An important location in Windows to look for deleted records. Windows search index database forensics.

Analyse Windows.edb to parse normal records and recover deleted records.

Step 1 : (Stop SearchIndexer in order to copy windows.edb file):Run PowerShell as Administrator and run this command:Get-Process | Stop-Process | SearchIndexer

Select [A]

Step 2:In PowerShell Copy the windows.edb file to an external drive or other locationcopy C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Windows.edb D:\FolderName

Step 3:Download WinSearchDBAnalyzer by Jeonghyeon Kim (Get link from google)