How can I view index.dat?

mrsjock
For corporate & legal reasons, I need to find out as much as I can about the activity on a PC.  From what I can see, the index.dat file is going to give me a lot of information.  I tried opening it with notepad, and I tried opening it with IE (it didn't give me that option).
I have copied the index.dat file over to a different system, so how do I open/view the contents of the index.dat file?
I (read: the company) would prefer free or cheap. I am not a forensics expert, although I have a very high interest in forensics. I am not a programmer type of person; the most I have done is write simple Windows scripts to connect printers and network drives, and some very simple HTML web pages.
Thank you!
Aman Subhan, Oracle Database Administrator

Commented:
Well dat files are used widely... from movie files to game libraries.... so the decompiler for windows file index.dat may seem to be challenging.!
well in my opinion u need to go nuts to decode that file and u will require a lot of programming and scripting!!!

first decode it into md5 format then you will need to convert it into txt array!

hope u will succeed.

Commented:
This is a free tool (one among many) you can use to view these files:
http://www.stevengould.org/index.php?option=com_content&task=view&id=47&Itemid=88
I used this program before.
http://www.acesoft.net/winspy/

Exec Consultant
Distinguished Expert 2018
Commented:
This paper (though old) is still a useful ref to understand index.dat - check out the hash, url activity, redirect, leakage activity table interpretation
@ http://www.foundstone.com/us/pdf/wp_index_dat.pdf

There is also suggestion of tools such as PASCO. It will parse the information in an index.dat file and output the results in a field delimited manner so that it may be imported into your favorite spreadsheet program.
@ http://www.foundstone.com/us/resources/proddesc/pasco.htm

Furthermore, since you are looking for traces and hints, you may want to take a look at this link that shared some more "repository" to sieve out more - it is tedious though but the timeline will be a bigger picture of what is happening
@ http://www.forensicfocus.com/timeline-analysis-one-page-guide

If you are interested in opensource forensic tools, you can check out this site - pasco is also mentioned in it. The recycle bin is another area to find out more, check out the tool Rifiuti (may be different for Vista and above)
@ http://www.opensourceforensics.org/tools/windows.html

hope it helps
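As an added illustration (not part of the original thread, and not Pasco's code), here is a minimal Python reader that produces the kind of tab-delimited output described above. It assumes the publicly documented "Client UrlCache MMF Ver 5.2" layout (128-byte blocks, URL/LEAK/REDR records), and `build_sample()` creates a constructed, simplified file for demonstration; check the offsets against a working copy of a real index.dat before relying on the results.

```python
import struct
from datetime import datetime, timedelta, timezone

BLOCK = 0x80  # records are allocated in 128-byte blocks
MAGIC = b"Client UrlCache MMF Ver "
EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime(raw):
    """Convert a 64-bit FILETIME (100 ns ticks since 1601) to UTC, or None if unset."""
    return EPOCH + timedelta(microseconds=raw // 10) if raw else None

def cstring(buf, off):
    end = buf.find(b"\x00", off)
    return buf[off:end if end != -1 else len(buf)].decode("latin-1")

def parse_index_dat(buf):
    """Return (type, url, modified, accessed) tuples for URL/LEAK/REDR records."""
    if not buf.startswith(MAGIC):
        raise ValueError("not an index.dat (MSIE cache) file")
    out, off = [], 0
    while off + BLOCK <= len(buf):
        sig = buf[off:off + 4]
        nblocks = struct.unpack_from("<I", buf, off + 4)[0]
        size = nblocks * BLOCK
        if sig not in (b"URL ", b"LEAK", b"REDR") or not nblocks or off + size > len(buf):
            off += BLOCK  # not a record, or corrupt length field: resync on next block
            continue
        rec = buf[off:off + size]
        if sig == b"REDR":
            out.append(("REDR", cstring(rec, 0x10), None, None))
        else:
            mod, acc = struct.unpack_from("<QQ", rec, 0x08)  # modified, accessed
            url_off = struct.unpack_from("<I", rec, 0x34)[0]  # offset of URL string
            if url_off < size:
                out.append((sig.decode().strip(), cstring(rec, url_off), filetime(mod), filetime(acc)))
        off += size
    return out

def build_sample():  # constructed, simplified file: header block + URL + REDR record
    hdr = (MAGIC + b"5.2\x00").ljust(BLOCK, b"\x00")
    url = bytearray(2 * BLOCK)
    struct.pack_into("<4sIQQ", url, 0, b"URL ", 2, 129067776000000000, 129067776000000000)
    struct.pack_into("<I", url, 0x34, 0x68)
    s = b"Visited: user@http://intranet.example/report\x00"
    url[0x68:0x68 + len(s)] = s
    redr = (b"REDR" + struct.pack("<I", 1) + bytes(8) + b"http://example.com/r\x00").ljust(BLOCK, b"\x00")
    return hdr + bytes(url) + redr

if __name__ == "__main__":
    print("\n".join("\t".join(map(str, row)) for row in parse_index_dat(build_sample())))
```

To read a real file, pass `open(path, "rb").read()` on a copy of the evidence rather than the original.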
Go here: http://www.accessdata.com/efenseproducts.html , on the left there is a download link for Helix. It's a CD image file download. Burn it as an image to a blank CD, boot with it, open this url: http://www.foundstone.com/us/resources/proddesc/pasco.htm . Pasco is on the Helix CD. I have faith in you. Did you know that over 3,000 people living in the UK claim their religion is Jedi, from the Star Wars series?
I personally wouldn't consider viewing the contents of an index.dat a forensic procedure. Just use
http://www.softwarepatch.com/software/indexdat-security.html

free and easy

Commented:
If you are looking to find out specific data on the system the easiest way would be to do a recovery on a bit level copy of the drive. I would not (if it is legal) recommend doing this on the actual drive itself so you do not lose data.
If it were a client of mine this is what I would do for them from a forensic standpoint.

0. Unplug the compromised system from the network immediately to contain any forensic data on it and also make sure if there is malware on the box it cannot spread.
1. Assess the situation and determine if there is a breach in the perimeter
    1a. If not an issue I would press on
    1b. Determine if there is any data lost
2. If there is a security breach I would lock down the perimeter or the location of the breach first then fix and contain the system.
3. Review the Windows Event Logs if Windows; if Linux, review all the VAR\LOGS folder for data.
4. I would view the history window in the browser, and also open the index.dat file in WordPad; by default there is not a lot of data but there is some.
5. Look at any anti-virus logs.
6. Check both the program files folder as well as the start menu for obvious applications that will steer you in a direction that tells a story or gives clues ... IE: Limewire, Pirate Bay etc.
7. Look in the recycle bin, a large number of amateur hackers drop clues in there.
8. Recover the image at the bit level to another drive and perform a file recovery on the drive, if it was not cleared with a tool like DBAN then you will be blown away at what comes back.
9. As part of the individual application review, look to each application for specific logs. It may not prove anything other than the user's personal account was logged into for, say, LinkedIn, but if it is a legal issue it can be the piece that ties a person onto that computer for the time period that you are looking for.
10. If you suspect an insider, do all the above off the cuff on the QT. Once the system is copied, put it back into production for the user to use again, only install a stealth keylogger that reports to you, as well as a stealth session monitoring app that will allow you to view the sessions the user is using. You will need to set up your AV to not alert on this, then BAMM you got them.

Hope this all helps.

Commented:
I have used Index.dat Analyzer... it's a free tool and easy to use... you just need to load the index.dat file into the program and it sorts all visited URLs for you with the accessed dates and times...

here is a link:
http://www.systenance.com/indexdat.php

Commented:
Check out webhistorian. Works wonders on index.dat for IE.
