Understanding index.dat Files

Determining Source of Fragments in Unallocated Space

Part 1

Return to Main Forensics Help Page

The "index.dat" file is a database file used to manage, among other things, MSIE browser functions.  There is an "index.dat" in the cookie folder, one in the "history" folder, one in each daily history folder, one in each weekly history folder, and one sitting at the root of the Content.IE5 folder under Temporary Internet Files (Cache Folder).

Their location clearly sets forth their function when they exist as a logical file.  However, when these files find their way into the unallocated clusters, it can be difficult to figure out the source.  For any index.dat file fragments found, locate the characters "URL" (see note below).  Starting at "U", sweep 104 bytes.  The byte that follows, byte offset 105, is the beginning of a field that will easily identify the source of your index.dat file fragment.  Here is a listing of the data you may expect to find.  Under each hyperlink is an example of each in EnCase.

Cookie Index.dat
Starting at byte offset 105:   Cookie:[username]@[website URL]. Ends in hex 00

History File
Starting at byte offset 105:   [username]@[website URL]. Ends in hex 00

Daily History Index.dat
Starting at byte offset 105:   :[date range]: [username]@[website URL]. Ends in hex 00  (if date range covers a day, it's a daily history)

Weekly History Index.date
Starting at byte offset 105:   :[date range]: [username]@[website URL]. Ends in hex 00  (if date range covers a week, it's a weekly history)

Cache Index.dat
Starting at byte offset 105:    URL. Ends in hex 00

The easiest way to work with these, as there are often too many to manually decode, is to use EnCase's virtual file system mount feature to mount the drive.  You now have access to the unallocated clusters in Windows.  Run the stand-alone utility "hstex.exe" in the Netanalysis program folder against the unallocated clusters.  This parses out all index.dat entries found in the unallocated space, giving you the file "UC.dat" when completed.  Bring this file into Netanalysis and it will decode everything for you in seconds.

For an example of the meanings of the dates in weekly history index.dat , see the following EnCase mini-report showing this data and its meaning.

See also: A quick summary of the 64-bit Windows timestamps in the URL records (all types), often called first and second date.

Note:  A record may start with "URL", "LEAK" (Microsoft term for an error), or "REDR" (Redirect and not all "redirects" start with REDR - in fact few do, but that's another topic altogether).  Thus if URL, start at "U".  If "LEAK", start at "L", and if "REDR", start at first "R".  REDR will not have the two dates, so there's isn't much point in counting!