We are all wary of people who invade our privacy, especially when it comes to our browsing habits. Most people using IE just clear the cookies, temporary internet files and browsing history under Tools -> Internet Options. But does that really clear everything? The answer is no.

Welcome to Index.dat

IE maintains index.dat files for your temporary internet files, cookies and browser history. The locations are as follows:

  • \Documents and Settings\\Local Settings\Temporary Internet Files\Content.IE5\
  • \Documents and Settings\\Cookies\
  • \Documents and Settings\\Local Settings\History\History.IE5\

Index.dat is a binary (non-human-readable) file. These files index your temporary internet files and cookies against the URLs you visited. The format is proprietary to Microsoft, but there are tools that can parse it into human-readable form. The best open source tool in the market is pasco, developed by Keith Jones, author of Real Digital Forensics. In this blog, we will take a closer look at the format of index.dat and at how to use the successor of pasco, Web Historian.

Index.dat: Header
The header consists of the following:

  • First 27 bytes: Client UrlCache MMF Ver 5.2
  • 28th byte: 0x00 (the string is NULL terminated)
  • 29-32th byte: the file size (stored little endian, so reverse the byte order to read it)
  • 32-36th byte: the offset of the HASH table (more on that later)
  • Directory listing of all the directories containing the temp inet files, at offset 0x50; 12 bytes in size

As an example, look at the picture below:

The first 28 bytes are the null-terminated string Client UrlCache MMF Ver 5.2.
The next four bytes are the hex string 00C0 0100, which when converted from little endian gives 0001 C000, equivalent to 114688 bytes.
The next four bytes are the offset to the hash table, 0050 0000, which gives 0x5000.

Then come the directory names: N2L6K2BN, 0PE341MV, CD1JKLMN, S9MJSH6B
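
The header walk-through above can be reproduced with a short parser. This Python is an added example, not code from the original post or from pasco; the sample file is constructed from the values in the walk-through, and the parser assumes the 8-character directory name sits in the first 8 bytes of each 12-byte slot at 0x50.

```python
import struct

SIGNATURE = b"Client UrlCache MMF Ver 5.2\x00"  # 27 characters + NUL = 28 bytes
DIR_TABLE_OFFSET = 0x50  # from the post
DIR_SLOT_SIZE = 12       # from the post
DIR_NAME_LEN = 8         # assumption: name is the first 8 bytes of each slot


def parse_header(data: bytes) -> dict:
    """Parse the index.dat header fields described in the post."""
    if len(data) < DIR_TABLE_OFFSET:
        raise ValueError("buffer too short for an index.dat header")
    if data[:28] != SIGNATURE:
        raise ValueError("bad signature: not a Ver 5.2 index.dat")
    # Two consecutive little-endian 32-bit values follow the signature.
    file_size, hash_offset = struct.unpack_from("<II", data, 28)
    dirs, pos = [], DIR_TABLE_OFFSET
    while pos + DIR_NAME_LEN <= len(data):
        name = data[pos:pos + DIR_NAME_LEN]
        if not name.isalnum():
            break  # first slot that is not a directory name ends the list
        dirs.append(name.decode("ascii"))
        pos += DIR_SLOT_SIZE
    return {
        "file_size": file_size,
        "hash_offset": hash_offset,
        "directories": dirs,
        # A mismatch here suggests a truncated or carved copy of the file.
        "size_matches": file_size == len(data),
        "hash_offset_in_file": hash_offset < min(file_size, len(data)),
    }


def build_sample() -> bytes:
    """Constructed header using the values from the post's walk-through."""
    buf = bytearray(0x1C000)  # 114688 bytes, zero-filled
    buf[:28] = SIGNATURE
    buf[28:36] = bytes.fromhex("00C00100" "00500000")
    for i, name in enumerate([b"N2L6K2BN", b"0PE341MV", b"CD1JKLMN", b"S9MJSH6B"]):
        start = DIR_TABLE_OFFSET + i * DIR_SLOT_SIZE
        buf[start:start + DIR_NAME_LEN] = name
    return bytes(buf)


if __name__ == "__main__":
    print(parse_header(build_sample()))
```

The two boolean fields are sanity checks for evidence handling: a declared size that differs from the bytes on disk, or a hash table offset past the end, means the copy is incomplete.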

Index.dat: Hash table
to be continued…

References: Whitepaper from Keith Jones,
