markbaggett / srum-dump
A forensics tool to convert the data in the Windows srum (System Resource Usage Monitor) database to an xlsx spreadsheet.
License: GNU General Public License v3.0
Getting the following error when trying to run Srum dump from commandline. Got similar error when running it from the GUI as well. Running as Admin.
Traceback (most recent call last):
File "srum_dump2.py", line 581, in
File "srum_dump2.py", line 316, in process_srum
File "srum_dump2.py", line 316, in
OSError: pyesedb_table_get_number_of_records: unable to retrieve number of records. libcdata_array_get_entry_by_index: invalid entry index value out of bounds. libfdata_vector_get_element_index_at_offset:
unable to retrieve entry: 2 from mapped ranges array. libfdata_vector_get_element_value_at_offset: unable to retrieve element index at offset: 0x029de000. libesedb_page_tree_read_page: unable to retrieve
page: 10719 at offset: 0x029de000. libesedb_page_tree_read_node: unable to read page: 10719 at offset: 0x029de000. libfdata_btree_read_node: unable to read node at offset: 43900928.
libfdata_btree_read_sub_tree: unable to read node. libfdata_btree_get_number_of_leaf_values: unable to read root node sub tree. libesedb_table_get_number_of_records: unable to retrieve number of leaf
values from table values tree.
When I run the tool against valid files I am getting "not an ese file". Ultimately, I was hoping this tool could help me understand why ESENT is not dumping app name not app description from srudb.dat.
ese-analyst-master\ese-analyst-master> .\ese2csv.exe -p srudb_plugin -l C:\Windows\system32\sru\srudb.dat
Processing File C:\Windows\system32\sru\srudb.dat
Not an ese file. Skipping.
1 files matched the file path criteria specified.
By default WSL has no GUI so tkinter cannot be installed or loaded.
Was able to bypass and run successfully with the "-q" switch by commenting out the line
"import PySimpleGUI as sg"
So perhaps this is more of a feature request than a bug.
command:
python srum_dump2.py -q -i /mnt/c/temp/SRUDB.dat -t SRUM_TEMPLATE2.xlsx -o /mnt/c/temp/sru1.xlsx
error:
Traceback (most recent call last):
File "srum_dump2.py", line 19, in <module>
import PySimpleGUI as sg
File "/usr/local/lib/python3.8/dist-packages/PySimpleGUI/__init__.py", line 2, in <module>
from .PySimpleGUI import *
File "/usr/local/lib/python3.8/dist-packages/PySimpleGUI/PySimpleGUI.py", line 136, in <module>
import tkinter as tk
ModuleNotFoundError: No module named 'tkinter'
The link to Yogesh Khatri's PDF seems to be broken. I believe it can now be found here: https://digital-forensics.sans.org/summit-archives/file/summit-archive-1492184583.pdf
Hi Mark, I gave this a try on my Mac using Python 2.7.15 and openpyxl 2.6.1 and ran into some errors related to openpyxl. Here is the first error it generated:
Traceback (most recent call last):
File "srum_dump.py", line 8, in
from openpyxl.writer.write_only import WriteOnlyCell
ImportError: No module named write_only
Which I got around by changing the import to:
from openpyxl.cell import WriteOnlyCell
After that I received this error:
Traceback (most recent call last):
File "srum_dump.py", line 285, in
ese_template_table = template_sheet.cell("A1").value
TypeError: cell() takes at least 3 arguments (2 given)
Which I got around by changing the line to:
ese_template_table = template_sheet["A1"].value
I have no idea if it still works as intended though.
PySimpleGUI==4.11.0 is not available.
Latest PySimpleGUI is 4.34.0 and this gives a missing module error.
I suspected no one was using that so I removed it. I was wrong.
Sorry Mark Hallman. I'll fix it when I get back in the office.
I could not open the specified template file /home/tkrabec/srudb/SRUM_TEMPLATE.xlsx. Check your path and file name.
Error : File is not a zip file
Same error windows 10 and Centos.
Could you add an output path like there is in srum_dump? This will be helpful for adding a module to KAPE.
Dear Mark,
When I run srum-dump on Windows 11 I get an exception:
Registry.Registry.RegistryKeyNotFoundException: Registry key not found: ROOT\Microsoft\WlanSvc\Interfaces{9973590D-191A-42BB-A2C9-63981C0BD659}\Profiles{9D178DC5-2D6A-40AD-836C-B76801191869}\MetaData [19916] Failed to execute script 'srum_dump2' due to unhandled exception!
Hi,
When running srum_dump2.exe on a Windows 10 machine I get the following error:
File "srum_dump2.py", line 563, in <module>
if regsids:
NameError: name 'regsids' is not defined.
Any idea of what's going wrong?
Does SRUM_dump2.exe only retrieve the last 30 days of records?
I have a SRUDB.dat where I can see much older artifacts of interest in ASCII/HEX view, but SRUM_dump2 doesn't seem to retrieve any info about this. The events of interest occurred 3 years before the last event in SRUDB.dat
I was given an example of a SRUM.DAT file that I am unable to process. (Thank you Martin Willing!) While processing the file the tool produces the following output:
Unable to find table Undocumented Windows 10 Table {97C2CE28-A37B-4920-B1E9-8B76CD341EC5}
I was unable to write the output file. Do you have an old version open? If not this is probably a path or permissions issue.
Error :
Finished!
The first line "Unable to find table ..." isn't a problem. This is just a warning that indicates that the SRUM file you are analyzing doesn't contain that table. No big deal. The next line "I was unable to write the output file..." is a problem. In this case the error is not caused by permissions or the path as the error message indicates. The problem is that the system is running out of memory. Unfortunately MemoryErrors cannot always be caught in Python (see docs https://docs.python.org/2/library/exceptions.html#exceptions.MemoryError ), so the error message returned by the program isn't at all helpful. Usually after the word "ERROR:" you would see what the error is. If NOTHING appears after the word "ERROR:" then you are probably having the same issue. When I run this through the debugger I can clearly see that it is a memory error...
Creating Sheet Energy Usage
While you wait, did you know ...
This program was written by Twitter:@markbaggett and @donaldjwilliam5 because @ovie said so.
Unable to find table Undocumented Windows 10 Table {97C2CE28-A37B-4920-B1E9-8B76CD341EC5}
> c:\host\documents\pythonprojects\srum\srum-dump\srum_dump.py(365)<module>()
-> firstsheet=target_wb.get_sheet_by_name("Sheet")
(Pdb)
(Pdb) target_wb.save(".\\outtest.xlsx")
*** MemoryError:
(Pdb)
There were some recent changes to openpyxl in dealing with memory usage and large spreadsheets. The current release was using openpyxl (2.4.7). This is an open issue that I will have to resolve. I'm working on it now.
Error due to line not being indented.
Traceback (most recent call last):
File "srum_dump_csv.py", line 361, in
print("While you wait, did you know ...\n"+ad+"\n")
NameError: name 'ad' is not defined
Traceback (most recent call last):
File "srum_dump.py", line 328, in
print("While you wait, did you know ...\n"+ad+"\n")
NameError: name 'ad' is not defined
Hi Mark,
I'm using srum-dump to analyze SRUDB.dat on Windows 10 (1809)...
For now, all results for User's SID in Application Resource Usage were "None".
I tried it on the multiple SRUDB.dat (exported with FTK Imager) files, with or without template and SOFTWARE hive. There is no error message in cmd...
Any idea why I can't get user's SIDs?
Best regards
Hi Mark,
Sorry for using your Github to get a hold of you, but I couldn't find an easy way to get in touch. I have a question regarding the parsing of OLE Timestamps like the ones you parse from the SRUdb. In what format is the actual timestamp when it's processed by your python version of the parser?
I am trying to do pretty much the same thing in a program I'm writing as you did, but I keep getting a struct.unpack error "unpack requires a string argument of length 8".
It's not directly related to your srum-dump, but do you think you can help?
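The question above is about the layout of the OLE timestamps srum-dump decodes. The following is an added example written for this page, not Mark's parser and not code from the srum-dump repository; it assumes (my assumption, not stated on the page) that the value is an 8-byte little-endian IEEE-754 double holding an OLE Automation date, i.e. days since 1899-12-30 with the time of day as the fractional part. It also shows the length check that explains the "unpack requires ... length 8" error: struct.unpack("<d", ...) only accepts exactly 8 bytes. All sample values are constructed.

```python
import struct
from datetime import datetime, timedelta
from typing import Optional

# OLE Automation dates count days from this epoch; 1970-01-01 is day 25569.
# (Assumption for this example: SRUM stores timestamps in this form.)
OLE_EPOCH = datetime(1899, 12, 30)

# Constructed sample: 43900.5 days after the epoch = 2020-03-10 12:00:00.
SAMPLE_RAW = struct.pack("<d", 43900.5)


def ole_timestamp_to_datetime(raw: bytes) -> datetime:
    """Decode an 8-byte little-endian double as an OLE Automation date.

    struct.unpack("<d", ...) demands exactly 8 bytes; any other length
    raises struct.error ("unpack requires a buffer of 8 bytes"), so the
    length is checked up front to give a clearer message.
    """
    if len(raw) != 8:
        raise ValueError("OLE timestamp must be exactly 8 bytes, got %d" % len(raw))
    (days,) = struct.unpack("<d", raw)
    if days < 0:
        # Pre-1899 OLE dates use a different sign convention for the time of
        # day; a forensic timestamp that far back is almost certainly garbage.
        raise ValueError("negative OLE date %r is not supported" % days)
    return OLE_EPOCH + timedelta(days=days)


def ole_timestamp_or_none(raw: Optional[bytes]) -> Optional[datetime]:
    """Tolerant variant for use while walking table rows: a missing or
    malformed timestamp column yields None instead of aborting the dump."""
    if not raw:
        return None
    try:
        return ole_timestamp_to_datetime(raw)
    except (ValueError, struct.error):
        return None


def datetime_to_ole_timestamp(when: datetime) -> bytes:
    """Inverse of ole_timestamp_to_datetime, handy for building test fixtures."""
    delta = when - OLE_EPOCH
    return struct.pack("<d", delta.total_seconds() / 86400.0)


if __name__ == "__main__":
    print(ole_timestamp_to_datetime(SAMPLE_RAW))          # 2020-03-10 12:00:00
    print(ole_timestamp_or_none(b"\x00\x00\x00\x00"))    # None (4 bytes, not 8)
```

The fractional day carries the time of day, so timedelta(days=43900.5) lands on noon; sub-millisecond precision is limited by the double, which is fine for SRUM's hourly records.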
@MarkBaggett, this is a great tool! I do most of my analysis in MacOs or Linux, so my preference was to use your raw python script. Unfortunately, I'm getting the following openpyxl (using version 2.4.1) error:
Traceback (most recent call last):
File "./srum_dump.py", line 327, in <module>
cell_style = template_sheet.cell(row = 4, column = eachcolumn).style
AttributeError: 'ReadOnlyCell' object has no attribute 'style'
It appears (in this version anyway) that the ReadOnlyCell class has different properties than the standard Cell class. Simply changing your call to openpyxl.load_workbook (line 268) to open the template read-write fixed the issue for me. Not ideal, but provides for a quick fix. (Also, FYI opening read-write appears to be a fairly safe operation if you don't call wb.save().)
It would be nice to resolve the SID prior to outputting the data.
But I hear doing so can be dangerous in PKI situations where UPN is an external namespace (like the DoD). As it generates network traffic but also targets the PDC-E role which is single homed by design. WMI's Win32_UserAccounts sid resolver will hit the PDC-E, so not sure if there is a good way around doing this, or maybe allow as a configurable/opt in option.
Hello,
Thank you for developing this tool. However, as your repository is missing a license file, or any reference to a specific license in the first place, it is strictly speaking forbidden for anybody to use the tool for any purpose besides those outlined in the GitHub Terms of Service (section D.4 - D.7).
GitHub has both excellent instructions and a tool for choosing a license - which conveniently includes details on what it means when you don't choose a license.
You mention that parts of srum-dump originate from GRR's wmi_parser.py, which is licensed under the Apache license 2.0. Without explicit permission given to you, this likely means that srum-dump should be considered a derivative work and licensed under the same terms.
Furthermore, it is my personal understanding that all contributors to the code should agree to license their contributions under the chosen terms.
As the standard disclaimer, I am not a lawyer - I'm just a person who (full disclosure: and whose employer) would like to use this tool.
I could not open the specified SRUM file. Check your path and file name.
Error : ("Unpacked data doesn't match constant value 'b'0\x00\x03\x00'' should be ''ïÍ«\x89''", 'When unpacking field 'Signature | "ïÍ«\x89 | b"0\x00\x03\x00\x95\x10E\x95\x02\x00\x00\x00\x01\x00\x01\x008\x00\x01\x00\xc8\x01\x00\x00\x00\x04\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x07\x00\x00
Hmmm... I get following when I use the default template:
Unable to find table Undocumented Windows 10 Table {97C2CE28-A37B-4920-B1E9-8B76CD341EC5}
I was unable to write the output file. Do you have an old version open? If not this is probably a path or permissions issue.
Error :
Finished!
And I get this when I use the small template:
Traceback (most recent call last):
File "", line 347, in
AttributeError: 'NoneType' object has no attribute 'replace'
This is running on a Windows 10 Enterprise v1607 with a copy of the SRUDB.dat file from the same machine.
I get the following error when running srum_dump_csv:
C:\Software\srum-dump>srum_dump_csv
What is the path to the SRUDB.DAT file? (Ex: \image-mount-point\Windows\system32\sru\srudb.dat) : E:\DFIRNW-19.2\endpoint\windows\vanko-c-drive\vanko-c-drive.CYLR\G\Windows\System32\sru\SRUDB.dat
What XLS Template should I use? (Press enter for the default SRUM_TEMPLATE.XLSX) :
What is the full path of the SOFTWARE registry hive? Usually \image-mount-point\Windows\System32\config\SOFTWARE (or press enter to skip Network resolution) : E:\DFIRNW-19.2\endpoint\windows\vanko-c-drive\vanko-c-drive.CYLR\G\Windows\System32\config\SOFTWARE
Creating CSV for Network Usage
While you wait, did you know ...
Check out SANS Automating Infosec with Python SEC573 to learn to write program like this on your own.
Finished processing Network Usage. Writing Output File.
Creating CSV for Application Resource Usage
While you wait, did you know ...
To learn how SRUM and other artifacts can enhance your forensics investigations check out SANS Windows Forensics FOR500/408
Finished processing Application Resource Usage. Writing Output File.
Creating CSV for Network Connections
While you wait, did you know ...
This program uses the function BinarySIDtoStringSID from the GRR code base to convert binary data into a user SID and relies heavily on the CoreSecurity Impacket ESE module. This works because of them. Check them out!
Finished processing Network Connections. Writing Output File.
Creating CSV for Push Notification Data
While you wait, did you know ...
Yogesh Khatri's paper at https://files.sans.org/summit/Digital_Forensics_and_Incident_Response_Summit_2015/PDFs/Windows8SRUMForensicsYogeshKhatri.pdf was essential in the creation of this tool.
Finished processing Push Notification Data. Writing Output File.
Creating CSV for Energy Usage (Long Term)
While you wait, did you know ...
By modifying the template file you have control of what ends up in the analyzed results. Try creating an alternate template and passing it with the --XLSX_TEMPLATE option.
Finished processing Energy Usage (Long Term). Writing Output File.
Creating CSV for Energy Usage
While you wait, did you know ...
This program was written by Twitter:@MarkBaggett and @donaldjwilliam5 because @ovie said so.
Finished processing Energy Usage. Writing Output File.
Creating CSV for Undocumented Windows 10 Table
While you wait, did you know ...
Check out SANS Automating Infosec with Python SEC573 to learn to write program like this on your own.
Traceback (most recent call last):
File "srum_dump_csv.py", line 385, in
for ese_row in ese_getnextrow(ese_table):
File "srum_dump_csv.py", line 94, in ese_getnextrow
current_row[reverse_column_lookup[each_column]] = smart_retrieve(ese_table, ese_row_num, each_column)
File "srum_dump_csv.py", line 104, in smart_retrieve
col_data = "" if not col_data else col_data.encode("HEX")
AttributeError: 'bytes' object has no attribute 'encode'
[13228] Failed to execute script srum_dump_csv
C:\Software\srum-dump>
Do you need a copy of the test DB & Software hive, or is the error sufficient?
Thanks
John
Traceback (most recent call last):
File "<string>", line 274, in <module>
File "<string>", line 130, in load_lookups
File "<string>", line 64, in BinarySIDtoStringSID
UnboundLocalError: local variable 'sid_str' referenced before assignment
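The traceback above ends in BinarySIDtoStringSID reaching its return without ever assigning sid_str, which points to an input shape the function's branches did not cover. As an added example (written for this page; not the srum-dump code and not GRR's BinarySIDtoStringSID) here is a binary-SID decoder that validates the buffer against the documented SID layout (revision byte, sub-authority count, 48-bit big-endian identifier authority, then 32-bit little-endian sub-authorities) and raises a clear error on malformed input, plus a tolerant wrapper that returns None so a table walk can continue. The sample SID bytes are constructed.

```python
import struct
from typing import Optional

SID_MAX_SUB_AUTHORITIES = 15  # Windows limit on sub-authority count

# Constructed sample: binary form of S-1-5-21-1000-2000-3000-1001
# (revision 1, five sub-authorities, identifier authority 5 = NT Authority).
SAMPLE_USER_SID = bytes.fromhex(
    "01 05 00 00 00 00 00 05"   # revision, count, 48-bit authority (big-endian)
    "15 00 00 00"               # 21
    "e8 03 00 00"               # 1000
    "d0 07 00 00"               # 2000
    "b8 0b 00 00"               # 3000
    "e9 03 00 00"               # 1001
)

# Constructed sample: the well-known "Everyone" SID S-1-1-0.
EVERYONE_SID = bytes.fromhex("01 01 00 00 00 00 00 01 00 00 00 00")


def binary_sid_to_string_sid(sid: bytes) -> str:
    """Convert a binary Windows SID to its S-R-I-S-S... text form.

    Every failure path raises ValueError, so the caller never sees a
    half-built result or an unassigned-variable error.
    """
    if len(sid) < 8:
        raise ValueError("SID header needs 8 bytes, got %d" % len(sid))
    revision = sid[0]
    subauth_count = sid[1]
    if subauth_count > SID_MAX_SUB_AUTHORITIES:
        raise ValueError("implausible sub-authority count %d" % subauth_count)
    needed = 8 + 4 * subauth_count
    if len(sid) < needed:
        raise ValueError("SID claims %d sub-authorities but only %d bytes present"
                         % (subauth_count, len(sid)))
    authority = int.from_bytes(sid[2:8], "big")
    subauths = struct.unpack_from("<%dI" % subauth_count, sid, 8)
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subauths)


def sid_or_none(sid: Optional[bytes]) -> Optional[str]:
    """Tolerant variant for walking a table: a missing or malformed SID
    column yields None instead of aborting the whole dump."""
    if not sid:
        return None
    try:
        return binary_sid_to_string_sid(sid)
    except (ValueError, struct.error):
        return None


if __name__ == "__main__":
    print(binary_sid_to_string_sid(SAMPLE_USER_SID))  # S-1-5-21-1000-2000-3000-1001
    print(sid_or_none(b"\x01\x05\x00"))               # None (truncated header)
```

When a column decodes to None it is worth logging the raw bytes alongside the row, since a run of None SIDs on a table (as another issue on this page reports) is itself a signal that the record layout differs from what the parser expects.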
I ran srum_dump on a centos machine I use for analysis that's headless and found with srum_dump2 I had issues when running srum_dump2.py -h with the following error: ModuleNotFoundError: No module named 'tkinter'.
Even after installing tkinter, the issue persisted. I ended up commenting out the line: import PySimpleGUI to see help so I could run the switches (I haven't run version 2 before).
Running SRUM with all switches applied worked as expected.
I believe this is caused by srum_dump defaulting to GUI with no variables set. I think you should allow "-h|--help" with no variables and then import PySimpleGUI afterwards.
Matt