Understanding index.dat Files

The meaning of the two 64-bit Windows timestamps in the various index.dat files

Part 2


 

The "index.dat" file is a database file used to manage, among other things, MSIE browser functions.  There is an "index.dat" in the cookie folder, one in the "history" folder, one in each daily history folder, one in each weekly history folder, and one sitting at the root of the Content.IE5 folder under Temporary Internet Files (Cache Folder).

The times stored in the various index dot dat files have different meanings depending on where they are found.  At URL record offsets 9 and 17 are two 64-bit Windows time stamps.  Their meanings are described in the table below:

| Location of Index.dat | 1st Date Located at Record offset 9 | 2nd Date Located at Record offset 17 | Comments |
|---|---|---|---|
| Cookie folder | Cookie modified GMT | Cookie file last accessed GMT | |
| Main History | Last visited time GMT | Last Visited time GMT | |
| Daily History | Last visited time (LOCAL TIME!) | Last visited time GMT | |
| Weekly History | Last visited time (LOCAL TIME!) | File created time (GMT) | This means the file creation time of the containing index dot dat file! |
| Cache | Last modified by web server time (GMT) | Last checked by local host time GMT | |

Some scripts / tools apply the local offset to all dates as most are stored in GMT.  Note that if the local time offset is applied to the first date for daily and weekly history, this timestamp will be incorrect as the offset will have been applied twice, once by MSIE and once again by your tool or script. 
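The following Python sketch is an added example, not code from the original page or from any tool it mentions. It decodes both timestamps of a URL record according to the index.dat location and applies the local offset only to values stored in GMT. It assumes the page's offsets 9 and 17 are 1-based byte positions (0-based 8 and 16) and that the values are little-endian; the function names, the sample record and the GMT-5 host are constructed for illustration.

```python
import struct
from datetime import datetime, timedelta

EPOCH_1601 = datetime(1601, 1, 1)  # 64-bit Windows timestamps count 100 ns ticks from here

# (label, stored_as_gmt) for the 1st and 2nd timestamp, per the table above.
MEANINGS = {
    "cookie":  (("cookie modified", True), ("cookie file last accessed", True)),
    "history": (("last visited", True), ("last visited", True)),
    "daily":   (("last visited", False), ("last visited", True)),
    "weekly":  (("last visited", False), ("index.dat file created", True)),
    "cache":   (("last modified by web server", True), ("last checked by local host", True)),
}

def to_filetime(dt):
    return (dt - EPOCH_1601) // timedelta(microseconds=1) * 10

def from_filetime(ft):
    return EPOCH_1601 + timedelta(microseconds=ft // 10)

def decode_url_record(record, location, local_offset_hours):
    """Return [(label, datetime in host-local time), ...] for both timestamps."""
    if record[:4] != b"URL ":
        raise ValueError("not a URL record")
    # Assumption: the page's offsets 9 and 17 are 1-based byte positions,
    # so the little-endian values start at 0-based offsets 8 and 16.
    raw = struct.unpack_from("<QQ", record, 8)
    result = []
    for ft, (label, stored_as_gmt) in zip(raw, MEANINGS[location]):
        dt = from_filetime(ft)
        if stored_as_gmt:  # shift only values MSIE did not already localise
            dt += timedelta(hours=local_offset_hours)
        result.append((label, dt))
    return result

# Constructed sample: one visit at 2005-03-14 15:30 GMT on a host set to GMT-5,
# as a daily-history record would hold it (1st date local, 2nd date GMT).
VISIT_GMT = datetime(2005, 3, 14, 15, 30)
SAMPLE_DAILY = (b"URL " + b"\x02\x00\x00\x00"  # signature + 4 filler bytes
                + struct.pack("<QQ", to_filetime(VISIT_GMT - timedelta(hours=5)),
                              to_filetime(VISIT_GMT)))

if __name__ == "__main__":
    for label, dt in decode_url_record(SAMPLE_DAILY, "daily", -5):
        print("correct:", label, dt)    # both 10:30 local
    # A tool that treats every date as GMT shifts the 1st date a second time.
    print("double offset:", decode_url_record(SAMPLE_DAILY, "history", -5)[0][1])
```

Decoding the same daily-history record with the "history" rule reproduces the double-offset error described above: the first date comes out five hours too early.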

If you are going to be testifying about a timestamp, understand thoroughly its meaning, based on its location, and verify that your tool is reporting the timestamp correctly by going to the raw data.  Better yet, recreate some data on a test box so that you can work through it, understanding both MSIE and your tools.

For information about identifying URL fragments as to their source file, see: 

http://www.stevebunting.org/udpd4n6/forensics/index_dat1.htm

For an example of the meanings of the dates in weekly history index.dat, including the location of the raw data for these timestamps, see the following EnCase mini-report.

 

 

 

This web site was created to provide assistance to computer forensics examiners engaging in cyber-crime investigations.  This field is rapidly evolving and changing as technology marches forward.  It is, therefore, intended to be a growing and evolving resource.  As you conduct your examinations and investigations, if you encounter information, links, or have suggestions that would help others, please let me know so I can add it to this site.  My email address is sbunting@udel.edu.  Thank you.

This site created and maintained by: 
Steve Bunting
Email: sbunting@udel.edu