Difference between pages "User:Joachim Metz" and "Windows Desktop Search"

From ForensicsWiki
(Difference between pages)
Jump to: navigation, search
 
(Obfuscation and compression)
 
Line 1: Line 1:
I hereby license all my contributions to this wiki (before and after 
+
{{Expand}}
March 19th, 2006) under the [http://creativecommons.org/licenses/by-
+
 
sa/2.5/ Creative Commons Attribution-ShareAlike 2.5] license.
+
Windows Desktop Search (or Windows Search) is a 'desktop' indexer for Microsoft Windows.
 +
In Windows XP, Search 4.0 (or Search XP) was an add-on, however Microsoft integrated Search into Windows Vista as 'part of the package'.
 +
The artifacts in the Windows Search database can be useful in forensic analysis of a desktop Windows system, especially Windows Vista and later.
 +
 
 +
== Data location ==
 +
Windows Search stores its data in:
 +
 
 +
<pre>
 +
%Profiles%/All Users/Application Data/Microsoft/Search/Data/Applications/Windows/
 +
</pre>
 +
 
 +
Note that '%Profile%' is dependent on the Windows version.
 +
 
 +
The search index is stored in a file named '''Windows.edb'''. This file is an [[Extensible_Storage_Engine_(ESE)_Database_File_(EDB)_format | Extensible Storage Engine Database (EDB)]].
 +
 
 +
To access the Windows.edb file (on a live system) the the Windows Search service needs to be deactivated and the necessary access rights are required.
 +
 
 +
== Analysis ==
 +
Currently there are not many tools which 'forensically' allow you to analyze the Windows Search database. Some of the available are:
 +
* [[libesedb | esedbtools]]
 +
* EseDbViewer
 +
* eseutil or esentutl
 +
* Windows Search Index Examiner
 +
 
 +
=== Dirty database ===
 +
When analyzing Windows Search databases you can come across a 'dirty database'. This is one left in a dirty state.
 +
Some of the tools mentioned before fail to open these databases. You might have to resort to repairing the database or use a tools that does not have such limitations.
 +
 
 +
=== Obfuscation and compression ===
 +
Windows Search uses both obfuscation and compression to store some of its data, but according to 'Forensic analysis of the Windows Search database' this is easily circumvented.
 +
 
 +
== See Also ==
 +
 
 +
[[Google Desktop Search]]
 +
 
 +
[[Extensible_Storage_Engine_(ESE)_Database_File_(EDB)_format | Windows.edb file format]]
 +
 
 +
[[libesedb | Open Source library and tools to read the Windows.edb]]
 +
 
 +
== External Links ==
 +
 
 +
* [http://www.microsoft.com/windows/desktopsearch/ Official website]
 +
* [http://en.wikipedia.org/wiki/Windows_Desktop_Search Wikipedia entry on Windows Desktop Search]
 +
* [http://en.wikipedia.org/wiki/List_of_search_engines#Desktop_search_engines Wikipedia list of Desktop search engines]
 +
* [http://sourceforge.net/projects/libesedb/files/Documentation/ESEDB%20Forensics/Forensic%20analysis%20of%20the%20Windows%20Search%20database.pdf/download Forensic analysis of the Windows Search database ]
 +
* [http://www.woany.co.uk/esedbviewer/ EseDBViewer]

Revision as of 14:59, 26 June 2010

Information icon.png

Please help to improve this article by expanding it.
Further information might be found on the discussion page.

Windows Desktop Search (or Windows Search) is a 'desktop' indexer for Microsoft Windows. In Windows XP, Search 4.0 (or Search XP) was an add-on, however Microsoft integrated Search into Windows Vista as 'part of the package'. The artifacts in the Windows Search database can be useful in forensic analysis of a desktop Windows system, especially Windows Vista and later.

Data location

Windows Search stores its data in:

%Profiles%/All Users/Application Data/Microsoft/Search/Data/Applications/Windows/

Note that '%Profile%' is dependent on the Windows version.

The search index is stored in a file named Windows.edb. This file is an Extensible Storage Engine Database (EDB).

To access the Windows.edb file (on a live system) the the Windows Search service needs to be deactivated and the necessary access rights are required.

Analysis

Currently there are not many tools which 'forensically' allow you to analyze the Windows Search database. Some of the available are:

  • esedbtools
  • EseDbViewer
  • eseutil or esentutl
  • Windows Search Index Examiner

Dirty database

When analyzing Windows Search databases you can come across a 'dirty database'. This is one left in a dirty state. Some of the tools mentioned before fail to open these databases. You might have to resort to repairing the database or use a tools that does not have such limitations.

Obfuscation and compression

Windows Search uses both obfuscation and compression to store some of its data, but according to 'Forensic analysis of the Windows Search database' this is easily circumvented.

See Also

Google Desktop Search

Windows.edb file format

Open Source library and tools to read the Windows.edb

External Links