Dashboard
Overview of loaded SearchIndex artefacts from
windows.db.
Index Summary
High level statistics for the current dataset.
📌 Total items: —
📁 Files: —
🔗 URLs: —
📧 Emails: —
🖼 Pictures: —
📦 Other: —
⏳ Date range (any timestamp):
• First seen (UTC): —
• Last seen (UTC): —
Quick Forensic Notes
Suggested pivot points for your case.
• Pivot by DateModifiedUTC to align with file system activity.
• Compare GatherTimeUTC vs. created/modified times to show
when Search first saw an artefact.
• Use Timeline view to see bursts of index changes across days.
• Use Item Details to review all timestamps for a single WorkId / DocumentID.
windows.db Explorer
View decoded timestamps, item paths and names derived from the Windows Search index.
Load windows.db
Paste the full path to a copied
windows.db file and process it with your SQL.
Indexed Items
Visible: 0
Page 0 / 0
windows-gather.db Explorer
Inspect gatherer activity, reconstructed scope paths and DocumentID mappings from windows-gather.db.
Load windows-gather.db
Paste the full path to a copied
windows-gather.db file and process it with your SQL.
Gathered Items
Visible: 0
No gather rows loaded yet. Open a
windows-gather.db to begin.
Page 0 / 0
Timeline
Visualise indexed activity per day across all timestamp columns for the current results.
Timeline chart (current view)
Scope:
Usage Hint
• This chart updates automatically based on whatever rows are visible in
windows.db Explorer (including bookmarks-only mode and filters).
• Each line represents a different timestamp type (Accessed, Modified, Created, Gathered, etc.)
with counts per day.
• Use it to spot bursts of email, document edits, web links, or photo activity
and line them up against case events.
Item Details
Full timestamp set and identifiers for a selected record.
Selected Item
WorkId: —
Later we can hook row-click in the grid and load full details here (all timestamps for that WorkId).
Export
Prepare CSV/JSON extracts for reports or further analysis.
Export Options
What will be exported?
📤 Export
• If Current page only is selected, exports only the items currently visible in the results table.
• If All filtered results is selected, exports every row that matches your current keyword filter.
• Applies your format choice (CSV or JSON), field options, and the selected timestamp format (UTC vs Local).
• If Current page only is selected, exports only the items currently visible in the results table.
• If All filtered results is selected, exports every row that matches your current keyword filter.
• Applies your format choice (CSV or JSON), field options, and the selected timestamp format (UTC vs Local).
⭐ Export bookmarked items
• Exports only files you marked as important during review.
• Includes optional notes and selected raw metadata values.
• Best for evidence extraction, case files, or investigation packs.
• Exports only files you marked as important during review.
• Includes optional notes and selected raw metadata values.
• Best for evidence extraction, case files, or investigation packs.
Settings / About
Basic preferences and a quick description of what SearchTrace Explorer is for.
Preferences
Default timestamp column for sorting
Theme
About SearchTrace Explorer
SearchTrace Explorer is a forensic-focused viewer for
windows.db (and later windows-gather.db).
It combines:
- Decoded FILETIME timestamps
- Heuristic path & name reconstruction
- Timeline-style activity overview
- Export-ready result sets for reports
You can safely point it at copies of evidence databases to avoid altering live systems.