EseDbViewer
Info
Extensible Storage Engine (ESE) is one of the least known and yet most widely distributed database engines (on Windows). ESE, also known as JET Blue, is an Indexed Sequential Access Method (ISAM) data storage technology from Microsoft. ESE is notably the core of Microsoft Exchange Server and Active Directory. Its purpose is to allow applications to store and retrieve data via indexed and sequential access. Windows Mail and Desktop Search on Windows Vista also make use of ESE to store indexes and property information respectively. It is now also used within Windows Live Messenger.
I only care about ESE from a forensics point of view, since some interesting data could be stored in an ESE database, like a suspect's document paths or their entire Windows Live Messenger contacts list. Rather than making one tool to work with the Windows Live ESE database and another for Desktop Search, etc., I thought it would make more sense to create a database data viewer with special features for some of the apps that use ESE, e.g. Windows Live Messenger, Desktop Search and Windows Mail. When you open an ESE database you get to choose the "Mode", which currently consists of Generic, Desktop Search and Windows Live Messenger.
If you choose the Windows Live Messenger mode option and (obviously) open a Contacts.edb file, then rather than giving you access to every field of every table, only the "SimpleContacts" table is shown, with only the key fields. When exporting data you then get only the key data rather than every column. If you use the application to view the Desktop Search database (Windows.edb), then I recommend that you extract the entire "WindowsSearch" directory tree, since ESE uses extra files to store transactions and logs.
The application uses a managed wrapper (http://www.codeplex.com/ManagedEsent) to access the ESE functionality, as it's pretty dirty to use, well, from a nice, safe C# point of view! :-)
Some example paths for the *.edb files are shown below:
- Windows Live Messenger: C:\Users\woany\AppData\Local\Microsoft\Windows Live Contacts\{5dabbe1a-86f7-47af-92d9-8228549cb5d9}\DBStore
- Desktop Search: C:\ProgramData\Microsoft\Search\Data\Applications\Windows
Notes
There have been a number of occurrences of a "JET_errSoftRecoveryOnBackupDatabase" error, which I think is due to an attempt to open either a corrupt or backup database. If the contacts.edb file comes from a path like so:
C:\Users\woany\AppData\Local\Microsoft\Windows Live Contacts\{5dabbe1a-86f7-47af-92d9-8228549cb5d9}\DBStore\Backup\new
then I guess these are database backups, which need some of the other files that are stored in the same directory and a command run using the esentutl tool. Some useful esentutl commands are shown below:
- Recovery: ESENTUTL.EXE /r <database name>
- Integrity: ESENTUTL.EXE /g <database name>
- Repair: ESENTUTL.EXE /p <database name>
Note that I have read that running the "ESENTUTL.EXE /p" command is rarely required, since it may cause more damage than good. Since you have acquired the files in a forensically sound manner (you can get them again), it doesn't matter if the app corrupts the files.
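The esentutl steps above, assembled into a triage script as an added example (not part of EseDbViewer): it copies the acquired directory, dumps the database header with esentutl /mh to see whether the database was shut down cleanly, runs soft recovery only when needed, and then runs the integrity check, leaving /p out. It assumes esentutl.exe is on the PATH and that the log base name can be taken from the <base>.chk checkpoint file in the same directory (e.g. edb.chk); the /mh, /l and /s switches are esentutl options the page itself does not mention.

```powershell
# Added example (not part of EseDbViewer): triage an acquired ESE database
# directory before opening it in a viewer. Works on a copy so the acquired
# files stay untouched. Assumes esentutl.exe is on PATH and that the
# directory holds the .edb together with its .log and .chk files.
param(
    [Parameter(Mandatory)][string]$AcquiredDir,   # e.g. the extracted DBStore tree
    [Parameter(Mandatory)][string]$DbName,        # e.g. contacts.edb or Windows.edb
    [string]$WorkDir = (Join-Path $env:TEMP ('ese-triage-' + [guid]::NewGuid()))
)

# 1. Never work on the evidence copy itself: recovery rewrites the .edb and logs.
Copy-Item -Path $AcquiredDir -Destination $WorkDir -Recurse
Push-Location $WorkDir
try {
    # 2. Record which esent.dll will be used; a database from a newer Windows
    #    may not open with an older engine.
    $esent = Get-Item (Join-Path $env:SystemRoot 'System32\esent.dll')
    Write-Host "esent.dll version: $($esent.VersionInfo.FileVersion)"

    # 3. Dump the database header. /mh prints, among other fields, a
    #    "State:" line reading Clean Shutdown or Dirty Shutdown.
    $header = & esentutl.exe /mh $DbName 2>&1 | Out-String
    $state = [regex]::Match($header, 'State:\s*(.+)').Groups[1].Value.Trim()
    Write-Host "Header state: $state"

    if ($state -match 'Dirty') {
        # 4. Soft recovery replays the transaction logs into the database.
        #    /r takes the log base name; the checkpoint file is named
        #    <base>.chk, so derive the name from it instead of guessing.
        $chk = Get-ChildItem -Filter '*.chk' | Select-Object -First 1
        if (-not $chk) { throw 'No checkpoint (.chk) file found; cannot determine log base name.' }
        $base = [IO.Path]::GetFileNameWithoutExtension($chk.Name)
        Write-Host "Running soft recovery with log base '$base'"
        & esentutl.exe /r $base /l $WorkDir /s $WorkDir
        if ($LASTEXITCODE -ne 0) { throw "Recovery failed with exit code $LASTEXITCODE" }
    }

    # 5. Integrity check. /p (repair) is deliberately not run here: it is
    #    rarely needed and can discard data, so run it only on yet another copy.
    & esentutl.exe /g $DbName
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "Integrity check failed ($LASTEXITCODE); the database may still need /p."
    } else {
        Write-Host "Database is consistent; open $WorkDir\$DbName in the viewer."
    }
}
finally { Pop-Location }
```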
Another item we have identified this week is that EseDbViewer uses the esent.dll binary on your local computer, so if you extract the contacts.edb from a Windows Vista computer and then run EseDbViewer on a Windows XP computer, it is unlikely that you will be able to open it, as the Vista esent.dll binary will have more functionality.
You can match user avatar pictures to contacts using the UserTileFilePath column, which gives the location of the picture file. An example path would be: C:\Users\woany\AppData\Local\Temp\MessengerCache
Features
- Fast
- Multiple modes, e.g. Generic, Desktop Search and Windows Live Messenger
- Exports a single table to CSV and HTML
- Exports all tables to CSV
- Flexibility in opening ESE files with variable page sizes
- Can create a User Tile (Avatar) report to link users/email addresses to avatar pictures
Screenshot
Requirements
Microsoft .Net v3.5