Forums
Main Category
General (Technical,...
Windows.edb file fo...
 
Notifications
Clear all

Windows.edb file for indexing searches

 
Page 1 / 2
General (Technical, Procedural, Software, Hardware etc.)
Last Post by clifmeister 14 years ago
17 Posts
9 Users
0 Reactions
4,561 Views
RSS
 Chitapett
(@chitapett)
Estimable Member
Joined: 18 years ago
Posts: 76
Topic starter 07/11/2008 6:06 am  

I've spent 2 days looking for emails and movie files that just don't seem to exist. I was starting to think that perhaps it just wasn't there but then I ran a keyword search for derogetory expressions and found a lot of results in the Windows.edb file. Apparently this file is an index of the file system? I'm seeing some obvious file name with extentions in here AND some code around the file names which I'm hoping will translate into date/time.

Does anyone know anything about this file and perhaps have any ideas on how to parse it into a format that is readable?


   
Quote
 BitHead
(@bithead)
Noble Member
Joined: 20 years ago
Posts: 1206
07/11/2008 7:16 am  

EDB files are Microsoft Exchange database files. Plenty of tools to read them, convert them to PST files, etc.


   
ReplyQuote
 Chitapett
(@chitapett)
Estimable Member
Joined: 18 years ago
Posts: 76
Topic starter 07/11/2008 8:31 am  

Typically that is the case but this EDB file is not. It apparently is WindowsXP's index file which happens to have the same extention.


   
ReplyQuote
 BitHead
(@bithead)
Noble Member
Joined: 20 years ago
Posts: 1206
07/11/2008 8:56 am  

Sorry, I mis-read your initial post. You are writing about the Windows Search index Windows.edb file, not a Windows edb file. Have you tried a SQL query using the ISearchQueryHelper?

See MSDN - http//msdn.microsoft.com/en-us/library/bb266518(VS.85).aspx


   
ReplyQuote
tcoakley
 tcoakley
(@tcoakley)
Active Member
Joined: 18 years ago
Posts: 12
15/04/2009 3:13 am  

This program will read and extract the content of the Windows.edb file

Windows Search Index Extractor

The content of this file can provide useful intelligence.


   
ReplyQuote
jaclaz
 jaclaz
(@jaclaz)
Illustrious Member
Joined: 18 years ago
Posts: 5133
16/04/2009 3:11 pm  

Another one
http//www.lostpassword.com/search-index-examiner.htm

Or, if you are a programmer
http//www.forensicfocus.com/index.php?name=Forums&file=viewtopic&t=3110
http//msdn.microsoft.com/en-us/library/bb266518(VS.85).aspx

jaclaz


   
ReplyQuote
 Jonathan
(@jonathan)
Prominent Member
Joined: 20 years ago
Posts: 878
16/04/2009 3:26 pm  

Chitapett, John Douglas of QCC Information Security has done a lot of research in to Windows Search Index and its .edb files. He's recently written a paper on this area so it may be worth your while getting in touch with him.


   
ReplyQuote
 Chitapett
(@chitapett)
Estimable Member
Joined: 18 years ago
Posts: 76
Topic starter 27/10/2009 5:12 am  

Chitapett, John Douglas of QCC Information Security has done a lot of research in to Windows Search Index and its .edb files. He's recently written a paper on this area so it may be worth your while getting in touch with him.

Thanks Jonathan

Anyone know how to contact John Douglas? Also, I looked into the two tools suggested on this post for parsing windows.EDB index files but they are pretty expensive. Anyone know of a cheaper product?


   
ReplyQuote
 j2222
(@j2222)
Eminent Member
Joined: 20 years ago
Posts: 36
27/10/2009 12:53 pm  

Chitapett,
Check your PM.

Regards,
James


   
ReplyQuote
 woany
(@woany)
Eminent Member
Joined: 16 years ago
Posts: 28
27/10/2009 3:54 pm  

The Windows Search Indexer just uses the Esent database, the same as the latest Windows Live Messenger (and Exchange server). Esent is an inbuilt Windows transactional database engine.

More info http//en.wikipedia.org/wiki/Extensible_Storage_Engine

Try EseDbViewer, which has specific modes for both Windows Search Indexer and Windows Live Messenger and a generic mode which will open any Esent database.

http//www.woanware.co.uk/esedbviewer/


   
ReplyQuote
Page 1 / 2
Forum Jump:
  Previous Topic
Next Topic  
Share: