Windows Search Index Forensics: Recovering Deleted Files, User Activity & Web History in Windows

 

The Windows Search Index constitutes a pivotal forensic artifact within the Windows operating system, tracing its lineage to Windows 2000 with substantial maturation in subsequent versions. Initially rudimentary, the indexing service achieved default activation in Windows XP and has since undergone iterative enhancements by Microsoft, evolving into a robust mechanism for cataloging user activity and digital evidence.

The indexer operates as a background service (SearchIndexer.exe), silently aggregating extensive metadata, partial content extracts, and interaction artifacts across supported file types, emails, URLs, and application-specific data (e.g., Outlook, OneNote, SharePoint, Edge/IE history). By default, it targets user profile directories (C:\Users\<profile>, excluding AppData by default) and Start Menu locations, though protocol handlers registered by applications extend its reach. Over 900 file extensions are indexed by default, with content indexing (partial excerpts) enabled for numerous formats from Windows 8 onward. In Windows 10+, "Enhanced" mode broadens scope to the entire volume and mounted drives, indexing filenames and metadata system-wide while limiting full content extraction in non-profile locations.

Through Windows 10, indexed data resides in a single Extensible Storage Engine (ESE) database:

• Windows Vista – 10: C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Windows.edb
• Windows XP: C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Windows.edb

This database routinely encompasses tens to hundreds of thousands of records (scaling toward a million items), incorporating file system metadata (MACB timestamps, size, attributes, owner, full paths), partial content, URLs visited, email details, and interaction timestamps (including System_Search_GatherTime). Key tables include:

• SystemIndex_Gthr and SystemIndex_GthrPth: Facilitate path reconstruction via ScopeID/DocumentID linkages.
• SystemIndex_PropertyStore: The forensic cornerstone, housing rich metadata, content snippets, and recoverable deleted records.

Windows 11 marks a structural migration to SQLite databases in the same directory:

• Windows-gather.db (SystemIndex_Gthr / GthrPth equivalents for file/folder metadata and path reconstruction).
• Windows.db (SystemIndex_1_PropertyStore and associated metadata tables).
• Windows-usn.db (generally lower forensic value).

This artifact excels in recovering evidence of deleted files/folders (via carving slack space, unallocated areas, transaction logs, or shadow copies), validating user activity, corroborating timelines, identifying external/removable media interactions, and surfacing browser history or exfiltration indicators. Records persist even after file deletion if indexed prior, offering resilience against anti-forensic tampering. Registry controls (e.g., HKLM\SOFTWARE\Microsoft\Windows Search) govern scope, encrypted content indexing, and database locations.

Recommended analysis tools

• WinSearchDBAnalyzer: GUI parser with robust deleted record recovery and multi-view analysis (GitHub).
• SIDR (Search Index DB Reporter): Open-source CLI tool supporting both ESE and SQLite; excels at scalable batch processing and CSV/JSON export (Stroz Friedberg/LevelBlue).
• WinEDB_Browser (kacos2000): GUI ESE explorer.
• Thumbcache Viewer: For cross-referencing thumbnails.
• Libesedb (eseinfo/eseexport): Raw table export and carving.
• NirSoft ESE Database View: Raw browsing and CSV export.
• Additional: Windexter, esentutl for dirty shutdown recovery/repair, and custom carving scripts for logs (MSS.log*), unallocated space, and memory.

A recommended entry point remains the SystemIndex_PropertyStore (or equivalent SystemIndex_1_PropertyStore in Windows 11), which encapsulates the preponderance of evidentiary metadata. When handling raw ESE databases, practitioners should first validate shutdown state with esentutl and consider both clean and "dirty" versions for maximal deleted record recovery. This artifact substantially augments traditional DFIR sources such as LNK files, Prefetch, SRUM, and AmCache.

The Extensible Storage Engine (ESE) remains a foundational database technology pervasive across modern Windows operating systems. It underpins critical forensic artifacts including the Windows Search Index (Windows.edb), System Resource Usage Monitor (SRUM – SRUDB.dat), legacy Internet Explorer/EdgeHTML web caches, Microsoft Exchange (*.dit files), and numerous ancillary components such as Windows Update (DataStore.edb), BITS, and User Access Logging (UAL). Unlike legacy Microsoft database formats, ESE was architected for high-concurrency environments with robust crash recovery. It employs a write-ahead logging (WAL) paradigm: transactions are first recorded in memory-resident log buffers, flushed to transaction log files (typically MSS.log, MSSnnnnnn.log, checkpoint MSS.chk, and reserved .jrs files), and eventually merged into the primary database file during checkpoint operations. This design prioritizes performance and recoverability, enabling the engine to handle thousands of simultaneous read/write operations — a necessity for Exchange Server but equally relevant to client-side indexing workloads.

Forensically, this architecture carries profound implications. The transaction logs and in-memory cache frequently represent the most current state of the database, potentially retaining records for hours or days before checkpointing. Logs contain sufficient information to replay transactions and restore the database to a consistent state following crashes, abrupt shutdowns, or live acquisitions. Consequently, ESE databases acquired from live systems or sudden power loss are commonly in a "Dirty Shutdown" state, where uncommitted pages and pending transactions reside outside the main database file. Failure to incorporate these logs results in incomplete evidentiary datasets, particularly missing recent file indexing events, deletions, or metadata updates. Windows ships with the native esentutl.exe utility (located in System32) for diagnosis and remediation:

• esentutl /mh <database>: Dumps the database header, revealing version information, signature, creation/modification timestamps, and crucially, the shutdown state ("Clean Shutdown" vs. "Dirty Shutdown"). It also identifies required log file generations.  
  
  
  
• esentutl /r <logbase> /d: Performs soft recovery (replay of transaction logs) to bring the database to a consistent state. Requires the full complement of relevant log files, checkpoint, and often the database in the same working directory. This is the preferred forensic method as it preserves maximum data fidelity. 
  
  
  
• esentutl /p <database>: Hard repair mode — a destructive last resort that fixes corruption by discarding unreadable pages but explicitly does not replay transaction logs. This results in irreversible loss of records still resident only in logs. 
  
  
  
• Additional switches support integrity checking (/g), checksum verification (/k), defragmentation (/d), and metadata dumping.

Key forensic considerations and best practices

• Always work on working copies; never modify original evidence without documented justification and hashing.
• Collect the entire database directory (.edb, all .log files, .chk, .jrs, temporary files) to maximize recovery potential.
• Perform recovery using esentutl from a matching or compatible Windows version (e.g., Windows 10 analysis machine for a Windows 10-sourced database) to avoid format incompatibilities.
• Dilemma of modification: Traditional read-only forensic workflows conflict with ESE requirements. Analysts must balance completeness against evidence integrity — options include:
  1. Do not fix the database: This approach preserves the original evidence in its acquired state, allowing direct analysis of artifacts such as Windows.edb. However, examiners must acknowledge inherent limitations: the database will lack any uncommitted transactions still resident in the associated transaction logs (.log files), potentially omitting the most recent indexing events, deletions, metadata updates, or content extracts. Many forensic parsers and GUI tools (including certain versions of WinSearchDBAnalyzer or NirSoft utilities) will outright reject dirty-shutdown databases or produce incomplete results. While transaction logs contain recoverable record-level deltas, deletions, and prior versions of PropertyStore entries, no mature, automated open-source tools currently exist for parsing individual ESE log files. Analysts are generally limited to manual inspection via hex editors or low-level carving techniques. In some scenarios, even basic parsing may require at least a soft recovery before tools can reliably interact with the database..
  2. Export a working copy of the complete database directory (including all transaction logs, checkpoint files, and reserved logs) and perform recovery: This method yields the most comprehensive and temporally current dataset by replaying pending transactions into the database, restoring it to a consistent ("Clean Shutdown") state. It enables full compatibility with tools that mandate clean databases, such as Thumbcache Viewer for cross-referencing, advanced ESE parsers, or applications relying on proper table navigation.

Transaction logs themselves hold significant evidentiary value, including historical versions of records and deletion events not yet merged. Advanced practitioners supplement API-based parsing with carving (e.g., from slack space or shadow copies) to recover a more complete timeline. This nuanced handling of ESE artifacts substantially enhances the recovery of deleted files, user activity, browser history, and system telemetry when integrated with complementary sources such as Prefetch, AmCache, SRUM, and LNK files.

One of the most compelling open-source utilities for interrogating the Windows Search Index is WinSearchDBAnalyzer, developed by Jeonghyeon Kim (moaistory). This GUI-based parser excels at surfacing the rich evidentiary payload resident within the ESE database (Windows.edb), rendering otherwise opaque indexed records accessible for comprehensive digital forensic examination. The tool natively supports the ESE format through Windows 10 and is capable of processing both pre-exported database files and performing on-the-fly extraction directly from live systems. It offers granular control over metadata field selection during ingestion, thereby optimizing analysis workflows for specific investigative needs. Notably, WinSearchDBAnalyzer demonstrates significant tolerance for dirty-shutdown ESE databases, although best forensic practice recommends performing a soft recovery with esentutl /r beforehand to maximize data completeness and analytical control.

Following ingestion, the interface provides multiple sophisticated navigation modalities for triaging potentially hundreds of thousands of records:

• Categorization View: Groups entries by file extension, enabling rapid pivoting to high-value formats such as .docx, .pptx, .xlsx, .pdf, .eml, .zip, or .one.
• Folder Hierarchy View: Reconstructs the original logical file system structure, facilitating contextual analysis of directory contents and user organization patterns.
• Tabular Metadata Browser: Displays extensible columns of system and application metadata (e.g., MACB timestamps, System_ItemPathDisplay, System_FileOwner, attributes, and more) that support multi-level sorting and filtering.
• Preview Pane: Renders selected record details, including file system metadata and embedded content excerpts upon selection.
• Keyword Search Functionality: A robust search bar conducts full-text queries across filenames, paths, and crucially, the System_Search_AutoSummary field—the repository of partial file contents. This capability constitutes a significant forensic force multiplier, allowing investigators to surface relevant artifacts from pre-indexed textual content without manually processing each source file.

Content indexing caveats remain operationally significant. The indexer captures only partial content — typically the leading ~1024 bytes for larger files, with fuller extraction reserved for smaller documents and emails. Content indexing is enabled by default for a curated subset of high-value, primarily text-based formats, including .bat, .eml, .xlsx, .js, .one, .pdf, .txt, .docx, .xml, and others. While this represents a powerful capability for recovering fragments of deleted or altered documents, examiners must remain cognizant of these scope limitations when formulating search strategies.

A standout forensic feature is deleted record recovery. The Windows Search service promptly purges entries for deleted files from active tables; however, residual records frequently persist in unallocated space, slack pages, or transaction logs within the ESE database. WinSearchDBAnalyzer’s carving functionality recovers these artifacts, often uncovering metadata, paths, and content snippets associated with long-purged files that are absent from traditional file system artifacts.

In the figure above, a targeted keyword search for “financial” was conducted across the entire corpus of indexed records, encompassing filenames, paths, system metadata, and partial content extracts. This query successfully surfaced a relevant entry corresponding to the file “2024 financial audit.pptx”.

Upon selection of the record, the preview pane populates with comprehensive evidentiary details. These include full file system MACB timestamps (creation, modification, access, and birth/MFT times where available), logical file path (System_ItemPathDisplay), size, attributes, ownership data, and other indexed properties. Most critically, the pane displays the System_Search_AutoSummary field containing the partial content excerpt from the document. Within this indexed content, the search term “financial” is clearly highlighted in context, demonstrating the tool’s ability to leverage Microsoft’s pre-processed textual data for rapid triage.

This integrated presentation of metadata and content snippets exemplifies the forensic value of the Windows Search Index. It enables examiners to corroborate file existence and activity timelines, recover fragments of potentially deleted or altered documents, and efficiently identify high-relevance artifacts without parsing the original source files—particularly advantageous when dealing with large volumes of data or files no longer resident on the active file system. Such capabilities, when combined with deleted record carving, position WinSearchDBAnalyzer as a powerful asset in modern Windows digital forensic examinations.

Jeonghyeon Kim (moaistory) includes several high-value investigative tips—along with an accompanying instructional video — in the tool’s documentation and introduction. These practical heuristics significantly enhance an examiner’s efficiency when interrogating the Windows Search Index:

• Browser and web activity recovery: To surface URLs visited by the user, conduct a keyword search for "http://" or "https://". This reliably uncovers entries originating from Internet Explorer, EdgeHTML, and other applications that feed into the indexer.
• Search engine query extraction: Internet search queries can be efficiently isolated by searching for "q=" or "query=", revealing artifacts from major search providers and internal application queries.
• Temporal filtering: To focus on records associated with a specific timeframe, search for date fragments in ISO-like format, such as "2021-11-" (or analogous patterns for the target period). This leverages the timestamped nature of indexed metadata for rapid timeline scoping.
• Comprehensive review: To display the full dataset without filtering, simply select the “ALL” option. This is particularly useful during initial triage or when establishing baseline corpus size.
• Deleted record recovery: When performing carving operations, ensure the “Unknown” category is explicitly checked. This setting is essential for surfacing records residing in unallocated space or slack areas that lack standard classification.

Analysts should exercise patience when processing a mature Windows Search Database. These artifacts routinely contain hundreds of thousands to over a million records, each carrying extensive metadata fields, partial content, and relational linkages. Regardless of the chosen tool — whether WinSearchDBAnalyzer, SIDR, or raw ESE parsers — operations may exhibit noticeable latency. Pre-recovery of the database with esentutl and selective field extraction can help mitigate resource demands during large-scale analysis.

These techniques, when applied judiciously, transform the Windows Search Index from a passive background service into a potent source of behavioral intelligence, deleted file artifacts, web history, and content remnants.

Windows 11 Search Index Database Changes

Microsoft’s transition to SQLite for the Windows Search Index in version 22H2 (and subsequent builds) represents a notable evolution in artifact architecture. Departing from the proprietary Extensible Storage Engine (ESE) format used through Windows 10, the new implementation leverages SQLite — a format widely regarded as highly forensic-friendly due to its simplicity, structured query support, and robust Write-Ahead Logging (WAL) mechanisms. Research confirms parity in evidentiary fidelity between the legacy and modern schemas, with no substantive loss of metadata, content excerpts, or behavioral artifacts, rendering the change advantageous for digital forensic practitioners.

Deleted records and recent modifications frequently persist in the associated WAL files (Windows.db-wal and Windows-gather.db-wal), offering examiners additional opportunities for recovery even after checkpointing or file system deletions. The standardized, human-readable nature of SQLite further enables manual validation and ad-hoc querying using tools such as DB Browser for SQLite, supplementing automated parsers.

Primary Databases (Windows 11+)

Indexed data resides in the following location: C:\ProgramData\Microsoft\Search\Data\Applications\Windows\

1. Windows-gather.db — Path and Hierarchy Reconstruction

This database furnishes a high-level inventory of all indexed files and folders, supporting full logical path reconstruction through relational linkages.

Key tables and fields in SystemIndex_Gthr:

• ScopeID: Foreign key linking to the SystemIndex_GthrPth table for parent folder resolution.
• DocumentID: Unique sequential identifier for the item; serves as a foreign key to WorkID in the Windows.db SystemIndex_1_PropertyStore table.
• FileName: The name of the indexed file or folder.
• LastModified: Timestamp (Windows FILETIME format, often stored as little-endian hex) reflecting the last modification of the indexed record.

Key fields in SystemIndex_GthrPth:

• Scope: Links back to ScopeID in the Gthr table.
• Parent: Identifier for the immediate parent directory.
• Name: Folder name, enabling hierarchical traversal and full path derivation by recursively resolving parent relationships.

2. Windows.db — Rich Metadata Repository

This database houses the bulk of property-specific metadata for indexed items.

Key tables and fields:

• SystemIndex_1_PropertyStore:
  • WorkID: Unique item identifier (links to DocumentID from gather database).
  • ColumnID: Property type identifier; foreign key mapping to the Metadata table.
  • Value: The actual metadata payload (can be text, integers, blobs, etc.).
• SystemIndex_1_PropertyStore_Metadata:
  • Id: Corresponds to ColumnID; defines the property type.
  • UniqueKey: Descriptive name of the metadata property (e.g., System.ItemPathDisplay, System.DateModified, System.Search.AutoSummary, etc.).

Unlike the flattened column structure in the legacy ESE SystemIndex_PropertyStore, the Windows 11 schema employs a normalized, row-based design where each property for an item appears as a separate row, joined via WorkID and ColumnID. This requires JOIN operations or specialized parsers for comprehensive record reconstruction.

Note: A third database, Windows-usn.db, exists but generally offers limited forensic value and is typically deprioritized.

Forensic advantages of the SQLite implementation include straightforward querying, WAL-based deleted record persistence, and broad tool compatibility (including SIDR for scalable export and manual SQLite viewers for validation). When combined with tools like WinSearchDBAnalyzer (for legacy ESE) or SIDR (cross-version support), examiners gain powerful access to file existence, content fragments, web history, and activity artifacts across Windows 10 and 11 environments.

The figure above originates from the Windows.db database, specifically the SystemIndex_1_PropertyStore table. Observe that multiple rows share an identical WorkID value. This normalized structure indicates that a single indexed item (in this case, the file Katy_letter.docx with WorkID 1392) is represented across numerous records, with each row capturing a distinct metadata property or attribute.

This design yields a rich, multi-faceted evidentiary profile for each item, frequently encompassing file type identifiers, the fully qualified logical path (System.ItemPathDisplay), MACB timestamps, ownership details, attributes, and partial content extracts stored within the System.Search.AutoSummary field.

To decode the semantic meaning of each property, the ColumnID value in SystemIndex_1_PropertyStore must be cross-referenced against the corresponding Id field in the SystemIndex_1_PropertyStore_Metadata table (also resident in Windows.db). The UniqueKey column in the Metadata table provides the human-readable property name (e.g., System.FileExtension, System.ItemPathDisplay, System.Search.AutoSummary, System.DateModified, etc.). This relational mapping is essential for reconstructing complete records and requires JOIN operations or specialized parsing logic.

Costa K. was among the first researchers to publicly document and analyze these architectural changes in Windows 11. Within the README.md of the WinEDB project on GitHub, Costa published several practical SQL queries tailored for the new SQLite schemas. These queries can be directly imported and executed in tools such as DB Browser for SQLite (via the Execute SQL tab), transforming the normalized, row-oriented data into more investigator-friendly, denormalized output suitable for rapid triage and reporting.

This combination of normalized metadata storage and community-provided SQL resources significantly enhances forensic accessibility of the Windows 11 Search Index, enabling precise extraction of file existence, content fragments, web activity, and behavioral artifacts while maintaining compatibility with manual validation workflows.

SIDR (Search Index Database Reporter) stands as a highly effective, production-grade utility for systematically parsing the Windows Search Index artifact. Developed and open-sourced by the Stroz Friedberg (Aon/LevelBlue) DFIR team, it delivers an optimal balance of performance, scalability, and actionable output tailored specifically for digital forensic and incident response workflows.

Written in Rust for speed and reliability, SIDR seamlessly processes both legacy Extensible Storage Engine (ESE) databases (Windows.edb through Windows 10) and the modern SQLite implementations (Windows.db and Windows-gather.db) introduced in Windows 11 22H2+. Its command-line architecture makes it exceptionally well-suited for batch processing across single hosts, enterprise-scale acquisitions, or network-wide collections. The tool integrates natively with the open-source Velociraptor framework, enabling automated, distributed extraction of search index artifacts at scale.

Rather than performing an exhaustive raw dump of every table and property (which can overwhelm analysts with hundreds of thousands of records), SIDR intelligently curates high-value evidentiary data. It generates three focused, investigator-centric reports:

• File Report: This report presents a curated inventory of indexed items, enriched with high-priority metadata. For each entry, it includes the fully qualified logical path (System.ItemPathDisplay), MACB timestamps (creation, modification, access), file size, file owner/SID, partial content excerpts from the System.Search.AutoSummary field, and crucially, the System.Search.GatherTime — the timestamp when the indexer recorded the item in the database. The GatherTime provides an independent temporal anchor, often revealing when a file was first present or last observed on the system, supplementing traditional file system timestamps. The report selectively extracts approximately ten high-value metadata properties out of the hundreds potentially available in the underlying database. Fields such as EXIF GPS coordinates, document author information, word counts, embedded OLE timestamps, or application-specific properties are intentionally omitted for brevity and focus. In cases requiring deeper metadata, examiners should supplement SIDR output with interactive tools such as WinSearchDBAnalyzer (for Windows 10 ESE databases) or direct SQL queries against the normalized SystemIndex_1_PropertyStore tables in Windows 11 SQLite databases.
  
  
  
• Activity History Report: This report delivers one of the richest behavioral insights available from the Search Index. It aggregates multiple System_Activity* metadata properties to reconstruct user interactions, including files opened, the associated application, start and end timestamps, and derived session duration.
  
  As an example, the figure below indicates that specific Microsoft Office documents were accessed via their native applications for brief durations (seconds), painting a nuanced picture of user engagement. User attribution requires extracting the Security Identifier (SID) from the System.ItemUrl field and cross-referencing it with registry hives (e.g., SAM, SOFTWARE) or Security Event Logs to resolve the corresponding account name. Research by the Stroz Friedberg team indicates that Activity History records are not promptly purged when the underlying file is deleted, renamed, or when applications are uninstalled. This persistence can reveal prior file interactions even after deliberate anti-forensic actions, providing resilience in investigations involving data destruction attempts.
  
  
  
• Internet History Report: This report aggregates browser-related artifacts captured by the Search Indexer. Currently, coverage is limited to Internet Explorer and EdgeHTML (via registered protocol handlers), though future expansion could encompass additional applications.

  Key extracted fields include the visited URL, page title, visit timestamp, and the corresponding GatherTime. The report offers an efficient mechanism to survey web activity, particularly valuable when primary browser stores (e.g., WebCachev01.dat or Edge SQLite databases) are unavailable, corrupted, or deleted.

  
  Notable caveat: InPrivate (private browsing) sessions are not indexed, limiting visibility into privacy-conscious user behavior.

Output is available in clean, machine- and human-readable formats (CSV or JSON), with filenames incorporating hostname, report type, and timestamp for streamlined evidence management and multi-system correlation. For advanced users, the report definitions are configurable via a YAML specification within the source code. Customizing output requires recompilation, providing flexibility for specialized investigative requirements while maintaining the tool’s core efficiency.

SIDR’s design philosophy — rapid, scalable, and focused extraction — makes it an indispensable complement to GUI tools such as WinSearchDBAnalyzer (for deep interactive exploration) and manual SQL querying of SQLite schemas. When incorporated into a layered DFIR methodology alongside carving, transaction log analysis, and cross-referencing with SRUM, Prefetch, and AmCache, it substantially strengthens an examiner’s ability to reconstruct user activity, recover deleted file evidence, and uncover behavioral intelligence from the Windows Search Index.

The Gatherer component forms a critical operational pillar of the Windows Search service. It is responsible for enumerating and queuing candidate items for subsequent indexing. The gatherer leverages the NTFS USN Journal (Update Sequence Number Journal) to efficiently detect file system modifications in real time, identifying new, modified, or deleted items that warrant processing.

Candidate items are those residing within user-configured indexing scopes (primarily the user profile and application-specific locations) and lacking the FANCI (File Attribute Not Content Indexed) flag. Once identified, these candidates are serialized into Gather Logs—plaintext files with a .gthr extension—serving as a transactional to-do list for the indexer. Gathered logs are stored in:

C:\ProgramData\Microsoft\Search\Data\Applications\Windows\GatherLogs\SystemIndex\

• Each .gthr file typically captures approximately 24 hours of gatherer activity.
• The folder generally retains logs covering a rolling window of less than one week.
• Deleted or older logs can often be recovered through carving of unallocated space or Volume Shadow Copies, extending their forensic utility.

While relatively lightweight compared to the primary ESE or SQLite databases, Gather Logs offer targeted evidentiary insights:

• Full logical paths of files queued for indexing (including transient or deleted items that may no longer exist on the active file system).
• Temporal inference of file system activity via the creation and modification timestamps of the .gthr files themselves, providing a coarse timeline of when batches of items entered the indexing pipeline.
• Limited additional metadata, making them a supplementary rather than primary artifact.

Sophisticated malware often employs staging techniques — dropping an initial payload into a temporary directory within the user profile, downloading a secondary stage to a more persistent location, and subsequently deleting the original files to evade detection. The Gather Logs can capture the transient staging activity, revealing file paths and timing that might otherwise be absent from the main Windows.edb / Windows.db indexes or traditional file system artifacts.

In practice, examiners should incorporate Gather Log analysis into a layered approach alongside the primary Search Index databases, USN Journal parsing ($UsnJrnl), transaction logs, and deleted record carving. Although modest in scope, these logs frequently serve as a valuable corroborative source for reconstructing short-lived file system events and identifying anti-forensic behaviors.