Forensic Analysis of Internet Explorer Activity Files: Keith J. Jones Foundstone

The document discusses the basics of Internet Explorer activity files, specifically the index.dat file. It describes the file header structure, including the version string, file size, hash table location, and activity record pointers. It then explains the different types of activity records stored - URLs, redirects, and temporary files - along with their time stamp and data field information. Forensic analysis of these files can recover deleted browsing history and site visit details.

Uploaded by Puspal Paul
Copyright: © Attribution Non-Commercial (BY-NC)

Forensic Analysis of Internet Explorer Activity Files
Based on an article by Keith J. Jones, Foundstone
http://www.foundstone.com/pdf/wp_index_dat.pdf
Basics
 Internet Explorer market share:
 2002: 92.9% (WebSideStory)
 2004: 81.4% (www.w3schools.com/browsers/browsers-stats.app; that site's user base is biased towards alternative browsers)
 2007: 58.6% (same source)
Basics
 Locations of the activity files:
 Win9*/ME:
   \Windows\Temporary Internet Files\Content.IE5
   \Windows\Cookies
   \Windows\History\History.IE5
 WinNT:
   \Winnt\Profiles\<user>\Local Settings\Temporary Internet Files\Content.IE5\
   \Winnt\Profiles\<user>\Cookies\
   \Winnt\Profiles\<user>\Local Settings\History\History.IE5
 Win2K/WinXP:
   \Documents and Settings\<user>\Local Settings\Temporary Internet Files\Content.IE5
   \Documents and Settings\<user>\Cookies
   \Documents and Settings\<user>\Local Settings\History\History.IE5
index.dat
 File header: contains basic information on the file.
 Starts with a null-terminated version string, followed by the file size.
   Example: the bytes 00 80 00 00 on disk read as 0x00008000 (little-endian conversion) = 32768.
 Bytes 0x20 – 0x23: location of the hash table. The hash table is used to store the actual entries.
   Example: go to byte 0x00004000 to find the beginning of the hash table.
index.dat file header: History example
 Size: 0x00394000 = 3751936
 Hash table: 0x00005000
 Directories: (null-terminated, 0x50)
index.dat file
 Hash table:
 There can be several hash tables. Each one contains a pointer to the next one.
 Fields in a hash table:
   Magic marker “HASH”
   4B number of entries in the hash table; multiply this number by 128B to get the table size.
   Pointer to the next hash table.
 Example: 0x20 = 32 entries, so the total size of the hash table is 32*128B = 4KB.
 Example: next hash table at 0x00018000.
index.dat file
 Hash table entries:

Field                     Offset   Size   Description
Hash Table Length         4        4      Length of the hash table in 0x80-byte blocks
Next Hash Table           8        4      Offset of the next hash table; a zero value shows that this is the last hash table
Activity Record Flags     16+8n    4      First byte 0x01: record deleted
                                          First byte 0x03:
                                          Else:
Activity Record Pointers  20+8n    4      Offset of the activity record
index.dat file header
 Example hash table entry:
   Activity flag: 40 03 6C DA
   Activity record pointer: 00 03 48 00
 Go to 00 03 48 00 to find the activity record.
index.dat file header
 Activity record:
 Type field (4B): REDR, URL or LEAK
 Length field (4B): multiply by 0x80 to get the record length in bytes
 Data field
index.dat file header
 URL activity record
 Represents a website visited
 Record length (4B)
 Time stamps:
   8B starting at offset +8 in the activity record: last modified
   8B starting at offset +16 in the activity record: last accessed
   Organized like file MAC times.
index.dat file header
 REDR activity record
 Subject’s browser was redirected to another site
 Same type, length and data format as a URL record
 Followed by the URL at offset 16 in the activity record
index.dat file header
 LEAK activity record
 Same as URL
index.dat file header
 Deleted records:
 Will not show up when consulting the IE history.
 But often still there.
 “Delete history” does not rewrite the history file.
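The header, hash-table chain, activity-record fields and deleted flag described in the slides above, walked by an added Python example over a constructed image (this is not code from the slides or from the Foundstone paper). It assumes the file size sits at 0x1C directly after the version string, that the 8-byte time stamps are Windows FILETIME values, and that the URL type field is stored as "URL " padded to four bytes; the sample image, its record offsets and its FILETIME value are constructed.

```python
import struct
from datetime import datetime, timedelta, timezone

BLOCK = 0x80  # index.dat lengths are counted in 0x80-byte blocks

def filetime_to_dt(ft):
    """Windows FILETIME (100 ns ticks since 1601-01-01 UTC); 0 means unset."""
    if ft == 0:
        return None
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)

def parse_index_dat(data):
    """Follow header -> hash table chain and decode every activity record."""
    version = data[:data.index(b"\x00")].decode("ascii")    # null-terminated version string
    file_size = struct.unpack_from("<I", data, 0x1C)[0]     # assumed: size right after version
    table = struct.unpack_from("<I", data, 0x20)[0]         # bytes 0x20-0x23: first hash table
    records = []
    while table:
        if data[table:table + 4] != b"HASH":
            raise ValueError("bad hash table magic at 0x%X" % table)
        length, nxt = struct.unpack_from("<II", data, table + 4)  # blocks, next table (0 = last)
        for off in range(table + 16, table + length * BLOCK, 8):  # (flags, pointer) pairs
            flags, ptr = struct.unpack_from("<II", data, off)
            if ptr == 0 or ptr + 8 > file_size:
                continue  # unused slot
            rec_type = data[ptr:ptr + 4].decode("ascii", "replace").strip()
            rec = {"offset": ptr, "type": rec_type,
                   "length": struct.unpack_from("<I", data, ptr + 4)[0] * BLOCK,
                   "deleted": (flags & 0xFF) == 0x01}  # first byte 0x01 = record deleted
            if rec_type in ("URL", "LEAK"):  # last modified at +8, last accessed at +16
                mod, acc = struct.unpack_from("<QQ", data, ptr + 8)
                rec["last_modified"], rec["last_accessed"] = filetime_to_dt(mod), filetime_to_dt(acc)
            elif rec_type == "REDR":  # redirect target string at +16
                rec["url"] = data[ptr + 16:data.index(b"\x00", ptr + 16)].decode("ascii", "replace")
            records.append(rec)
        table = nxt
    return version, file_size, records

def build_sample():
    """Constructed index.dat-style image for the demo (not a real capture)."""
    img = bytearray(0x300)
    struct.pack_into("<28sII", img, 0, b"Client UrlCache MMF Ver 5.2", len(img), 0x80)
    struct.pack_into("<4sII", img, 0x80, b"HASH", 1, 0)             # one block, no next table
    struct.pack_into("<IIII", img, 0x90, 0x00, 0x100, 0x01, 0x180)  # live URL, deleted REDR
    ft = 132000000000000000                                         # constructed FILETIME
    struct.pack_into("<4sIQQ", img, 0x100, b"URL ", 1, ft, ft + 10_000_000)
    struct.pack_into("<4sI8x21s", img, 0x180, b"REDR", 1, b"http://example.test/")
    return bytes(img)
```

Running `parse_index_dat(build_sample())` returns the live URL record with both FILETIME stamps decoded and the REDR record marked as deleted, which is exactly what a history viewer would hide but a carver still finds.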
index.dat file header
 Tool to sort things out:
 PASCO for index.dat
 Galleta for cookies.
