WithSecureLabs / chainsaw

Rapidly Search and Hunt through Windows Forensic Artefacts
GNU General Public License v3.0
2.7k stars, 242 forks

feat: dump the raw content of ESE databases and analyse SRUM databases #145

Closed catarinadf closed 11 months ago

catarinadf commented 11 months ago

The dump of ESE (Extensible Storage Engine) databases and the analysis of SRUM (System Resource Usage Monitor) databases were implemented in Chainsaw as part of a research project about the inner workings of SRUM, presented at the SANS DFIR Summit Europe 2023 on October 1, 2023. A WithSecure Labs article will soon be published containing more information about it. The research was conducted by members of the incident response team at WithSecure: Catarina de Faria Cristas, Lucas Echard and Diego Fuschini. This parser differs from others because it does not rely on hard-coded values about the tables. The information is extracted directly from the SOFTWARE hive, which is mandatory. The goal is to avoid errors related to unknown tables. One thing to note is that this version of the SRUM database parser does not map the InterfaceLuid values. That will be implemented in the next update.