Difference between pages "RFID" and "Windows Desktop Search"

From ForensicsWiki
== RFID ==
RFID stands for Radio Frequency IDentification. It typically applies to a technology that uses radio waves to automatically identify people or objects. While there are various ways to identify them, the most common is to store a serial number that represents a person's or object's identity, and possibly other information, on a microchip that is attached to an antenna. Collectively the microchip and antenna represent an RFID transponder or RFID tag. The antenna gives the chip the ability to transmit identity information to an RFID reader. The RFID reader then converts the radio waves into digital information that can be passed to a computer for use. RFID has been around since the 1970s. Since the radio waves used come from the low end of the electromagnetic spectrum, they are as safe as the radio waves from a car radio.

RFID and bar codes are different technologies and have different applications. The big difference between the two is that bar codes are a line-of-sight technology: a bar code has to be brought to a scanner in order to be read, and if a label is somehow removed or damaged there is no way to scan the item. RFID, on the other hand, does not require line of sight; RFID tags can be read as long as they are within range of an RFID reader.

RFID is currently used in many forms and sizes, in personal items, services, and products. In the United States, most public transportation such as trains and buses, and restaurants such as McDonald's, carry RFID receptacles that allow credit card transactions using MasterCard's PayPass. MasterCard PayPass is a payment feature that can be added to any MasterCard payment account to enable payments with a simple tap. PayPass is flexible enough that it can be built into cards or other devices such as key fobs, and can be used in markets that primarily issue smart cards or those that primarily issue magnetic stripe cards.

According to InfoSync.com, "Motorola and MasterCard are conducting field tests of new mobile phones that include Radio Frequency Identification (RFID) chips embedded in them as part of a cashless payment system dubbed PayPass. The phones will be equipped with Near Field Communication (NFC) systems, which will allow them to communicate with nearby readers to, for instance, pay for small purchases or tickets for transit or events simply by passing their phone close to a reader.

Once the phone and account has been identified by the RFID tag, the user's MasterCard account will be billed automatically by the network for the appropriate amount. MasterCard also sees potential for the phones as contactless readers, which it claims opens the door for "a variety of marketing and promotional applications", on which the company did not elaborate further.

The PayPass trials will be run by the end of the year at various locations in the United States."

== Windows Desktop Search ==
{{Expand}}
Windows Desktop Search (or Windows Search) is a 'desktop' indexer for Microsoft Windows. In Windows XP, Search 4.0 (or Search XP) was an add-on; Microsoft integrated Search into Windows Vista as 'part of the package'.

=== Data location ===
Windows Search stores its data in:

<pre>
%Profiles%\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\
</pre>

Note that '%Profiles%' is dependent on the Windows version.

The search index is stored in a file named '''Windows.edb'''. This file is an [[Extensible_Storage_Engine_(ESE)_Database_File_(EDB)_format | Extensible Storage Engine Database (EDB)]].

To access the Windows.edb file on a live system, the Windows Search service needs to be deactivated and the necessary access rights are required.

=== Analysis ===
Currently there are not many tools which allow you to 'forensically' analyze the Windows Search database. Some of the available tools are:

* [[libesedb | esedbtools]]
* EseDbViewer
* Windows Search Index Examiner

Other useful tools:

* eseutil (comes with Exchange server) or esentutl (comes with a Windows NT variant which has the ESE engine)

==== Artifacts ====
The artifacts in the Windows Search database can be useful in forensic analysis of a desktop Windows system, especially Windows Vista and later. A few applications are:

* to (partially) recover the content of indexed documents and even email messages stored on a Microsoft Exchange server
* to indicate the former existence of files
* time-line analysis

==== Dirty database ====
When analyzing Windows Search databases you can come across a 'dirty database'. This is a database that was left in a dirty state, i.e. the ESE engine did not shut it down cleanly. Some of the tools mentioned before fail to open these databases. You might have to resort to repairing the database or use a tool that does not have such limitations.
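The Windows.edb file is an ESE database, and whether it is 'dirty' is recorded in the file header. The following added example (not part of the ForensicsWiki page and not libesedb code) parses the fields of the ESE database header needed to check this: the signature at offset 4, the file format version and file type, the database state at offset 52, and the format revision and page size at offsets 236 and 240. The offsets, the state values (2 = dirty shutdown, 3 = clean shutdown) and the sample format version 0x620 are taken from the libesedb format documentation as the author of this example understands it; the header bytes built by <code>build_sample_header</code> are constructed for the demonstration, not read from a real Windows.edb.

```python
"""Inspect the header of an ESE database file such as Windows.edb."""
import struct

ESEDB_SIGNATURE = 0x89ABCDEF  # magic value at offset 4 of every ESE database file

# Database state values as described in the libesedb ESE format documentation
DATABASE_STATES = {
    1: "just created",
    2: "dirty shutdown",
    3: "clean shutdown",
    4: "being converted",
    5: "force detach",
}

FILE_TYPES = {0: "database", 1: "streaming file"}

# The header occupies a whole page, but the fields used here end at byte 244
HEADER_SIZE = 244


def parse_esedb_header(data: bytes) -> dict:
    """Decode the header fields relevant to a forensic examiner.

    Raises ValueError if the buffer is too short or carries no ESE signature,
    so a truncated or non-ESE file is reported instead of mis-parsed.
    """
    if len(data) < HEADER_SIZE:
        raise ValueError("need at least %d bytes of header, got %d" % (HEADER_SIZE, len(data)))
    signature, version, file_type = struct.unpack_from("<III", data, 4)
    if signature != ESEDB_SIGNATURE:
        raise ValueError("not an ESE database: signature 0x%08x" % signature)
    (state,) = struct.unpack_from("<I", data, 52)
    revision, page_size = struct.unpack_from("<II", data, 236)
    return {
        "format_version": version,
        "file_type": FILE_TYPES.get(file_type, "unknown (%d)" % file_type),
        "state": state,
        "state_name": DATABASE_STATES.get(state, "unknown (%d)" % state),
        "format_revision": revision,
        "page_size": page_size,
        # A dirty database is one whose state field still says "dirty shutdown"
        "is_dirty": state == 2,
    }


def build_sample_header(state: int, page_size: int = 32768) -> bytes:
    """Constructed sample header (not from a real Windows.edb) for testing."""
    buf = bytearray(HEADER_SIZE)
    struct.pack_into("<III", buf, 4, ESEDB_SIGNATURE, 0x620, 0)  # signature, version, type
    struct.pack_into("<I", buf, 52, state)
    struct.pack_into("<II", buf, 236, 0x11, page_size)  # revision, page size
    return bytes(buf)


def inspect_file(path: str) -> dict:
    """Read only the header of an (already copied) Windows.edb and decode it."""
    with open(path, "rb") as handle:
        return parse_esedb_header(handle.read(HEADER_SIZE))


if __name__ == "__main__":
    import sys

    target = sys.argv[1] if len(sys.argv) > 1 else None
    info = inspect_file(target) if target else parse_esedb_header(build_sample_header(2))
    for key, value in info.items():
        print("%-16s %s" % (key, value))
```

Run it against a copy of Windows.edb taken after the Windows Search service was stopped; a result of <code>dirty shutdown</code> explains why some viewers refuse the file and tells you a repair or a tool that tolerates dirty databases is needed before analysis.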
 
==== Obfuscation and compression ====
Windows Search uses both obfuscation and compression to store some of its data, but according to 'Forensic analysis of the Windows Search database' this is easily circumvented.

=== See Also ===
* [[Google Desktop Search]]
* [[Extensible_Storage_Engine_(ESE)_Database_File_(EDB)_format | Windows.edb file format]]
* [[libesedb]] Open Source library and tools to read the Windows.edb

=== External Links ===
* [http://www.microsoft.com/windows/desktopsearch/ Official website]
* [http://en.wikipedia.org/wiki/Windows_Desktop_Search Wikipedia entry on Windows Desktop Search]
* [http://en.wikipedia.org/wiki/List_of_search_engines#Desktop_search_engines Wikipedia list of Desktop search engines]
* [http://sourceforge.net/projects/libesedb/files/Documentation/ESEDB%20Forensics/Forensic%20analysis%20of%20the%20Windows%20Search%20database.pdf/download Forensic analysis of the Windows Search database]
* [http://www.woany.co.uk/esedbviewer/ EseDBViewer]

[[Category:Desktop Search]]

Revision as of 04:14, 26 May 2012
