Windows.edb Repairs
Windows.edb files acquired for forensic examination are often captured using techniques that leave the database in a state of flux and make it unreadable by either the Extensible Storage Engine or structured parsing techniques. Such methods include both immediate power disconnection and live copy.
The problems caused within the database are invariably simple in nature and usually relate to one or more inconsistencies in page pointers, or incorrect checksums on pages that were being updated at the time of acquisition.
As Windows Search Index Analyzer uses the Extensible Storage Engine to access the database, the same engine is used to repair the inconsistencies arising from an unclean shutdown. WSia checks a database when it is opened for the first time and, if it is found to require repair, prompts for the repair to be undertaken. A backup of the original copy is made before the repair is carried out, and this backup is used subsequently for repair analysis.
Forensic Implications
It is of paramount importance to forensic examiners that they can ascertain that the data recovered from the database has not been altered by the repair process. The data recovered can often play a significant role within an investigation, and doubt as to its integrity will often render such evidence unusable.
To facilitate a proper understanding of the repairs undertaken by the Extensible Storage Engine, WSia includes repair analysis features that help the forensic examiner understand the nature and extent of the repairs.
The repair analysis features include:
- An Original File Data tab with the changed bytes highlighted
- A 'jump to' next difference function for SystemIndex_0A differences, other differences or all differences
- An analysis function which analyzes the differences between the original and the repaired files
- A function to facilitate viewing the Microsoft Repair Report
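The same kind of comparison can be scripted independently of WSia to corroborate its difference view. The following is an added example, not code from WSia or its vendor: it reads the page size and database state from the ESE file header (field offsets taken from the open libesedb format documentation; verify them against your ESE version), then reports every file page whose bytes differ between the backup of the original and the repaired copy, so an examiner can see whether a repair touched only the header and checksums or the payload of data pages. The sample images are constructed in-memory, not real Windows.edb files.

```python
import struct

ESE_SIGNATURE = 0x89ABCDEF   # magic at file header offset 4
DB_STATE_OFFSET = 52         # uint32: 2 = dirty shutdown, 3 = clean shutdown (libesedb doc)
PAGE_SIZE_OFFSET = 236       # uint32 page size in bytes (libesedb doc)


def read_header(data):
    """Return checksum, database state and page size from the ESE file header."""
    checksum, signature = struct.unpack_from("<II", data, 0)
    if signature != ESE_SIGNATURE:
        raise ValueError("not an ESE database header")
    state = struct.unpack_from("<I", data, DB_STATE_OFFSET)[0]
    page_size = struct.unpack_from("<I", data, PAGE_SIZE_OFFSET)[0]
    return {"checksum": checksum, "state": state, "page_size": page_size}


def diff_pages(original, repaired, page_size):
    """Map file page index -> offsets within that page that changed.
    File page 0 is the header and page 1 its shadow copy; a page present in
    only one file (repair grew or truncated the database) maps to None."""
    changed = {}
    n_pages = (max(len(original), len(repaired)) + page_size - 1) // page_size
    for idx in range(n_pages):
        a = original[idx * page_size:(idx + 1) * page_size]
        b = repaired[idx * page_size:(idx + 1) * page_size]
        if len(a) != len(b):
            changed[idx] = None
        elif a != b:
            changed[idx] = [i for i in range(len(a)) if a[i] != b[i]]
    return changed


def repair_summary(original, repaired):
    """Header state before/after plus the list of data pages the repair touched."""
    hdr_o, hdr_r = read_header(original), read_header(repaired)
    pages = diff_pages(original, repaired, hdr_o["page_size"])
    return {"state_before": hdr_o["state"], "state_after": hdr_r["state"],
            "page_size": hdr_o["page_size"], "changed_pages": pages,
            "data_pages_touched": sorted(k for k in pages if k >= 2)}


def make_samples(page_size=4096):
    """Constructed images: a dirty original and a repaired copy differing only
    in header checksum/state and four bytes at the start of file page 3."""
    hdr = bytearray(page_size)
    struct.pack_into("<II", hdr, 0, 0x11111111, ESE_SIGNATURE)
    struct.pack_into("<I", hdr, DB_STATE_OFFSET, 2)            # dirty shutdown
    struct.pack_into("<I", hdr, PAGE_SIZE_OFFSET, page_size)
    original = bytes(hdr) * 2 + bytes(range(256)) * (page_size // 256) * 3
    fixed = bytearray(original)
    struct.pack_into("<II", fixed, 0, 0x22222222, ESE_SIGNATURE)   # recomputed checksum
    struct.pack_into("<I", fixed, DB_STATE_OFFSET, 3)              # clean shutdown
    fixed[3 * page_size + 8:3 * page_size + 12] = b"\0\0\0\0"      # page-level field rewritten
    return bytes(original), bytes(fixed)
```

A repair that leaves `data_pages_touched` empty altered nothing but the header; any listed page should be examined byte by byte against the original backup.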