Neither EnCase nor FTK seems to offer any support for this file, although they claim to have EDB support. Not much other tooling seemed to be available to analyze the Windows Search ESE database.

The effective size of the database header is at least 667 bytes; for example, bytes 4 to 8 of the database header contain the unique signature ‘\xef\xcd\xab\x89’ of the ESEDB format. Other significant values in the header are the file type, the format version and revision, and the page size.

A single page consists of a header, values and an index. A page does not need to be entirely filled, therefore a page has ‘page unallocated space’ which can contain remnant data.

Different revisions can have different methods of storing data, e.g. the Windows 7 version of ESE allows for ‘native’ compression of data; in previous versions applications using ESE needed to do compression themselves, like the (RTF) LZFu compression used by Exchange.

The ESE database format is also used for streaming files, e.g. priv1 used by Exchange, however until now little is known about the specifics of these streaming files.
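The following is an added example, not code from the paper or from libesedb, showing how a triage script can validate the header fields described above before trusting a file as an ESE database. The signature at bytes 4 to 8 and the minimum header size of 667 bytes come from the text; the remaining field offsets (format version at 8, file type at 12, format revision at 232, page size at 236), the file type values (0 = database, 1 = streaming file) and the set of plausible page sizes are assumptions taken from the libesedb format documentation, and the sample header is constructed here.

```python
import struct

# Signature stated in the text: bytes 4..8 hold '\xef\xcd\xab\x89'
# (the 32-bit little-endian value 0x89ABCDEF).
ESEDB_SIGNATURE = b"\xef\xcd\xab\x89"
MIN_HEADER_SIZE = 667  # effective header size stated in the text

# Field offsets below are ASSUMPTIONS from the libesedb format documentation;
# the page itself only fixes the signature offset.
OFF_SIGNATURE = 4
OFF_FORMAT_VERSION = 8
OFF_FILE_TYPE = 12
OFF_FORMAT_REVISION = 232
OFF_PAGE_SIZE = 236

# Assumed meaning of the file type value.
FILE_TYPES = {0: "database", 1: "streaming file"}

# Assumed set of page sizes an ESE database can use.
VALID_PAGE_SIZES = {2048, 4096, 8192, 16384, 32768}


def parse_esedb_header(data: bytes) -> dict:
    """Validate an ESE database header and return its key fields.

    Raises ValueError when the buffer cannot be an ESE header, so a caller
    never proceeds to page-level parsing on a misidentified file.
    """
    if len(data) < MIN_HEADER_SIZE:
        raise ValueError(f"header too short: {len(data)} < {MIN_HEADER_SIZE} bytes")
    if data[OFF_SIGNATURE:OFF_SIGNATURE + 4] != ESEDB_SIGNATURE:
        raise ValueError("not an ESE database: signature mismatch at bytes 4..8")

    # Two consecutive little-endian 32-bit fields at each assumed offset.
    format_version, file_type = struct.unpack_from("<II", data, OFF_FORMAT_VERSION)
    format_revision, page_size = struct.unpack_from("<II", data, OFF_FORMAT_REVISION)

    if page_size not in VALID_PAGE_SIZES:
        raise ValueError(f"implausible page size {page_size}; header may be damaged")

    return {
        "format_version": format_version,
        "format_revision": format_revision,
        "file_type": FILE_TYPES.get(file_type, f"unknown ({file_type})"),
        "page_size": page_size,
    }


def build_sample_header(page_size: int = 4096, file_type: int = 0) -> bytes:
    """Constructed sample header (not taken from any real database).

    Version 0x620 and revision 0x11 are sample values used only for this
    demonstration.
    """
    hdr = bytearray(MIN_HEADER_SIZE)
    hdr[OFF_SIGNATURE:OFF_SIGNATURE + 4] = ESEDB_SIGNATURE
    struct.pack_into("<II", hdr, OFF_FORMAT_VERSION, 0x620, file_type)
    struct.pack_into("<II", hdr, OFF_FORMAT_REVISION, 0x11, page_size)
    return bytes(hdr)


if __name__ == "__main__":
    info = parse_esedb_header(build_sample_header())
    for key, value in info.items():
        print(f"{key:16} {value}")
```

Checking the page size against a small set of plausible values is the cheap guard that matters most in practice: every later offset calculation in the file depends on it, so a corrupted or truncated header should fail here rather than produce silently wrong page boundaries.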

Several years after the introduction of Windows Vista and Windows Search, currently only a handful of forensic analysis tools seem to provide support for the Windows Search database, even though a Windows Search database can be a valuable source of evidence. The information in this document was obtained from information available on the Internet and from reverse engineering of the file format.

Sometimes it is also necessary to repair the database before eseutil can perform certain operations on ‘dirty’ databases. Libesedb [ESEDB09] will try to open the database in its ‘dirty’ state.

Page based storage

At the lowest level an ESE database stores its data in pages.

The size of the pages is stored in the database header and is applied to the entire database.

This remnant data can be of interest for forensic analysis.

A feature that affects this remnant data is ‘ESE (page) zeroing’, which overwrites unused pages with various byte values.
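As an added example (not code from the paper or from libesedb), the script below walks the pages of an ESE database image using the page size from the header and flags pages that consist of a single repeated byte value. Such uniform pages are what page zeroing leaves behind, so the report tells an examiner which pages can still hold remnant data and which fill values the zeroing used. It assumes, from the libesedb format documentation, that the page size is stored at header offset 236 and that the header and a shadow copy occupy the first two page-sized blocks, so that page number N starts at file offset (N + 1) × page size; the image it scans is constructed inline.

```python
import struct
from collections import Counter

OFF_PAGE_SIZE = 236  # ASSUMED header offset of the page size (libesedb docs)


def page_file_offset(page_number: int, page_size: int) -> int:
    """File offset of a numbered database page.

    Page numbers start at 1; the header and its shadow copy are assumed to
    occupy the first two page-sized blocks of the file.
    """
    return (page_number + 1) * page_size


def classify_page(page: bytes) -> tuple:
    """Return ('uniform', fill_byte) for a page made of one repeated byte value
    (consistent with page zeroing or a never-used page), otherwise
    ('data', most_common_byte)."""
    fill_byte, count = Counter(page).most_common(1)[0]
    kind = "uniform" if count == len(page) else "data"
    return (kind, fill_byte)


def scan_pages(image: bytes, page_size: int = None) -> list:
    """Classify every complete page in the image.

    Returns a list of (page_number, kind, byte_value) tuples.  The page size
    is read from the header unless supplied explicitly.
    """
    if page_size is None:
        (page_size,) = struct.unpack_from("<I", image, OFF_PAGE_SIZE)
    report = []
    page_number = 1
    while page_file_offset(page_number, page_size) + page_size <= len(image):
        offset = page_file_offset(page_number, page_size)
        kind, value = classify_page(image[offset:offset + page_size])
        report.append((page_number, kind, value))
        page_number += 1
    return report


def zeroing_summary(report: list) -> Counter:
    """Count uniform pages per fill byte value, e.g. {0x00: 12, 0xFF: 3}."""
    return Counter(value for _, kind, value in report if kind == "uniform")


def build_sample_image(page_size: int = 2048) -> bytes:
    """Constructed image (not a real database): header, shadow header,
    one page with leftover text, one page zeroed with 0x00 and one with 0xFF."""
    header = bytearray(page_size)
    header[4:8] = b"\xef\xcd\xab\x89"
    struct.pack_into("<I", header, OFF_PAGE_SIZE, page_size)
    shadow = bytes(header)
    page1 = (b"\x00" * 40 + b"remnant record text " * 10).ljust(page_size, b"\x00")
    page2 = b"\x00" * page_size
    page3 = b"\xff" * page_size
    return bytes(header) + shadow + page1 + page2 + page3


if __name__ == "__main__":
    report = scan_pages(build_sample_image())
    for page_number, kind, value in report:
        print(f"page {page_number}: {kind:8} byte 0x{value:02x}")
    print("uniform pages per fill byte:", dict(zeroing_summary(report)))
```

A uniform page is only a negative signal: it carries no remnant data, whatever the fill value. Pages classified as data still need proper parsing of the page header to separate live records from the unallocated space that holds remnants, which this heuristic does not attempt.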

