Windows.edb Obfuscation
Microsoft obfuscates some of the text data fields stored within a windows.edb file so that they cannot be read in a simple text viewer. Despite comments made by Microsoft on the Windows Search FAQ, not all text data is obfuscated, and the extent to which it is depends on the version of Windows Search and the platform on which it is installed.
The obfuscation method itself is reasonably simple, although the data may additionally be compressed to minimize the space it occupies within the database. This is often the case for the System_Search_AutoSummary field, which holds a summary of the file's content rather than its metadata, so a field that looks unreadable may be compressed as well as obfuscated.
WSia De-obfuscation
WSia decompresses and de-obfuscates data that has been compressed and obfuscated before displaying it to the user. The raw stored data, as it exists in the database before either step is applied, can be viewed on the Record tab of the program in the Selected Field Stored Data window, so the two forms can be compared side by side.
The de-obfuscation technique used by WSia is believed to be extremely robust: it has been tested on a sample of over 50 different windows.edb files from different systems with a success rate of 100%. However, should any user encounter data that appears not to have been properly de-obfuscated or decompressed, the WSia team would like to hear from them so that they can improve their algorithms further.
Verifying De-obfuscation
The team at WSia have been asked how the de-obfuscation technique can be verified without first acquiring a full understanding of the compression and de-obfuscation algorithms involved. The technique used by the WSia team is to create a new windows.edb database on a test platform with the same OS and Windows Search versions as the system under examination. A file is then created to match the criteria in question (for example, a text file with known content) and indexed into the new database. The resulting stored data can then be checked to confirm that it contains the obfuscated form of that file's data, and that the de-obfuscated output WSia displays matches the known content. Because the obfuscation varies with the Windows Search version and platform, the comparison is only meaningful when the test platform matches the source system.
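The following PowerShell script is an added example of the first half of that procedure, and is not part of the original page or of WSia itself: it writes a text file with a unique marker string into an indexed location, waits until Windows Search has indexed it, queries the index through the Search.CollatorDSO OLE DB provider to confirm the content was captured, and then reports the database path and the plaintext to compare against in WSia's Selected Field Stored Data window. It assumes that the Documents folder is within the index scope, that the System.ItemPathDisplay and System.Search.AutoSummary property names are retrievable through that provider, and that the database lives at the classic %ProgramData% location; the marker and file names are made up for the example.

```powershell
# Added example (not WSia's own code): create a known-content file, confirm it
# was indexed, and report what to compare in WSia.
# Assumptions: Documents is in the index scope, the Search.CollatorDSO provider
# is available, and the database is at the classic %ProgramData% path.

$Marker   = "WSIA-VERIFY-" + [guid]::NewGuid().ToString("N")   # unique, constructed marker
$TestDir  = Join-Path $env:USERPROFILE "Documents"
$TestFile = Join-Path $TestDir ("wsia_verify_{0}.txt" -f (Get-Date).ToString("yyyyMMddHHmmss"))

# Known plaintext. The filler lines give System_Search_AutoSummary real content
# to summarise, which is the field most likely to be compressed and obfuscated.
$Content = @"
Windows Search verification file.
Marker: $Marker
This file exists only so that its indexed content can be compared with the
de-obfuscated output shown by WSia on the Record tab.
"@
Set-Content -Path $TestFile -Value $Content -Encoding UTF8

function Get-IndexedRecord {
    param([string]$Path)
    $conn = New-Object System.Data.OleDb.OleDbConnection(
        "Provider=Search.CollatorDSO;Extended Properties='Application=Windows'")
    $conn.Open()
    try {
        $cmd = $conn.CreateCommand()
        # Windows Search SQL: single-quoted string literals, doubled to escape.
        $escaped = $Path.Replace("'", "''")
        $cmd.CommandText = "SELECT System.ItemPathDisplay, System.Search.AutoSummary " +
                           "FROM SystemIndex WHERE System.ItemPathDisplay = '$escaped'"
        $reader = $cmd.ExecuteReader()
        if ($reader.Read()) {
            return [pscustomobject]@{
                Path        = [string]$reader.GetValue(0)
                AutoSummary = ($reader.GetValue(1) -as [string])   # DBNull becomes empty
            }
        }
        return $null
    } finally {
        $conn.Close()
    }
}

# The indexer works in the background, so poll rather than query once.
$record = $null
for ($i = 0; $i -lt 30 -and -not $record; $i++) {
    Start-Sleep -Seconds 10
    $record = Get-IndexedRecord -Path $TestFile
}
if (-not $record) {
    throw "File was not indexed within five minutes; check that $TestDir is in the index scope."
}

"Indexed: $($record.Path)"
"Marker found in indexed content: $($record.AutoSummary -like "*$Marker*")"

# Stop the WSearch service before copying the database so the copy is consistent.
$Edb = Join-Path $env:ProgramData "Microsoft\Search\Data\Applications\Windows\Windows.edb"
"Database to open in WSia: $Edb"
"Plaintext to expect from WSia's de-obfuscated output:"
$Content
```

Once the script reports that the marker was indexed, stop the Windows Search (WSearch) service, copy the windows.edb, and open the copy in WSia: the raw stored field for the test file should not contain the marker in readable form, while the de-obfuscated output should reproduce the plaintext the script printed. Because the indexer compresses the AutoSummary field independently of the obfuscation, a mismatch on that field alone is worth reporting separately from a mismatch on the shorter metadata fields.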
If requested, the WSia team will also carry out this verification on behalf of users of the forensic version of Windows Search index analyzer.