:py:mod:`dissect.target.plugins.os.windows.search`
==================================================

.. py:module:: dissect.target.plugins.os.windows.search


Module Contents
---------------

Classes
~~~~~~~

.. autoapisummary::

   dissect.target.plugins.os.windows.search.SearchIndexPlugin
   dissect.target.plugins.os.windows.search.TableRecord


Attributes
~~~~~~~~~~

.. autoapisummary::

   dissect.target.plugins.os.windows.search.SearchIndexRecord
   dissect.target.plugins.os.windows.search.SearchIndexActivityRecord
   dissect.target.plugins.os.windows.search.RE_URL
   dissect.target.plugins.os.windows.search.BROWSER_RECORD_MAP
   dissect.target.plugins.os.windows.search.SearchIndexRecords


.. py:data:: SearchIndexRecord

.. py:data:: SearchIndexActivityRecord

.. py:data:: RE_URL

.. py:data:: BROWSER_RECORD_MAP

.. py:data:: SearchIndexRecords

.. py:class:: SearchIndexPlugin(target: dissect.target.target.Target)

   Bases: :py:obj:`dissect.target.plugin.Plugin`

   Windows Search Index plugin.

   .. py:attribute:: SYSTEM_PATHS
      :value: ('sysvol/ProgramData/Microsoft/Search/Data/Applications/Windows/Windows.db',...

   .. py:attribute:: USER_PATHS
      :value: ('AppData/Roaming/Microsoft/Search/Data/Applications/S-1-*/*.*db',)

   .. py:attribute:: databases

   .. py:method:: find_databases() -> collections.abc.Iterator[tuple[pathlib.Path, dissect.target.plugins.general.users.UserDetails | None]]

   .. py:method:: check_compatible() -> None

      Perform a compatibility check with the target.

      This function should return ``None`` if the plugin is compatible with the current target
      (``self.target``). For example, check if a certain file exists. Otherwise it should raise an
      :class:`UnsupportedPluginError`.

      :raises UnsupportedPluginError: If the plugin could not be loaded.

   .. py:method:: search() -> collections.abc.Iterator[SearchIndexRecords]

      Yield Windows Search Index records.

      Parses ``Windows.edb`` ESE and ``Windows.db`` SQLite3 databases.

      Currently does not parse ``GatherLogs/SystemIndex/SystemIndex.*.(Crwl|gthr)`` files or
      ``Windows-gather.db`` and ``Windows-usn.db`` files.

      Windows Search is a standard component of Windows 7 and Windows Vista, and is enabled by default.
      The standard (non-Windows Server) configuration of Windows Search indexes the following paths:
      ``C:\Users\*`` and ``C:\ProgramData\Microsoft\Windows\Start Menu\Programs\*``, with some
      exceptions for certain file extensions (see the linked references for more information).

      The difference between the fields ``System_Date*`` and ``System_Document_Date*`` should be
      researched further. It is unclear what the field ``InvertedOnlyMD5`` is a checksum of (record or
      file content?). It might be possible to correlate the field ``System_FileOwner`` with a
      ``UserRecordDescriptor``. The field ``System_FileAttributes`` should be investigated further.

      No test data was available for indexed Outlook emails, so this plugin might not be able to
      handle indexed email messages.

      .. rubric:: References

      - https://learn.microsoft.com/en-us/windows/win32/search/-search-3x-wds-overview
      - https://github.com/libyal/esedb-kb/blob/main/documentation/Windows%20Search.asciidoc
      - https://www.aon.com/en/insights/cyber-labs/windows-search-index-the-forensic-artifact-youve-been-searching-for
      - https://github.com/strozfriedberg/sidr
      - https://devblogs.microsoft.com/windows-search-platform/configuration-and-settings/
      - https://learn.microsoft.com/en-us/windows/win32/search/-search-3x-wds-included-in-index

   .. py:method:: parse_esedb(path: pathlib.Path, user_details: dissect.target.plugins.general.users.UserDetails | None) -> collections.abc.Iterator[SearchIndexRecords]

      Parse the ESE ``SystemIndex_PropertyStore`` table.

   .. py:method:: parse_sqlite(path: pathlib.Path, user_details: dissect.target.plugins.general.users.UserDetails | None) -> collections.abc.Iterator[SearchIndexRecords]

      Parse the SQLite3 ``SystemIndex_1_PropertyStore`` table.

   .. py:method:: build_record(values: dict[str, Any] | TableRecord, user_details: dissect.target.plugins.general.users.UserDetails | None, db_path: pathlib.Path) -> collections.abc.Iterator[SearchIndexRecords]

      Build a ``SearchIndexRecord``, ``SearchIndexActivityRecord`` or ``HistoryRecord``.

.. py:class:: TableRecord(table: dissect.database.ese.table.Table, record: dissect.database.ese.record.Record)

   .. py:attribute:: table

   .. py:attribute:: record

   .. py:attribute:: columns

   .. py:method:: get(key: str, default: Any | None = None) -> Any
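As an added example (not the plugin's own code), the pivot that ``parse_sqlite`` has to perform on a ``Windows.db`` property store, run against a constructed in-memory stand-in, plus a check of each indexed path against the default index roots listed in the ``search()`` docstring. The table and column names, the blob encodings and the property names used here are assumptions made for this example, not documented facts about the plugin or the real database.

```python
import sqlite3
import struct
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Default (non-Server) index roots named in the search() docstring, lower-cased.
DEFAULT_SCOPES = ("c:\\users\\", "c:\\programdata\\microsoft\\windows\\start menu\\programs\\")
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)

def build_sample_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for Windows.db. Assumed (not the plugin's) layout: a
    long-format store keyed by WorkId/ColumnId plus a metadata table naming each ColumnId;
    strings are UTF-16LE, sizes and FILETIMEs little-endian QWORDs."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE SystemIndex_1_PropertyStore_Metadata (Id INTEGER, UniqueKey TEXT);
        CREATE TABLE SystemIndex_1_PropertyStore (WorkId INTEGER, ColumnId INTEGER, Value BLOB);
    """)
    con.executemany("INSERT INTO SystemIndex_1_PropertyStore_Metadata VALUES (?, ?)",
                    [(1, "System_ItemPathDisplay"), (2, "System_Size"), (3, "System_DateModified")])
    con.executemany("INSERT INTO SystemIndex_1_PropertyStore VALUES (?, ?, ?)", [
        (7, 1, "C:\\Users\\alice\\Documents\\report.docx".encode("utf-16-le")),
        (7, 2, struct.pack("<Q", 48213)),
        (7, 3, struct.pack("<Q", 132_000_000_000_000_000)),  # FILETIME 2019-04-17 18:40:00 UTC
        (8, 1, "D:\\Share\\tools\\notes.txt".encode("utf-16-le")),
    ])
    return con

def decode_value(name: str, blob: bytes):
    """Decode one stored value by property name, using the encodings assumed above."""
    if name.startswith("System_Date"):  # FILETIME: 100 ns ticks since 1601-01-01 UTC
        return EPOCH_1601 + timedelta(microseconds=struct.unpack("<Q", blob)[0] // 10)
    if name == "System_Size":
        return struct.unpack("<Q", blob)[0]
    return blob.decode("utf-16-le")

def read_property_store(con: sqlite3.Connection) -> dict[int, dict]:
    """Pivot the long-format store into one dict of decoded properties per WorkId."""
    names = dict(con.execute("SELECT Id, UniqueKey FROM SystemIndex_1_PropertyStore_Metadata"))
    docs: dict[int, dict] = defaultdict(dict)
    for work_id, column_id, value in con.execute(
            "SELECT WorkId, ColumnId, Value FROM SystemIndex_1_PropertyStore"):
        name = names.get(column_id, f"Column_{column_id}")  # keep unknown columns visible
        docs[work_id][name] = decode_value(name, value)
    return dict(docs)

def outside_default_scope(path: str) -> bool:
    """True if an indexed path is outside the default roots (index scope was widened)."""
    return not path.lower().startswith(DEFAULT_SCOPES)
```

An item indexed from outside the default roots tells the analyst that the index scope on that host was customised, which is worth noting before relying on the index as a record of what existed under ``C:\Users``.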