Forensic data recovery from the Windows Search Database

Chivers, Howard; Hargreaves, Christopher

doi:10.1016/j.diin.2011.01.001

Cited by 18 publications

(8 citation statements)

References 1 publication

Supporting

Mentioning

Contrasting

Order By: Relevance

“…A previous paper (Chivers and Hargreaves, 2011) provides an overview of the database and the reliability of records recovered by carving. This section briefly describes transaction processing, as a background to why database records are often found in log files or in cached memory such as the pagefile.…”

Section: Extensible Storage Engine (Ese)mentioning

confidence: 99%

“…A description of the carving process and its reliability is given in (Chivers and Hargreaves, 2011); the tool is available from the author for forensic investigation, education or research.…”

Section: Appendix a Database File Recovery Using Esentutlmentioning

confidence: 99%

“…(Jones, 2003) ) were replaced by a high performance database technology known as the Extensible Storage Engine (ESE). This database is used to support a range of other applications, including Windows Search, and was the subject of a previous paper in which we described the results of carving for deleted ESE database records from the Search Database (Chivers and Hargreaves, 2011). The carving tool is now known as ESECarve 2 and has subsequently been used to assist a number of real investigations.…”

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

Private browsing: A window of forensic opportunity

Chivers

2014

Digital Investigation

Self Cite

View full text Add to dashboard Cite

The release of Internet Explorer 10 marks a significant change in how browsing artifacts are stored in the Windows file system, moving away from well-understood Index.dat files to use a high performance database, the Extensible Storage Engine. Researchers have suggested that despite this change there remain forensic opportunities to recover InPrivate browsing records from the new browser. The prospect of recovering such evidence, together with its potential forensic significance, prompts questions including where and when such evidence can be recovered, and if it is possible to prove that a recovered artefact originated from InPrivate browsing. This paper reports the results of experiments which answer these questions, and also provides some explanation of the increasingly complex data structures used to record Internet activity from both the desktop and Windows 8 Applications. We conclude that there is a time window between the private browsing session and the next use of the browser in which browsing records may be carved from database log files, after which it is necessary to carve from other areas of disk. It proved possible to recover a substantial record of a user's InPrivate browsing, and to reliably associate such records with InPrivate browsing.

show abstract

Section: Extensible Storage Engine (Ese)mentioning

confidence: 99%

Section: Appendix a Database File Recovery Using Esentutlmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

Private browsing: A window of forensic opportunity

Chivers

2014

Digital Investigation

Self Cite

View full text Add to dashboard Cite

show abstract

“…2. This is an ESE (Microsoft, Extensible Storage Engine, 2012) database that Microsoft uses quite frequently on many of its products such as Exchange EDB files, Active Directory, Windows Mail, and Windows Search (Chivers and Hargreaves, 2011). The other files seen in this folder (in Fig.…”

Section: Srudbdatmentioning

confidence: 95%

Forensic implications of System Resource Usage Monitor (SRUM) data in Windows 8

Khatri

2015

Digital Investigation

View full text Add to dashboard Cite

“…SQLite had been the focus of forensic analysis particularly because it is used in Firefox Pereira (2009) and in a number of mobile device applications Pieterse and Olivier (2014). Chivers and Hargreaves (2011) investigated recovery of deleted records from the Windows Search database. OfficeRecovery provides a number of commercially sold emergency recovery tools for corrupted DBMSes OfficeRecovery (b,c,a) that support several versions of each DBMS.…”

Section: Related Workmentioning

confidence: 99%

Database forensic analysis through internal structure carving

Wagner

Rasin

Grier

2015

Digital Investigation

View full text Add to dashboard Cite

a b s t r a c tForensic tools assist analysts with recovery of both the data and system events, even from corrupted storage. These tools typically rely on "file carving" techniques to restore files after metadata loss by analyzing the remaining raw file content. A significant amount of sensitive data is stored and processed in relational databases thus creating the need for database forensic tools that will extend file carving solutions to the database realm. Raw database storage is partitioned into individual "pages" that cannot be read or presented to the analyst without the help of the database itself. Furthermore, by directly accessing raw database storage, we can reveal things that are normally hidden from database users. There exists a number of database-specific tools developed for emergency database recovery, though not usually for forensic analysis of a database. In this paper, we present a universal tool that seamlessly supports many different databases, rebuilding table and other data content from any remaining storage fragments on disk or in memory. We define an approach for automatically (with minimal user intervention) reverse engineering storage in new databases, for detecting volatile data changes and discovering user action artifacts. Finally, we empirically verify our tool's ability to recover both deleted and partially corrupted data directly from the internal storage of different databases.

show abstract

Forensic data recovery from the Windows Search Database

Cited by 18 publications

References 1 publication

Private browsing: A window of forensic opportunity

Private browsing: A window of forensic opportunity

Forensic implications of System Resource Usage Monitor (SRUM) data in Windows 8

Database forensic analysis through internal structure carving

Contact Info

Product

Resources

About