Difference between pages "Windows Desktop Search" and "Windows SuperFetch Format"

From ForensicsWiki

Windows Desktop Search

{{Expand}}

Windows Desktop Search (or Windows Search) is a 'desktop' indexer for Microsoft Windows.
In Windows XP, Search 4.0 (or Search XP) was an add-on. However, Microsoft integrated Search into Windows Vista as 'part of the package'.

== Data location ==
Windows Search stores its data in:

<pre>
%CommonApplicationData%\Microsoft\Search\Data\Applications\Windows\
</pre>

Note that '%CommonApplicationData%' is dependent on the [[Windows]] version.

E.g. on Windows XP
<pre>
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\
</pre>

E.g. on Windows 7
<pre>
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\
</pre>

The search index is stored in a file named '''Windows.edb'''. This file is an [[Extensible_Storage_Engine_(ESE)_Database_File_(EDB)_format | Extensible Storage Engine Database (EDB)]].

To access the Windows.edb file (on a live system) the Windows Search service needs to be deactivated and the necessary access rights are required.

== Analysis ==
Currently there are not many [[Windows Desktop Search#Tools|tools]] which allow you to 'forensically' analyze the Windows Search database.

=== Artifacts ===
The artifacts in the Windows Search database can be useful in forensic analysis of a desktop Windows system, especially Windows Vista and later.
A few applications are:
* to (partially) recover the content of indexed documents and even email messages stored on a Microsoft Exchange server
* to indicate the former existence of files
* time-line analysis

=== Dirty database ===
When analyzing Windows Search databases you can come across a 'dirty database'. This is one left in a dirty state.
Some of the tools fail to open these databases. You might have to resort to repairing the database or use a tool that does not have such limitations.

=== Obfuscation and compression ===
Windows Search uses both obfuscation and compression to store some of its data, but according to 'Forensic analysis of the Windows Search database' this is easily circumvented.

== See Also ==
* [[Google Desktop Search]]
* [[Extensible_Storage_Engine_(ESE)_Database_File_(EDB)_format | Windows.edb file format]]

== External Links ==
* [http://www.microsoft.com/windows/desktopsearch/ Official website]
* [http://en.wikipedia.org/wiki/Windows_Desktop_Search Wikipedia entry on Windows Desktop Search]
* [http://en.wikipedia.org/wiki/List_of_search_engines#Desktop_search_engines Wikipedia list of Desktop search engines]
* [http://code.google.com/p/libesedb/downloads/detail?name=Forensic%20analysis%20of%20the%20Windows%20Search%20database.pdf Forensic analysis of the Windows Search database]

== Tools ==
* [http://www.woany.co.uk/esedbviewer/ EseDBViewer]
* [[libesedb]]
* [http://www.lostpassword.com/search-index-examiner.htm Windows Search Index Examiner]

[[Category:Desktop Search]]
[[Category:Windows]]

Revision as of 02:03, 15 April 2014

Windows SuperFetch Format

{{expand}}

== MEM file ==
Some of the <tt>Ag*.db</tt> files are of the MEM file format.

<b>Note that the following format specification is incomplete.</b>

The MEM file consists of:
* file header
* compressed blocks

=== File header ===
The file header is 84 bytes in size and consists of:

{| class="wikitable"
|-
! Offset
! Size
! Value
! Description
|-
| 0
| 4
| "MEMO" (0x4d, 0x45, 0x4d, 0x4f) or "MEM0" (0x4d, 0x45, 0x4d, 0x30)
| Signature
|-
| 4
| 4
|
| Uncompressed (total) data size
|}

Where:
* "MEMO" (0x4d, 0x45, 0x4d, 0x4f) is used on Windows Vista
* "MEM0" (0x4d, 0x45, 0x4d, 0x30) is used on Windows 7

=== Compressed blocks ===
The file header is followed by compressed blocks, each consisting of:

{| class="wikitable"
|-
! Offset
! Size
! Value
! Description
|-
| 0
| 4
|
| Compressed data size
|-
| 4
| ...
|
| Compressed data
|}

=== Uncompressed data ===
<b>TODO</b>
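To make the MEM layout above concrete, here is an added Python example (not code from this page or from any SuperFetch tool) that checks the signature, reads the uncompressed size and walks the size-prefixed compressed blocks that follow the 84-byte header, bounds-checking every size field so a truncated file is rejected instead of sliced past its end. It assumes little-endian 32-bit fields (the page does not state byte order), builds its own sample file, and leaves block contents compressed because the page does not document the algorithm.

```python
import struct

MEM_HEADER_SIZE = 84  # header size as given on this page; only its first 8 bytes are documented
MEM_SIGNATURES = {b"MEMO": "Windows Vista", b"MEM0": "Windows 7"}


def build_sample_mem(blocks, uncompressed_size):
    """Construct a sample MEM file: the documented header fields, a zero-filled
    remainder of the 84-byte header, then one size-prefixed block per entry."""
    header = b"MEM0" + struct.pack("<I", uncompressed_size)  # little-endian is an assumption
    header += b"\x00" * (MEM_HEADER_SIZE - len(header))
    body = b"".join(struct.pack("<I", len(block)) + block for block in blocks)
    return header + body


def parse_mem_header(data):
    """Return the documented header fields, rejecting anything that is not a MEM file."""
    if len(data) < MEM_HEADER_SIZE:
        raise ValueError("file is shorter than the 84-byte MEM header")
    signature = data[0:4]
    if signature not in MEM_SIGNATURES:
        raise ValueError(f"unknown signature {signature!r}, not a MEM file")
    uncompressed_size = struct.unpack_from("<I", data, 4)[0]
    return {"signature": signature,
            "windows_version": MEM_SIGNATURES[signature],
            "uncompressed_size": uncompressed_size}


def iter_mem_blocks(data):
    """Yield (offset, compressed_size, compressed_bytes) for each block after the header.
    Each size field is checked against the buffer so a truncated or tampered file raises.
    Contents stay compressed: the compression algorithm is not documented on the page."""
    offset = MEM_HEADER_SIZE
    while offset < len(data):
        if offset + 4 > len(data):
            raise ValueError(f"truncated block size field at offset {offset}")
        size = struct.unpack_from("<I", data, offset)[0]
        start, end = offset + 4, offset + 4 + size
        if end > len(data):
            raise ValueError(f"block at offset {offset} claims {size} bytes past end of file")
        yield offset, size, data[start:end]
        offset = end


def mem_block_table(data):
    """List of (offset, compressed_size) for every block, for a quick layout overview."""
    return [(offset, size) for offset, size, _ in iter_mem_blocks(data)]
```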

== MAM file ==
On Windows 8 (seen on 8.1) the MEM file format seems to have been replaced by the MAM file format.

<b>Note that the following format specification is incomplete.</b>

{| class="wikitable"
|-
! Offset
! Size
! Value
! Description
|-
| 0
| 4
| "MAM\x84" (0x4d, 0x41, 0x4d, 0x84)
| Signature
|}
== TRX file ==
The <tt>Ag*.db.trx</tt> files are TRX files.

<b>Note that the following format specification is incomplete.</b>

=== File header ===
The file header is variable in size and consists of:

{| class="wikitable"
|-
! Offset
! Size
! Value
! Description
|-
| 0
| 4
| 1
| Unknown (Version?)
|-
| 4
| 4
|
| Unknown
|-
| 8
| 4
|
| File size
|-
| 12
| 4
|
| Maximum number of records (of the record offsets array)
|-
| 16
| 4
|
| Number of records
|-
| 20
| ...
|
| Record offsets array, where each record offset is a 32-bit integer. Unused record offsets are set to 0.
|}

=== Record ===
<b>TODO describe</b>
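The TRX header above can be cross-checked field by field, which is what this added Python example does (it is not code from the page or from any SuperFetch tool): it parses the 20-byte fixed part and the record offsets array, verifies the stored file size, array bounds and record count against the actual file, and slices out each record's raw bytes. It assumes little-endian 32-bit fields, which the page does not state, and constructs its own sample file; record internals are not parsed since the page leaves them as TODO.

```python
import struct

TRX_FIXED_HEADER_SIZE = 20  # version, unknown, file size, max records, number of records


def build_sample_trx(records, max_records):
    """Construct a sample TRX file with the documented header layout: records follow
    the offsets array and unused offset slots are set to 0."""
    header_size = TRX_FIXED_HEADER_SIZE + 4 * max_records
    offsets, body = [], b""
    for record in records:
        offsets.append(header_size + len(body))
        body += record
    offsets += [0] * (max_records - len(records))
    file_size = header_size + len(body)
    header = struct.pack("<5I", 1, 0, file_size, max_records, len(records))  # little-endian assumed
    return header + struct.pack(f"<{max_records}I", *offsets) + body


def parse_trx_header(data):
    """Parse the fixed header and the record offsets array, checking every field against
    the file itself so an inconsistent or tampered header is rejected rather than trusted."""
    if len(data) < TRX_FIXED_HEADER_SIZE:
        raise ValueError("file is shorter than the 20-byte fixed TRX header")
    version, unknown, file_size, max_records, num_records = struct.unpack_from("<5I", data, 0)
    if file_size != len(data):
        raise ValueError(f"header file size {file_size} does not match actual size {len(data)}")
    array_end = TRX_FIXED_HEADER_SIZE + 4 * max_records
    if array_end > file_size:
        raise ValueError("record offsets array runs past the end of the file")
    if num_records > max_records:
        raise ValueError(f"number of records {num_records} exceeds array size {max_records}")
    offsets = struct.unpack_from(f"<{max_records}I", data, TRX_FIXED_HEADER_SIZE)
    used = [off for off in offsets if off != 0]  # unused slots are 0 according to the page
    if len(used) != num_records:
        raise ValueError(f"{len(used)} non-zero offsets but header says {num_records} records")
    for off in used:
        if off < array_end or off >= file_size:
            raise ValueError(f"record offset {off} points outside the data area")
    return {"version": version, "unknown": unknown, "file_size": file_size,
            "max_records": max_records, "num_records": num_records, "record_offsets": used}


def extract_trx_records(data):
    """Slice each record's bytes from its offset up to the next offset or end of file."""
    header = parse_trx_header(data)
    bounds = sorted(header["record_offsets"]) + [header["file_size"]]
    return [data[start:end] for start, end in zip(bounds, bounds[1:])]
```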

== See Also ==
* [[SuperFetch]]

== External Links ==
* [http://blog.rewolf.pl/blog/?p=214 Windows SuperFetch file format – partial specification], by ReWolf, October 5, 2011

[[Category:File Formats]]