Windows Search Index Database

Windows, User Activity, Disk Image

Location

C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Windows.edb (Win10) or C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Windows.db (Win11)

Description

Windows Search indexing database containing metadata and partial content of indexed files, emails, and browser history. The ESE database (Windows.edb) or SQLite database (Windows.db) contains file properties, text excerpts, and path information.

Forensic Value

The Windows Search index contains metadata and content snippets of files that may have been deleted, providing evidence of their former existence. Indexed email content can supplement Exchange/M365 investigations. Browser history entries in the index may survive browser history clearing. File property records include modification timestamps, sizes, and partial content that can prove sensitive documents existed on the system.

Tools Required

  • KAPE
  • SIDBParser
  • ESEDatabaseView (NirSoft)
  • DB Browser for SQLite
  • Autopsy

Collection Commands

KAPE

kape.exe --tsource C: --tdest C:\output --target WindowsSearchIndex

ESEDatabaseView

ESEDatabaseView.exe (GUI - open Windows.edb for table browsing)

SIDBParser

python3 sidb_parser.py -i "C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Windows.edb" -o C:\output\search_index

PowerShell

Stop-Service WSearch; Copy-Item "C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Windows.edb" -Destination C:\output\
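The one-line PowerShell collection above leaves the indexer stopped and records no hash. The following is an added example (not part of the original page) that wraps the same steps into a function: it collects whichever database exists (Windows.edb on Win10, Windows.db on Win11), stops WSearch only for the duration of the copy, restarts it if it was running, and writes SHA-256 hashes beside the copies. The function name, parameter and log file name are this example's own choices.

```powershell
# Added example (not from the original page): collect the Windows Search index
# database with a verifiable hash. Paths and the WSearch service name are those
# named on the page; the function name and parameters are this example's own.
function Collect-WindowsSearchIndex {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Destination
    )

    $searchDir  = 'C:\ProgramData\Microsoft\Search\Data\Applications\Windows'
    # Win10 stores an ESE database, Win11 a SQLite database; collect whichever exists.
    $candidates = @('Windows.edb', 'Windows.db') |
        ForEach-Object { Join-Path $searchDir $_ } |
        Where-Object { Test-Path -LiteralPath $_ }

    if (-not $candidates) {
        Write-Warning "No Windows Search index found under $searchDir"
        return $null
    }

    New-Item -ItemType Directory -Path $Destination -Force | Out-Null

    # The indexer holds the database open; stop it so the copy is consistent,
    # and remember the prior state so it is only restarted if it was running.
    $svc = Get-Service -Name WSearch
    $wasRunning = ($svc.Status -eq 'Running')
    if ($wasRunning) { Stop-Service -Name WSearch -Force }

    try {
        $results = foreach ($src in $candidates) {
            $dst = Join-Path $Destination (Split-Path -Leaf $src)
            Copy-Item -LiteralPath $src -Destination $dst
            $srcHash = (Get-FileHash -LiteralPath $src -Algorithm SHA256).Hash
            $dstHash = (Get-FileHash -LiteralPath $dst -Algorithm SHA256).Hash
            [pscustomobject]@{
                Source      = $src
                Copy        = $dst
                SHA256      = $dstHash
                HashMatches = ($srcHash -eq $dstHash)
                CollectedUtc = (Get-Date).ToUniversalTime().ToString('o')
            }
        }
    }
    finally {
        if ($wasRunning) { Start-Service -Name WSearch }
    }

    # Write a collection log beside the copies so the hashes travel with the evidence.
    $results | Export-Csv -LiteralPath (Join-Path $Destination 'collection_log.csv') -NoTypeInformation
    $results
}
```

Run from an elevated prompt, e.g. `Collect-WindowsSearchIndex -Destination C:\output\search_index`; a `HashMatches` value of `False` means the copy should be repeated.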

Collection Constraints

  • Availability, retention, and field coverage depend on the Windows release, SKU, per-host audit policy, and user activity. Treat absence as inconclusive unless you verified the feature was enabled.

MITRE ATT&CK Techniques

  • T1005
  • T1083