Generic ESE Database Table Parser
This script will attempt to parse one or more tables from Extensible Storage Engine (ESE) database files specified by the user.
In order to use the script, the examiner must know the name of each database/table he/she wishes to parse. A tool such as ESEDatabaseView from Nirsoft can assist with this.
The ESEDatabaseView tool can be installed as an external viewer by specifying the '/table [file] MSysObjects' command-line (the MSysObjects table exists in every ESE database; it contains the database's table definitions).
The script will only read the main database file, not the transaction-log files. These may contain new data or cloak deleted data, so alternative action will need to be taken if the examiner wishes to check for the presence of the former.
When it comes to long values (LVs), which have to be stored separately because they won't fit within the associated record, the script only supports LVs that fit within a single LV page. Data that overflows into other LV pages won't be read.
It's not entirely clear how the ESE database engine identifies compressed text in LV pages, so the script uses entropy analysis for this purpose. Whilst this should work reasonably well in most cases, it may fail on occasion. The LV bookmarks created by the script (see below) may help to diagnose parsing errors of this nature.
The script will treat any 8-byte binary value whose name contains the string 'date' or the string 'time' as a FILETIME value, which will be decoded accordingly and presented as UTC.
The byte-order of FILETIME timestamps varies, so the script will assume that the leading byte of each one will have a value of 0x01 and parse accordingly. Again, this could fail in a small number of cases.
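The two FILETIME rules above, as an added Python illustration that is not part of the EnScript itself. It assumes the 0x01 rule means "whichever end of the stored 8 bytes holds 0x01 is the most significant byte" (true for any FILETIME between roughly 1829 and 2057) and that the 'date'/'time' name match is case-insensitive; both are my reading of the description, not confirmed by it.

```python
from datetime import datetime, timedelta, timezone

# 1970-01-01 expressed in FILETIME ticks (100-ns units since 1601-01-01).
UNIX_EPOCH_AS_FILETIME = 116_444_736_000_000_000
TICKS_PER_SECOND = 10_000_000

def is_timestamp_column(name: str, value: bytes) -> bool:
    # The script's rule: 8-byte binary column whose name contains 'date' or 'time'.
    # Case-insensitive matching is my assumption; the description does not say.
    lowered = name.lower()
    return len(value) == 8 and ("date" in lowered or "time" in lowered)

def filetime_byte_order(raw: bytes):
    # Any FILETIME between roughly 1829 and 2057 has 0x01 as its most significant
    # byte, so whichever end of the stored value holds 0x01 is the high end.
    # Returns None when neither end qualifies: the failure case the text warns of.
    if len(raw) != 8:
        return None
    if raw[0] == 0x01:
        return "big"
    if raw[7] == 0x01:
        return "little"
    return None

def decode_filetime_utc(raw: bytes) -> str:
    # Return the FILETIME as an ISO-8601 UTC string, or raise ValueError.
    order = filetime_byte_order(raw)
    if order is None:
        raise ValueError("cannot infer FILETIME byte order from " + raw.hex())
    ticks = int.from_bytes(raw, order)
    seconds, rest = divmod(ticks - UNIX_EPOCH_AS_FILETIME, TICKS_PER_SECOND)
    epoch = datetime(1970, 1, 1, tzinfo=timezone.utc)
    # rest is in 100-ns ticks; datetime resolves to microseconds (10 ticks each).
    return (epoch + timedelta(seconds=seconds, microseconds=rest // 10)).isoformat()

def decode_record(record: dict) -> dict:
    # FILETIME columns become UTC strings; everything else, including a timestamp
    # whose byte order cannot be inferred, is shown as hex like the script's fallback.
    out = {}
    for name, value in record.items():
        if is_timestamp_column(name, value):
            try:
                out[name] = decode_filetime_utc(value)
                continue
            except ValueError:
                pass
        out[name] = value.hex()
    return out
```

A value of all zero bytes (or any date outside the 0x01 range) falls through to hex, which is the kind of case the description says the heuristic can get wrong.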
Note that the 'System_Search_AutoSummary' field from the 'SystemIndex_0A' table of older Windows.edb files (e.g., those from Windows 7) may be obfuscated. The script does not currently support deobfuscation of such data and will display it as hex.
Output is via the console window, bookmarks and a TSV output file.
Although the TSV file will provide the greatest number of options when it comes to filtering/sorting the output data, it will contain every column that is referenced by at least one record in the associated table. This may result in a very large table that is difficult to examine in any detail.
Accordingly the list-view provided by the console and bookmarks may prove useful. It makes it much easier to identify the fields contained in each record.
Please note there is a substantial amount of additional overhead when creating bookmarks, so the script will take longer to run and there will be a slight delay before it finishes processing.
ESE database files are very complex, so one should not expect the script to parse every database without issue, especially those that are large.
For additional information, please see the following Twitter post:
This script was developed for use in EnCase training. For more details, please click the following link: