Blogs

[[Computer forensics]] related resources like: blogs, fora, tweets, tools and challenges (and test images).

= Blogs =

== English ==

* [http://www.appleexaminer.com/ The Apple Examiner]
* [http://computer.forensikblog.de/en/ Computer Forensics Blog], by [[Andreas Schuster]]
* [http://www.niiconsulting.com/checkmate/ Checkmate - e-zine on Digital Forensics and Incident Response]
* [http://www.infosecinstitute.com/blog/ethical_hacking_computer_forensics.html Jack Koziol - Ethical Hacking and Computer Forensics]
* [http://windowsir.blogspot.com/ Windows Incident Response Blog], by [[Harlan Carvey]]
* [http://geschonneck.com/ Computer Forensics Blog], by [[Alexander Geschonneck]]
* [http://forensicblog.org/ Computer Forensics Blog], by [[Michael Murr]]
* [http://forenshick.blogspot.com/ Forensic news, Technology, TV, and more], by [[Jordan Farr]]
* [http://unixsadm.blogspot.com/ UNIX, OpenVMS and Windows System Administration, Digital Forensics, High Performance Computing, Clustering and Distributed Systems], by [[Criveti Mihai]]
* [http://intrusions.blogspot.com/ Various Authors - Intrusions and Malware Analysis]
* [http://chicago-ediscovery.com/education/computer-forensics-glossary/ Computer Forensic Glossary Blog, HOWTOs and other resources], by [[Andrew Hoog]]
* [http://secureartisan.wordpress.com/ Digital Forensics with a Focus on EnCase], by [[Paul Bobby]]
* [http://www.crimemuseum.org/blog/ National Museum of Crime and Punishment - CSI/Forensics Blog]
* [http://forensicsfromthesausagefactory.blogspot.com/ Forensics from the sausage factory]
* [http://integriography.wordpress.com Computer Forensics Blog], by [[David Kovar]]
* [http://jessekornblum.livejournal.com/ A Geek Raised by Wolves], by [[Jesse Kornblum]]
* [http://computer-forensics.sans.org/blog SANS Computer Forensics and Incident Response Blog, by SANS Institute]
* [http://www.digitalforensicsource.com Digital Forensic Source]
* [http://dfsforensics.blogspot.com/ Digital Forensics Solutions]
* [http://forensicaliente.blogspot.com/ Forensicaliente]
* [http://www.ericjhuber.com/ A Fistful of Dongles]
* [http://gleeda.blogspot.com/ JL's stuff]
* [http://4n6k.blogspot.com/ 4n6k]
* [http://justaskweg.com/ JustAskWeg], by [[Jimmy Weg]]
* [http://blog.kiddaland.net/ IR and forensic talk], by [[Kristinn Gudjonsson]]
* [http://c-skills.blogspot.ch/ c-skills], by [[Sebastian Krahmer]]
* [http://sketchymoose.blogspot.ch/ Sketchymoose's Blog]
* [http://www.swiftforensics.com/ All things forensic and security related], by [[Yogesh Khatri]]
* [http://dan3lmi.blogspot.pt/ Dlog], by [[Daniela Elmi]]

=== Windows ===

* [http://blogs.msdn.com/b/ntdebugging/ ntdebugging - Advanced Windows Debugging and Troubleshooting]

== Dutch ==

* [http://stam.blogs.com/8bits/ 8 bits], by [[Mark Stam]] (also contains English articles; otherwise use the [http://translate.google.com/translate?u=http%3A%2F%2Fstam.blogs.com%2F8bits%2Fforensisch%2Findex.html&langpair=nl%7Cen&hl=en&ie=UTF-8 Google translation])

== French ==

* [http://forensics-dev.blogspot.com Forensics-dev] ([http://translate.google.com/translate?u=http%3A%2F%2Fforensics-dev.blogspot.com%2F&langpair=fr%7Cen&hl=en&ie=UTF-8&oe=UTF-8&prev=%2Flanguage_tools Google translation])

== German ==

* [http://computer.forensikblog.de/ Computer Forensik Blog Gesamtausgabe], by [[Andreas Schuster]] ([http://computer.forensikblog.de/en/ English version])
* [http://computer-forensik.org computer-forensik.org], by [[Alexander Geschonneck]] ([http://translate.google.com/translate?u=http%3A%2F%2Fwww.computer-forensik.org&langpair=de%7Cen&hl=en&ie=UTF-8&oe=UTF-8&prev=%2Flanguage_tools Google translation])
* [http://henrikbecker.blogspot.com Digitale Beweisführung], by [[Henrik Becker]] ([http://translate.google.com/translate?u=http%3A%2F%2Fhenrikbecker.blogspot.com&langpair=de%7Cen&hl=en&ie=UTF-8&oe=UTF-8&prev=%2Flanguage_tools Google translation])

== Korean ==

* [http://forensic-proof.com/ Forensic-Proof], by Kim Jinkook

== Spanish ==

* [http://www.forensic-es.org/blog forensic-es.org] ([http://translate.google.com/translate?u=http%3A%2F%2Fwww.forensic-es.org%2Fblog&langpair=es%7Cen&hl=en&ie=UTF-8&oe=UTF-8&prev=%2Flanguage_tools Google translation])
* [http://www.inforenses.com InForenseS], by [[Javier Pages]] ([http://translate.google.com/translate?u=http%3A%2F%2Fwww.inforenses.com&langpair=es%7Cen&hl=es&ie=UTF-8&oe=UTF-8&prev=%2Flanguage_tools Google translation])
* [http://windowstips.wordpress.com El diario de Juanito]
* [http://conexioninversa.blogspot.com Conexión inversa]

== Russian ==

* Group-IB: [http://notheft.ru/blogs/group-ib blog at notheft.ru], [http://www.securitylab.ru/blog/company/group-ib/ blog at securitylab.ru]

= Related blogs =

* [http://www.c64allstars.de C64Allstars Blog]
* [http://www.emergentchaos.com/ Emergent Chaos], by [[Adam Shostack]]
* [http://jeffjonas.typepad.com/ Inventor of NORA discusses privacy and all things digital], by [[Jeff Jonas]]
* [http://www.cs.uno.edu/~golden/weblog Digital Forensics, Coffee, Benevolent Hacking], by [[Golden G. Richard III]]

= Circles/Fora/Groups =

* [http://forensicfocus.com/ Forensic Focus]
* [http://tech.groups.yahoo.com/group/win4n6 Yahoo! groups: win4n6 · Windows Forensic Analysis]

= Tweets =

* [http://twitter.com/#!/search/%23DFIR?q=%23DFIR #DFIR]
* [http://twitter.com/#!/search/%23forensics #forensics]

= Tools =

* [http://www2.opensourceforensics.org/ Open Source Digital Forensics]
* [http://forensiccontrol.com/resources/free-software/ Free computer forensic tools]
* [http://code.google.com/p/libyal/ Yet another library library (and tools)]

= Challenges (and test images) =

* [http://www.dc3.mil/challenge/ DC3 Challenges]
* [http://testimages.wordpress.com/ Digital Forensics Test Images]
* [http://www.forensicfocus.com/images-and-challenges Forensic Focus - Test Images and Forensic Challenges]
* [https://www.honeynet.org/challenges/ Honeynet Project Challenges]
* [http://secondlookforensics.com/linux-memory-images/ Second Look - Linux Memory Images]
* [http://sourceforge.net/projects/nullconctf2014/ NullconCTF2014]
* [http://hackingexposedcomputerforensicsblog.blogspot.com/2014/03/daily-blog-277-sample-forensic-images.html Daily Blog #277: Sample Forensic Images]

= Conferences =

See: [[:Category:Conferences|Conferences]]

[[Category:Further information]]


Windows Desktop Search

{{Expand}}

Windows Desktop Search (or Windows Search) is a 'desktop' indexer for Microsoft Windows.

In Windows XP, Search 4.0 (or Search XP) was an add-on. However, Microsoft integrated Search into Windows Vista as 'part of the package'.

== Data location ==

Windows Search stores its data in:

<pre>
%CommonApplicationData%\Microsoft\Search\Data\Applications\Windows\
</pre>

Note that '%CommonApplicationData%' depends on the [[Windows]] version.

E.g. on Windows XP:

<pre>
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\
</pre>

E.g. on Windows 7:

<pre>
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\
</pre>

The search index is stored in a file named '''Windows.edb'''. This file is an [[Extensible_Storage_Engine_(ESE)_Database_File_(EDB)_format | Extensible Storage Engine Database (EDB)]].

To access the Windows.edb file on a live system, the Windows Search service needs to be deactivated and the necessary access rights are required.

== Analysis ==

Currently there are not many [[Windows Desktop Search#Tools|tools]] which allow you to 'forensically' analyze the Windows Search database.

=== Artifacts ===

The artifacts in the Windows Search database can be useful in forensic analysis of a desktop Windows system, especially Windows Vista and later.

A few applications are:

* to (partially) recover the content of indexed documents and even email messages stored on a Microsoft Exchange server
* to indicate the former existence of files
* timeline analysis

=== Dirty database ===

When analyzing Windows Search databases you can come across a 'dirty database': one that was left in a dirty state, i.e. not cleanly shut down.

Some of the tools fail to open these databases. You might have to resort to repairing the database or use a tool that does not have such limitations.

=== Obfuscation and compression ===

Windows Search uses both obfuscation and compression to store some of its data, but according to 'Forensic analysis of the Windows Search database' this is easily circumvented.

== See Also ==

* [[Google Desktop Search]]
* [[Extensible_Storage_Engine_(ESE)_Database_File_(EDB)_format | Windows.edb file format]]

== External Links ==

* [http://www.microsoft.com/windows/desktopsearch/ Official website]
* [http://en.wikipedia.org/wiki/Windows_Desktop_Search Wikipedia entry on Windows Desktop Search]
* [http://en.wikipedia.org/wiki/List_of_search_engines#Desktop_search_engines Wikipedia list of Desktop search engines]
* [http://code.google.com/p/libesedb/downloads/detail?name=Forensic%20analysis%20of%20the%20Windows%20Search%20database.pdf Forensic analysis of the Windows Search database]

== Tools ==

* [http://www.woany.co.uk/esedbviewer/ EseDBViewer]
* [[libesedb]]
* [http://www.lostpassword.com/search-index-examiner.htm Windows Search Index Examiner]

[[Category:Desktop Search]]
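The 'Dirty database' section above says that some tools refuse to open a Windows.edb that was not cleanly shut down. The shutdown state is recorded in the ESE file header, so it can be checked before handing the file to a parser. The script below is an added example written for this wiki page, not code from ForensicsWiki, libesedb or any of the tools listed; it assumes the ESE header layout as documented for libesedb (signature 0x89ABCDEF at offset 4, database state at offset 52, page size at offset 236, all little-endian 32-bit values), and the function names and the constructed sample header are mine.

```python
"""Triage a Windows Search index (Windows.edb) by reading its ESE header.

Added example for the ForensicsWiki page; header offsets are assumed from the
ESE file header layout documented for libesedb.
"""
import struct
from pathlib import Path

ESE_SIGNATURE = 0x89ABCDEF   # magic value at header offset 4
HEADER_MIN_LEN = 240         # enough bytes to cover the page size field at offset 236

# Database state values stored at header offset 52 (assumed from the libesedb documentation).
DB_STATES = {
    1: "just created",
    2: "dirty shutdown",
    3: "clean shutdown",
    4: "being converted",
    5: "force detach",
}

# Windows.edb locations given on the page; %CommonApplicationData% differs per
# Windows version, so both are tried when no explicit path is supplied.
KNOWN_INDEX_PATHS = [
    Path(r"C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Windows.edb"),   # Vista and later
    Path(r"C:\Documents and Settings\All Users\Application Data\Microsoft\Search"
         r"\Data\Applications\Windows\Windows.edb"),                                # Windows XP
]


def parse_ese_header(header: bytes) -> dict:
    """Decode the header fields needed for triage; raise ValueError if this is not an ESE file."""
    if len(header) < HEADER_MIN_LEN:
        raise ValueError(f"header too short: {len(header)} bytes")
    checksum, signature = struct.unpack_from("<II", header, 0)
    if signature != ESE_SIGNATURE:
        raise ValueError(f"not an ESE database, signature 0x{signature:08X}")
    fmt_version, file_type = struct.unpack_from("<II", header, 8)
    (state_code,) = struct.unpack_from("<I", header, 52)
    (page_size,) = struct.unpack_from("<I", header, 236)
    if file_type == 0:
        file_kind = "database"
    elif file_type == 1:
        file_kind = "streaming file"
    else:
        file_kind = f"unknown ({file_type})"
    return {
        "checksum": checksum,           # stored XOR checksum; not recomputed here
        "format_version": fmt_version,
        "file_type": file_kind,
        "state_code": state_code,
        "state": DB_STATES.get(state_code, f"unknown ({state_code})"),
        "page_size": page_size,
    }


def is_dirty(header: bytes) -> bool:
    """True when the database was left in the dirty-shutdown state (state code 2)."""
    return parse_ese_header(header)["state_code"] == 2


def check_windows_edb(path=None) -> dict:
    """Read the header of Windows.edb from `path` or from the known locations and report it."""
    candidates = [Path(path)] if path else KNOWN_INDEX_PATHS
    for cand in candidates:
        if cand.is_file():
            with open(cand, "rb") as fh:
                info = parse_ese_header(fh.read(HEADER_MIN_LEN))
            info["path"] = str(cand)
            return info
    raise FileNotFoundError("no Windows.edb found at: " + ", ".join(map(str, candidates)))


def build_sample_header(state_code: int, page_size: int = 32768) -> bytes:
    """Constructed ESE header (sample data for testing the parser, not a real index)."""
    buf = bytearray(HEADER_MIN_LEN)
    struct.pack_into("<II", buf, 0, 0, ESE_SIGNATURE)  # checksum placeholder, signature
    struct.pack_into("<II", buf, 8, 0x620, 0)           # format version, file type 0 = database
    struct.pack_into("<I", buf, 52, state_code)
    struct.pack_into("<I", buf, 236, page_size)
    return bytes(buf)


if __name__ == "__main__":
    import sys
    try:
        info = check_windows_edb(sys.argv[1] if len(sys.argv) > 1 else None)
        print(f"{info['path']}: state={info['state']}, page size={info['page_size']}")
        if info["state_code"] == 2:
            print("dirty shutdown: some tools will not open it; repair a copy or use a tool that tolerates this")
    except (FileNotFoundError, ValueError) as exc:
        print(exc)
```

Run it against a copy of Windows.edb taken from an image (or, on a live system, after stopping the Windows Search service as the page describes); work on a copy, since repairing a dirty database modifies the file.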

Revision as of 07:45, 4 April 2014
