https://github.com/strozfriedberg/sidr
Search Index Database Reporter
- Host: GitHub
- URL: https://github.com/strozfriedberg/sidr
- Owner: strozfriedberg
- License: other
- Created: 2023-03-20T20:52:56.000Z (over 3 years ago)
- Default Branch: main
- Last Pushed: 2025-10-28T22:52:37.000Z (8 months ago)
- Last Synced: 2025-10-29T00:32:45.096Z (8 months ago)
- Topics: dfir, forensics, windows
- Language: Rust
- Size: 11.4 MB
- Stars: 120
- Watchers: 3
- Forks: 9
- Open Issues: 1
Metadata Files:
- Readme: README.md
- License: LICENSE
README
# Search Index DB Reporter (SIDR)
SIDR (Search Index DB Reporter) is a Rust-based tool designed to parse Windows search artifacts from Windows 10 (and prior) and Windows 11 systems.
The tool handles both ESE databases (Windows.edb) and SQLite databases (Windows.db) as input and generates three detailed reports as output.
### Quick Links
* [Usage](#usage)
* [Example](#example)
* [Building](#building)
* [Copyright](#copyright)
### Usage
```
Usage: sidr [OPTIONS]

Arguments:
        Path to input directory (which will be recursively scanned for Windows.edb and Windows.db)

Options:
  -f, --format
        Output report format
        [default: json]
        [possible values: json, csv]
  -r, --report-type
        Output results to file or stdout
        [default: to-file]
        [possible values: to-file, to-stdout]
  -o, --outdir
        Path to the directory where reports will be created (will be created if not present). Default is the current directory
  -h, --help
        Print help (see a summary with '-h')
  -V, --version
        Print version
```
### Example
`> sidr -f json C:\test`
will recursively scan the `C:\test` directory for `Windows.db` and `Windows.edb` files and will produce three report files in the current working directory:
* `DESKTOP-12345_File_Report_20230307_015244.json`
* `DESKTOP-12345_Internet_History_Report_20230307_015317.json`
* `DESKTOP-12345_Activity_History_Report_20230307_015317.json`
Where the filename follows this format:
`HOSTNAME_ReportName_DateTime.json|csv`
`HOSTNAME` is extracted from the database.
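When SIDR has been run against several evidence sets, the resulting report files all land in one directory and need to be sorted back into per-host groups. The following script is an added example, not part of the SIDR project: it parses the `HOSTNAME_ReportName_DateTime.json|csv` naming scheme described above, groups the files by hostname and flags hosts for which one of the three reports is missing. It assumes the `DateTime` part is `YYYYMMDD_HHMMSS` (as in the filenames above) and that the report name is one of the three listed; matching the report name against that fixed list keeps a hostname that itself contains underscores from being split incorrectly. The sample filenames at the bottom are constructed for the example.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from pathlib import Path

# The three report names SIDR emits, as listed in the README example above.
REPORT_NAMES = ("File_Report", "Internet_History_Report", "Activity_History_Report")

# HOSTNAME_ReportName_YYYYMMDD_HHMMSS.json|csv (assumed timestamp layout, taken from the
# example filenames). The report name is matched against the known list so that a
# hostname containing underscores cannot be mis-split.
_PATTERN = re.compile(
    r"^(?P<host>.+?)_(?P<report>" + "|".join(REPORT_NAMES) + r")_"
    r"(?P<stamp>\d{8}_\d{6})\.(?P<ext>json|csv)$"
)


@dataclass(frozen=True)
class ReportFile:
    host: str
    report: str
    generated: datetime
    fmt: str
    path: str


def parse_report_name(path):
    """Return a ReportFile for a SIDR report filename, or None if it does not match."""
    name = Path(path).name
    m = _PATTERN.match(name)
    if m is None:
        return None
    try:
        stamp = datetime.strptime(m.group("stamp"), "%Y%m%d_%H%M%S")
    except ValueError:  # digits of the right shape but not a real date/time
        return None
    return ReportFile(m.group("host"), m.group("report"), stamp, m.group("ext"), str(path))


def group_by_host(paths):
    """Map hostname -> list of ReportFile, oldest first; files that are not SIDR reports are skipped."""
    groups = defaultdict(list)
    for p in paths:
        rf = parse_report_name(p)
        if rf is not None:
            groups[rf.host].append(rf)
    for rfs in groups.values():
        rfs.sort(key=lambda r: r.generated)  # stable sort keeps same-second files in input order
    return dict(groups)


def missing_reports(reports):
    """Report names expected for a host but absent from the given list."""
    present = {r.report for r in reports}
    return [n for n in REPORT_NAMES if n not in present]


# Constructed sample: the three names from the README, a second (hypothetical) host whose
# name contains underscores, and an unrelated file that must be ignored.
SAMPLE = [
    "out/DESKTOP-12345_File_Report_20230307_015244.json",
    "out/DESKTOP-12345_Internet_History_Report_20230307_015317.json",
    "out/DESKTOP-12345_Activity_History_Report_20230307_015317.json",
    "out/LAB_PC_01_File_Report_20230308_101500.csv",
    "out/notes.txt",
]

if __name__ == "__main__":
    for host, rfs in group_by_host(SAMPLE).items():
        print(host, [r.report for r in rfs], "missing:", missing_reports(rfs))
```

Note that the three reports of one run do not necessarily share a timestamp (in the example above the file report is generated some seconds before the other two), so the grouping key is the hostname alone rather than the full `HOSTNAME_DateTime` prefix.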
### Building
Building SIDR requires [Rust](https://rustup.rs) to be installed.
To build SIDR:
```
$ git clone https://github.com/strozfriedberg/sidr.git
$ cd sidr
$ cargo build --release
$ ./target/release/sidr --version
sidr 0.8.0
```
### Running with cargo
`cargo run --bin sidr -- -f csv --report-type to-file /home//path/to/tests_s`
### Velociraptor Plugin
The `velosidr.yaml` file can be used to configure a Velociraptor plugin that will run SIDR on a target system.
Note: In order to parse the database on the target endpoint, the SIDR plugin must create an empty database and copy the original database to it. Creating the new copy can overwrite multiple gigabytes of data in unallocated clusters, which may result in loss of evidence. Please use the plugin with caution.
### Copyright
Copyright 2025, LevelBlue. SIDR is licensed under the Apache License, Version 2.0.