
Windows Search Forensics Explained

John Doe | July 27th, 2015 | Updates

Windows Vista is often dismissed, but it introduced a feature that works in the forensic investigator's favour: Windows Search, which is also enabled by default in Windows 7. Windows Search indexes internet history, e-mail and other sources that are valuable from an investigative point of view. Everything it indexes is stored in a single database file, Windows.edb, which is an Extensible Storage Engine (ESE) database. This post goes through the details.

What Is Windows Search?

Windows Search, also known as Windows Desktop Search, is an indexed search platform that builds full-text indexes of the content on a computer, with supporting features such as IFilters and incremental indexing. It holds a large amount of information, and the index it creates is stored in an EDB file, Windows.edb.

Windows Desktop Search stores its data files at the following location:

[Image: Windows Search data file path]

Note: The initial folder, shown as “%%”, varies between Windows versions.

Windows XP:

[Image: Windows.edb location on Windows XP]

Windows 7:

[Image: Windows.edb location on Windows 7]

Forensically, Windows Search is most useful on Vista. It supports:

  • Time-line analysis
  • Evidence that a file formerly existed
  • Recovery of the contents of e-mail messages and indexed documents stored on an Exchange server

How Is Windows Search Applicable In Forensics?

Windows Search is widely used by forensic investigators and helps in many areas of an investigation. It can give details regarding:

  • Damaged disks
  • Deleted data
  • Event bounding
  • Unique data
  • Encrypted files
  • Absent data

As mentioned above, the index files are stored in an ESE database. The following section explains what an ESE database is.

ESE Database Format:

ESE stands for Extensible Storage Engine, a complex database engine used by Windows Search, Windows Mail, Active Directory and others; Windows Search stores its index in the Windows.edb file. The page size of the database differs according to the version of Windows used, and the data is organised in B-tree structures.

The components are:

  • Database header
  • Backup header
  • Pages, each containing:
    • Long value data
    • Database table data
    • Space tree data
    • Database index data

Database Header:

The database begins with a header of at least 667 bytes, which looks like this:

[Image: hex view of the Windows.edb database header]

The header occupies the first block of the file and is followed by further blocks. Bytes 4 to 8 of the header hold the format's unique tag ‘\xef\xcd\xab\x89’; the remaining fields give the page size, file format, format version and so on.

Page Storage:

A page consists of a header, values and an index. A page may not be completely filled, leaving ‘page unallocated space’ that can hold remnant data useful for forensic research. The size of the page header can be read from the header itself, and a page may hold multiple values. Page 13 of a Windows Vista Search ESE database (Windows.edb) looks like this:

[Image: hex view of page 13 of a Windows Vista Windows.edb]

The page starts with its header, followed by the page values; each value is preceded by a tag identified by c, d or v.

Details View On Windows Search Index Database Forensics:

To get into Windows.edb you need the appropriate access rights, and the Windows Search service must be stopped. From a forensic point of view, opening the database through ESE itself is not appropriate, since ESE alters the stored data when it sets the database state to ‘dirty’.
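To make the header fields and the ‘dirty’ state concrete, here is an added example (not code from the original post) that parses the fixed part of an ESE header, checks the tag at bytes 4 to 8, reads the page size and reports whether the database was left dirty. The field offsets 52 (database state) and 236 (page size), the state codes and the page-offset rule are assumptions taken from the documented ESE layout, and the sample header is constructed in the block.

```python
import struct

ESE_SIGNATURE = b"\xef\xcd\xab\x89"  # format tag at bytes 4..8 of the header
MIN_HEADER_SIZE = 667                # minimum header length noted above
# Database state codes at offset 52 (assumed from the documented ESE layout);
# state 2, "dirty shutdown", is the case the text above warns about.
DB_STATES = {1: "just created", 2: "dirty shutdown", 3: "clean shutdown",
             4: "being converted", 5: "force detach"}


def parse_ese_header(data):
    """Parse the fixed fields of an ESE database header (e.g. Windows.edb).
    Offsets are the documented ESE file-header offsets (assumption: they
    apply to the Windows.edb version under examination), little-endian:
      0 checksum, 4 signature, 8 format version, 12 file type,
      52 database state, 236 page size.
    """
    if len(data) < MIN_HEADER_SIZE:
        raise ValueError("header too short: %d bytes" % len(data))
    if data[4:8] != ESE_SIGNATURE:
        raise ValueError("not an ESE database, signature %r" % data[4:8])
    checksum, = struct.unpack_from("<I", data, 0)
    fmt_version, file_type = struct.unpack_from("<II", data, 8)
    state, = struct.unpack_from("<I", data, 52)
    page_size, = struct.unpack_from("<I", data, 236)
    # Page sizes are powers of two and differ between Windows versions.
    if page_size < 2048 or page_size & (page_size - 1):
        raise ValueError("implausible page size %d" % page_size)
    return {"checksum": checksum, "format_version": fmt_version,
            "file_type": file_type, "state": DB_STATES.get(state, "unknown"),
            "dirty": state == 2, "page_size": page_size}


def page_offset(page_number, page_size):
    """File offset of a data page: the header and its backup copy occupy the
    first two pages, so data page 1 starts at 2 * page_size (assumption from
    the documented ESE layout)."""
    return (page_number + 1) * page_size


def build_sample_header(page_size=4096, state=2):
    """Constructed sample header for offline testing; not real evidence."""
    buf = bytearray(MIN_HEADER_SIZE)
    buf[4:8] = ESE_SIGNATURE
    struct.pack_into("<II", buf, 8, 0x620, 0)  # format version, file type
    struct.pack_into("<I", buf, 52, state)
    struct.pack_into("<I", buf, 236, page_size)
    return bytes(buf)
```

Run `parse_ese_header` on the first 667 bytes of a copied Windows.edb; a result with `"dirty": True` means the file was taken while the service still had it open.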

Exporting the data works well on XP but not on Windows Vista. On Windows 7, the index additionally makes use of ESE compression.

Data Obfuscation:

TechNet states that the index files are obfuscated and describes it as follows:

If the obfuscation is removed, the data can be extracted. The structure of the index files does not allow easy reconstruction of a document, but with enough time one can recover the text of the documents.

The obfuscation is an XOR with a bitmask, starting from an initial 32-bit bitmask. The data is obfuscated as follows:

[Image: obfuscation of the index data with the XOR bitmask]

Data Compression:

The data is compressed before it is obfuscated; the decompression routine, ‘MSSUncompressText’, lives in a Windows Search DLL. The DLL name may differ between versions.

Observations:

There are other approaches to Windows Search forensics; only some of them are covered here. Windows Search assists forensic investigation through the artefacts it produces, and it relies on the ESE database even though that database is complex to handle.