forensicate.net

notes from the trenches


CBS Forensic Toolkit

Table of Contents
  1. IndexedDB (LevelDB)
  2. WebView2 disk cache
  3. AppsIndex.db (SQLite)
  4. Investigative Value
  5. References
Repository: exfiltrace-labs/cbs_parser (public GitHub repository, written in Python)

The CBS Forensic Toolkit parses forensic artifacts from the Windows Start Menu search subsystem.

The Windows 11 Start Menu is not the simple program launcher it once was. It is a search-driven interface powered by a dedicated UWP package, MicrosoftWindows.Client.CBS_cw5n1h2txyewy (the “CBS package”), which maintains its own local data stores to serve search results, track user preferences, and cache web content. In doing so, it quietly produces a collection of forensic artifacts that existing tools do not parse.

CBS Forensic Toolkit extracts three such artifact sources from the CBS package, each with meaningful forensic value.

IndexedDB (LevelDB)

A Chromium IndexedDB store that records Start Menu search interactions: what the user typed, what they launched or previewed, and when. Records include timestamps, cumulative launch counts, and the user’s exact keystrokes (typos included).
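To show what reading this store involves at its lowest layer, the following is an added example (it is not code from this page or from the cbs_parser project) that decodes a LevelDB write-ahead log (a `.log` file) into the put and delete operations it records, which is the raw material an IndexedDB parser works from. The sample log bytes are constructed inside the block with zeroed checksums; the hypothetical `search:N` keys stand in for real IndexedDB records, whose binary key prefix (database and object-store ids) is not decoded here.

```python
import struct

# LevelDB physical log layout (db/log_format.h): 32 KiB blocks; each fragment
# carries a 7-byte header of CRC32C (4), payload length (2) and type (1).
BLOCK_SIZE = 32768
HEADER_SIZE = 7
FULL, FIRST, MIDDLE, LAST = 1, 2, 3, 4
TAG_DELETION, TAG_VALUE = 0, 1          # write-batch op tags (db/dbformat.h)


def _read_varint(buf, pos):
    """Decode a LEB128 varint at pos; return (value, position after it)."""
    result, shift = 0, 0
    while True:
        b = buf[pos]
        pos += 1
        result |= (b & 0x7F) << shift
        if not b & 0x80:
            return result, pos
        shift += 7


def iter_log_records(data):
    """Reassemble logical records from FULL / FIRST+MIDDLE*+LAST fragments.
    Checksums are not verified here; a forensic parser should flag mismatches."""
    pos, pending = 0, b""
    while pos + HEADER_SIZE <= len(data):
        left_in_block = BLOCK_SIZE - (pos % BLOCK_SIZE)
        if left_in_block < HEADER_SIZE:     # trailer too small for a header: padding
            pos += left_in_block
            continue
        _crc, length, rtype = struct.unpack_from("<IHB", data, pos)
        pos += HEADER_SIZE
        payload = data[pos:pos + length]
        pos += length
        if rtype == FULL:
            yield payload
        elif rtype == FIRST:
            pending = payload
        elif rtype == MIDDLE:
            pending += payload
        elif rtype == LAST:
            yield pending + payload
            pending = b""
        else:                               # type 0: preallocated zero space
            return


def parse_write_batch(rec):
    """Decode one batch: 8-byte sequence number, 4-byte op count, then the ops."""
    seq, count = struct.unpack_from("<QI", rec, 0)
    pos, ops = 12, []
    for i in range(count):
        tag = rec[pos]
        pos += 1
        klen, pos = _read_varint(rec, pos)
        key = rec[pos:pos + klen]
        pos += klen
        if tag == TAG_VALUE:
            vlen, pos = _read_varint(rec, pos)
            value = rec[pos:pos + vlen]
            pos += vlen
            ops.append((seq + i, "put", key, value))
        else:
            ops.append((seq + i, "del", key, None))   # tombstone: key was deleted
    return ops


def recover_operations(data):
    """Every put/delete in a .log file, in commit order (deletions included)."""
    ops = []
    for rec in iter_log_records(data):
        ops.extend(parse_write_batch(rec))
    return ops


# --- Constructed sample input (the encoder exists only to build test data) ---
def _varint(n):
    out = bytearray()
    while n >= 0x80:
        out.append((n & 0x7F) | 0x80)
        n >>= 7
    out.append(n)
    return bytes(out)


def build_write_batch(seq, ops):
    body = struct.pack("<QI", seq, len(ops))
    for kind, key, value in ops:
        if kind == "put":
            body += b"\x01" + _varint(len(key)) + key + _varint(len(value)) + value
        else:
            body += b"\x00" + _varint(len(key)) + key
    return body


def build_log(records, fragment):
    """Write records as fragments of at most `fragment` bytes; CRC field left 0."""
    out = bytearray()
    for rec in records:
        chunks = [rec[i:i + fragment] for i in range(0, len(rec), fragment)]
        for idx, chunk in enumerate(chunks):
            if len(chunks) == 1:
                rtype = FULL
            elif idx == 0:
                rtype = FIRST
            elif idx == len(chunks) - 1:
                rtype = LAST
            else:
                rtype = MIDDLE
            out += struct.pack("<IHB", 0, len(chunk), rtype) + chunk
    return bytes(out)


# Hypothetical keys/values standing in for IndexedDB search records.
SAMPLE_LOG = build_log([
    build_write_batch(100, [("put", b"search:1", b"calcu"), ("put", b"search:2", b"notepd")]),
    build_write_batch(102, [("del", b"search:1", None)]),
], fragment=20)

if __name__ == "__main__":
    for seq, op, key, value in recover_operations(SAMPLE_LOG):
        print(seq, op, key, value)
```

The small fragment size in the sample forces the FIRST/MIDDLE/LAST path, which is the part most ad-hoc parsers get wrong. The deletion at sequence 102 is the forensically interesting case: the log still carries the key after the application removed it, so the write-ahead log can expose entries that no longer exist in the live database.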

WebView2 disk cache

Cached Bing search queries triggered by typing into the Start Menu search box. The cached URLs carry rich query parameters revealing the user’s search terms, the method of query formation (typed vs. suggestion), session identifiers, and geographic metadata, all produced without the user ever opening a browser.
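As an added example (not the page's or the project's code), the block below carves bing.com URLs out of raw cache bytes and splits their query strings into the fields the paragraph describes. The cache bytes, endpoint paths and `form` values are constructed placeholders, and the parameter names used (`q`, `form`, `cvid`, `cc`, `setlang`) follow common Bing query strings but are assumptions that must be confirmed against a real WebView2 cache before being relied on.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Carve any bing.com URL out of raw bytes; a URL ends at NUL, whitespace or quotes.
BING_URL_RE = re.compile(rb"https?://[A-Za-z0-9.\-]*bing\.com/[^\x00\s\"'<>]+")

# Constructed sample: binary header noise around two cached request keys.
# Paths and 'form' values are placeholders; parameter names are assumptions.
SAMPLE_CACHE = (
    b"\x30\x5c\x72\xa1\xc0\xeb\x9d\x00\x00\x00\x00"
    b"https://www.bing.com/AS/Suggestions?q=calcu&form=TYPED-PLACEHOLDER"
    b"&cvid=0123abcd&cc=US&setlang=en-US\x00"
    b"\x00\x01\x02" + b"\xff" * 8 +
    b"https://www.bing.com/search?q=outlook%20not%20syncing&form=SUGGEST-PLACEHOLDER"
    b"&cvid=0123abcd&cc=US&setlang=en-US\x00"
)


def carve_bing_urls(data):
    """Return every bing.com URL found in the raw bytes, in file order."""
    return [m.group(0).decode("ascii", errors="replace") for m in BING_URL_RE.finditer(data)]


def summarize_query_url(url):
    """Break one cached URL into the fields an examiner cares about."""
    parts = urlsplit(url)
    params = parse_qs(parts.query, keep_blank_values=True)

    def first(name):
        return params.get(name, [None])[0]

    return {
        "endpoint": parts.path,
        "query": first("q"),          # the user's search terms, percent-decoded
        "form": first("form"),        # assumed to encode how the query was formed
        "session": first("cvid"),     # assumed session identifier
        "country": first("cc"),       # assumed geographic metadata
        "language": first("setlang"),
    }


def analyze_cache(data):
    return [summarize_query_url(u) for u in carve_bing_urls(data)]


def group_by_session(records):
    """Cluster the queries that share one session id, preserving cache order."""
    sessions = {}
    for rec in records:
        sessions.setdefault(rec["session"], []).append(rec["query"])
    return sessions


if __name__ == "__main__":
    records = analyze_cache(SAMPLE_CACHE)
    for rec in records:
        print(rec)
    print(group_by_session(records))
```

Carving by regex rather than walking the cache's own index keeps the approach usable on partially overwritten or orphaned cache files, at the cost of losing the per-entry metadata the index would supply; grouping by session id is what lets a series of autocomplete fragments be read as one search rather than several.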

AppsIndex.db (SQLite)

A SQLite database of applications indexed by the Start Menu with cumulative launch counts that reflect execution from any source, not just the Start Menu itself. This provides a distinct vantage point compared to UserAssist, which tracks only Explorer shell-based launches.

Investigative Value

On Windows 11, the long-standing WordWheelQuery registry artifact, which previously recorded user search terms in File Explorer and the Start Menu, is no longer populated.

The CBS package artifacts partially fill that gap, providing insight into user search behaviour that would otherwise be lost on modern Windows systems.

Together, these artifacts can establish evidence of program execution, reveal user search intent, and corroborate or challenge findings from traditional artifacts such as UserAssist, Prefetch, and AmCache.

There is still a lot of research to be done, along with additional testing, validation, and refinement, but the early findings from this tool's initial development are promising.

References