PDB Information
Overview
Evidence: PDB Information
Description: Collect Program Database Information
Category: System
Platform: windows
Short Name: pdbinf
Is Parsed: Yes
Sent to Investigation Hub: Yes
Collect File(s): No
Background
Program Database (PDB) files contain debugging symbols for compiled binaries. PE executables and DLLs embed references to their PDB files including the PDB file name, GUID, and age. This information is used by debuggers and crash analysis tools to load the correct symbols.
PDB information can be used to verify the authenticity of system binaries and detect malware that may have corrupted or replaced system files.
Data Collected
This collector gathers structured data about PDB information.
PDB Information Data
| Field | Description | Example |
|---|---|---|
| Path | Path to binary file | C:\Windows\System32\ntoskrnl.exe |
| Name | PDB file name | ntkrnlmp.pdb |
| GUID | PDB GUID identifier | 12345678-1234-1234-1234-123456789ABC |
| Age | PDB age value | 1 |
Collection Method
This collector extracts PDB information from critical system binaries:
C:\Windows\System32\NTOSKRNL.EXE
C:\Windows\System32\NTKRNLPA.EXE
C:\Windows\System32\NTKRNLMP.EXE
C:\Windows\System32\NTKRPAMP.EXE
C:\Windows\System32\drivers\ntfs.sys
C:\Windows\System32\HAL.dll
C:\Windows\System32\ntdll.dll
C:\Windows\SysWOW64\ntdll.dll
C:\Windows\System32\kernel32.dll
C:\Windows\SysWOW64\kernel32.dll
For each binary, it parses the PE debug directory to extract CodeView PDB information.
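The parsing step described above, as an added example that is not the collector's own code: it walks the PE headers to the debug data directory, finds the CodeView entry, and reads the RSDS record into the same Name/GUID/Age fields the table lists. The build_sample_pe helper constructs a minimal, non-executable PE32+ image with made-up values so the parser can be exercised offline.

```python
import struct
import uuid

# Added example (not the collector's code): extract Name/GUID/Age from the
# RSDS CodeView record referenced by a PE file's debug directory (PE/COFF spec).

def rva_to_offset(rva, sections):
    """Map an RVA to a file offset using (VirtualAddress, SizeOfRawData, PointerToRawData)."""
    for va, raw_size, raw_ptr in sections:
        if va <= rva < va + raw_size:
            return rva - va + raw_ptr
    raise ValueError("RVA %#x is not backed by any section" % rva)

def parse_pdb_info(data):
    """Return {'Name', 'GUID', 'Age'} from the first RSDS record, or None if absent."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[:2] != b"MZ" or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    _, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    opt = e_lfanew + 24                                    # optional header follows COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    dirs = opt + (112 if magic == 0x20B else 96)          # data directories: PE32+ vs PE32
    dbg_rva, dbg_size = struct.unpack_from("<II", data, dirs + 6 * 8)   # entry 6 = DEBUG
    sections = [struct.unpack_from("<8sIIII", data, opt + opt_size + i * 40)[2:]
                for i in range(nsec)]
    off = rva_to_offset(dbg_rva, sections)
    for i in range(dbg_size // 28):                        # IMAGE_DEBUG_DIRECTORY is 28 bytes
        _, _, _, _, dtype, _, _, raw_ptr = struct.unpack_from("<IIHHIIII", data, off + i * 28)
        if dtype == 2 and data[raw_ptr:raw_ptr + 4] == b"RSDS":   # type 2 = CODEVIEW
            guid = uuid.UUID(bytes_le=bytes(data[raw_ptr + 4:raw_ptr + 20]))
            age = struct.unpack_from("<I", data, raw_ptr + 20)[0]
            end = data.index(b"\0", raw_ptr + 24)
            path = data[raw_ptr + 24:end].decode("utf-8", "replace")
            # The record usually carries the build-time path; report only the file name.
            return {"Name": path.replace("\\", "/").rsplit("/", 1)[-1],
                    "GUID": str(guid).upper(), "Age": age}
    return None

def build_sample_pe(pdb_path, guid_str, age):
    """Construct a minimal PE32+ image holding one RSDS record (sample data, made up)."""
    cv = b"RSDS" + uuid.UUID(guid_str).bytes_le + struct.pack("<I", age) + pdb_path + b"\0"
    sec_va, sec_ptr = 0x1000, 0x200
    body = struct.pack("<IIHHIIII", 0, 0, 0, 0, 2, len(cv), sec_va + 28, sec_ptr + 28) + cv
    opt = struct.pack("<H", 0x20B) + b"\0" * 110 + b"\0" * 48 + struct.pack("<II", sec_va, 28)
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, len(opt), 0)
    sec = struct.pack("<8sIIII", b".rdata", len(body), sec_va, len(body), sec_ptr) + b"\0" * 16
    hdr = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40) + b"PE\0\0" + coff + opt + sec
    return hdr + b"\0" * (sec_ptr - len(hdr)) + body
```

To check a real binary, pass the file's bytes to parse_pdb_info and compare the result against a known-good symbol server entry for that build.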
Forensic Value
PDB information helps verify system binary integrity and supports advanced debugging scenarios. Investigators use this data to verify system file authenticity, detect rootkit kernel modifications, identify mismatched system files, support crash dump analysis, validate OS patch levels, and correlate with symbol servers for verification.