
IE7 - Delete Browsing History

(@cults14)
Reputable Member
Joined: 17 years ago
Posts: 367
Topic starter  

IE7 on XP SP3, select "Internet Options > General > Browsing History > Delete > Delete All"

Looks as if the contents of all the Index.dat files get emptied, which wasn't what I remembered happening. I've been analysing an E01 image, exported all the Local Settings for the user from FTK Imager, ran NetAnalysis 1.5 (Open All History From Folder) and got minimal results - so far nothing unexpected. Then I used FTK Imager to export my own Index.Dat files, went through the mouse-clicks described above, again used NetAnalysis 1.5, again minimal results (158 records).

But it's weird, because the Index.dat entry in \Content.IE5 is 2.5MB, and the one in \History.IE5 is only slightly smaller. So I logged off and back on again as a different user to look at the Index.DAT files in NetAnalysis again, same thing.

I was under the impression that using the mouse-clicks above didn't impact the Index.DAT files - otherwise why would all those Eraser-type products make such a thing of their ability to wipe Index.DAT files?

Then I checked against an old \Content.IE5\Index.DAT file which I had skulling around (just over 3MB) - and NetAnalysis 1.5 returns 6809 records which is much more like what I would expect.

And I've done all the same stuff on another Index.DAT file (1.8MB), again over 5,000 records.

I've looked again at my original \Content.IE5\Index.DAT file (2.5MB) in FTK, Natural/Filtered/Text Views says "Nothing to View File is Empty", Hex view is blank.

Deduction is that following the mouse-clicks described above empties the Index.DAT files BUT does so without changing the size of the file (or at least, not very much). Or I've somehow got corruption going on. Or missed something blatantly obvious.

This is relevant for the investigation I'm working on - the user had run wiping software but if \Content.IE5\Index.Dat can be legitimately "nuked" from IE's Options, I need to make the point in my report.

Comments, anyone?


   
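A quick way to check the "same size, no records" observation in the post above, as an added example that is not part of the original thread: it counts record signatures at 128-byte block boundaries and measures how much of the file is non-zero. The signature strings and block size come from public descriptions of the MSIE cache file format, not from this page; the function names and the sample buffers are constructed for illustration, and signatures are counted regardless of whether their blocks are still allocated.

```python
import struct
from collections import Counter

BLOCK = 0x80                          # records are allocated in 128-byte blocks
MAGIC = b"Client UrlCache MMF Ver "   # header signature, followed by e.g. "5.2"
TAGS = (b"URL ", b"REDR", b"LEAK", b"HASH")

def triage_index_dat(data: bytes) -> dict:
    """Report whether an index.dat buffer still holds cache records."""
    counts, off = Counter(), 0
    while off + 8 <= len(data):
        tag = data[off:off + 4]
        if tag in TAGS:
            counts[tag.decode().strip()] += 1
            # Second dword of a record is its length in blocks; skip the body
            # so URL text is not rescanned. Fall back to one block if bogus.
            (nblocks,) = struct.unpack_from("<I", data, off + 4)
            span = nblocks * BLOCK
            off += span if 0 < span <= len(data) - off else BLOCK
        else:
            off += BLOCK
    nonzero = len(data) - data.count(0)
    return {
        "size": len(data),
        "valid_header": data.startswith(MAGIC),
        "nonzero_ratio": round(nonzero / len(data), 4) if data else 0.0,
        "records": dict(counts),
    }

def constructed_sample(populated: bool, size: int = 0x8000) -> bytes:
    """Build a synthetic buffer for the demo; this is not a real index.dat."""
    buf = bytearray(size)
    buf[:28] = MAGIC + b"5.2\x00"
    if populated:
        buf[0x4000:0x4008] = b"HASH" + struct.pack("<I", 32)
        for off in (0x5000, 0x5100, 0x5200):
            buf[off:off + 8] = b"URL " + struct.pack("<I", 2)
            buf[off + 16:off + 40] = b"http://example.test/page"
    return bytes(buf)

if __name__ == "__main__":
    for label, flag in (("populated", True), ("cleared", False)):
        print(label, triage_index_dat(constructed_sample(flag)))
```

To run it against an exported file, pass the file's bytes (read in binary mode) to `triage_index_dat` and compare the result with a known-populated index.dat of similar size.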
(@douglasbrush)
Prominent Member
Joined: 16 years ago
Posts: 812
 

See
http://support.microsoft.com/kb/322916
&
http://blogs.msdn.com/b/wndp/archive/2006/08/04/wininet-index-dat.aspx
&
http://wordpress.bladeforensics.com/?p=204


   
(@cults14)
Reputable Member
Joined: 17 years ago
Posts: 367
Topic starter  

Thanks Douglas, will add these to my Favourites.


   
(@cults14)
Reputable Member
Joined: 17 years ago
Posts: 367
Topic starter  

Douglas - and others - I also came across the following which I've since found to be useful. And it contains the answer to the question I asked.

http://www.browserforensics.org/wp-content/uploads/2010/03/BrowserForensics-v1-03-03-2010.pdf

Cheers


   