Forums
Main Category
General (Technical,...
index.dat question
 
Notifications
Clear all

index.dat question

 
General (Technical, Procedural, Software, Hardware etc.)
Last Post by rcw8892 19 years ago
9 Posts
4 Users
0 Reactions
766 Views
RSS
 secret_squirrel
(@secret_squirrel)
Eminent Member
Joined: 20 years ago
Posts: 38
Topic starter 28/12/2006 9:02 pm  

Hi everyone,

I have a question.

I am looking at an INDEX.dat from /localsettings/temp int files/

The file size is 8.19 mb.

I have exported the files to a cvs and I have it in a spreadsheet editor.

the first 10800 lines are from the last 3 days.

there are a total of 41400 lines.

From 10800 to 41400 everyline says BLANK with a size of 128.

My question is,

Does this mean that some history has been deleted or erased some how?

Thanks,

-SS

P.S. If this is a type of question that is not welcome here, please let me know.

P.S.S. Oh yea, IE7


   
Quote
 secret_squirrel
(@secret_squirrel)
Eminent Member
Joined: 20 years ago
Posts: 38
Topic starter 28/12/2006 9:06 pm  

Maybe I should have stated this also.

The reason I ask if it means that the history has been deleted is,

I found East-Tec Eraser 2006 on the PC.

http//www.east-tec.com/consumer/eraser/


   
ReplyQuote
 RedCellSecurity
(@redcellsecurity)
Eminent Member
Joined: 19 years ago
Posts: 37
29/12/2006 4:39 am  

I do not know the answer, but out of curiosity, I'd love to hear what you guys have to say!


   
ReplyQuote
Thomas
 Thomas
(@thomas)
Trusted Member
Joined: 20 years ago
Posts: 59
29/12/2006 5:16 am  

Hi, can you tell which program you used to extract the data?


   
ReplyQuote
 secret_squirrel
(@secret_squirrel)
Eminent Member
Joined: 20 years ago
Posts: 38
Topic starter 29/12/2006 6:22 am  

Index Dat Spy

http//www.stevengould.org/software/indexdatspy/screenshots.html

Thanks

-SS


   
ReplyQuote
 RedCellSecurity
(@redcellsecurity)
Eminent Member
Joined: 19 years ago
Posts: 37
29/12/2006 9:50 am  

Thanks for the link )


   
ReplyQuote
Thomas
 Thomas
(@thomas)
Trusted Member
Joined: 20 years ago
Posts: 59
29/12/2006 6:52 pm  

Hello secret_squirrel,

As you can see in the screenshot on the named site, the blank lines with a size of 128 bytes are referring to redirection URLs (called REDR). You can find more information on "http//en.wikipedia.org/wiki/URL_redirection". It has nothing to do with deleted files. I hope this helps your investigation!


   
ReplyQuote
 secret_squirrel
(@secret_squirrel)
Eminent Member
Joined: 20 years ago
Posts: 38
Topic starter 29/12/2006 8:22 pm  

Hello secret_squirrel,

As you can see in the screenshot on the named site, the blank lines with a size of 128 bytes are referring to redirection URLs (called REDR). You can find more information on "http//en.wikipedia.org/wiki/URL_redirection". It has nothing to do with deleted files. I hope this helps your investigation!

I noticed that.

But in my case they are not preceeded by REDIR.

The first 10,800 lines are visited pages, then for some reason there are another 20,000 lines that are all BLANK with size of 128.

I just thought it was interesting that there 40,000 lines in this .DAT file and only the first 10,800 were occupied.

Then of course I found that East-Tec Eraser software and I had to be sure.

Thanks for the input!!


   
ReplyQuote
rcw8892
 rcw8892
(@rcw8892)
Eminent Member
Joined: 19 years ago
Posts: 27
05/01/2007 12:31 am  

They are not redirects - you do not get REDR entries in history files, only cache.

Secondly, the reason the software is showing blank, is because it is reading the hash table and extracting your entries - those entries have been overwritten. The software is adding the word "blank".

This software has not been written for forensic use?


   
ReplyQuote
Forum Jump:
  Previous Topic
Next Topic  
Share: