dissect.target.plugins.os.windows.search

Module Contents

Classes

SearchIndexPlugin

Windows Search Index plugin.

TableRecord

Attributes

dissect.target.plugins.os.windows.search.SearchIndexRecord
dissect.target.plugins.os.windows.search.SearchIndexActivityRecord
dissect.target.plugins.os.windows.search.RE_URL
dissect.target.plugins.os.windows.search.BROWSER_RECORD_MAP
dissect.target.plugins.os.windows.search.SearchIndexRecords
class dissect.target.plugins.os.windows.search.SearchIndexPlugin(target: dissect.target.target.Target)

Bases: dissect.target.plugin.Plugin

Windows Search Index plugin.

SYSTEM_PATHS = ('sysvol/ProgramData/Microsoft/Search/Data/Applications/Windows/Windows.db',...
USER_PATHS = ('AppData/Roaming/Microsoft/Search/Data/Applications/S-1-*/*.*db',)
databases
find_databases() -> collections.abc.Iterator[tuple[pathlib.Path, dissect.target.plugins.general.users.UserDetails | None]]
check_compatible() -> None

Perform a compatibility check with the target.

This function should return None if the plugin is compatible with the current target (self.target). For example, check if a certain file exists. Otherwise it should raise an UnsupportedPluginError.

Raises:

UnsupportedPluginError – If the plugin could not be loaded.

search() -> collections.abc.Iterator[SearchIndexRecords]

Yield Windows Search Index records.

Parses the Windows.edb (ESE) and Windows.db (SQLite3) databases. Currently does not parse GatherLogs/SystemIndex/SystemIndex.*.(Crwl|gthr) files or the Windows-gather.db and Windows-usn.db files.

Windows Search is a standard component of Windows Vista and later and is enabled by default. The standard (non-Windows Server) configuration of Windows Search indexes the following paths: C:\Users\* and C:\ProgramData\Microsoft\Windows\Start Menu\Programs\*, with some exceptions for certain file extensions (see the linked references for more information).

The difference between the fields System_Date* and System_Document_Date* should be researched further. It is unclear what the field InvertedOnlyMD5 is a checksum of (record or file content?). It might be possible to correlate the field System_FileOwner with a UserRecordDescriptor. The field System_FileAttributes should be investigated further.

No test data is available for indexed Outlook emails, so this plugin might not be able to handle indexed email messages.

References

parse_esedb(path: pathlib.Path, user_details: dissect.target.plugins.general.users.UserDetails | None) -> collections.abc.Iterator[SearchIndexRecords]

Parse the ESE SystemIndex_PropertyStore table.

parse_sqlite(path: pathlib.Path, user_details: dissect.target.plugins.general.users.UserDetails | None) -> collections.abc.Iterator[SearchIndexRecords]

Parse the SQLite3 SystemIndex_1_PropertyStore table.

build_record(values: dict[str, Any] | TableRecord, user_details: dissect.target.plugins.general.users.UserDetails | None, db_path: pathlib.Path) -> collections.abc.Iterator[SearchIndexRecords]

Build a SearchIndexRecord, SearchIndexActivityRecord or HistoryRecord.
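The property store that parse_sqlite() and build_record() work on is laid out as one row per (document id, property, value), so records have to be pivoted out of it before they can be classified as a file entry or a URL-like activity entry. The following is an added example, not dissect.target's own code, that does that pivot over a constructed in-memory SQLite table. The table and column names (SystemIndex_1_PropertyStore with WorkId/PropertyName/Value), the sample property values, the FILETIME encoding of timestamps and the RE_URL pattern are all assumptions of this example; the real Windows.db schema and the module's RE_URL may differ. Missing properties are looked up with a default, in the spirit of TableRecord.get(), so a sparse row never raises.

```python
"""Added example (not dissect.target code): pivot a Windows Search property
store into per-document entries and classify them.

Assumptions: table/column names, property names in the sample rows, FILETIME
timestamps and RE_URL are all constructed for this example.
"""
from __future__ import annotations

import re
import sqlite3
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Any

# Assumed pattern for deciding that an indexed item is a web resource (browser
# history) rather than a file on disk; the module's own RE_URL may differ.
RE_URL = re.compile(r"^(?:https?|ftp)://", re.IGNORECASE)

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(value: Any) -> datetime | None:
    """Convert a Windows FILETIME (100 ns ticks since 1601-01-01 UTC).

    None and 0 are treated as 'unknown' rather than as the epoch itself.
    """
    if value is None or value == 0:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=int(value) // 10)


@dataclass
class IndexEntry:
    work_id: int
    kind: str                    # "file" or "activity" (URL-like item)
    location: str                # path for files, URL for activity entries
    owner: str | None
    size: int | None
    modified: datetime | None
    properties: dict[str, Any]   # every property of the row, kept for research


def load_property_store(conn: sqlite3.Connection) -> dict[int, dict[str, Any]]:
    """Pivot entity-attribute-value rows into {WorkId: {property: value}}."""
    docs: dict[int, dict[str, Any]] = defaultdict(dict)
    for work_id, name, value in conn.execute(
        "SELECT WorkId, PropertyName, Value FROM SystemIndex_1_PropertyStore"
    ):
        docs[work_id][name] = value
    return dict(docs)


def build_entry(work_id: int, props: dict[str, Any]) -> IndexEntry:
    """Classify one pivoted document; absent properties fall back to None."""
    url = props.get("System_ItemUrl")
    path = props.get("System_ItemPathDisplay")
    if isinstance(url, str) and RE_URL.match(url):
        kind, location = "activity", url
    else:
        kind, location = "file", path or url or ""
    return IndexEntry(
        work_id=work_id,
        kind=kind,
        location=location,
        owner=props.get("System_FileOwner"),
        size=props.get("System_Size"),
        modified=filetime_to_datetime(props.get("System_DateModified")),
        properties=props,
    )


def parse_property_store(conn: sqlite3.Connection) -> list[IndexEntry]:
    return [build_entry(w, p) for w, p in sorted(load_property_store(conn).items())]


# Constructed sample database; these rows are not real index data.
SAMPLE_SCHEMA = (
    "CREATE TABLE SystemIndex_1_PropertyStore "
    "(WorkId INTEGER NOT NULL, PropertyName TEXT NOT NULL, Value)"
)
# 132539328000000000 is the FILETIME for 2021-01-01T00:00:00Z.
SAMPLE_ROWS = [
    (1, "System_ItemPathDisplay", r"C:\Users\alice\Documents\report.docx"),
    (1, "System_FileOwner", r"DESKTOP-1\alice"),
    (1, "System_Size", 20480),
    (1, "System_DateModified", 132539328000000000),
    (2, "System_ItemUrl", "https://intranet.example.test/login"),
    (2, "System_Title", "Sign in"),
    (3, "System_ItemPathDisplay", r"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Tools.lnk"),
    (3, "System_Size", 1024),  # no owner, no timestamp: exercises the defaults
]


def open_sample_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(SAMPLE_SCHEMA)
    conn.executemany("INSERT INTO SystemIndex_1_PropertyStore VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


if __name__ == "__main__":
    for entry in parse_property_store(open_sample_db()):
        print(entry.work_id, entry.kind, entry.location, entry.owner, entry.modified)
```

Against a real index the pivot step is the expensive one: the ESE store has one wide row per document instead, which is why the plugin keeps separate parse_esedb() and parse_sqlite() paths that converge in build_record().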

class dissect.target.plugins.os.windows.search.TableRecord(table: dissect.database.ese.table.Table, record: dissect.database.ese.record.Record)
table
record
columns
get(key: str, default: Any | None = None) -> Any