Windows Desktop Search
Revision by Joachim Metz

{{Expand}}

Windows Desktop Search (or Windows Search) is the desktop indexer for Microsoft Windows: it crawls files, e-mail and other items and stores their properties and, for supported file types, extracted content in a database so they can be searched quickly.
On Windows XP, Search 4.0 (or Search XP) was an optional add-on; from Windows Vista onwards Microsoft integrated Search into the operating system.
The artifacts in the Windows Search database (names, paths and properties of indexed items, and for some file types their content) can be useful in forensic analysis of a desktop Windows system, especially Windows Vista and later.

== Data location ==
Windows Search stores its data in:

<pre>
%Profiles%\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\
</pre>

Note that '%Profiles%' is dependent on the Windows version. On Windows XP it is the profiles directory (by default 'C:\Documents and Settings'); on Windows Vista and later the 'All Users\Application Data' part corresponds to the hidden %ProgramData% directory (by default 'C:\ProgramData'), so the usual location becomes:

<pre>
%ProgramData%\Microsoft\Search\Data\Applications\Windows\
</pre>

The search index is stored in a file named '''Windows.edb'''. This file is an [[Extensible_Storage_Engine_(ESE)_Database_File_(EDB)_format | Extensible Storage Engine Database (EDB)]]. The ESE transaction log files (MSS*.log) and checkpoint file (MSS.chk) that belong to it live in the same directory; acquire them together with Windows.edb, because they are needed to bring a database that was not shut down cleanly to a consistent state.

To access the Windows.edb file on a live system the Windows Search service (service name 'WSearch') needs to be stopped, because it keeps the file open for exclusive use while it runs, and administrative access rights to the directory are required. Stopping the service lets ESE write out pending changes, so the copy is in a 'clean shutdown' state. Copying the file from a Volume Shadow Copy instead avoids stopping the service, but such a copy is usually a dirty database (see the Analysis section).

== Analysis ==
Currently there are not many tools which allow you to analyze the Windows Search database 'forensically'. Some of the available tools are:
* [[libesedb | esedbtools]]
* EseDbViewer
* eseutil or esentutl
* Windows Search Index Examiner

=== Dirty database ===
When analyzing Windows Search databases you can come across a 'dirty database'. This is a database whose file header records a 'dirty shutdown' state: ESE did not detach it cleanly, typically because Windows.edb was copied (from a shadow copy or a disk image) while the Windows Search service was still running, or after a crash. Transactions that were committed to the log files (MSS*.log) may not yet have been written to the database file, so the file on its own is not guaranteed to be consistent.
Some of the tools mentioned before fail to open these databases. On Windows the state can be checked with 'esentutl /mh Windows.edb', which dumps the file header including its 'State' field. You might have to resort to repairing the database, or use a tool that does not have such limitations, such as esedbtools. If you do repair, work on a copy: 'esentutl /r' replays the transaction logs (the log base name used by Windows Search is 'MSS') and brings the database to a clean state without losing data, provided the log files are present, whereas 'esentutl /p' forces a repair that discards damaged pages and can lose records.
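A quick way to tell whether an acquired Windows.edb is dirty before handing it to a tool that cannot cope with that, as an added example (this is not code from the original page, from libesedb or from Microsoft): the following Python reads the fixed ESE file header at the start of the file and reports the database state and page size, and also reads the shadow copy of the header that ESE keeps in the second page. The field offsets and state values (signature 0x89abcdef at offset 4, file type at 12, database state at 52, format revision at 236, page size at 240; state 2 = dirty shutdown, 3 = clean shutdown) are taken from the EDB format documentation published with libesedb; the `build_sample_header` helper and the values it fills in are constructed here purely for demonstration and are not copied from a real database.

```python
"""Report the shutdown state recorded in an ESE database header (e.g. Windows.edb).

Added example; it reads only the file header, not the page tree or any table.
Offsets and state codes follow the EDB format documentation of the libesedb
project.  The sample headers produced by build_sample_header() are constructed
test data, not real Windows.edb content.
"""
import struct

ESEDB_SIGNATURE = 0x89ABCDEF

# Values of the 'database state' field at header offset 52.
DATABASE_STATES = {
    1: "just created",
    2: "dirty shutdown",
    3: "clean shutdown",
    4: "being converted",
    5: "force detach",
}

# Values of the 'file type' field at header offset 12.
FILE_TYPES = {0: "database", 1: "streaming file"}

# We only need the header up to and including the page size field at offset 240.
HEADER_MIN_SIZE = 244


def parse_esedb_header(data):
    """Return a dict describing the ESE file header at the start of *data*.

    Raises ValueError if *data* is too short or does not carry the ESE signature.
    """
    if len(data) < HEADER_MIN_SIZE:
        raise ValueError("data too short to contain an ESE file header")

    checksum, signature, version, file_type = struct.unpack_from("<IIII", data, 0)
    if signature != ESEDB_SIGNATURE:
        raise ValueError("not an ESE database: bad signature 0x%08x" % signature)

    (state,) = struct.unpack_from("<I", data, 52)
    revision, page_size = struct.unpack_from("<II", data, 236)

    return {
        "checksum": checksum,
        "format_version": version,
        "format_revision": revision,
        "file_type": FILE_TYPES.get(file_type, "unknown (%d)" % file_type),
        "state_code": state,
        "state": DATABASE_STATES.get(state, "unknown (%d)" % state),
        "page_size": page_size,
    }


def is_clean_shutdown(data):
    """True if the header records a clean shutdown (state 3)."""
    return parse_esedb_header(data)["state_code"] == 3


def check_edb_file(path):
    """Parse the primary header and its shadow copy from an .edb file.

    ESE stores a second copy of the file header in the second page, i.e. at
    offset page_size, so a damaged primary header can often still be read
    from the shadow.  Returns (primary, shadow); shadow is None if unreadable.
    """
    with open(path, "rb") as f:
        primary = parse_esedb_header(f.read(HEADER_MIN_SIZE))
        f.seek(primary["page_size"])
        shadow_data = f.read(HEADER_MIN_SIZE)
    try:
        shadow = parse_esedb_header(shadow_data)
    except ValueError:
        shadow = None
    return primary, shadow


def build_sample_header(state, page_size=32768):
    """Construct a minimal header carrying *state* (constructed test data only).

    Format version 0x620 is the version used by current ESE databases; the
    revision value is an arbitrary placeholder.
    """
    buf = bytearray(HEADER_MIN_SIZE)
    struct.pack_into("<IIII", buf, 0, 0, ESEDB_SIGNATURE, 0x620, 0)
    struct.pack_into("<I", buf, 52, state)
    struct.pack_into("<II", buf, 236, 0x11, page_size)
    return bytes(buf)


if __name__ == "__main__":
    import sys

    if len(sys.argv) > 1:
        # Usage: python esedb_state.py <path to Windows.edb>
        primary, shadow = check_edb_file(sys.argv[1])
        print("primary header:", primary)
        print("shadow header: ", shadow)
    else:
        for st in (2, 3):
            hdr = parse_esedb_header(build_sample_header(st))
            print("state %d -> %s, page size %d" % (st, hdr["state"], hdr["page_size"]))
```

Run it against a copy of Windows.edb: a `state` of "dirty shutdown" means the transaction logs still have to be replayed (or a tool that tolerates dirty databases has to be used), while "clean shutdown" means any ESE reader should open the file. The header checksum is deliberately not validated, because the checksum algorithm differs between ESE format revisions.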

=== Obfuscation and compression ===
Windows Search uses both obfuscation and compression to store some of its values (for example in the SystemIndex_0A table, which holds the indexed item properties), but according to 'Forensic analysis of the Windows Search database' this is easily circumvented: the encodings are documented in that paper and esedbtools decode them when exporting the tables.

== See Also ==

[[Google Desktop Search]]

[[Extensible_Storage_Engine_(ESE)_Database_File_(EDB)_format | Windows.edb file format]]

[[libesedb | Open Source library and tools to read the Windows.edb]]

== External Links ==

* [http://www.microsoft.com/windows/desktopsearch/ Official website]
* [http://en.wikipedia.org/wiki/Windows_Desktop_Search Wikipedia entry on Windows Desktop Search]
* [http://en.wikipedia.org/wiki/List_of_search_engines#Desktop_search_engines Wikipedia list of Desktop search engines]
* [http://sourceforge.net/projects/libesedb/files/Documentation/ESEDB%20Forensics/Forensic%20analysis%20of%20the%20Windows%20Search%20database.pdf/download Forensic analysis of the Windows Search database]
* [http://www.woany.co.uk/esedbviewer/ EseDBViewer]
Revision as of 13:59, 26 June 2010