Windows Search Primer - Windows.edb

Windows Search is an indexed search engine released by Microsoft for the Windows OS. Windows search creates an index of the files on a computer,the type of files indexed by Windows search can be determined by the user.

Searches can be performed on the filenames, file contents and meta-data. The default name for the main index database is Windows.edb. The default location for the database on Vista is: ProgramData\Microsoft\Search\Data\Applications\Windows\Windows.edb

This folder may also contain transaction logs and other files required for the database/engine to function correctly as shown below.

The user can determine what is indexed via the Control Panel Control Panel > Indexing Options

By reviewing the advanced options of the Indexing Options screen you can determine which file types can be indexed and to what extent. The screenshot below show that emails (.eml) on the example system will be indexed to include both file properties and file content.

Microsoft includes a program called esentutl which can be used to perform basic maintenance and recovery and has 7 modes of operation displayed in the screenshot below:

The actual content of the Windows.edb can include but is not limited to: Filenames Email addresses Email message content Documents (names and content) Metadata File path informationdDate/Time information.

The content of the Windows.edb file can be extracted for further inspection using the Search Index Extractor, a forensic software utility part of the SC Suite.