Forensic implications of System Resource Usage Monitor (SRUM) data in Windows 8

The Microsoft Windows 8 operating system has a newly added feature to track system resource usage, specifically process and network metrics over time. Process related information such as process owner, CPU cycles used, data bytes read/written, and network data (sent/received) are continuously recorded by a mechanism called System Resource Usage Monitor (SRUM). This paper describes the SRUM mechanism, its databases, Windows registry entries, data logging, and potential uses in a forensic examination. Prior to this applied research, no tools were available to parse the SRUM data to a usable format. As part of this paper, two scripts have been developed to aid forensic examiners who would want to read, parse, and decode this information from a forensic disk image.