Upgrade to Pro — share decks privately, control downloads, hide ads and more …

SRUM Forensics

Sponsored · Your Podcast. Everywhere. Effortlessly. Share. Educate. Inspire. Entertain. You do you. We'll handle the rest.
Avatar for Veronica Schmitt Veronica Schmitt
October 26, 2018
Technology
0
650

SRUM Forensics

Delving into the world of SRUM forensics.

Avatar for Veronica Schmitt

Veronica Schmitt

October 26, 2018
Tweet

More Decks by Veronica Schmitt

See All by Veronica Schmitt
The Autopsy of the PHOENIX X36 Hemodialysis System
Avatar for Veronica Schmitt velandra666
2
1.1k

Other Decks in Technology

See All in Technology
「ストレッチゾーンに挑戦し続ける」ことって難しくないですか? メンバーの持続的成長を支えるEMの環境設計
Avatar for SansanTech sansantech
PRO
1
280
Introduction to Sansan Meishi Maker Development Engineer
Avatar for Sansan, Inc. sansan33
PRO
0
360
OpenClawで回す組織運営
Avatar for Kazuto Kusama jacopen
1
160
Exadata Fleet Update
Avatar for oracle4engineer oracle4engineer
PRO
0
1.3k
Oracle Database@Google Cloud:サービス概要のご紹介
Avatar for oracle4engineer oracle4engineer
PRO
5
1.1k
大規模な組織におけるAI Agent活用の促進と課題
Avatar for LINEヤフーTech (LY Corporation Tech) lycorptech_jp
PRO
6
7.7k
Databricksアシスタントが自分で考えて動く時代に! エージェントモード体験もくもく会
Avatar for Takaaki Yayoi taka_aki
0
310
チームメンバー迷わないIaC設計
Avatar for hayama hayama17
5
3.7k
EMからICへ、二周目人材としてAI全振りのプロダクト開発で見つけた武器
Avatar for Yuji Yamaguchi yug1224
3
290
【SLO】"多様な期待値" と向き合ってみた
Avatar for kaita z63d
2
300
Eight Engineering Unit 紹介資料
Avatar for Sansan, Inc. sansan33
PRO
1
6.9k
問い合わせ自動化の技術的挑戦
Avatar for Recruit recruitengineers
PRO
2
140

Featured

See All Featured
Leveraging Curiosity to Care for An Aging Population
Avatar for Cassini Nazir cassininazir
1
190
Claude Code どこまでも/ Claude Code Everywhere
Avatar for nwiizo nwiizo
63
53k
Making the Leap to Tech Lead
Avatar for Ryan Cromwell cromwellryan
135
9.8k
Heart Work Chapter 1 - Part 1
Avatar for Lake Fama lfama
PRO
5
35k
The Spectacular Lies of Maps
Avatar for Per Axbom axbom
PRO
1
580
Evolving SEO for Evolving Search Engines
Avatar for Ryan Jones ryanjones
0
150
Mozcon NYC 2025: Stop Losing SEO Traffic
Avatar for Sam Torres samtorres
0
170
Bash Introduction
Avatar for André Augusto Costa Santos 62gerente
615
210k
I Don’t Have Time: Getting Over the Fear to Launch Your Podcast
Avatar for Joe Casabona jcasabona
34
2.6k
CoffeeScript is Beautiful & I Never Want to Write Plain JavaScript Again
Avatar for Sam Stephenson sstephenson
162
16k
Rebuilding a faster, lazier Slack
Avatar for samanthasiow samanthasiow
85
9.4k
How to Ace a Technical Interview
Avatar for Jacob Kaplan-Moss jacobian
281
24k

Transcript

  1. Veronica Schmitt

  2. whoami Veronica Schmitt P01z0n_P1x13 Slides Published online: • https://medium.com/ •

    @P01z0n_P1x13 • [email protected] • www.dfirlabs.com
  3. None

  4. What does it monitor? 1 3 5 2 4

  5. • • • • • • •

  6. NOT AVAILABLE

  7. None
  8. None
  9. None

  10. SRUM Energy Usage (Long Term)

  11. None
  12. None
  13. None
  14. None

  15. • Timestamps are in UTC in OLE format (64 bits)

    and FILETIME format (64 bits) • Network interfaces are specified as InterfaceLuid (NET_LUID)
  16. None
  17. None

  18. Prefetch file records start time of process, not duration

  19. • Prefetch only retains last 8 start times, no record

    of prior runs • SRUM can tell you if an app was run or not
  20. None

  21. Downloads to Ares and Utorrent and he was running OpenVPN

  22. Application Resource Manager

  23. None
  24. None

  25. Energy Usage

  26. Well, what did we find...

  27. • Utorrent and Ares downloading. • Network connected to and

    total downloads. • TOR being used • Veracrypt • Ccleaner being run. • OpenVPN being used • Skype Activity • Viber Chat Activity

  28. Using srum-dump-master https://github.com/MarkBaggett/srum-dump LET'S DO THIS

  29. None