SANS Cyber Defense Initiative® 2020 Live Online: 30+ Interactive Courses | Virtual NetWars Tournaments. Save $300 thru 11/18


To attend this webcast, login to your SANS Account or create your Account.

This webcast has been archived. To view the webcast login into your SANS Portal Account or create an account by clicking the "Get Registered" button on the right. Once you register, you can download the presentation slides below.

SANS @MIC Talk -Hacking the SRUM and other Devious New Ways to Interrogate Windows

  • Monday, June 22, 2020 at 3:30 PM EDT (2020-06-22 19:30:00 UTC)
  • Alissa Torres

You can now attend the webcast using your mobile device!



Data is king! With increasing granularity, Windows 10+ tracks user behavior, application and network activity, geolocation data, power consumption and more. OS monitoring is now in hyperdrive, with modern performance and usability features fueled by metrics-laden databases and log files. The forensic implications of today's OS endpoint monitoring are obvious, but these data sources can be a gold mine for the adversary as well. To fuel attacker discovery and lateral movement, adversaries may utilize these data sources to quickly and quietly interrogate the host. Let's dig into the newest and most data-rich endpoint artifacts (SRUM, Windows.edb, Toast Notifications, pinned clipboard items, ActivitiesCache.db, etc) and the tools available for remote collection and parsing.

Speaker Bio

Alissa Torres

Alissa Torres is a SANS analyst and certified SANS instructor specializing in advanced computer forensics and incident response (IR). She has extensive experience in information security in the government, academic and corporate environments. Alissa has served as an incident handler and as a digital forensic investigator on an internal security team. She has taught at the Defense Cyber Investigations Training Academy (DCITA), delivering IR and network basics to security professionals entering the forensics community. A GIAC Certified Forensic Analyst (GCFA), Alissa holds the GCFE, GPEN, CISSP, EnCE, CFCE, MCT and CTT+ certifications.

Need Help? Visit our FAQ page or email

Not able to attend a SANS webcast? All Webcasts are archived so you may view and listen at a time convenient to your schedule. View our webcast archive and access webcast recordings/PDF slides.