
Windows Search Index Forensics

The Windows Search index can provide useful evidence to forensic investigators. The index is stored in a file called windows.edb, and it is this windows.edb file that is loaded and analyzed by Windows Search Index Analyzer. The location of the Windows Search index varies depending upon which operating system is in use.

Forensic Uses

The forensic uses of the Search Index are quite varied and, obviously, dependent upon the individual investigation, but the main uses can be categorized into 6 main areas.

  • Absent Data
  • Event Bounding
  • Deleted Data
  • Damaged Disks
  • Unique Data
  • Encrypted Files

Absent Data

Absent data includes the general absence of physical hardware. This includes situations where an external drive has been attached to a machine and indexed by a suspect, but has not been acquired during the investigation. The search index will contain data relating to all items stored within the external location even though that location has not been acquired.

Whilst external drives are not indexed by default, they can become indexed with relative ease. A user searches for an item on an un-indexed drive and Windows Explorer displays a bar at the top stating that the search might be slow and offering 'Click to add to index...'. The user is keen to find their information quickly, clicks the bar and chooses 'Add to Index...' so that their future searches will be faster. Thereafter the location is indexed.

An example of absent data can be seen in Case Study One.

Deleted Data

Data contained within the index can support the existence of data which may have been deleted. For example, recently deleted file system entries may still be contained within the index prior to it being updated from its temporary edb files. The chances of obtaining recently deleted file information are increased during acquisitions in which the suspect machine is not allowed a normal shutdown. The ACPO guidelines in the UK recommend acquisition in such a way.

Event Bounding

The created, modified, accessed and ItemDate times stored within the search index are updated when the actual file dates are changed and are, therefore, only as reliable as the file dates themselves. When used in respect of absent data they provide event bounding data that would not otherwise be available.

The System_Search_GatherTime field is more useful for forensic purposes as it contains the date and time the Search Gatherer was last provided with details of properties or data that required updating.

Damaged Disks

In the case of a disk having suffered significant damage, recovery of the search index from the disk can provide substantial information about the content of the drive's indexed areas, which include, by default, a user's document folders.

Unique Data

The search index contains unique data that can assist in investigations. Such data includes the System_Search_AccessCount, System_Search_GatherTime and the System_ThumbnailCacheId.

The System_ThumbnailCacheId can be used to tie in an entry found in the thumbcache stores to its entry in the file system.

Encrypted Files

It is possible to recover plain text data from the search index for files which are encrypted. For this to work the user has to have selected the option to index encrypted files, as they are not indexed by default. This is particularly useful where the appropriate filter indexes content as well as properties.
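The Absent Data, Deleted Data and Event Bounding uses described above reduce to three checks an examiner can run over records exported from the index: which records point at a volume that was never acquired, which records on an acquired volume have no matching file on the image, and what the System_Search_GatherTime values say about when each volume was last seen by the gatherer. The Python below is an added example, not code from this page or from Windows Search Index Analyzer. The records are constructed, and the column names System_ItemPathDisplay, System_DateModified, System_Search_GatherTime and System_Search_AccessCount are assumed here to follow the index's property naming rather than taken from the page.

```python
"""Triage of records exported from a Windows Search index (windows.edb).

Added example; the records and file lists below are constructed, and the
column names are assumed to mirror the index's property naming.
"""
from datetime import datetime, timezone
from pathlib import PureWindowsPath

# Constructed sample records, as an export from the index might look.
INDEX_RECORDS = [
    {"System_ItemPathDisplay": r"C:\Users\alice\Documents\report.docx",
     "System_DateModified": "2023-03-01T09:12:00Z",
     "System_Search_GatherTime": "2023-03-01T09:15:30Z",
     "System_Search_AccessCount": 4},
    {"System_ItemPathDisplay": r"C:\Users\alice\Documents\draft.txt",
     "System_DateModified": "2023-02-20T17:40:00Z",
     "System_Search_GatherTime": "2023-02-20T17:41:02Z",
     "System_Search_AccessCount": 1},
    {"System_ItemPathDisplay": r"E:\Backup\ledger.xlsx",
     "System_DateModified": "2023-01-15T11:00:00Z",
     "System_Search_GatherTime": "2023-03-05T20:03:11Z",
     "System_Search_AccessCount": 7},
    {"System_ItemPathDisplay": r"E:\Backup\photos\IMG_0001.jpg",
     "System_DateModified": "2022-12-25T14:00:00Z",
     "System_Search_GatherTime": "2023-03-05T20:03:12Z",
     "System_Search_AccessCount": 2},
]

# Constructed: only C: was acquired, and only one of its indexed files
# is still present on the image.
ACQUIRED_VOLUMES = {"C:"}
FILES_ON_IMAGE = {r"C:\Users\alice\Documents\report.docx"}


def parse_ts(s):
    """Parse the UTC timestamps used in the constructed export."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def volume_of(path):
    """Drive letter (or UNC root) of an indexed path, upper-cased."""
    return PureWindowsPath(path).drive.upper()


def absent_volume_records(records, acquired):
    """Absent Data: records whose volume was indexed but never acquired."""
    acquired = {v.upper() for v in acquired}
    return [r for r in records
            if volume_of(r["System_ItemPathDisplay"]) not in acquired]


def deleted_candidates(records, acquired, present):
    """Deleted Data: records on an acquired volume with no file on the image.

    Windows paths are case-insensitive, so compare them lower-cased.
    """
    acquired = {v.upper() for v in acquired}
    present = {p.lower() for p in present}
    return [r for r in records
            if volume_of(r["System_ItemPathDisplay"]) in acquired
            and r["System_ItemPathDisplay"].lower() not in present]


def gather_bounds(records):
    """Event Bounding: earliest and latest GatherTime seen per volume.

    The gatherer can only have been handed these items while the volume was
    attached, so the pair bounds when the volume was present.
    """
    bounds = {}
    for r in records:
        vol = volume_of(r["System_ItemPathDisplay"])
        t = parse_ts(r["System_Search_GatherTime"])
        lo, hi = bounds.get(vol, (t, t))
        bounds[vol] = (min(lo, t), max(hi, t))
    return bounds


def triage(records, acquired, present):
    """Run all three checks and return a summary keyed by check name."""
    return {
        "absent": [r["System_ItemPathDisplay"]
                   for r in absent_volume_records(records, acquired)],
        "deleted": [r["System_ItemPathDisplay"]
                    for r in deleted_candidates(records, acquired, present)],
        "bounds": gather_bounds(records),
    }


if __name__ == "__main__":
    for name, result in triage(INDEX_RECORDS, ACQUIRED_VOLUMES, FILES_ON_IMAGE).items():
        print(name, result)
```

With the constructed data the two E: records are reported as absent data, draft.txt on C: is a deleted-data candidate, and the E: bounds show the external drive was attached on 2023-03-05 around 20:03 UTC even though its file dates are months older, which is exactly why the page prefers System_Search_GatherTime over the file timestamps for bounding.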

Figure: Record view in Windows Search Index Analyzer.