search

$ target-query <path/to/target> -f search

Details

Module	dissect.target.plugins.os.windows.search.SearchIndexPlugin
Output	records

Module documentation

Windows Search Index plugin.

Function documentation

Yield Windows Search Index records.

Parses Windows.edb ESE and Windows.db SQLite3 databases. Currently does not parse GatherLogs/SystemIndex/SystemIndex.*.(Crwl|gthr) files or Windows-gather.db and Windows-usn.db files.

Windows Search is a standard component of Windows 7 and Windows Vista, and is enabled by default. The standard (non-Windows Server) configuration of Windows Search indexes the following paths: C:\Users\* and C:\ProgramData\Microsoft\Windows\Start Menu\Programs\*, with some exceptions for certain file extensions (see the linked references for more information).

The difference between the fields System_Date* and System_Document_Date* should be researched further. It is unclear what the field InvertedOnlyMD5 is a checksum of (record or file content?). It might be possible to correlate the field System_FileOwner with a UserRecordDescriptor. The field System_FileAttributes should be investigated further.

No test data available for indexed Outlook emails, this plugin might not be able to handle indexed email messages.

References:

• https://learn.microsoft.com/en-us/windows/win32/search/-search-3x-wds-overview

• https://github.com/libyal/esedb-kb/blob/main/documentation/Windows%20Search.asciidoc

• https://www.aon.com/en/insights/cyber-labs/windows-search-index-the-forensic-artifact-youve-been-searching-for

• https://github.com/strozfriedberg/sidr

• https://devblogs.microsoft.com/windows-search-platform/configuration-and-settings/

• https://learn.microsoft.com/en-us/windows/win32/search/-search-3x-wds-included-in-index