Investigating Windows Search Index
07/01/2022 Friday
Windows Search is a desktop search platform that was first introduced by Microsoft in Windows Vista and continued with later versions of Windows (Windows 7, 8 and 10). As indicated in the figure below, the service "provides content indexing, property caching, and search results for files, e-mail, and other content". In other words, Windows Search service acts as an internal dictionary running in the background, collecting and indexing the content of the system.
Whenever a user searches for a document, image or any other file type, she is actually searching the Windows Search Index database rather than conducting the search in real time making the search process easier and faster. The service is enabled by default; however, the user can modify which files and folders are indexed via “Indexing Options” or even disable the feature altogether.
Digital Forensics Value of Windows Search Index Artifacts
Windows Search can be a valuable source of evidence during investigations. The database contains a large amount of data related to the files, images, videos, directories and other file types found on Windows systems. In addition, Windows Search database may also collect and index data from other sources such as Microsoft Outlook. What makes Windows Search even more valuable is that users may not be aware of it. The service is enabled by default, running in the background, collecting and indexing potential evidence without the user's knowledge.
Location of Windows Search Index Artifacts
Windows Search uses the Extensible Storage Engine (ESE) format to store its data. In Windows 7, 8 and 10,
the database can be found at the following location:
C:\%USERPROFILE%\ProgramData\Microsoft\Search\Data\Applications\Windows\Windows.edb
Analyzing Windows Search Index Artifacts with ArtiFast Windows
This section discusses how to use ArtiFast Windows to analyze Windows Search Index artifacts from Windows
machines and what kind of digital forensics insight we can gain from the artifacts.
After you have created your case and added evidence for the investigation, at the Artifacts Selection phase,
you can select Windows Search Index artifact:
Once ArtiFast parser plugins complete processing artifacts for analysis, it can be reviewed via “Artifact View” or “Timeline View”, with indexing, filtering, and searching capabilities. Below is a detailed description of Windows Search Index artifact in ArtiFast Windows.
Windows Search Index Artifact
- File Name - File name.
- File Path - File path.
- Search Store - Source of item that user set stored.
- Created Date/Time - Created date/time of the file.
- Modified Date/Time - Modified date/time of the file.
- Accessed Date/Time - Accessed date/time of the file.
For more information or suggestions please contact: [email protected]
