Slide 1

Slide 1 text

Veronica Schmitt

Slide 2

Slide 2 text

whoami: Veronica Schmitt (P01z0n_P1x13)

Slides published online:
● https://medium.com/
● @P01z0n_P1x13
● [email protected]
● www.dfirlabs.com

Slide 3

Slide 3 text

No content

Slide 4

Slide 4 text

What does it monitor? (diagram with five numbered items; the labels did not survive extraction)

Slide 5

Slide 5 text


Slide 6

Slide 6 text

NOT AVAILABLE

Slide 7

Slide 7 text

No content

Slide 8

Slide 8 text

No content

Slide 9

Slide 9 text

No content

Slide 10

Slide 10 text

SRUM Energy Usage (Long Term)

Slide 11

Slide 11 text

No content

Slide 12

Slide 12 text

No content

Slide 13

Slide 13 text

No content

Slide 14

Slide 14 text

No content

Slide 15

Slide 15 text

● Timestamps are in UTC, in OLE format (64 bits) and FILETIME format (64 bits)
● Network interfaces are specified as InterfaceLuid (NET_LUID)
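Decoders for the two timestamp encodings and the NET_LUID field named above, added here as an example and not part of the original slides or of srum-dump. The record layout in SAMPLE_RECORD (OLE date, then FILETIME, then NET_LUID) is constructed for illustration and is not a real SRUM table layout.

```python
"""Decode SRUM-style 64-bit fields: OLE Automation dates, Windows FILETIME, NET_LUID."""
import math
import struct
from datetime import datetime, timedelta, timezone

# OLE Automation dates count days (as an IEEE-754 double) from 30 Dec 1899.
OLE_EPOCH = datetime(1899, 12, 30, tzinfo=timezone.utc)
# FILETIME counts 100 ns ticks (unsigned 64-bit) from 1 Jan 1601.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def ole_days_to_utc(days: float) -> datetime:
    """Integer part is the day offset; the fraction is time of day and is
    stored as a positive magnitude even for dates before the epoch."""
    if not math.isfinite(days):
        raise ValueError("OLE date is not a finite number")
    whole = math.trunc(days)
    frac = abs(days - whole)
    return OLE_EPOCH + timedelta(days=whole) + timedelta(days=frac)


def filetime_ticks_to_utc(ticks: int) -> datetime:
    """Python datetimes resolve to microseconds, so sub-microsecond ticks are dropped."""
    if ticks < 0:
        raise ValueError("FILETIME is unsigned")
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def decode_net_luid(value: int) -> tuple:
    """NET_LUID packs Reserved:24 | NetLuidIndex:24 | IfType:16 into a ULONG64.
    IfType uses IANA ifType numbers (6 = ethernetCsmacd, 71 = ieee80211)."""
    if_type = (value >> 48) & 0xFFFF
    index = (value >> 24) & 0xFFFFFF
    return if_type, index


def decode_record(raw: bytes) -> dict:
    """Constructed layout: little-endian OLE double, FILETIME, NET_LUID (24 bytes)."""
    days, ticks, luid = struct.unpack("<dQQ", raw)
    if_type, index = decode_net_luid(luid)
    return {
        "TimeStamp": ole_days_to_utc(days),
        "ConnectStartTime": filetime_ticks_to_utc(ticks),
        "InterfaceLuid": {"IfType": if_type, "NetLuidIndex": index},
    }


# Constructed sample: 2018-01-01 12:00 UTC (OLE), 2018-01-01 00:00 UTC (FILETIME), Wi-Fi index 3.
SAMPLE_RECORD = struct.pack("<dQQ", 43101.5, 131592384000000000, (71 << 48) | (3 << 24))
```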

Slide 16

Slide 16 text

No content

Slide 17

Slide 17 text

No content

Slide 18

Slide 18 text

Prefetch file records start time of process, not duration

Slide 19

Slide 19 text

● Prefetch only retains the last 8 start times; there is no record of prior runs
● SRUM can tell you whether an app was run or not

Slide 20

Slide 20 text

No content

Slide 21

Slide 21 text

Downloads to Ares and uTorrent, and he was running OpenVPN

Slide 22

Slide 22 text

Application Resource Manager

Slide 23

Slide 23 text

No content

Slide 24

Slide 24 text

No content

Slide 25

Slide 25 text

Energy Usage

Slide 26

Slide 26 text

Well, what did we find...

Slide 27

Slide 27 text

● uTorrent and Ares downloading
● Networks connected to and total downloads
● Tor being used
● VeraCrypt
● CCleaner being run
● OpenVPN being used
● Skype activity
● Viber chat activity

Slide 28

Slide 28 text

Using srum-dump-master (https://github.com/MarkBaggett/srum-dump). LET'S DO THIS

Slide 29

Slide 29 text

No content