Home » Updates » Windows Search Forensics Explained

Windows Search Forensics Explained

author
Published By Raj Kumar
Aswin Vijayan
Approved By Aswin Vijayan
Published On April 14th, 2022
Reading Time 4 Minutes Reading
Category Updates

Although, the Windows Vista is a dump in some cases but makes a way for the windows search forensic investigators since it has the feature ‘Windows Search’ in it. You can even see this feature default in Windows 7. Windows Search contains information on internet history, emails, and valuable sources helpful from an investigative point of view. This feature has been deployed by Microsoft Windows. All the files get stored in a single database such as Windows.edb, which is an Extensible Storage Engine (ESE) Database file. Let us get into the details through this blog.

What Is Windows Search?

Windows Search, otherwise known as Windows Desktop Search is an Indexed Search platform and builds whole text indexes seen on a computer, with supporting features such as; IFilter, incremental search, etc. The Windows Desktop Search contains many information and the created files are stored in an EDB file i.e. Windows.edb.

Windows Desktop stores the data files at:

windows search forensics

Note: The initial folder in “%%” can vary depending on the Windows versions.

Windows XP:

windows search index forensics

Windows 7:

windows desktop search forensics

This search is mainly effective in Vista. The applications provided are:

  • Timeline analysis
  • Shows the former existence of the file
  • Recover the contents of email messages and indexed documents stored at the Exchange server

How Is Windows Search Applicable In Forensics? Windows Search Forensics

forensic investigators mostly use Windows Search. It helps in many fields of investigation. Gives details regarding the;

  • Damaged disks
  • Deleted data
  • Event bounding
  • Unique data
  • Encrypted files
  • Absent data

As mentioned above, files created are stored in the ESE database. The following segment reveals what is an ESE.

ESE Database Format:

ESE stands for Extensible Storage Engine, which is a complex database used by Windows Search, It stores Windows Mail, Active Directory, etc. and the files in Windows.edb format. The page size of the database differs according to the version of Windows used and the files are stored as a B-tree structure.

The components are:

  • Database header
  • Backup
  • page contains:
  • Long value data
  • Database table data
  • Space tree data
  • Database index data

Database Header:

The database starts with a header, which consists of at least 667 bytes, like;

windows search forensics

It stores the header in blocks followed by another block. The first 4 to 8 bytes contain the unique tag ‘\xef\xcd\xab\x89′ of the format and the rest of the values are for the page size, file format, format version, etc.

Page Storage:

A page contains values, header and index and it might not be filled indicating that there are ‘page unallocated spaces’; containing remnant data useful for forensic research. One can see the size of the header in the header part and a page may contain multiple page values. A view of page 13 of Windows Vista Search ESE (Windows.edb) is;

windows search index forensics

The information starts with the header followed by page value and for each of the page values, you can see a tag identified by c, d and v.

Details View On Windows Search Index Database Forensics:

For getting into the Windows.edb, you will have to get the access rights and the Windows Search service should be deactivation. While looking from the forensic point of view, the ESE method is not apt since it alters the data stored when the ESE sets the state to ‘dirty’.

The exporting of the data from XP works well but, not with Windows Vista. In Windows 7, Searching is done with the help of ESE compression.

Data Obfuscation:

The TECHNET shows that the index files are obfuscation and describes like;

If we remove the obfuscation then, data can be brought out. The structure of index files does not bring any easy reconstruction of documents. Instead, with enough time one can regain the text of the documents.

In Obfuscation the XOR with bitmask and initial 32bit bitmask are used. The data get obfuscated using the following;

windows desktop search forensics

Data Compression:

Compression of the data takes place before the obfuscating takes in and the compression methods get incorporated with ‘MSSUncompressText’ stored at Windows Search DLL. The DLL names may not be the same in all versions.

Observations:

There are even other thinking in Windows Search Forensics. Only some of the ways are mentioned over here. The Windows Search helps in forensic investigation with their works. The ESE database is used in this search even though it is complex in maintaining.

offer-banner