The EDB File and EDB File Structure
An edb file is an Extensible Storage Engine (ESE) database held in a single ISAM database file. It can hold indexed data well in excess of 1 TB, and on Windows Vista and later the format allows for at least 16 TB. Alongside the edb file, ESE maintains a number of supporting files, in particular transaction log (.log) and checkpoint (.chk) files, which are needed for the normal operation of the database but are not required to retrieve forensic data from the edb file itself. Indeed, a repair run with these files present may itself cause information to be lost from the database, so forensic work should be carried out on a copy of the edb file alone.
The edb file consists of a variable number of equally sized pages (4 KB is typical, but the page size is fixed per database, recorded in the file header, and larger sizes such as 8 KB and 32 KB are used by some databases), organised into B+ trees around index and table objects. Every table in an ESE database consists of a number of trees, each dedicated to a single index or to a special purpose such as storing long values (large string or binary columns).
All data in an edb file is reached by traversing an index. Each table has a primary index, whose leaf pages hold the bulk of the table's data; secondary indexes hold only the value of the indexed column(s) together with a pointer (the primary key) to the corresponding record in the primary index.
EDB Header Page
The first page of the database is structured differently from the other pages, with the exception of its own shadow copy on the second page of the file, which should be identical. The header page contains information about the entire database, including the log file and its state. If the header page's checksum is found to be incorrect, the database engine will attempt to read the information from the shadow header page instead, and a forensic parser should do the same.
Offset | Length | Data |
---|---|---|
0x00 | 0x4 | Page Checksum |
0x04 | 0x4 | EDB Magic Number: 0x89ABCDEF |
0x08 | 0x8 | File Format Version (4 bytes) and File Type (4 bytes; 0 = database) |
0x10 | 0x8 | Database Time |
0x18 | 0xC | Database Signature |
0x24 | 0x10 | Computer Name |
0x34 | 0x4 | Database State |
0x38 | 0x8 | Last Consistent Log |
0x40 | 0x8 | Last Consistent Date/Time |
0x48 | 0x8 | Last Attach Date/Time |
0x50 | 0x8 | Last Attach Log |
0x58 | 0x8 | Last Detach Date/Time |
0x60 | 0x8 | Last Detach Log |
0x68 | 0x4 | Database ID |
0x6C | 0x1C | Log Signature (28 bytes: random value, creation time and computer name, like the database signature) |
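As an added example (not code from the original page), here is a Python parser for the header table above that also does what the engine does on a bad checksum: it validates the magic number and the legacy XOR-32 page checksum and falls back to the shadow header on page 2. The checksum algorithm, the LOGTIME and log-position layouts and the database-state values are taken from the public format description and the Jet headers rather than from this page; the 4 KB page size, the machine name and every field value are constructed sample data.

```python
import struct
from datetime import datetime

EDB_MAGIC = 0x89ABCDEF
PAGE_SIZE = 4096          # assumed page size for the constructed sample (fixed per database)
# Database state values as in the public JET_dbstate* constants.
DB_STATES = {1: "just created", 2: "dirty shutdown", 3: "clean shutdown",
             4: "being converted", 5: "force detach"}


def xor32_checksum(page):
    """Legacy ESE XOR-32 checksum: XOR of every 32-bit LE word from offset 4 to the end
    of the page, seeded with 0x89ABCDEF. Newer formats pair this with an ECC (not modelled)."""
    crc = EDB_MAGIC
    body = page[4:4 + (len(page) - 4) // 4 * 4]
    for (word,) in struct.iter_unpack("<I", body):
        crc ^= word
    return crc


def decode_logtime(raw):
    """8-byte LOGTIME: seconds, minutes, hours, day, month, year-1900, 2 filler bytes.
    An all-zero value means 'never'. Layout assumed from the public format description."""
    sec, minute, hour, day, month, year = raw[:6]
    if day == 0 or month == 0:
        return None
    return datetime(1900 + year, month, day, hour, minute, sec)


def decode_logpos(raw):
    """8-byte log position (LGPOS): byte offset, sector, generation. Assumed layout."""
    ib, isec, generation = struct.unpack("<HHi", raw)
    return {"generation": generation, "sector": isec, "offset": ib}


def parse_header(page):
    """Decode the fields from the header table above; raise on bad magic or checksum."""
    if len(page) < 0x88:
        raise ValueError("page too short for an EDB header")
    magic = struct.unpack_from("<I", page, 0x04)[0]
    if magic != EDB_MAGIC:
        raise ValueError("bad magic 0x%08X" % magic)
    stored = struct.unpack_from("<I", page, 0x00)[0]
    if stored != xor32_checksum(page):
        raise ValueError("header checksum mismatch")
    version, file_type = struct.unpack_from("<II", page, 0x08)
    state = struct.unpack_from("<I", page, 0x34)[0]
    return {
        "format_version": version,
        "file_type": file_type,
        "computer_name": page[0x24:0x34].split(b"\x00", 1)[0].decode("ascii", "replace"),
        "state": DB_STATES.get(state, "unknown(%d)" % state),
        "last_consistent_log": decode_logpos(page[0x38:0x40]),
        "last_consistent_time": decode_logtime(page[0x40:0x48]),
        "last_attach_time": decode_logtime(page[0x48:0x50]),
        "last_detach_time": decode_logtime(page[0x58:0x60]),
        "database_id": struct.unpack_from("<I", page, 0x68)[0],
    }


def read_header(data, page_size=PAGE_SIZE):
    """Use page 0; if its magic or checksum fails, fall back to the shadow copy on page 1,
    which is what the engine itself does."""
    errors = []
    for source, offset in (("header", 0), ("shadow", page_size)):
        try:
            return source, parse_header(data[offset:offset + page_size])
        except ValueError as exc:
            errors.append("%s: %s" % (source, exc))
    raise ValueError("no usable header page: " + "; ".join(errors))


def build_header_page(state, attach_time, db_id, corrupt=False):
    """Constructed sample header page, not taken from a real database."""
    page = bytearray(PAGE_SIZE)
    struct.pack_into("<I", page, 0x04, EDB_MAGIC)
    struct.pack_into("<II", page, 0x08, 0x620, 0)            # format 0x620, file type 0 (database)
    page[0x24:0x34] = b"FORENSIC-WS".ljust(16, b"\x00")      # constructed machine name
    struct.pack_into("<I", page, 0x34, state)
    struct.pack_into("<HHi", page, 0x38, 0x1C0, 0x2A, 0x0F)  # log position: ib, isec, generation
    page[0x48:0x50] = attach_time
    struct.pack_into("<I", page, 0x68, db_id)
    struct.pack_into("<I", page, 0x00, xor32_checksum(page))
    if corrupt:
        page[0x34] ^= 0xFF   # damage the state byte after checksumming
    return bytes(page)


def sample_database():
    """Two-page sample: a damaged header followed by an intact shadow copy."""
    attach = bytes([30, 15, 9, 12, 3, 124, 0, 0])   # 2024-03-12 09:15:30 in LOGTIME form
    good = build_header_page(state=2, attach_time=attach, db_id=7)
    bad = build_header_page(state=2, attach_time=attach, db_id=7, corrupt=True)
    return bad + good


if __name__ == "__main__":
    source, hdr = read_header(sample_database())
    print(source, hdr)
```

On the constructed sample the primary header fails its checksum and the values come back from the shadow page; a "dirty shutdown" state combined with a non-zero attach time and no detach time is exactly the condition under which running a repair would alter the evidence.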
EDB Page Structure
Apart from the first two pages (the header and its shadow) and empty pages, every page in an EDB file starts with a 40-byte header that identifies the data on the page and links it to its neighbours at the same level of the corresponding tree (the previous and next page numbers).
At the end of an EDB page sits an array of tag identifiers, growing backwards from the last byte of the page, which are used to locate the entries stored on it. Whether an entry is also part of a record in its table depends on the tree type, the page's position in the tree, the page flags and the structure of the tag itself.
The rest of the page holds either the tagged entries themselves or unused space.
To traverse the tags on a page the engine first reads the Next Free Tag field in the header, which gives the number of tags in use. It then reads each tag identifier to determine the state, length and position of the corresponding entry on the page.
Most tags on a page are handled alike, according to the page type and the tag's flags. The first tag (tag 0) is the exception: it holds the page's external header rather than an ordinary entry and is treated separately.
Page Header Layout
Offset | Length | Data |
---|---|---|
0x00 | 0x4 | Page Checksum |
0x04 | 0x4 | Page No. or 2nd checksum (Vista onwards) |
0x08 | 0x8 | Page Time |
0x10 | 0x4 | Previous Page |
0x14 | 0x4 | Next Page |
0x18 | 0x4 | FDPObjID |
0x1C | 0x2 | Free Bytes |
0x1E | 0x2 | Uncommitted Free Bytes |
0x20 | 0x2 | Next Free Byte |
0x22 | 0x2 | Next Free Tag |
0x24 | 0x4 | Flags |
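As an added example, not from the original page: a Python walker for the page header above and the tag array at the end of the page, run over a constructed leaf page. It reads Next Free Tag to learn how many tags exist, decodes each tag's state, length and position, skips tag 0, and separates live entries from defunct (deleted) ones, which is where forensic leftovers live. The tag bit layout (13-bit size and offset, state flags in the upper 3 bits of the offset, offsets relative to the end of the header), the defunct flag value and the page flag bits are assumptions taken from the public format description for small-page databases; the page checksum is not verified here, and all page contents are constructed.

```python
import struct

PAGE_SIZE = 4096     # assumed; fixed per database and read from the file header in practice
HEADER_SIZE = 40
TAG_SIZE = 4
PAGE_HEADER_FMT = "<IIQIIIHHHHI"   # the eleven fields of the page header table, little-endian
# Page flag bits as given in the public format description (assumption for this example).
PAGE_FLAGS = {0x01: "root", 0x02: "leaf", 0x08: "empty", 0x20: "space-tree",
              0x40: "index", 0x80: "long-value"}
TAG_FLAG_DEFUNCT = 0x2          # state bit marking a deleted entry (assumed value)
EXTERNAL_HEADER = b"\x00\x00"   # placeholder contents for tag 0 (constructed)


def parse_page_header(page):
    """Decode the 40-byte header laid out in the table above."""
    fields = struct.unpack_from(PAGE_HEADER_FMT, page, 0)
    names = ("checksum", "page_no_or_ecc", "page_time", "prev_page", "next_page",
             "fdp_objid", "free_bytes", "uncommitted_free_bytes", "next_free_byte",
             "next_free_tag", "flags")
    hdr = dict(zip(names, fields))
    hdr["flag_names"] = [n for bit, n in PAGE_FLAGS.items() if hdr["flags"] & bit]
    return hdr


def parse_tags(page, hdr):
    """Walk the tag array, which grows backwards from the end of the page: entry i sits at
    len(page) - 4*(i+1). Assumed small-page layout: 2-byte size, 2-byte offset (relative to
    the end of the page header), each 13 bits wide, with the offset's top 3 bits holding
    the tag state flags."""
    n = hdr["next_free_tag"]
    data_end = len(page) - TAG_SIZE * n      # the tag array starts here; data must stay below
    tags = []
    for i in range(n):
        size, raw_offset = struct.unpack_from("<HH", page, len(page) - TAG_SIZE * (i + 1))
        flags, offset, size = raw_offset >> 13, raw_offset & 0x1FFF, size & 0x1FFF
        start = HEADER_SIZE + offset
        if start + size > data_end:
            raise ValueError("tag %d (offset %d, size %d) overruns the data area" % (i, offset, size))
        tags.append({"index": i, "offset": offset, "size": size, "flags": flags,
                     "defunct": bool(flags & TAG_FLAG_DEFUNCT),
                     "data": bytes(page[start:start + size])})
    return tags


def live_entries(page):
    """Entries the engine still considers present: skip tag 0 (the page's own external
    header, treated specially) and any tag flagged defunct."""
    hdr = parse_page_header(page)
    return [t["data"] for t in parse_tags(page, hdr)[1:] if not t["defunct"]]


def defunct_entries(page):
    """Deleted entries whose bytes are still on the page: the forensic leftovers that a
    repair or compaction would discard."""
    hdr = parse_page_header(page)
    return [t["data"] for t in parse_tags(page, hdr)[1:] if t["defunct"]]


def build_sample_page(entries, flags=0x02 | 0x40):
    """Constructed leaf page of an index tree (not from a real database): entries are packed
    front-to-back after the header, tags back-to-front from the end of the page."""
    page = bytearray(PAGE_SIZE)
    cursor = 0
    for i, (data, tag_flags) in enumerate(entries):
        struct.pack_into("<HH", page, PAGE_SIZE - TAG_SIZE * (i + 1),
                         len(data), (tag_flags << 13) | cursor)
        page[HEADER_SIZE + cursor:HEADER_SIZE + cursor + len(data)] = data
        cursor += len(data)
    free = PAGE_SIZE - HEADER_SIZE - cursor - TAG_SIZE * len(entries)
    struct.pack_into(PAGE_HEADER_FMT, page, 0,
                     0,             # checksum: left at zero, not verified in this example
                     17,            # page number (pre-Vista meaning of this field)
                     0x1234,        # page time
                     0, 0,          # previous / next page: none, a single leaf
                     5,             # FDPObjID: owning tree's object id (constructed)
                     free, 0,       # free bytes, uncommitted free bytes
                     cursor,        # next free byte, relative to the end of the header
                     len(entries),  # next free tag == number of tags in use
                     flags)
    return bytes(page)


SAMPLE_ENTRIES = [(EXTERNAL_HEADER, 0), (b"alpha", 0), (b"beta", TAG_FLAG_DEFUNCT), (b"gamma", 0)]

if __name__ == "__main__":
    page = build_sample_page(SAMPLE_ENTRIES)
    print(parse_page_header(page)["flag_names"], live_entries(page), defunct_entries(page))
```

The bounds check in parse_tags matters on real evidence: a tag whose offset and size reach past the start of the tag array is either corruption or a crafted page, and a parser that trusts it will read the tag array itself as entry data.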
Tree Structure
Trees in an EDB file are structured to keep the number of disk reads needed to retrieve any single item to a minimum. Data is therefore spread across as many leaf pages as necessary, while the interior (parent) pages hold only keys and child page numbers, so the tree stays shallow and each lookup touches few pages, balancing speed against storage efficiency.
While all pages in the file share the same tag structure, only leaf pages, those at the bottom of the tree, contain the tree's data. All other pages are used only to locate and traverse the trees.
System Trees
All EDB files contain at least two special trees used to locate information within the database. These tables are MSysObjects, also known as the System Catalog, and MSysObjectsShadow which, as its name suggests, is a backup copy of MSysObjects.
MSysObjects holds metadata on every table, index and column in the database and so defines its overall content and structure; a parser must read it first to learn the object identifiers (the FDPObjID seen in each page header), root pages and column definitions of the user tables. If MSysObjects is corrupted the engine falls back to the backup copy, MSysObjectsShadow.