Windows Index Search

Overview

Evidence: Windows Index Search Description: Collect Windows Index Search Database Category: Other Evidence Platform: Windows Short Name: indxs Is Parsed: No - Raw ESE database file Sent to Investigation Hub: Yes Collect File(s): No

Background

Windows Search maintains an index database (Windows.edb) that catalogs file content, properties, and metadata to enable fast searching. The index contains information about files, emails (if Outlook is installed), and other indexed content.

The search index can contain remnants of deleted files, email content, and document metadata that may not be available elsewhere.

Data Collected

Field

Description

Example

Name

Artifact name

Windows Index Search

Type

File

SourcePath

Original file path

C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Windows.edb

Path

Relative path in evidence

Other/Windows.edb

Collection Method

This collector collects the Windows Search database from:

ProgramData\Microsoft\Search\Data\Applications\Windows\Windows.edb
Documents and Settings\Application Data\All Users\Microsoft\Search\Data\Applications\Windows\Windows.edb (legacy path)

Usage

The Windows Search index can reveal file content and metadata including indexed emails and documents. Investigators use this data to recover deleted file metadata, search indexed email content, find document keywords and properties, track user search activity, and identify files that were indexed before deletion.

Known Limitations

ESE database format requires specialized tools
Database may be locked by Windows Search service
Index content depends on indexing configuration
May not index all file types or locations

Notes

Windows.edb is an ESE database that can be parsed with tools like ESEDatabaseView or similar ESE parsing utilities. The database may contain remnants of deleted files that were previously indexed.

PreviousWindow Screenshots NextWinrar

Last updated 45 minutes ago

Was this helpful?