dump, created by Mark Baggett (https://github.com/MarkBaggett/srum-dump). It parses the SRUM database and presents the information in a much easier and more digestible fashion in an Excel file.
The output has proven useful in many of our investigations by giving a little more clarity on which processes and applications have run on a system and how much data they transmitted. It gives good insight into the commands run by an attacker even when they attempt to hide their footsteps.
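As an added example (not the author's code and not part of srum-dump), this is the triage step an investigator would run on rows exported from the SRUM database (on disk at C:\Windows\System32\sru\SRUDB.dat): total bytes up and down per application, the window in which it was talking, and a flag for applications that pushed far more data out than in, which is the shape of exfiltration rather than browsing or mail. The sample rows and their column names are constructed for this example and are not srum-dump's output format.

```python
import csv
import io
from datetime import datetime

# Constructed sample export, shaped after the Network Data Usage fields the
# article lists (app, user SID, bytes up/down, interface, profile). The column
# names are this example's own, not srum-dump's output format.
SAMPLE_CSV = """timestamp,app_id,user_sid,interface_luid,profile_id,bytes_sent,bytes_recvd
2024-03-11T09:00:00,chrome.exe,S-1-5-21-1000,1689399632855040,3,2000000,45000000
2024-03-11T10:00:00,chrome.exe,S-1-5-21-1000,1689399632855040,3,1800000,52000000
2024-03-11T10:00:00,outlook.exe,S-1-5-21-1000,1689399632855040,3,900000,7000000
2024-03-11T02:00:00,unknown_tool.exe,S-1-5-21-1000,1689399632855040,3,350000000,120000
2024-03-11T03:00:00,unknown_tool.exe,S-1-5-21-1000,1689399632855040,3,410000000,95000
"""

def parse_rows(csv_text):
    """Turn the export into typed records; each row is one roughly hourly SRUM snapshot."""
    rows = []
    for r in csv.DictReader(io.StringIO(csv_text)):
        rows.append({"timestamp": datetime.fromisoformat(r["timestamp"]),
                     "app_id": r["app_id"], "user_sid": r["user_sid"],
                     "bytes_sent": int(r["bytes_sent"]),
                     "bytes_recvd": int(r["bytes_recvd"])})
    return rows

def summarize_by_app(rows):
    """Total bytes up/down per application and the window in which it was talking."""
    summary = {}
    for r in rows:
        s = summary.setdefault(r["app_id"], {"bytes_sent": 0, "bytes_recvd": 0,
                                             "first_seen": r["timestamp"],
                                             "last_seen": r["timestamp"]})
        s["bytes_sent"] += r["bytes_sent"]
        s["bytes_recvd"] += r["bytes_recvd"]
        s["first_seen"] = min(s["first_seen"], r["timestamp"])
        s["last_seen"] = max(s["last_seen"], r["timestamp"])
    return summary

def flag_upload_heavy(summary, min_bytes_sent=100_000_000, min_ratio=10.0):
    """Apps that sent a lot and sent far more than they received: the shape of
    bulk exfiltration, unlike browsing or mail, which download more than they
    upload. Returns app names, largest upload first."""
    hits = [app for app, s in summary.items()
            if s["bytes_sent"] >= min_bytes_sent
            and s["bytes_sent"] / max(s["bytes_recvd"], 1) >= min_ratio]
    return sorted(hits, key=lambda a: summary[a]["bytes_sent"], reverse=True)
```

On the sample rows, `flag_upload_heavy(summarize_by_app(parse_rows(SAMPLE_CSV)))` returns only `unknown_tool.exe`, whose two early-morning snapshots account for 760 MB out against 215 KB in; the browser and mail client never approach the ratio. Thresholds are starting points to tune against the host's normal traffic, not fixed indicators.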
If you need help with a data breach, our incident response team stands ready to help utilizing techniques and methodologies developed in our 24 years in business as a cybersecurity services firm. Learn more about our digital forensic and incident response services here.
Christopher Sanchez is a Senior Information Security Manager at ERMProtect Cybersecurity Solutions. He is certified as an EnCase Certified Examiner (EnCE) and as a Payment Card Industry Forensic Investigator (PCI PFI). He is a Coin Holder for SANS Institute Reverse Malware Engineering and SANS Institute Lethal Forensicator.