Windows Disk

SRUM Database

The Windows System Resource Usage Monitor (SRUM) is a tool designed to track system resource usage comprehensively. It records details such as application resource consumption, energy usage, network connectivity, data usage, and Windows push notifications.

The SRUM database maintains a log of program executions, power consumption patterns, network activities, and various other system interactions, offering a valuable resource for retrieving information even if the original source data has been deleted.

🔒 Location: C:\Windows\System32\SRU\SRUDB.dat

Category

• SRUM Application Resource Usage (Most value)

• SRUM Network Usage (Most value)

• SRUM Network Connections

• SRUM Energy Usage

• SRUM Push Notification Data

• SRUM Energy Usage (Long Term)

Tool

SRUMEcmd

Timeline Explorer

Jumplists

The Jump Lists feature is designed to give users quick access to recently opened application files and frequently used tasks.

Reference: USB Forensic

Recycle Bin

The recycle bin serves as a temporary storage location for items deleted by the user.

🔒 Location: C:$Recycle.Bin{SID}$I######

$I files store metadata, including the file path, size, and deletion timestamp. Each $I file is paired with a $R file, which holds the actual content of the deleted file, as long as the item has not been permanently removed.

Tool

RBcmd

Timeline Explorer

Search Index

The Windows Search service functions as an internal dictionary, operating in the background to collect and index the system's content. The service "provides content indexing, property caching, and search results for files, e-mail, and other content".

When a user searches for a document, image, or any other file type, the query is directed to the Windows Search Index database, rather than performing a real-time search on the system.

🔒 Location : C:\%USERPROFILE%\ProgramData\Microsoft\Search\Data\Applications\Windows\Windows.edb

Tool

SIDR

Timeline Explorer

Our primary focus is on the File_Report and Internet_History_Report data.

RDP Cache

When a user connects to another system via RDP, small bitmap images are stored in their RDP profile files. This allows the system to quickly fetch or retrieve these images for reuse during the session.

🔒 Location:

C:\Users\<username>\AppData\Local\Microsoft\Terminal Server Client\Cache

In RDP lateral movement investigations, RDP bitmap cache files are key evidence.

Tool

bmc-tools

RdpCacheStitcher

Thumbnail Cache

ThumbCache is a feature that stores thumbnail images of files for Windows Explorer's thumbnail view. These images, representing the contents of files, are stored in a centralized Thumbnail Cache file.

Microsoft Windows stores thumbnails for various file types, including JPEG, BMP, GIF, PNG, TIFF, AVI, PDF, PPTX, DOCX, HTML, MP4, and more.

🔒 Location: C:\Users\[Username]\AppData\Local\Microsoft\Windows\Explorer

These files are named Thumcache_xxx.db and iconcache_xxxx.db, where "xxx" represents the bits, pixel, or resolution value.

Tool

ThumbCache Viewer

---

This knowledge has been compiled from resources provided by LetsDefend.