mrsjock


How can I view index.dat?

For corporate & legal reasons, I need to find out as much as I can about the activity on a PC. From what I can see, the index.dat file is going to give me a lot of information. I tried opening it with Notepad, and I tried opening it with IE (it didn't give me that option).
I have copied the index.dat file over to a different system, so how do I open/view the contents of the index.dat file?
I (read: the company) would prefer free or cheap. I am not a forensics expert, although I have a very high interest in forensics. I am not a programmer type of person; the most I have done is write simple Windows scripts to connect printers and network drives, and some very simple HTML web pages.
Thank you!
Aman Subhan

Well, dat files are used widely... from movie files to game libraries.... so the decompiler for the Windows file index.dat may seem to be challenging!
Well, in my opinion you need to go nuts to decode that file and you will require a lot of programming and scripting!!!

First decode it into md5 format, then you will need to convert it into a txt array!

Hope you will succeed.
This is a free tool (one among many) you can use to view these files:
http://www.stevengould.org/index.php?option=com_content&task=view&id=47&Itemid=88
I used this program before.
http://www.acesoft.net/winspy/
ASKER CERTIFIED SOLUTION
btan

This solution is only available to members.
Go here: http://www.accessdata.com/efenseproducts.html ; on the left there is a download link for Helix. It's a CD image file download. Burn it as an image to a blank CD, boot with it, and open this URL: http://www.foundstone.com/us/resources/proddesc/pasco.htm . Pasco is on the Helix CD. I have faith in you. Did you know that over 3,000 people living in the UK claim their religion is Jedi, from the Star Wars series?
I personally wouldn't consider viewing the contents of an index.dat a forensic procedure. Just use
http://www.softwarepatch.com/software/indexdat-security.html

free and easy
If you are looking to find out specific data on the system the easiest way would be to do a recovery on a bit level copy of the drive. I would not (if it is legal) recommend doing this on the actual drive itself so you do not lose data.
If it were a client of mine this is what I would do for them from a forensic standpoint.

0. Unplug the compromised system from the network immediately to contain any forensic data on it and also make sure if there is malware on the box it cannot spread.
1. Assess the situation and determine if there is a breach in the perimeter
    1a. If not an issue I would press on
    1b. Determine if there is any data lost
2. If there is a security breach I would lock down the perimeter or the location of the breach first then fix and contain the system.
3. Review the Windows Event Logs if Windows; if Linux, review all the VAR\LOGS folder for data.
4. I would view the history window in the browser, and also open the index.dat file in WordPad; by default there is not a lot of data but there is some.
5. Look at any anti-virus logs.
6. Check both the program files folder as well as the start menu for obvious applications that will steer you in a direction that tells a story or gives clues ... IE: Limewire, Pirate Bay etc.
7. Look in the recycle bin, a large number of amateur hackers drop clues in there.
8. Recover the image at the bit level to another drive and perform a file recovery on the drive; if it was not cleared with a tool like DBAN then you will be blown away at what comes back.
9. As part of the individual application review, look to each application for specific logs. It may not prove anything other than that the user's personal account was logged into for, say, LinkedIn, but if it is a legal issue it can be the piece that ties a person to that computer for the time period that you are looking for.
10. If you suspect an insider, do all the above off the cuff on the QT. Once the system is copied, put it back into production for the user to use again, only install a stealth keylogger that reports to you, as well as a stealth session monitoring app that will allow you to view the sessions the user is using. You will need to set up your AV to not alert on this, then BAMM you got them.

Hope this all helps.
I have used Index.dat Analyzer... it's a free tool and easy to use... you just need to load the index.dat file into the program and it sorts all visited URLs for you with the accessed dates and times...

Here is a link:
http://www.systenance.com/indexdat.php
Check out webhistorian. Works wonders on index.dat for IE.