Greenspot Technologies Ltd Logo

Windows Search Index Analyzer Features

Windows Search Index Analyzer is one of the only forensic software programs that provides a user interface for finding and recording evidence from Windows.edb search index files. The key features are shown on the tabs below:

Windows Search Index Analyzer presents its data in a tabbed view and the first of these is the Tables view.

The Tables view allows you to:
  • See all the tables within the edb database
  • View a list of all search records stored in the database
  • Select any record within any of the tables
  • Change the fields that are displayed to focus on the needs of your investigation
  • Mark records for 3 different categories of review
  • Export a record in XML or CSV format
  • Export a batch of records in XML or CSV format

All fields (columns) for the selected record within a table are displayed on the Record tab.

The Record tab allows you to:
  • View all the data stored within an individual record
  • Hide fields which do not contain any data
  • View data which has been deobfuscated and view the actual obfuscated data stored within the edb database
  • Mark records for review, follow up or action
  • Navigate through marked records
  • Add one or more fields and their data to the selected report
  • Export a record in XML or CSV format

Windows Search Index Analyzer provides both search and find capability on data stored within the search index's edb database. Find looks for data stored within fields and is performed after any required deobfuscation or decoding has taken place, whereas Search allows you to look for specific data or values within the raw data of the file.

Find offers improved efficiency in investigations and has these key features:
  • Find text or hex byte data
  • Find multiple words using the Wordlist Find
  • Look in specified field types or all field types
  • Make text finds case sensitive
  • Look for values in all fields or define a specific filter for the find

Search allows you to look for hex bytes, numbers or strings within the raw data of the file.

Reports allow investigators to record key evidence and present it in a simple, effective fashion using the presentation screen. With presentations and reports you can:
  • Display a full screen presentation of evidence to relevant parties
  • Include or exclude metadata and edit the presentation to suit your needs
  • Create multiple reports for one file
  • Save presentations to PDF, print them or export them as a series of images
  • Save presentations to secure PDF for distribution to Defence Counsel or otherwise
  • Export evidence within the report data in XML or CSV format

The raw file data tab displays the actual binary data which makes up the file and helps you to:
  • Navigate through the pages making up the edb database
  • Understand and research the structure of the edb database
  • Find raw data within the file itself using Search
  • Navigate through a series of Search results within the file itself
  • See defined fields either within the header pages or even the tags within the data pages themselves

File statistics provides investigators with a quick overview of the structure and content of a file and does the following:
  • Analyzes by file extension using over 170 different file types
  • Analyzes unknown file types by their System_Kind entry in the search index
  • Displays a summary table of search index entries
  • Displays a pie chart of the main categories of files comprising the index
  • Records cumulative durations of media files where this information is stored
  • Records cumulative word counts for documents where this information is stored