Windows Search Index Database

windowsUser ActivityDisk Image

Location

C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Windows.edb (Win10) or C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Windows.db (Win11)

Description

Windows Search indexing database containing metadata and partial content of indexed files, emails, and browser history. The ESE database (Windows.edb) or SQLite database (Windows.db) contains file properties, text excerpts, and path information.

Forensic Value

The Windows Search index contains metadata and content snippets of files that may have been deleted, providing evidence of their former existence. Indexed email content can supplement Exchange/M365 investigations. Browser history entries in the index may survive browser history clearing. File property records include modification timestamps, sizes, and partial content that can prove sensitive documents existed on the system.

Tools Required

KAPESIDBParserESEDatabaseView (NirSoft)DB Browser for SQLiteAutopsy

Acquisition Methods

FTK Imager Full Disk Image

windows — physical

EnCase Forensic Full Disk Image

windows — physical

dd / dc3dd Raw Disk Image

windows — physical

Guymager Full Disk Image

windows — physical

FTK Imager Logical Image (AD1)

windows — logical