Understanding index.dat Files
The meaning of the two 64-bit Windows timestamps in the various index.dat files, Part 2
The "index.dat" file is a database file used to manage, among other things, MSIE browser functions. There is an "index.dat" in the cookie folder, one in the "history" folder, one in each daily history folder, one in each weekly history folder, and one sitting at the root of the Content.IE5 folder under Temporary Internet Files (Cache Folder). The times stored in the various index.dat files have different meanings depending on where they are found. At URL record offsets 9 and 17 are two 64-bit Windows timestamps. Their meanings are described in the table below:
Some scripts and tools apply the local offset to all dates, as most are stored in GMT. Note that if the local time offset is applied to the first date for daily and weekly history, this timestamp will be incorrect, as the offset will have been applied twice: once by MSIE and once again by your tool or script.

If you are going to be testifying about a timestamp, understand thoroughly its meaning, based on its location, and verify that your tool is reporting the timestamp correctly by going to the raw data. Better yet, recreate some data on a test box so that you can work through it, understanding both MSIE and your tools.

For information about identifying URL fragments as to their source file, see: http://www.stevebunting.org/udpd4n6/forensics/index_dat1.htm

For an example of the meanings of the dates in weekly history index.dat, including the location of the raw data for these timestamps, see the following EnCase mini-report.
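The double-offset error described above can be reproduced on constructed data. The following Python sketch is an added example, not code from this site: it decodes the two 64-bit timestamps of a URL record and compares a location-aware conversion with a tool that adds the local offset to every date. The location names, the reading of offsets 9 and 17 as 1-based positions (0-based 8 and 16), and the sample record are assumptions.

```python
import struct
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
# Assumption: the page's offsets 9 and 17 are 1-based byte positions,
# i.e. 0-based offsets 8 and 16 from the start of the URL record.
TS1_OFF, TS2_OFF = 8, 16
# Per the page: MSIE has already applied the local offset to the first
# timestamp of daily and weekly history records. Names are hypothetical.
FIRST_IS_LOCAL = {"daily_history", "weekly_history"}

def to_filetime(dt):
    """Encode an aware datetime as 100 ns ticks since 1601-01-01."""
    return ((dt - EPOCH_1601) // timedelta(microseconds=1)) * 10

def from_filetime(ticks):
    """Decode ticks to a naive datetime with no zone adjustment."""
    return (EPOCH_1601 + timedelta(microseconds=ticks // 10)).replace(tzinfo=None)

def local_times(record, location, utc_offset, naive=False):
    """Return (first, second) timestamps as local wall-clock times.

    naive=True mimics a tool that adds the offset to every timestamp.
    """
    if record[:4] != b"URL ":
        raise ValueError("not a URL record")
    ft1, = struct.unpack_from("<Q", record, TS1_OFF)
    ft2, = struct.unpack_from("<Q", record, TS2_OFF)
    first, second = from_filetime(ft1), from_filetime(ft2)
    if naive or location not in FIRST_IS_LOCAL:
        first += utc_offset      # stored in GMT: convert to local
    second += utc_offset         # assumed GMT; the page singles out only the first date
    return first, second

# Constructed sample: a daily-history URL record from a test box at UTC-5,
# built so that both fields describe 2005-03-01 14:30:00 GMT.
OFFSET = timedelta(hours=-5)
EVENT = datetime(2005, 3, 1, 14, 30, tzinfo=timezone.utc)
SAMPLE = (b"URL " + b"\x00" * 4  # bytes 4-7 are not interpreted here
          + struct.pack("<QQ", to_filetime(EVENT + OFFSET), to_filetime(EVENT)))

if __name__ == "__main__":
    print("correct:", local_times(SAMPLE, "daily_history", OFFSET))
    print("naive  :", local_times(SAMPLE, "daily_history", OFFSET, naive=True))
```

Comparing the two results against the raw bytes at the timestamp offsets is the same verification the text recommends before testifying.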
This web site was created to provide assistance to computer forensics examiners engaging in cyber-crime investigations. This field is rapidly evolving and changing as technology marches forward. It is, therefore, intended to be a growing and evolving resource. As you conduct your examinations and investigations, if you encounter information, links, or have suggestions that would help others, please let me know so I can add it to this site. My email address is sbunting@udel.edu. Thank you.
This site created and maintained by: Steve Bunting
Email: sbunting@udel.edu