WindowsIndexSearch

Author: Mark Hallman, Reece394

description

Windows Index Search

paths

4 paths
paths use Windows environment syntax

collection commands

# PowerShell Artifact Collection Script
# Target: WindowsIndexSearch
# Run as Administrator

#Requires -RunAsAdministrator

$ErrorActionPreference = "Continue"
$SourceRoot = "C:"
$DestBase   = "D:\Evidence"
$Summary = @{ Copied = 0; Missed = 0; Errors = 0 }

function Collect-Artifact {
    param(
        [Parameter(Mandatory)][string]$SourceDir,
        [Parameter(Mandatory)][string]$FolderName,
        [string]$FileMask = "*"
    )
    # Expand wildcards in any path segment (e.g. 'Program Files*',
    # 'ScreenConnect Client*'). robocopy itself does not glob the source.
    $sources = @(Get-Item -Path $SourceDir -ErrorAction SilentlyContinue |
        Where-Object { $_.PSIsContainer })
    if ($sources.Count -eq 0) {
        $Summary.Missed++
        return
    }
    $FullDest = Join-Path -Path $DestBase -ChildPath $FolderName
    $null = New-Item -ItemType Directory -Force -Path $FullDest -ErrorAction SilentlyContinue
    foreach ($src in $sources) {
        robocopy $src.FullName "$FullDest" "$FileMask" /E /COPY:DAT /R:0 /W:0 /NP /NFL /NDL /NJH /NJS 2>$null | Out-Null
        if ($LASTEXITCODE -le 7) { $Summary.Copied++ } else { $Summary.Errors++ }
    }
}

# 1. WindowsIndexSearch
# Windows.edb (Vista-Win10) / Windows.db (Win11) are held open by SearchIndexer.exe
# while the Windows Search (WSearch) service is running; with /R:0 robocopy skips a
# locked file and sets exit bit 8, which shows up in the Errors count below. If the
# database itself is missing from the output, collect it with a raw-disk copy tool
# or with the service stopped.
Collect-Artifact -SourceDir "$SourceRoot\programdata\microsoft\search\data\applications\windows" -FolderName "WindowsIndexSearch"

# 2. GatherLogs (also captured by #1 via /E; kept as a separate folder to match the target definition)
Collect-Artifact -SourceDir "$SourceRoot\programdata\microsoft\search\data\applications\windows\GatherLogs" -FolderName "GatherLogs"

# Iterate every user profile under the source drive
Get-ChildItem "$SourceRoot\Users" -Directory -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -notin @('All Users', 'Default', 'Default User', 'Public') } |
    ForEach-Object {
        $UserName = $_.Name
        # WindowsIndexSearch - User
        $UserPath = "$($_.FullName)\AppData\Roaming\Microsoft\Search\Data\Applications\S-1*"
        Collect-Artifact -SourceDir $UserPath -FolderName "WindowsIndexSearch_User_$UserName"
        # GatherLogs - User
        $UserPath = "$($_.FullName)\AppData\Roaming\Microsoft\Search\Data\Applications\S-1*\GatherLogs"
        Collect-Artifact -SourceDir $UserPath -FolderName "GatherLogs_User_$UserName"
    }

Write-Host ("Collection complete. Copied: {0}  Missed: {1}  Errors: {2}" -f $Summary.Copied, $Summary.Missed, $Summary.Errors) -ForegroundColor Green

Save as .ps1 and run as Administrator. Use: powershell -ExecutionPolicy Bypass -File script.ps1

references

notes

From Windows Vista through Windows 10, Windows stores the Search index inside an Extensible Storage Engine (ESE) database located at C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Windows.edb. For Windows Server 2008 through Windows Server 2022, Stroz Friedberg observed that the database was structured the same way, but that the Search Indexer was not enabled by default. The service is enabled by default on non-Server Windows versions.

In Windows 11, this data is stored in the same directory, but the single ESE database is replaced by SQLite database files called Windows.db and Windows-gather.db.
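As an added example (not part of the KAPE target or of this page's script), a Python triage pass over a collected evidence folder such as D:\Evidence\WindowsIndexSearch: it identifies each file's format from its header rather than its name, so a Windows.edb that came back empty because the indexer held it locked, or a Windows 11 SQLite Windows.db, is reported correctly next to its SHA-256. The folder layout and sample bytes in `demo()` are constructed; the header constants are the documented ESE and SQLite signatures.

```python
import hashlib
import tempfile
from pathlib import Path

# File-format signatures (not values from the page).
SQLITE_MAGIC = b"SQLite format 3\x00"           # bytes 0..15 of every SQLite 3 file
ESE_MAGIC = (0x89ABCDEF).to_bytes(4, "little")  # JET_DBFILEHDR.ulMagic at file offset 4

def classify_header(head: bytes) -> str:
    """Classify a file by content, not by name: 'ese', 'sqlite' or 'unknown'."""
    if head[:16] == SQLITE_MAGIC:
        return "sqlite"
    if len(head) >= 8 and head[4:8] == ESE_MAGIC:
        return "ese"
    return "unknown"

def expected_format(name: str) -> str:
    """What the file name promises: *.edb -> ese (Vista-Win10), *.db -> sqlite (Win11)."""
    lower = name.lower()
    return "ese" if lower.endswith(".edb") else "sqlite" if lower.endswith(".db") else "unknown"

def triage_collection(folder: Path) -> dict:
    """Hash every collected file and flag any whose content does not match the
    format its name promises, e.g. a 0-byte Windows.edb left behind when robocopy
    could not read the file while SearchIndexer.exe held it open."""
    report = {}
    for f in sorted(p for p in folder.rglob("*") if p.is_file()):
        sha = hashlib.sha256()
        with f.open("rb") as fh:
            head = fh.read(32)
            sha.update(head)
            for chunk in iter(lambda: fh.read(1 << 20), b""):
                sha.update(chunk)
        fmt = classify_header(head)
        report[f.name] = {"format": fmt, "size": f.stat().st_size,
                          "sha256": sha.hexdigest(),
                          "suspect": fmt != expected_format(f.name)}
    return report

def demo() -> dict:
    """Build a constructed evidence folder with fake index files and triage it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "Windows.db").write_bytes(SQLITE_MAGIC + b"\x00" * 84)         # Win11 index
        (root / "Windows-gather.db").write_bytes(SQLITE_MAGIC + b"\x00" * 84)  # Win11 gatherer db
        (root / "Windows.edb").write_bytes(b"")                                # failed (locked) copy
        (root / "ok.edb").write_bytes(b"\x00" * 4 + ESE_MAGIC + b"\x00" * 24)  # healthy ESE header
        return triage_collection(root)
```

Any entry with `suspect` set should be re-collected before the evidence folder is hashed and sealed.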

included in collections