This script parses Catalog*.edb Extensible Storage Engine (ESE) database files maintained by the Windows File History feature. In addition to the standard ESE system tables, each Catalog*.edb file will contain the following tables:
Of these tables, string, namespace, and file are most likely to be of interest to the examiner.

string - This table is used to deduplicate the folder paths and file names referenced by the file and namespace tables.

namespace - This table tracks the path, name, and metadata of files that have been backed up. Given that File History is aimed at backing up files in the user's profile, the path of each file will usually be prefixed with ?UP.

file - This table tracks the path and name of each file contained within the backup set. The fileRecordId column in the namespace table is joined to the id column in the file table. For the reasons given below, multiple namespace records may point to the same file record.

Use of the script may prove particularly useful when examining backup disks in isolation. The reasons for this are two-fold.
Firstly, to save time and disk space, File History does not duplicate or move files unnecessarily. Accordingly, if a file that has already been backed up is moved to a different folder and/or renamed, its name and physical location in the backup volume won't change, but a record documenting its new location and/or name will be added to the namespace table in the Catalog*.edb file. That record includes the update sequence number (USN) associated with the change, i.e., the USN logged in the source volume's $UsnJrnl:$J change journal. If the source volume isn't available, the Catalog*.edb file may prove invaluable in determining the current location/name of the file and its provenance. It might, for example, show that whilst the file was originally downloaded into the user's Downloads folder, it was then renamed and moved into another profile folder, thus indicating guilty knowledge.
Secondly, File History limits the path length of files written to the backup volume, such that files whose path exceeds the designated limit are written to an overflow folder called $OF. During this process, the path of the source folder and the name of the file are replaced by numeric identifiers, each of which references a string in the string table of the Catalog*.edb file. Without the latter it may prove difficult, if not impossible, to identify the paths and names of files stored in the overflow folder.
The script writes its output to a SQLite database file containing replicated copies of the aforementioned tables plus four views. The two primary views contain the same information, but in a different order:

view_backup_items_order_by_backup_item
view_backup_items_order_by_fileId_and_usn

The first view makes it easier to browse backed-up items grouped by path. The second makes it easier to determine the provenance of a given file, e.g., whether it has been renamed and/or moved.
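The following is an added example, not the script's own code, showing how the three tables fit together once replicated into SQLite: the namespace-to-file join that the two views are built on, how a file renamed and moved after its first backup produces two namespace records against one file record (distinguished by USN), and how the numeric identifiers of an $OF entry are turned back into a source folder and file name. Only namespace.fileRecordId and file.id are taken from the page; the remaining column names (parentId/childId as string-table references, usn), the $OF\<folder-id>\<name-id> layout, the sample records and the backup-volume file naming are assumptions made for this example, and the real tables carry more columns than are modelled here.

```python
import sqlite3

# Only namespace.fileRecordId and file.id are taken from the page. The other
# column names (parentId/childId as string-table references, usn) and the
# $OF\<folder-id>\<name-id> layout are ASSUMPTIONS for this example; the real
# Catalog*.edb tables carry more columns than are modelled here.
SCHEMA = """
CREATE TABLE string    (id INTEGER PRIMARY KEY, string TEXT NOT NULL);
CREATE TABLE file      (id INTEGER PRIMARY KEY, parentId INTEGER NOT NULL,
                        childId INTEGER NOT NULL);
CREATE TABLE namespace (id INTEGER PRIMARY KEY, parentId INTEGER NOT NULL,
                        childId INTEGER NOT NULL, fileRecordId INTEGER NOT NULL,
                        usn INTEGER NOT NULL);
"""

# Shared join: each namespace record resolved to its source path/name and to the
# backup-volume location of the file record it points at.
JOINED = """
SELECT n.id AS namespaceId, n.fileRecordId AS fileId, n.usn,
       sp.string AS sourcePath, sn.string AS sourceName,
       bp.string AS backupPath, bn.string AS backupName
FROM namespace n
JOIN file   f  ON f.id  = n.fileRecordId
JOIN string sp ON sp.id = n.parentId
JOIN string sn ON sn.id = n.childId
JOIN string bp ON bp.id = f.parentId
JOIN string bn ON bn.id = f.childId
"""

# Same rows, two orders: by location in the backup set, and by file record + USN.
VIEWS = f"""
CREATE VIEW view_backup_items_order_by_backup_item AS
{JOINED} ORDER BY backupPath, backupName, usn;
CREATE VIEW view_backup_items_order_by_fileId_and_usn AS
{JOINED} ORDER BY fileId, usn;
"""

# Constructed sample records (not taken from a real catalog).
STRINGS = [
    (1, r"?UP\Downloads"),
    (2, "invoice.pdf"),
    (3, r"?UP\Documents\Private"),
    (4, "statement.pdf"),
    (5, r"Data\?UP\Downloads"),       # backup-volume folder of file record 1 (assumed layout)
    (6, "invoice (2023_01_15 10_00_00 UTC).pdf"),
    (7, r"?UP\Documents\Projects\2023\Quarterly reporting pack\Drafts for review"),
    (8, "Q3 consolidated management accounts with appendices and commentary v7 FINAL.xlsx"),
    (9, r"$OF\7"),                    # overflow folder: the folder string id is the name on disk
    (10, "8"),                        # overflow file: the name string id is the name on disk
]
FILES = [(1, 5, 6), (2, 9, 10)]       # (id, parentId, childId)
NAMESPACE = [                         # (id, parentId, childId, fileRecordId, usn)
    (1, 1, 2, 1, 1000),               # invoice.pdf first seen in Downloads
    (2, 3, 4, 1, 2500),               # later renamed and moved: same file record, newer USN
    (3, 7, 8, 2, 1800),               # path too long for the backup volume, written to $OF
]


def build_catalog_db(path=":memory:"):
    """Create the replicated tables and the two views, populated with the sample rows."""
    conn = sqlite3.connect(path)
    conn.executescript(SCHEMA + VIEWS)
    conn.executemany("INSERT INTO string VALUES (?, ?)", STRINGS)
    conn.executemany("INSERT INTO file VALUES (?, ?, ?)", FILES)
    conn.executemany("INSERT INTO namespace VALUES (?, ?, ?, ?, ?)", NAMESPACE)
    conn.commit()
    return conn


def list_backup_items(conn):
    """Rows of the first view: browse the backup set grouped by backup-volume path."""
    return conn.execute("SELECT * FROM view_backup_items_order_by_backup_item").fetchall()


def provenance(conn, file_id):
    """Every (usn, sourcePath, sourceName) a file record has carried, oldest USN first.
    More than one row means the file was renamed and/or moved after its first backup."""
    return conn.execute(
        "SELECT usn, sourcePath, sourceName FROM view_backup_items_order_by_fileId_and_usn "
        "WHERE fileId = ? ORDER BY usn", (file_id,)).fetchall()


def resolve_overflow(conn, physical_path):
    """Map an $OF path back to (source folder, file name) via the string table.
    The $OF\\<folder-id>\\<name-id> layout is an assumption for this example."""
    parts = physical_path.split("\\")
    if len(parts) != 3 or parts[0] != "$OF" or not all(p.isdigit() for p in parts[1:]):
        raise ValueError("not an overflow path of the assumed form: " + physical_path)
    row = conn.execute(
        "SELECT a.string, b.string FROM string a, string b WHERE a.id = ? AND b.id = ?",
        (int(parts[1]), int(parts[2]))).fetchone()
    if row is None:
        raise LookupError("no string-table entry for one of the ids in " + physical_path)
    return row


if __name__ == "__main__":
    db = build_catalog_db()
    for row in list_backup_items(db):
        print(row)
    print("history of file record 1:", provenance(db, 1))
    print("$OF\\7\\8 was:", resolve_overflow(db, r"$OF\7\8"))
```

Run against a real catalog, the same queries would be issued against the script's SQLite output rather than the constructed rows above; the provenance query is the one to reach for when only the backup disk is available, since the source volume's change journal is not.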
It's important to note that the records read from each table are held in memory before being written to the SQLite database file. Accordingly, this script is not suited to parsing very large Catalog*.edb files.
Feedback can be monitored via the console.
First release.