Difference between pages "Windows Desktop Search" and "Windows SuperFetch Format"

From ForensicsWiki
= Windows Desktop Search =

{{Expand}}

Windows Desktop Search (or Windows Search) is a 'desktop' indexer for Microsoft Windows.

In Windows XP, Search 4.0 (or Search XP) was an add-on. However, Microsoft integrated Search into Windows Vista as 'part of the package'.

== Data location ==

Windows Search stores its data in:

<pre>
%CommonApplicationData%\Microsoft\Search\Data\Applications\Windows\
</pre>

Note that '%CommonApplicationData%' is dependent on the [[Windows]] version.

E.g. on Windows XP:

<pre>
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\
</pre>

E.g. on Windows 7:

<pre>
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\
</pre>

The search index is stored in a file named '''Windows.edb'''. This file is an [[Extensible_Storage_Engine_(ESE)_Database_File_(EDB)_format | Extensible Storage Engine Database (EDB)]].

To access the Windows.edb file on a live system, the Windows Search service needs to be stopped and the necessary access rights are required.

== Analysis ==

Currently there are not many [[Windows Desktop Search#Tools|tools]] which allow you to 'forensically' analyze the Windows Search database.

=== Artifacts ===

The artifacts in the Windows Search database can be useful in forensic analysis of a desktop Windows system, especially Windows Vista and later.

A few applications are:

* to (partially) recover the content of indexed documents and even email messages stored on a Microsoft Exchange server
* to indicate the former existence of files
* time-line analysis

=== Dirty database ===

When analyzing Windows Search databases you can come across a 'dirty database'. This is a database that was not cleanly closed and was therefore left in a dirty state.

Some of the tools fail to open these databases. You might have to resort to repairing the database or use a tool that does not have such limitations.

=== Obfuscation and compression ===

Windows Search uses both obfuscation and compression to store some of its data, but according to 'Forensic analysis of the Windows Search database' this is easily circumvented.

== See Also ==

* [[Google Desktop Search]]
* [[Extensible_Storage_Engine_(ESE)_Database_File_(EDB)_format | Windows.edb file format]]

== External Links ==

* [http://www.microsoft.com/windows/desktopsearch/ Official website]
* [http://en.wikipedia.org/wiki/Windows_Desktop_Search Wikipedia entry on Windows Desktop Search]
* [http://en.wikipedia.org/wiki/List_of_search_engines#Desktop_search_engines Wikipedia list of Desktop search engines]
* [http://code.google.com/p/libesedb/downloads/detail?name=Forensic%20analysis%20of%20the%20Windows%20Search%20database.pdf Forensic analysis of the Windows Search database]

== Tools ==

* [http://www.woany.co.uk/esedbviewer/ EseDBViewer]
* [[libesedb]]
* [http://www.lostpassword.com/search-index-examiner.htm Windows Search Index Examiner]

[[Category:Desktop Search]]
[[Category:Windows]]

= Windows SuperFetch Format =

{{expand}}

== MEM file ==

Some of the <tt>Ag*.db</tt> files are of the MEM file format.

<b>Note that the following format specification is incomplete.</b>

The MEM file consists of:

* file header
* compressed blocks

=== File header ===

The file header is 84 bytes in size and consists of:

{| class="wikitable"
|-
! Offset
! Size
! Value
! Description
|-
| 0
| 4
| "MEMO" (0x4d, 0x45, 0x4d, 0x4f) or "MEM0" (0x4d, 0x45, 0x4d, 0x30)
| Signature
|-
| 4
| 4
|
| Uncompressed (total) data size
|}

Where:

* "MEMO" (0x4d, 0x45, 0x4d, 0x4f) is used on Windows Vista
* "MEM0" (0x4d, 0x45, 0x4d, 0x30) is used on Windows 7

=== Compressed blocks ===

The file header is followed by compressed blocks:

{| class="wikitable"
|-
! Offset
! Size
! Value
! Description
|-
| 0
| 4
|
| Compressed data size
|-
| 4
| ...
|
| Compressed data
|}

=== Uncompressed data ===

<b>TODO</b>

== MAM file ==

On Windows 8 (seen on 8.1) the MEM file format seems to have been replaced by the MAM file format.

<b>Note that the following format specification is incomplete.</b>

{| class="wikitable"
|-
! Offset
! Size
! Value
! Description
|-
| 0
| 4
| "MAM\x84" (0x4d, 0x41, 0x4d, 0x84)
| Signature
|}

== TRX file ==

The <tt>Ag*.db.trx</tt> files are TRX files.

<b>Note that the following format specification is incomplete.</b>

=== File header ===

The file header is of variable size and consists of:

{| class="wikitable"
|-
! Offset
! Size
! Value
! Description
|-
| 0
| 4
| 1
| Unknown (Version?)
|-
| 4
| 4
|
| Unknown
|-
| 8
| 4
|
| File size
|-
| 12
| 4
|
| Maximum number of records (of the record offsets array)
|-
| 16
| 4
|
| Number of records
|-
| 20
| ...
|
| Record offsets array, where each record offset is a 32-bit integer. Unused record offsets are set to 0.
|}

=== Record ===

<b>TODO describe</b>

== See Also ==

* [[SuperFetch]]

== External Links ==

* [http://blog.rewolf.pl/blog/?p=214 Windows SuperFetch file format – partial specification], by ReWolf, October 5, 2011

[[Category:File Formats]]
[[Category:Windows]]
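As an added example (not code from ForensicsWiki or from any SuperFetch tool), the following Python parses the MEM, MAM and TRX structures described on the SuperFetch Format page above using only the fields documented there, and cross-checks the TRX record offsets array against the header's file size and record counts. It assumes little-endian integers and that the first compressed block starts directly after the 84-byte MEM header; blocks are returned still compressed because the compression scheme is not part of the specification.

```python
import struct

# Signatures from the page. The MEM header is stated to be 84 bytes, of which
# only the first 8 are documented; the rest is skipped here.
MEM_SIGNATURES = {b"MEMO": "Windows Vista", b"MEM0": "Windows 7"}
MAM_SIGNATURE = b"MAM\x84"
MEM_HEADER_SIZE = 84

def identify(data):
    """Classify a SuperFetch file by its 4-byte signature."""
    sig = data[:4]
    return "MEM" if sig in MEM_SIGNATURES else "MAM" if sig == MAM_SIGNATURE else "unknown"

def parse_mem(data):
    """Walk the MEM header and the (size, data) compressed blocks after it.
    Integers are assumed little-endian. Blocks are returned still compressed,
    since the compression algorithm is not part of the specification."""
    if len(data) < MEM_HEADER_SIZE or data[:4] not in MEM_SIGNATURES:
        raise ValueError("not a MEM file or header truncated")
    uncompressed_size = struct.unpack_from("<I", data, 4)[0]
    blocks, pos = [], MEM_HEADER_SIZE
    while pos < len(data):
        size = struct.unpack_from("<I", data, pos)[0] if pos + 4 <= len(data) else 0
        if size == 0 or pos + 4 + size > len(data):
            raise ValueError(f"block at offset {pos} is truncated or runs past end of file")
        blocks.append(data[pos + 4:pos + 4 + size])
        pos += 4 + size
    return {"variant": MEM_SIGNATURES[data[:4]],
            "uncompressed_size": uncompressed_size, "blocks": blocks}

def parse_trx(data):
    """Parse the TRX header and cross-check the record offsets array against it."""
    if len(data) < 20:
        raise ValueError("TRX header truncated")
    version, _unknown, file_size, max_records, num_records = struct.unpack_from("<5I", data)
    header_size = 20 + 4 * max_records  # fixed fields plus the offsets array
    if file_size != len(data) or header_size > file_size or num_records > max_records:
        raise ValueError("TRX header fields inconsistent with file size")
    offsets = struct.unpack_from(f"<{max_records}I", data, 20)
    used = [o for o in offsets if o != 0]  # unused slots are set to 0
    if len(used) != num_records or any(o < header_size or o >= file_size for o in used):
        raise ValueError("record offsets disagree with record count or file size")
    return {"version": version, "file_size": file_size, "record_offsets": used}

# Constructed sample files (not real SuperFetch data) to exercise the parsers.
SAMPLE_MEM = (b"MEM0" + struct.pack("<I", 300) + b"\x00" * (MEM_HEADER_SIZE - 8)
              + struct.pack("<I", 6) + b"\x11" * 6 + struct.pack("<I", 3) + b"\x22" * 3)
SAMPLE_TRX = struct.pack("<5I", 1, 0, 44, 4, 2) + struct.pack("<4I", 36, 40, 0, 0) + b"\xaa" * 8
```

Because the checks reject a block size or record offset that points past the end of the file, a truncated or partially overwritten carve is reported rather than silently parsed.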

Revision as of 06:03, 15 April 2014
