Starting from Windows 11:
<SYSTEMDRIVE>:\ProgramData\Microsoft\Search\Data\Applications\Windows\Windows.db
<SYSTEMDRIVE>:\ProgramData\Microsoft\Search\Data\Applications\Windows\Windows-gather.db
Windows 7 to Windows 10:
<SYSTEMDRIVE>:\ProgramData\Microsoft\Search\Data\Applications\Windows\Windows.edb
Windows XP:
<SYSTEMDRIVE>:\Documents and Settings\All user\Application Data\Microsoft\Search\Data\Application\Windows\Windows.edb
Overview
The Windows Search database provides an index to the Windows Search feature
to improve search speed by indexing content. The Windows Search index is used
for searches made through Windows taskbar, the Windows Explorer, and some
Universal Windows Platform (UWP) applications (such as Outlook, OneDrive,
etc.).
By default, only a subset of folders and files are indexed (to reduce the
Windows Search database size and CPU usage). The folders scanned and number of
items indexed can be consulted in the “Windows search settings” menu.
From Windows Vista / Windows Server 2008 to Windows 10 /
Windows Server 2019, the Windows Search used an
Extensible Storage Engine (ESE) database (Windows.edb). Starting with
Windows 11 / Windows Server 2022, the Windows Search switched to two
SQLite databases (Windows.db and Windows-gather.db).
Information of interest
By default, only items from the following sources are scanned and indexed:
-
Files and folders from the folders
C:\Users\*(excludingAppData
directories) andC:\ProgramData\Microsoft\Windows\Start Menu\Programs\*
(which include startupLNKfiles).Data available: file name, path, size, attributes,
MACtimestamps.
For small file, part of the content of the file may be indexed as well. -
Outlook mail data (with timestamp of reception, possible mail content).
-
OneNote notes title.
-
Internet Explorer history (URLs, timestamp of last visit).
Tool(s)
The Search Index DB Reporter (SIDR)
utility (SIDRWindowsIndexSearchParser KAPE module) can be used to parse the
Windows Search database (in both ESE and SQLite formats).
# Recursively scan the <INPUT_DIRECTORY> for Windows.edb and Windows.db files.
sidr.exe -f <json | csv> <INPUT_DIRECTORY> -o <DESTINATION_DIRECTORY>
Alternatively, the WinSearchDBAnalyzer
graphical utility can be used to parse and explore the Windows Search, in
ESE database format only.
References
-
SANS DFIR Summit 2023 — Phalgun Kulkarni & Julia Paluch — Windows Search Index: The Forensic Artifact You’ve Been Searching For
-
Aon — Phalgun Kulkarni, Julia Paluch — Windows Search Index: The forensic artifact you’ve been searching for
View on GitHub
Сегодня, в рамах прохождения задания Hunter c площадки Hack The Box Sherlocks, будем извлекать и анализировать файл Windows.edb (Windows Search Database) — важный компонент Windows, который хранит индексированные данные всех файлов, папок и другого контента на компьютере. Данная база данных может быть ценным источником информации в процессе форензического анализа.
Еще по теме: Поиск артефактов на компьютере Windows
Анализ и форензика Windows Search Database с помощью Sidr
Windows Search Database может предоставлять ценные данные для форензического анализа, такие как:
- Временные метки доступа к файлам.
- Путь и местоположение файлов.
- Содержимое файлов, если они были проиндексированы.
- Сведения об удаленных файлах, которые всё ещё могут находиться в индексе.
Иногда данные, которые были удалены из системы, всё ещё могут находиться в базе данных. Поэтому всегда стоит проверять Windows.edb на наличие следов удаленных файлов и папок.
По умолчанию файл Windows.edb находится в следующем каталоге:
|
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\ |
Файл может занимать значительное место на диске, особенно если на компьютере много данных для индексации.
Для анализа Windows Search Database на Linux воспользуемся утилитой sidr. Для Windows можно использовать утилиту от NirSoft.
|
./sidr ~./2023—06—22T092426_Acquisition/C/ —f json —o ~/sidr/ |
В результате мы получили три файла:
- File_Report_20240503_120219.452284.json;
- Internet_History_Report_20240503_120219.452528.json;
- Activity_History_Report_20240503_120219.452589.json.
Нас интересует первый файл, давай загрузим его в ZUI.
Посмотрим, какие расширения файлов есть в базе:
|
fuse | «06-21» | count() by System_ItemType | sort —r count |
Наибольший интерес для нас представляет информация о .bat:
|
fuse | «06-21» | System_ItemType==».bat |
В последнем столбце — часть содержимого batch-файла. Скрипт ниже представлен не полностью, поскольку остальные строки в нем закомментированы.
|
set «source=%userprofile%» set «destination=%temp%\Exfil» if not exist «%destination%» mkdir «%destination%» for /r «%source%» %%a in (*.docx *.docm *.pdf *.xls *.txt *.ppt *.xlsx *.pptx) do ( copy «%%a» «%destination%» ) cd %TEMP%\Exfil «C:\Program Files\WinRAR\Rar.exe» a Exfil |
Вот что делает скрипт:
- устанавливаются переменные source и destination;
- если директория
%temp%\Exfil отсутствует, она создается; - копируются файлы, подходящие под маску;
- создается архив
%TEMP%\Exfil\Exfil.rar.
Заключение
Использование специализированных инструментов и методов извлечения данных из Windows.edb может значительно помочь в расследованиях и выявлении подозрительной активности. Правильный анализ этой базы данных может предоставить критически важные доказательства и помочь восстановить хронологию событий на целевой системе.
ПОЛЕЗНЫЕ ССЫЛКИ:
- Анализ событий Windows [Форензика Windows]
- Извлечение временных меток и создание таймлайна событий
How often you should search for the various information? Most likely it occurs every day. It is important, that an information search problem not trivial. Also the information can is in various sources — in files, in e-mail messages, in documents etc. Not the secret, that most part of an information is in a network — local and global.
Windows Search which allows to search easily and conveniently on the basis of indexes has been developed in Windows Vista. In Windows 7 a theme of search has found the continuation and in new OS there was additional tool — Windows 7 Federated Search.
Windows 7 Federated Search is a tool which allows to search of information in a network within Windows Explorer. As a data source in this case can act anything you like — a corporate site, Internet shop, Internet auctions etc.
Difference between federated search and Windows Search consists that mechanisms of federated search do not index data sources, and simply call to them with the request to execute search query. Federated search is focused on the distributed remote sources of an information. Indexation of remote sources can be inefficient and lead to the excessive expense of the Internet traffic. For this reason the approach at which the task of processing of search query is assigned to a remote source. Thus, there is a possibility to connect all necessary remote sources and to search in them not leaving from Windows Explorer.
Despite all convenience of such search, implementation of the search provider is very simple. Federated search in Windows 7 is based on OpenSearch 1.1 standard, and works as follows. For search execution, the Windows 7 will call to the external web service constructed on the basis of the REST-approach. It means, that search query, and also other data necessary for search, are transferred in URI at the calling to this web service. Web-service on the basis of these data should execute search in the data source and will return result in RSS or AtomPub format. After that Windows 7 will present results of search from the received data in the form of files and will display to their user.
For addition of own search provider in Windows 7 it is necessary to create a file of the description of this provider. The format of this file is based on XML and contains the information on the given search service, including URI format for the calling to a web-service.
Thus, for implementation of own provider of federated search in Windows 7 it is necessary to execute two simple actions — to create REST-service for information search and to make for it a description file.
Let’s consider process of creation of the search provider on a following example. There is a list of books with the description, the author and other information. In this case this list contains in XML file (for a demonstration example). As a data source it is possible to use anything you like. Let’s make the search provider for this list.
The file of the description of a search provider represents a XML-file and has “.osdx” extension. This file has the following structure.
<?xml version="1.0" encoding="utf-8" ?>
<OpenSearchDescription xmlns="http://a9.com/-/spec/opensearch/1.1/">
<ShortName>Federated Search sample provider</ShortName>
<Url type="application/rss+xml" template="http://somehost.com/search/
?q={searchTerms}&start={startIndex}&count={count}" />
</OpenSearchDescription>
In Url section of this file the template of the address which will be used at the call to web service is set. It is visible, that this address can assume absolutely various representation. In the address template some sections in which values will be substituted are used. The main section is a “searchTerms” section. In this section the line for search will be substituted. Federated search in Windows 7 obtains data page by page, therefore there are sections “count” and “startIndex” which set the size and page number. It is necessary for, that Windows could receive the first results of search, display their to user, and then work with other elements.
<?xml version="1.0" encoding="utf-8" ?>
<OpenSearchDescription xmlns="http://a9.com/-/spec/opensearch/1.1/">
<ShortName>Federated Search sample provider</ShortName>
<Url type="application/rss+xml" template="http://localhost:8731/
FederatedSearchProviderSample/search/{searchTerms}/
?start={startIndex}&count={count}" />
</OpenSearchDescription>
The last, that it is necessary to make is to create service which will carry out search. In this case there is no binding to concrete technology and the only requirement — service should return result in RSS/Atom format. It is clear, that service can be constructed on absolutely various platforms and technologies. For these purposes the best choice — the usage of possibilities of WCF for creation of REST-services. A lot of attention is already given construction of similar services, therefore I will not stop in detail on it, and I will describe only key steps.
The first, that it is necessary to make is to define the contract. At the contract there will be two operations — execution of search and generating of the detailed information.
[ServiceContract]
[ServiceKnownType(typeof(Atom10FeedFormatter))]
[ServiceKnownType(typeof(Rss20FeedFormatter))]
public interface ISearchProvider
{
[OperationContract]
[WebGet(UriTemplate = "search/{searchTerms}/*")]
SyndicationFeedFormatter Search(string searchTerms);
[OperationContract]
[WebGet(UriTemplate = "details/{id}")]
Stream Description(string id);
}
The most important thing, on what it is necessary to pay attention during this moment — definition of URI template. Apparently in this case the “search/{searchTerms}/*” template completely corresponds to that has been defined in a description file.
It is necessary to implement this service only. At implementation it is necessary to consider the specified parametres at the call to service (searchTerms, start, count) and to divide search result into pages if it is necessary. For this purpose it is possible to use LINQ methods — Take/Skip. Thus, service implementation will look as follows.
public class SearchProvider : ISearchProvider
{
public SyndicationFeedFormatter Search(string searchTerms)
{
int count;
int startIndex;
int.TryParse(WebOperationContext.Current.IncomingRequest.UriTemplateMatch.QueryParameters.Get("count"), out count);
int.TryParse(WebOperationContext.Current.IncomingRequest.UriTemplateMatch.QueryParameters.Get("start"), out startIndex);
var result = SearchBooks(searchTerms);
if (count > 0)
{
if (startIndex >= 0)
{
result = result.Skip(count * (startIndex - 1)).Take(count);
}
else
{
result = result.Take(count);
}
}
return new Rss20FeedFormatter(
new SyndicationFeed("Federated search sample", String.Empty, null,
from item in result
select new SyndicationItem(item.Element(XName.Get("name")).Value,
item.Element(XName.Get("description")).Value,
new Uri(WebOperationContext.Current.IncomingRequest.UriTemplateMatch.BaseUri.ToString() + @"/details/" + item.Element(XName.Get("id")).Value))
{
PublishDate = DateTimeOffset.Parse(item.Element(XName.Get("date")).Value),
}));
}
//...
}
Also at service there are methods for display of the detailed information and search execution. At desire it is possible to download an example and to look their implementation there.
After service is ready and started, it is necessary to open a file of the description of service (.osdx) in Windows and to agree with offer to add the search provider. After that this provider will appear in the list of search providers.
Now, when web service works and also the provider of search is successfully added, it is possible to search on a network resource directly from Windows Explorer.
Apparently, implementation of the search provider for Windows 7 Federated Search is very simple. However, it can make use of your data much more conveniently and easier. One of the most successful examples of using of federated search in external sources is the search provider for corporate sites on the basis of Sharepoint. Why and to us not to implement similar functionality for our applications?
Sample application:
| Windows Search | |
|---|---|
| Basic data | |
| developer | Microsoft |
| Current version | 4 (2008) |
| operating system | Windows XP , Windows Server 2003 , Windows Vista , Windows Server 2008 , Windows Home Server , Windows 7 , Windows 8 , Windows Server 2008 R2 |
| category | Desktop search |
| License | Proprietary |
| German speaking | Yes |
| www.microsoft.com/windows/desktopsearch |
Windows Search (WS, also called MSN Desktop Search and Windows Desktop Search in older versions ) is a desktop search program that uses filter criteria to find certain documents , files and e-mails accessible by a user on the hard drive of a Windows system and in the network (on UNC shares) and enables a fast full-text search. WS can replace the classic file search of Windows Explorer within the Windows XP operating system . For the «quick search» WS integrates an input field in the Windows task bar (Windows XP) or in the start menu (from Windows Vista). The hits are listed in a drop-down window as soon as they are typed. Windows Explorer is used for the «advanced search» (this includes setting the filter criteria, sorting and preview).
Since Windows Vista , WS has been an integral part of the operating system. WS is offered as an optional update for Windows XP . Microsoft Outlook 2007 and 2010 preferably use Windows Search for the «quick search», but do not necessarily require it.
WS is also offered in German. The download and use of WS are free on Windows.
Supported data sources
According to Microsoft, Windows Search searches more than 200 common file formats, including e-mails , documents , pictures , music , videos and PDF files.
Windows Search can be expanded with plugins, so-called iFilters , for indexing new file formats. iFilter are filter modules that can understand the internal structure of a certain file type and extract the information that can be used for indexing. They are usually offered by independent manufacturers who want to make their in-house document types accessible to Windows search. This allows the search function to search for other formats such as B. zipped archives ( ZIP ) or MindManager can be expanded. The Windows Indexing Service also uses such iFilters.
Database / technology
WS catalogs all files corresponding to the filter criteria, determines the relevant keywords based on a frequency analysis and saves the index data in a database. Microsoft’s JET -DB technology is used (which is also used for storing the Exchange Server information store). The index data is thus available in a single EDB file (Embedded Database), which is stored in the user’s profile.
WS can replace the classic file search. However, WS will only find files that have been indexed. Indexing takes place either on command, or (by default) in the background or while files are being accessed. To search for files that are not part of the indexed directories, you have to switch back to the classic search.
Differences to other desktop search programs / unique selling points
In contrast to other desktop search programs, Windows Search can also meet the requirements for use in (Windows) networks:
- The most important «unique selling point» is the ability to control the configuration network-wide via the Windows group policies ( Group Policy Objects GPO). The desktop search Lookeen Search also offers GPO support from version 2.0.
- In the case of shared network drives, the WS can compare the existing index of the server with its own index, provided the server also offers the Windows search services. However, the index search on Windows Server does not work in combination with deduplication or with DFS namespaces.
- It is also possible to exclude individual folders from the search directly in Explorer.
Alternatives
See list of desktop search programs
System requirements
- Microsoft Windows XP (at least SP2 for WS Version 3), Windows Server 2003 SP1, Windows Vista, Windows Server 2008, Windows Home Server, Windows 7, Windows 8
- Microsoft Internet Explorer 6 or higher
- For e-mail indexing: Microsoft Outlook 2000 or higher, Microsoft Outlook Express 6.0 or higher. Plugins for other email clients are available on the web.
- For previewing Microsoft Office documents: Office XP or higher
Web links
- Windows Search 4.x
- IFilter Explorer: Tool for displaying installed iFilters
- Detailed tutorial with examples
Individual evidence
- ↑ Widows Search not working with Data Deduplication? In: social.technet.microsoft.com. Retrieved August 15, 2016 .
- ↑ WDS 4.0 and DFS. In: social.msdn.microsoft.com. Retrieved August 15, 2016 .