
The EDB File and EDB File Structure

An edb file is an Extensible Storage Engine (ESE) database stored in a single ISAM database file. It can hold indexed data in excess of 1 TB and, theoretically, at least 16 TB on Windows Vista and later. Alongside the edb file, ESE also creates a number of other files, including transaction log (.log) and checkpoint (.chk) files, which the engine needs for normal operation of the database. These files are not required to retrieve forensic data from the edb file itself. Indeed, a repair performed with these files present may result in information being lost from the database, so a forensic copy of the edb file should be examined without them.

The edb file consists of a variable number of equally sized pages (4 KB aligned in the databases described here; ESE also supports larger page sizes) organized into B+Trees around index and table objects. Every table in an ESE database consists of a number of trees, each one dedicated to a single index or to a special purpose such as storing large (long value) columns.

All data in an edb file must be reached via an index, and every table is guaranteed to have a primary key index, which holds the bulk of the table's data. Secondary indexes contain only the value of the indexed column(s) and a pointer (the primary key) to the corresponding record in the primary index.

EDB Header Page

The first page of the database is structured differently from the other pages, with the exception of its own shadow copy on the second page of the file, which should be identical. The header page contains information about the entire database, including the log file and its state. If the header page checksum is found to be incorrect, the database engine attempts to retrieve the information from the shadow header page instead.

Offset  Length  Data
0x00    0x4     Page Checksum
0x04    0x4     EDB Magic Number: 0x89ABCDEF
0x08    0x8     File Version
0x10    0x8     Database Time
0x18    0xC     Database Signature
0x24    0x10    Computer Name
0x34    0x4     Database State
0x38    0x8     Last Consistent Log
0x40    0x8     Last Consistent Date/Time
0x48    0x8     Last Attach Date/Time
0x50    0x8     Last Attach Log
0x58    0x8     Last Detach Date/Time
0x60    0x8     Last Detach Log
0x68    0x4     Database ID
0x6C    0x8     Log Signature
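As an added example (not code from the original page or from Greenspot's own tools), the following Python parses the header page laid out above and falls back to the shadow copy on the second page when the primary checksum does not verify, as the text describes. Assumptions not stated on this page: the checksum is the legacy XOR-32 scheme documented by the libesedb project (newer format revisions add an ECC checksum that this example does not implement), the Database State values are the ones libesedb documents, the page size is 4 KB, and the sample database bytes are constructed inline rather than taken from a real file.

```python
import struct

EDB_MAGIC = 0x89ABCDEF
# Field order and sizes follow the header table above (offsets 0x00..0x73).
HEADER_FMT = "<IIQQ12s16sIQQQQQQI8s"
HEADER_SIZE = struct.calcsize(HEADER_FMT)   # 0x74 bytes

# Database State values as documented by libesedb (assumption, not stated on this page).
DB_STATES = {1: "just created", 2: "dirty shutdown", 3: "clean shutdown",
             4: "being converted", 5: "force detach"}


def xor32(data, seed=EDB_MAGIC):
    """Legacy ESE XOR-32 checksum (per libesedb): XOR of little-endian 32-bit words,
    seeded with the magic number, over everything after the 4-byte checksum field."""
    acc = seed
    for (word,) in struct.iter_unpack("<I", data):
        acc ^= word
    return acc


def header_checksum_ok(page):
    stored, = struct.unpack_from("<I", page, 0)
    return stored == xor32(page[4:])


def parse_header(page):
    (checksum, magic, version, db_time, db_sig, computer, state, cons_log, cons_time,
     attach_time, attach_log, detach_time, detach_log, dbid,
     log_sig) = struct.unpack_from(HEADER_FMT, page, 0)
    if magic != EDB_MAGIC:
        raise ValueError(f"bad magic 0x{magic:08X}")
    return {"version": version,
            "computer_name": computer.split(b"\x00", 1)[0].decode("ascii", "replace"),
            "state": state, "state_name": DB_STATES.get(state, f"unknown ({state})"),
            "last_consistent_log": cons_log, "last_attach_log": attach_log,
            "last_detach_log": detach_log, "dbid": dbid, "log_signature": log_sig.hex()}


def read_header(db, page_size=4096):
    """Parse the header page; if its checksum or magic fails, use the shadow page,
    mirroring the engine's own fallback."""
    for source, off in (("primary", 0), ("shadow", page_size)):
        page = db[off:off + page_size]
        if len(page) != page_size or not header_checksum_ok(page):
            continue
        try:
            return parse_header(page), source
        except ValueError:
            continue
    raise ValueError("neither header page passed checksum and magic validation")


# --- constructed sample data (not a real database) ---------------------------------
def build_header_page(page_size=4096, state=3):
    body = struct.pack(HEADER_FMT, 0, EDB_MAGIC, 0x620, 0, b"\x00" * 12,
                       b"FORENSIC-WS".ljust(16, b"\x00"), state,
                       0x100, 0, 0, 0x100, 0, 0, 1, b"\x00" * 8)
    page = body + b"\x00" * (page_size - len(body))
    return struct.pack("<I", xor32(page[4:])) + page[4:]   # fill in a valid checksum


def build_sample_db(page_size=4096):
    hdr = build_header_page(page_size)
    return hdr + hdr            # header page followed by its identical shadow


def flip_byte(db, offset):
    """Simulate corruption of one byte (used to exercise the shadow fallback)."""
    out = bytearray(db)
    out[offset] ^= 0xFF
    return bytes(out)


if __name__ == "__main__":
    hdr, source = read_header(flip_byte(build_sample_db(), 0x34))
    print(source, hdr["state_name"], hdr["computer_name"])
```

On a real file, pass `open(path, "rb").read()` (or a memory-mapped view) and the file's actual page size; a "dirty shutdown" state is what you expect from an image taken while the database was in use, and is precisely the case where letting the engine repair against the .log and .chk files can change the evidence.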

EDB Page Structure

Apart from the first two pages (the header and its backup) and empty pages, every page in an EDB file starts with a 40-byte header that identifies the data within the page and supports navigation between neighbouring pages in the corresponding tree.

At the bottom of an EDB page is an array of tag identifiers used to locate the entries of the tree stored in that page. Whether these entries are also records of their respective tables depends on the tree type, the page's position in the tree, the page flags and the structure of the tag.

The rest of the page comprises either the tagged entries themselves or white space (unused space).

To traverse the tags within a page, the engine first reads the Next Free Tag entry in the header to determine the number of tags. It can then read each tag identifier to determine the state, length and position of each tag on the page.

Most tags on an EDB page are handled in a similar manner, based upon the type of page and the tag's flags. The first tag on a page, however, usually holds separate significance and is treated accordingly.

Page Header Layout

Offset  Length  Data
0x00    0x4     Page Checksum
0x04    0x4     Page No. or 2nd checksum (Vista onwards)
0x08    0x8     Page Time
0x10    0x4     Previous Page
0x14    0x4     Next Page
0x18    0x4     FDP ObjID
0x1C    0x2     Free Bytes
0x1E    0x2     Uncommitted Free Bytes
0x20    0x2     Next Free Byte
0x22    0x2     Next Free Tag
0x24    0x4     Flags
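The page header, tag array and neighbouring-page navigation described above, as an added example (not code from the original page or from Greenspot's tools): the Python below parses the 40-byte page header, walks the tag array from the bottom of the page using Next Free Tag, and then follows Next Page pointers along a chain of leaf pages, skipping tag 0 and deleted tags when collecting records. Assumptions not stated on this page, taken from the libesedb documentation: each tag identifier is 4 bytes (size, then offset, both 16-bit little-endian) with tag 0 in the last 4 bytes of the page; the offset is relative to the end of the page header; the upper 3 bits of the offset carry the tag flags, of which 0x2 marks a deleted entry; the page flag values; and that data pages are numbered from 1 with page N at file offset (N + 1) × page size. Page checksums are not verified here, and the sample pages are constructed inline.

```python
import struct

# 40-byte data page header, field order as in the Page Header Layout table.
PAGE_HEADER_FMT = "<IIQIIIHHHHI"
PAGE_HEADER_SIZE = struct.calcsize(PAGE_HEADER_FMT)   # 40
TAG_SIZE = 4

# Page flag bits and tag flag bits per libesedb (assumption, not stated on this page).
PAGE_FLAGS = {0x01: "root", 0x02: "leaf", 0x04: "parent", 0x08: "empty",
              0x10: "space_tree", 0x20: "index", 0x40: "long_value"}
TAG_DELETED = 0x2


def page_offset(page_no, page_size):
    """Data pages are numbered from 1, after the header and shadow header (assumption)."""
    return (page_no + 1) * page_size


def parse_page(page):
    (checksum, page_no, page_time, prev_page, next_page, fdp_objid, free_bytes,
     uncommitted_free, next_free_byte, next_free_tag,
     flags) = struct.unpack_from(PAGE_HEADER_FMT, page, 0)
    tag_array_start = len(page) - TAG_SIZE * next_free_tag
    if tag_array_start < PAGE_HEADER_SIZE + next_free_byte:
        raise ValueError("tag array overlaps page data")
    tags = []
    for n in range(next_free_tag):
        # Tag n sits 4*(n+1) bytes before the end of the page; tag 0 is the last one.
        raw_size, raw_off = struct.unpack_from("<HH", page, len(page) - TAG_SIZE * (n + 1))
        size, offset, tflags = raw_size & 0x1FFF, raw_off & 0x1FFF, raw_off >> 13
        start = PAGE_HEADER_SIZE + offset       # offsets are relative to the header end
        if start + size > tag_array_start:
            raise ValueError(f"tag {n} runs into the tag array")
        tags.append({"index": n, "size": size, "offset": offset, "flags": tflags,
                     "data": page[start:start + size]})
    return {"page_no": page_no, "prev_page": prev_page, "next_page": next_page,
            "fdp_objid": fdp_objid, "free_bytes": free_bytes,
            "next_free_byte": next_free_byte, "flags": flags,
            "flag_names": [name for bit, name in PAGE_FLAGS.items() if flags & bit],
            "tags": tags}


def walk_leaf_chain(db, page_size, start_page):
    """Follow Next Page pointers from a leaf page; returns [(page_no, live records)]."""
    seen, chain, pn = set(), [], start_page
    while pn:
        if pn in seen:
            raise ValueError(f"cycle in next-page chain at page {pn}")
        seen.add(pn)
        off = page_offset(pn, page_size)
        page = parse_page(db[off:off + page_size])
        if not page["flags"] & 0x02:
            raise ValueError(f"page {pn} is not a leaf page")
        # Tag 0 is the page's own special first tag, not a record; drop deleted tags too.
        records = [t["data"] for t in page["tags"][1:] if not t["flags"] & TAG_DELETED]
        chain.append((pn, records))
        pn = page["next_page"]
    return chain


# --- constructed sample data (not a real database) ---------------------------------
def build_page(page_size, page_no, prev_page, next_page, flags, values):
    """values: list of (bytes, tag_flags); the first entry becomes tag 0."""
    data, tag_entries = b"", []
    for val, tflags in values:
        tag_entries.append(struct.pack("<HH", len(val), len(data) | (tflags << 13)))
        data += val
    tag_array = b"".join(reversed(tag_entries))       # tag 0 ends up last in the page
    free = page_size - PAGE_HEADER_SIZE - len(data) - len(tag_array)
    header = struct.pack(PAGE_HEADER_FMT, 0, page_no, 0, prev_page, next_page, 2,
                         free, 0, len(data), len(values), flags)
    return header + data + b"\x00" * free + tag_array


def build_sample_db(page_size=4096):
    pages = [b"\x00" * page_size] * 2                 # header and shadow placeholders
    pages.append(build_page(page_size, 1, 0, 2, 0x02,
                            [(b"\x00\x00", 0), (b"rec-A1", 0), (b"rec-A2", 0)]))
    pages.append(build_page(page_size, 2, 1, 3, 0x02,
                            [(b"\x00\x00", 0), (b"rec-B1", TAG_DELETED), (b"rec-B2", 0)]))
    pages.append(build_page(page_size, 3, 2, 0, 0x02,
                            [(b"\x00\x00", 0), (b"rec-C1", 0)]))
    return b"".join(pages)


if __name__ == "__main__":
    for pn, recs in walk_leaf_chain(build_sample_db(), 4096, 1):
        print(pn, recs)
```

The two bounds checks in `parse_page` matter on carved or partially overwritten pages: a tag whose offset or size points into the tag array, or a Next Free Tag count that would push the tag array into the data area, is the usual symptom of a page that has been reused, and a parser that trusts those fields will happily read garbage as records. Deleted entries are skipped here for the live view; for forensic recovery you would keep them and report the flag instead.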

Tree Structure

Trees in an EDB file are structured to minimise the number of disk reads needed to retrieve any single piece of information. Data is therefore held in the leaf pages, with parent pages kept to the minimum needed to reach them, balancing lookup speed against efficient use of space.

While all pages within the file have a similar tag structure, only leaf pages, those at the bottom of the tree, contain tree data. All other pages are used to locate and traverse the trees.

System Trees

All EDB files contain at least two special trees used to locate information within the database. These tables are MSysObjects, also known as the System Catalog, and MSysObjectsShadow which, as its name suggests, is a backup of MSysObjects.

MSysObjects holds metadata on every table, index and column in the database and so defines its overall content and structure. If the MSysObjects table is corrupted, Windows reverts to the backup copy, MSysObjectsShadow.
