Windows Index Search
Overview
Evidence: Windows Index Search
Description: Collect Windows Index Search Database
Category: System
Platform: windows
Short Name: indxs
Is Parsed: No
Sent to Investigation Hub: Yes
Collect File(s): Yes
Background
Windows Search maintains an index database (Windows.edb) that catalogs file content, properties, and metadata to enable fast searching. The index contains information about files, emails (if Outlook is installed), and other indexed content.
The search index can contain remnants of deleted files, email content, and document metadata that may not be available elsewhere.
Data Collected
This collector gathers structured data about Windows Index Search.
Windows Index Search Data
| Field | Description | Example |
|---|---|---|
| Name | Artifact name | Windows Index Search |
| Type | File | File |
| SourcePath | Original file path | C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Windows.edb |
| Path | Relative path in evidence | Other/Windows.edb |
Collection Method
This collector collects the Windows Search database from:
- ProgramData\Microsoft\Search\Data\Applications\Windows\Windows.edb
- Documents and Settings\Application Data\All Users\Microsoft\Search\Data\Applications\Windows\Windows.edb (legacy path)
Forensic Value
The Windows Search index can reveal file content and metadata including indexed emails and documents. Investigators use this data to recover deleted file metadata, search indexed email content, find document keywords and properties, track user search activity, and identify files that were indexed before deletion.
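Because the collector copies Windows.edb without parsing it (Is Parsed: No), a first check on the collected file is worth scripting. The following is an added example, not part of the collector or its documentation: it hashes the file and reads the Extensible Storage Engine (ESE) header to report the shutdown state and page size before a parser is pointed at it. The header offsets are taken from public ESE format documentation rather than from this page, the function names are hypothetical, and the sample header is constructed.

```python
import hashlib
import struct

ESE_SIGNATURE = 0x89ABCDEF  # stored little-endian at offset 4 (assumed from ESE format docs)
DB_STATES = {1: "JustCreated", 2: "DirtyShutdown", 3: "CleanShutdown",
             4: "BeingConverted", 5: "ForceDetach"}


def inspect_edb_header(data: bytes) -> dict:
    """Validate an ESE file header and return the fields needed before parsing."""
    if len(data) < 240:
        raise ValueError("too short to hold an ESE file header")
    signature, fmt_version, file_type = struct.unpack_from("<III", data, 4)
    if signature != ESE_SIGNATURE:
        raise ValueError("not an ESE database (bad signature)")
    (state,) = struct.unpack_from("<I", data, 52)
    fmt_revision, page_size = struct.unpack_from("<II", data, 232)
    return {
        "file_type": "database" if file_type == 0 else f"other ({file_type})",
        "format": f"0x{fmt_version:x}.0x{fmt_revision:x}",
        "state": DB_STATES.get(state, f"unknown ({state})"),
        "page_size": page_size,
        # Anything other than CleanShutdown: work on a copy, since the file
        # may need log replay or repair before a parser will open it.
        "needs_recovery": state != 3,
    }


def triage(path: str) -> dict:
    """Hash the collected file and inspect its header; the file is only read."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        header = fh.read(240)
        digest.update(header)
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    info = inspect_edb_header(header)
    info["sha256"] = digest.hexdigest()
    return info


def make_sample_header(state: int, page_size: int = 32768) -> bytes:
    """Constructed header for the demo; not taken from a real Windows.edb."""
    buf = bytearray(240)
    struct.pack_into("<III", buf, 4, ESE_SIGNATURE, 0x620, 0)
    struct.pack_into("<I", buf, 52, state)
    struct.pack_into("<II", buf, 232, 0x14, page_size)
    return bytes(buf)
```

Run `triage()` against the evidence copy (for example `Other/Windows.edb`) and record the SHA-256 before any repair or parsing step touches the file.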