.. generated, remove this comment to keep this file

``search``
==========

.. code-block:: console

    $ target-query -f search

.. list-table:: Details
   :widths: 20 80

   * - Module
     - ``dissect.target.plugins.os.windows.search.SearchIndexPlugin``
   * - Output
     - ``records``

**Module documentation**

Windows Search Index plugin.

**Function documentation**

Yield Windows Search Index records.

Parses ``Windows.edb`` ESE and ``Windows.db`` SQLite3 databases. Currently does not parse
``GatherLogs/SystemIndex/SystemIndex.*.(Crwl|gthr)`` files or ``Windows-gather.db`` and
``Windows-usn.db`` files.

Windows Search is a standard component of Windows 7 and Windows Vista, and is enabled by default.
The standard (non-Windows Server) configuration of Windows Search indexes the following paths:
``C:\Users\*`` and ``C:\ProgramData\Microsoft\Windows\Start Menu\Programs\*``, with some exceptions
for certain file extensions (see the linked references for more information).

Open questions and known limitations:

- The difference between the fields ``System_Date*`` and ``System_Document_Date*`` should be
  researched further.
- It is unclear what the field ``InvertedOnlyMD5`` is a checksum of (record or file content?).
- It might be possible to correlate the field ``System_FileOwner`` with a ``UserRecordDescriptor``.
- The field ``System_FileAttributes`` should be investigated further.
- No test data is available for indexed Outlook emails, so this plugin might not be able to handle
  indexed email messages.

References:

- https://learn.microsoft.com/en-us/windows/win32/search/-search-3x-wds-overview
- https://github.com/libyal/esedb-kb/blob/main/documentation/Windows%20Search.asciidoc
- https://www.aon.com/en/insights/cyber-labs/windows-search-index-the-forensic-artifact-youve-been-searching-for
- https://github.com/strozfriedberg/sidr
- https://devblogs.microsoft.com/windows-search-platform/configuration-and-settings/
- https://learn.microsoft.com/en-us/windows/win32/search/-search-3x-wds-included-in-index