esedb-records

Retrieves records from a specified table in an ESE (Extensible Storage Engine) database file. Assigns values from each record to output fields based on the column definitions of the table.

Command properties

Syntax

Options

table=STR

Name of the ESE database table whose records to retrieve

Target

FILE_PATH

Path to the ESE database file to query. You can use a wildcard (*) to specify multiple files.

Output fields

Error codes

Parse errors

Runtime errors

Description

The esedb-records command opens an ESE database file and retrieves all records from the specified table. ESE is the built-in database engine used in Windows operating systems, and is used in various Windows artifacts such as the Internet Explorer browsing history (WebCacheV01.dat) and the Windows Search index (Windows.edb).

Output fields are generated dynamically based on the table's column definitions, in addition to the fixed _file and _table fields. Fields follow the order of _file, _table, and then the columns in the table.

Use the esedb-columns command to check the column structure of a table before querying its records.

Examples

1. Retrieve records from a table in an ESE database

   esedb-records table=Containers /opt/logpresso/evidence/WebCacheV01.dat
   

   Retrieves all records from the Containers table in the WebCacheV01.dat file.

2. Retrieve records from multiple ESE database files

   esedb-records table=SystemIndex_PropertyStore /opt/logpresso/evidence/*.edb
   

   Retrieves records from the SystemIndex_PropertyStore table in all EDB files in the specified directory.

3. Filter records by a specific condition

   esedb-records table=Containers /opt/logpresso/evidence/WebCacheV01.dat
   | search Name == "*History*"
   

   Filters only records whose name contains History from the Containers table.