Windows Desktop Search

From ForensicsWiki
Latest revision as of 07:46, 4 April 2014


Windows Desktop Search (or Windows Search) is a desktop indexer for Microsoft Windows. On Windows XP, Windows Search 4.0 (also referred to as Search XP) was a separately installed add-on; starting with Windows Vista, Microsoft integrated Windows Search into the operating system itself.


Data location

Windows Search stores its data in:

%CommonApplicationData%\Microsoft\Search\Data\Applications\Windows\

Note that '%CommonApplicationData%' resolves to a different directory depending on the Windows version.

E.g. on Windows XP

C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\

E.g. on Windows 7

C:\ProgramData\Microsoft\Search\Data\Applications\Windows\

The search index is stored in a file named Windows.edb. This file is an Extensible Storage Engine Database (EDB).

To access the Windows.edb file on a live system, the Windows Search service (service name WSearch) needs to be stopped first, because the service keeps the database open while it runs, and administrative access rights are required to read the directory. For forensic work, copy the file (and the accompanying transaction logs in the same directory) and analyze the copy rather than the live file.

Analysis

Currently there are not many tools (see Tools below) which allow you to 'forensically' analyze the Windows Search database.

Other useful tools:

  • eseutil (comes with Exchange Server) or esentutl (comes with Windows NT variants that include the ESE engine). Both can dump the database header (esentutl /mh), check integrity (/g), replay transaction logs (/r) and repair (/p) an ESE database. Note that recovery and repair modify the database file, so only run them against a copy.

Artifacts

The artifacts in the Windows Search database can be useful in forensic analysis of a desktop Windows system, especially Windows Vista and later, because there the indexer is always present and enabled by default. A few applications are:

  • to (partially) recover the content of indexed documents, and even of email messages stored on a Microsoft Exchange server
  • to show that files existed which have since been deleted from the file system
  • time-line analysis, using the timestamps the index records for each item

Dirty database

When analyzing Windows Search databases you can come across a 'dirty database'. This is one that was not shut down cleanly: the database header records a dirty-shutdown state and the outstanding transaction logs have not been replayed into the file, which is the normal situation when the file is copied from a running system or a crashed one. Some of the tools fail to open these databases. You might have to resort to repairing (or rather recovering) the database, which changes the file and therefore should only be done on a copy, or use a tool that does not have this limitation.
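As an added example (not part of the ForensicsWiki page, and not code from libesedb, eseutil or esentutl), the following Python reads the ESE file header of a Windows.edb copy and reports whether it was shut down dirty, so you know before running your analysis tools whether to expect them to fail. The field offsets (signature at 4, database state at 52, page size at 236; state 2 = dirty shutdown, 3 = clean shutdown) follow the ESE (EDB) file format documentation published with libesedb and are an assumption of this example; the header it is exercised with is constructed in the block rather than taken from a real system, and the function names are chosen here.

```python
"""Triage the ESE file header of a Windows.edb copy for the dirty-shutdown state.

Added example, not code from ForensicsWiki or from any tool the page names.
Field offsets follow the ESE (EDB) file format documentation that accompanies
libesedb (assumed here); the sample header below is constructed, not captured.
"""
import struct

ESE_SIGNATURE = 0x89ABCDEF   # stored little-endian: ef cd ab 89 at offset 4
HEADER_SIZE = 668            # size of the documented file header fields

# Database state values recorded at offset 52 of the file header.
DB_STATES = {
    1: "just created",
    2: "dirty shutdown",
    3: "clean shutdown",
    4: "being converted",
    5: "force detach",
}


def parse_ese_header(data: bytes) -> dict:
    """Return the handful of header fields a triage needs.

    data must hold at least the first 668 bytes of the .edb file. Raises
    ValueError if the signature does not match, which usually means the file
    is not an ESE database or the copy is truncated or corrupted.
    """
    if len(data) < HEADER_SIZE:
        raise ValueError("need at least %d header bytes, got %d" % (HEADER_SIZE, len(data)))
    signature, = struct.unpack_from("<I", data, 4)
    if signature != ESE_SIGNATURE:
        raise ValueError("bad ESE signature 0x%08x" % signature)
    format_version, file_type = struct.unpack_from("<II", data, 8)
    state, = struct.unpack_from("<I", data, 52)
    page_size, = struct.unpack_from("<I", data, 236)
    return {
        "format_version": format_version,
        "file_type": "database" if file_type == 0 else "streaming file",
        "state_code": state,
        "state": DB_STATES.get(state, "unknown (%d)" % state),
        "page_size": page_size,
        "dirty": state == 2,
    }


def triage_edb(path: str) -> dict:
    """Parse the header of an .edb file on disk; only the header bytes are read."""
    with open(path, "rb") as fh:
        return parse_ese_header(fh.read(HEADER_SIZE))


def build_sample_header(state: int, page_size: int = 32768) -> bytes:
    """Constructed sample header: zeros except for the fields this parser reads."""
    header = bytearray(HEADER_SIZE)
    struct.pack_into("<I", header, 4, ESE_SIGNATURE)
    struct.pack_into("<II", header, 8, 0x620, 0)  # format version 0x620, file type: database
    struct.pack_into("<I", header, 52, state)
    struct.pack_into("<I", header, 236, page_size)
    return bytes(header)


if __name__ == "__main__":
    # Run against the constructed headers; replace with triage_edb("Windows.edb") for a real copy.
    for sample_state in (2, 3):
        info = parse_ese_header(build_sample_header(sample_state))
        print("state=%s page_size=%d dirty=%s" % (info["state"], info["page_size"], info["dirty"]))
        if info["dirty"]:
            print("  -> work on a copy; replay the logs with 'esentutl /r' before opening it")
```

If the state comes back as dirty shutdown, keep the original copy untouched, make a second copy together with the MSS*.log transaction logs from the same directory, and run recovery on that second copy; compare the two afterwards so that any records that only the recovery introduced or removed are accounted for in the report.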

Obfuscation and compression

Windows Search uses both obfuscation and compression to store some of its data, so the raw column values do not look like plain text, but according to 'Forensic analysis of the Windows Search database' (see External Links) both are easily circumvented.

See Also

External Links

  • Official website: http://www.microsoft.com/windows/desktopsearch/
  • Wikipedia entry on Windows Desktop Search: http://en.wikipedia.org/wiki/Windows_Desktop_Search
  • Wikipedia list of Desktop search engines: http://en.wikipedia.org/wiki/List_of_search_engines#Desktop_search_engines
  • Forensic analysis of the Windows Search database: http://code.google.com/p/libesedb/downloads/detail?name=Forensic%20analysis%20of%20the%20Windows%20Search%20database.pdf

Tools