
WinSearchDBAnalyzer
Introduction
One of the most powerful tools for parsing the Windows Search Database is WinSearchDBAnalyzer. This tool effectively makes the contents of the Windows search index available for forensic investigation. It currently supports parsing ESE (Extensible Storage Engine) database format up to Windows 10 (Windows.edb files) and can analyze already exported files or extract the database from a live system.
Key Features
Provides control over which metadata fields to extract.
LCan parse both live and exported Windows.edb files.
Can parse corrupt ESE databases, but repairing them beforehand ensures better results.
Organizes indexed items by file extension, allowing easy filtering of specific file types (.docx, .zip, etc.).
Investigators can explore indexed content structured as folders.
Metadata columns can be sorted for better analysis, and a preview pane displays file details upon selection.
The Find search bar enables keyword searches across multiple metadata fields, including filenames, folder names, and indexed file content (Search_AutoSummary field).
Carves deleted records from unallocated database space, which may contain traces of previously deleted files.
Practical Usage Example
In an investigation, a search for "secret" filtered across all files and metadata. A file named "akash.pdf" was identified, and its extracted metadata was visible in the preview pane. The metadata included file system timestamps and indexed content, revealing that the term "secret" appeared within the indexed content (Search_AutoSummary field).
Useful Search Queries
Practical search tips
To view visited URLs: Search for "http://" or "https://"
To find internet queries: Search for "q=" or "query="
To locate records by date: Search for "2021-11-"
To view all records: Select "ALL"
To recover deleted records: Check "Unknown"
Note: Parsing a full Windows Search Database can be slow due to the large volume of indexed data.
Esedatabaseview

----------------------------------------------------------------------------------------------------------
SQLite-Based Windows Search Index Parsing
While WinSearchDBAnalyzer automates parsing, manual review is also possible using a SQLite database viewer.
Key SQLite Databases in Windows 11
1. Windows-gather.db
Path:
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Windows-gather.db
This database provides a high-level overview of indexed files and folders, allowing full path reconstruction.
Important Fields in SystemIndex_Gthr Table:
ScopeID: Foreign key linked to Scope in SystemIndex_GthrPth table (to find parent folder).
DocumentID: Unique identifier for a file, linked to WorkID in Windows.db.
FileName: Name of the indexed item.
LastModified: Last modified time (Windows FILETIME format).

Important Fields in SystemIndex_GthrPth Table:
Scope: Foreign key linked to ScopeID.
Parent: Identifier for parent folder.
Name: Folder name.

2. Windows.db
Path:
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Windows.db
Stores a massive collection of metadata for indexed files.
Important Fields in SystemIndex_1_PropertyStore Table:
WorkId: Unique identifier for an indexed item.
ColumnId: Identifies metadata property type (linked to SystemIndex_1_PropertyStore_Metadata).
Value: Metadata information.

Important Fields in SystemIndex_1_PropertyStore_Metadata Table:
Id: Property ID (linked to ColumnId in PropertyStore table).
UniqueKey: Describes metadata property type.

Example of Parsing Windows.db

----------------------------------------------------------------------------------------------------------
WinEDB and Windows 11 Search Index Changes
Their WinEDB project provides useful SQL queries for analyzing the new database schema. These queries can be executed in DB Browser for SQLite to extract human-readable data.
📌 Reference: GitHub – kacos2000 WinEDB Search Index Tool
---------------------------------------------------------------------------------------------------------
Search Index DB Reporter (SIDR)
SIDR is an incredibly effective tool for parsing the Windows Search Index Database. It can parse both the original Extensible Storage Engine (ESE) database found in Windows 10 and the newer SQLite database format introduced in Windows 11.
Command:
E:\Windows Forensic Tools\window.edb.db analysis>sidr.exe -f csv -o "C:\Users\Akash's\Downloads" "C:\ProgramData\Microsoft\Search\Data\Applications\Windows"

SIDR is designed to export a curated view of well-known and important items from the database. The output from SIDR is divided into three reports:
File Report
Activity History Report
Internet History Report
While the executable exports pre-defined metadata types, advanced users can modify the report output by editing the YAML file within the source code (compilation of the source code would be required).
File Report
The File Report provides a curated list of metadata for indexed files. It includes:
Full file name and path
Created, modified, and accessed timestamps
File size and owner
Indexed content (System_Search_AutoSummary)
System_Search_GatherTime (timestamp when the file information was recorded in the database)
The System_Search_GatherTime is particularly useful because it offers another indicator of when a file was present on the system, independent of file creation time.
However, it is important to note that SIDR extracts only a subset of the available metadata. Out of potentially hundreds of metadata types, only about ten are included in this report.
If an investigation requires more detailed metadata, tools like WinSearchDBAnalyzer (for Windows 10) or manual SQLite database parsing (for Windows 11) can supplement the extracted data.
Internet History Report
The Internet History Report extracts browser-related items stored in the Windows Search Index. Currently, this report includes data from Internet Explorer and Microsoft Edge. It records:
Visited URL
Page title
Date visited
System_Search_GatherTime (when the information was recorded in the database)
This report can be particularly useful if browser history is missing from primary browser databases. However, it is important to note that InPrivate browsing sessions are not stored in the Search Index.
Activity History Report
The Activity History Report provides insights into user activity recorded in the Windows Search Index. It aggregates multiple System_Activity metadata types, revealing:
Files opened by a user
Applications used to open those files
Start and end times of the activity (providing duration information)
A key forensic insight is the Windows Search Index does not delete Activity History information when the original file is removed. This means that even if a suspect deletes or renames a file, uninstalls an application, or attempts other cleanup actions, relevant forensic data may persist in the Search Index.
-------------------------------------------------------------------------------------------------------------
Conclusion
The SIDR tool is designed by investigators, for investigators. It efficiently extracts key forensic data from the Windows Search Index without overwhelming analysts with unnecessary information. Advanced users can further customize the tool by modifying the source code and integrating it with additional analysis tools like Velociraptor or WinSearchDBAnalyzer.
-------------------------------------------------Dean---------------------------------------------
Comments