Analyzing CRWL Files for Windows explorer search forensics

Nicotrel
(@nicotrel)
 

Lately I've been toying around with Windows Explorer forensic methods, and I came across CRWL files, which are basically Windows Explorer index files (presumably) that are stored in
(Sysvol)\ProgramData\Microsoft\Search\Data\Applications\Windows\GatherLogs\SystemIndex

Does anybody here have experience analyzing these files? If so, what data can I extrapolate from them, and how? When I took the hex data from the files and translated it to text, I got plain gibberish, no matter what I tried.

ALSO, I would have loved to know the best way to find the dates of Windows Explorer keyword searches. The WordWheelQuery registry key does provide me a list of the keywords searched, but the LastWriteTime timestamp tells me the last time WordWheelQuery was changed, i.e. the last time someone performed a search, not the last time a PARTICULAR SEARCH was made.

Any help would be highly appreciated!

 
Posted : 21/05/2016 9:34 pm
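An added example (editor's code, not part of the thread) that works through the WordWheelQuery question above. The key layout assumed here is the documented one: each search term is a REG_BINARY value named "0", "1", ... holding a UTF-16LE NUL-terminated string, and MRUListEx is a REG_BINARY array of little-endian uint32 indices, most recent first, terminated by 0xFFFFFFFF. The sample values are constructed inline so the script runs offline; on a live system or a hive exported from one you would feed it the real value bytes and the key's LastWriteTime.

```python
"""Recover search order from a WordWheelQuery key (constructed sample data).

Editor's example, not from the forum thread. Assumed layout (documented
Windows behaviour): values "0", "1", ... are UTF-16LE NUL-terminated terms;
MRUListEx is little-endian uint32 indices, most recent first, 0xFFFFFFFF ends.
"""
import struct
from datetime import datetime, timezone

MRU_TERMINATOR = 0xFFFFFFFF


def encode_term(term: str) -> bytes:
    """Build a value the way Explorer stores it (used only for the sample)."""
    return (term + "\x00").encode("utf-16-le")


def decode_term(raw: bytes) -> str:
    """UTF-16LE, stop at the first NUL; tolerate trailing junk."""
    text = raw.decode("utf-16-le", errors="replace")
    return text.split("\x00", 1)[0]


def decode_mrulistex(raw: bytes) -> list[int]:
    """Return value indices in most-recent-first order."""
    if len(raw) % 4:
        raise ValueError("MRUListEx length is not a multiple of 4")
    order = []
    for (idx,) in struct.iter_unpack("<I", raw):
        if idx == MRU_TERMINATOR:
            break
        order.append(idx)
    return order


def search_history(values: dict[str, bytes], key_last_write: datetime) -> list[dict]:
    """Combine MRUListEx order with the term values.

    The registry keeps a LastWriteTime per key, not per value, so only the
    most recent term (rank 0) can be tied to a time; the rest get None.
    """
    history = []
    for rank, idx in enumerate(decode_mrulistex(values["MRUListEx"])):
        history.append({
            "rank": rank,
            "term": decode_term(values[str(idx)]),
            "time": key_last_write if rank == 0 else None,
        })
    return history


# Constructed sample: three searches, "passwords.xlsx" (value "1") typed last.
SAMPLE_VALUES = {
    "0": encode_term("invoice"),
    "1": encode_term("passwords.xlsx"),
    "2": encode_term("vpn config"),
    "MRUListEx": struct.pack("<4I", 1, 2, 0, MRU_TERMINATOR),
}
# Hypothetical key LastWriteTime for the sample.
SAMPLE_LAST_WRITE = datetime(2016, 5, 21, 21, 34, tzinfo=timezone.utc)

if __name__ == "__main__":
    for row in search_history(SAMPLE_VALUES, SAMPLE_LAST_WRITE):
        print(row)
```

What this buys you is the relative order of searches, which the key's raw value names do not give (value "0" is the oldest slot here, not the most recent search); the per-search timestamp the poster asked for is not in the key at all, so only rank 0 inherits LastWriteTime.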
jaclaz
(@jaclaz)
 

CRWL files should be Windows Search/Indexer service related (not necessarily Explorer); they seemingly stand for "crawl" file.
The thing that creates them is likely the wsearch service; see
http://forum.piriform.com/?showtopic=26112

As an experiment, you can try using the above info to disable the service and delete the files, then re-enable it and see what happens. I don't think there is a parser or format documentation for those files, but seemingly (IF the above info is verified) they shouldn't have much "forensic value", as they would more or less contain just a list of files on the system.

Maybe one could use the provided API and/or LINQ mechanism
https://msdn.microsoft.com/en-us/library/windows/desktop/bb331575(v=vs.85).aspx
or maybe the actual files are some version of database/OLE DB/*whatever* and a stand-alone viewer is available for them, though I have no idea which program may work with them.

Wild shot, but try running TrID on those files and see if it recognizes them as a "known" format:
http://mark0.net/soft-trid-e.html

jaclaz

 
Posted : 22/05/2016 6:44 pm
Nicotrel
(@nicotrel)
 

TrID states the following:

Collecting data from file SystemIndex.1.Crwl
65.7% (.TXT) Text - UTF-16 (LE) encoded (2000/1)
32.8% (.MP3) MP3 audio (1000/1)
1.3% (.CPT) Corel Photo Paint (41/41)

I chose a random CRWL file from the directory stated, and its content was:

abbaea27 1d12a7a 4000001f 0 40d83 0 0 4294967295
abcdf52a 1d12a7a 4000001f 0 40d83 1 2 4294967295
ef770fb7 1d12a7a 4000001f 0 40d83 2 3 4294967295
8a68d78d 1d12a7b 40000020 0 40d83 0 0 4294967295
8a68d78d 1d12a7b 40000020 0 40d83 2 3 4294967295
8a68d78d 1d12a7b 4000001f 0 40d84 0 1 4294967295
e4d6d895 1d12a7b 40000020 0 40d84 0 1 4294967295
eabe6263 1d12a7b 40000020 0 40d83 1 2 4294967295
26d2ca76 1d12a7e 4000001f 0 40d83 3 4 4294967295
2869d5c5 1d12a7e 40000020 0 40d83 3 4 4294967295
e0b47399 1d12a9d 4000001f 0 40d83 4 5 4294967295
5d3c6a03 1d12a9e 40000020 0 40d83 4 5 4294967295

Contextually, I have absolutely no idea what this data can mean. Perhaps it indexes some memory cells for wsearch or something.
If someone on the forum has any idea what these particular files are used for, and how - it would be interesting to know.

Thanks for your help, jaclaz,

Nicotrel.

 
Posted : 26/05/2016 5:32 pm