I'm looking at a Index.dat file found in the recent folder of a Windows 7 machine. I'm trying to figure out the order that the accessed files are listed. Is it reverse chronological? It looks like the first viewed files are at the top.
I've done some testing and it looks like its sometimes in no order at all. Does anyone have some insight into this?
Example
[folders]
work_stuff.LNK=0
File possessing[1].LNK=0
Work plan_v2___.LNK=0
43954_FILE.LNK=0
FIle_Name_123.LNK=0
Tetris.LNK=0
File_Name_v2.LNK=0
[xls]
Word analysis.LNK=0
2567 analysis.LNK=0
example analysis_65.LNK=0
Company Name Audit Rev A (2).LNK=0
Untitled.LNK=0
[misc?????]???????????]
Bingo Bango.LNK=0
[misc?????]???????????]
abcdef def.LNK=0
[misc]
Company plan_v2.LNK=0
Document File.LNK=0
Some File Name.LNK=0
test results summary.LNK=0
[misc??????]???????????]
Computername.rdp.LNK=0
[misc??????]???????????]
Computer.rdp.LNK=0
I'm looking at a Index.dat file found in the recent folder of a Windows 7 machine.
Under which path?
What tool/program did you use to open that file?
I mean, it seems like the "plain text" format that some versions of Microsoft Office use, like
http//
jaclaz
Its located at the below path. Its just plain text. Non of the Index.Dat analyzer tools will parse it. I'm just trying to understand which order the files are listed in the log since there isnt much to go on.
\C\Documents and Settings\Joe-Schmo\Application Data\Microsoft\Office\Recent\index.dat
Its located at the below path. Its just plain text. Non of the Index.Dat analyzer tools will parse it. I'm just trying to understand which order the files are listed in the log since there isnt much to go on.
\C\Documents and Settings\Joe-Schmo\Application Data\Microsoft\Office\Recent\index.dat
Yep, as expected, it is not the "common" index.dat, buit rather the .ini-like Microsoft Office uses.
The behaviour of that is not (AFAIK) documented (with the exception of the previously given page), yes, it is seemingly "sequential", but there is no "definite study" on this.
BUT in "normal operation", in that same folder there should be an actual link correspondent to each item in index.dat, and these will have "normal" filesystem properties (created/Modified/Accessed).
As an example, this is a (reduced) set from my machine[misc]and this is the same with added created/modified timestamp
Logoarianuova.jpg.LNK=0
Diagramma1.jpeg.LNK=0
USBSpeedDP.csv.LNK=0
[folders]
Old.LNK=0
Targa.LNK=0
7zO0C21DF23.LNK=0
[xls]
somedata.xls.LNK=0
Romcompare.xls.LNK=0
f167.xls.LNK=0
CHS_LBA_v3.xls.LNK=0
[html]
USBstick.html.url=0
[doc]
Risolto.doc.LNK=0
Fake_Submission.doc.LNK=0
BDC_v2.doc.LNK=0
[htm]
testing.htm.LNK=0
hallo.htm.LNK=0[misc]
Logoarianuova.jpg.LNK=0 lunedì 3 marzo 2014, 11.26.06/lunedì 3 marzo 2014, 11.26.06
Diagramma1.jpeg.LNK=0 lunedì 3 marzo 2014, 17.57.12/lunedì 3 marzo 2014, 17.57.12
USBSpeedDP.csv.LNK=0 mercoledì 5 marzo 2014, 19.28.16/mercoledì 5 marzo 2014, 19.28.16
[folders]
Old.LNK=0 lunedì 18 novembre 2013, 16.26.17/mercoledì 18 dicembre 2013, 18.32.08
Targa.LNK=0 mercoledì 8 gennaio 2014, 17.17.28/mercoledì 8 gennaio 2014, 17.59.25
7zO0C21DF23.LNK=0 mercoledì 12 marzo 2014, 18.58.21/mercoledì 12 marzo 2014, 18.58.21
[xls]
somedata.xls.LNK=0 giovedì 28 novembre 2013, 19.02.05/sabato 30 novembre 2013, 13.00.17
Romcompare.xls.LNK=0 lunedì 16 dicembre 2013, 13.39.02/lunedì 16 dicembre 2013, 13.39.02
f167.xls.LNK=0 sabato 1 marzo 2014, 13.01.17/sabato 1 marzo 2014, 13.08.39
CHS_LBA_v3.xls.LNK=0 sabato 23 novembre 2013, 13.39.38/mercoledì 5 marzo 2014, 18.00.28
[html]
USBstick.html.url=0 sabato 20 agosto 2011, 16.05.11/sabato 20 agosto 2011, 16.05.11
[doc]
Risolto.doc.LNK=0 mercoledì 5 febbraio 2014, 18.44.21/mercoledì 5 febbraio 2014, 18.44.21
Fake_Submission.doc.LNK=0 mercoledì 5 febbraio 2014, 20.25.53/mercoledì 5 febbraio 2014, 20.25.53
BDC_v2.doc.LNK=0 martedì 4 marzo 2014, 15.34.45/martedì 4 marzo 2014, 15.34.45
[htm]
testing.htm.LNK=0 mercoledì 14 settembre 2011, 9.53.41/mercoledì 14 settembre 2011, 9.53.41
hallo.htm.LNK=0 martedì 4 ottobre 2011, 16.58.28/martedì 4 ottobre 2011, 16.58.28
Clearly it is "sequential" and it is sequential on "creation date/time", but different filetypes are also grouped, so that there is no real way to establish a (anyway very rough) timeline if not within a "same" file type, and if a file is re-opened, obviusly the "created" timestamp loses every relevance, i.e. the index.dat file without the corresponding links is only useful to affirm that "at least once file xxxxx.yyy has been opened/accessed by a program belonging to the MS Office Suite".
jaclaz
Thanks for the response and examples this is helpful. Which directory had the Index.Dat file with the MAC times? I've yet to locate a corresponding Index.Dat with the MAC info for this case.
Thanks for the response and examples this is helpful. Which directory had the Index.Dat file with the MAC times? I've yet to locate a corresponding Index.Dat with the MAC info for this case.
No, maybe I did not make myself clear.
In the SAME directory where the index.dat is, which is normally in an English OS
%USERPROFILE%\Application Data\Microsoft\Office\Recent
but that - as example - in my case Italian is
%USERPROFILE%\Dati applicazioni\Microsoft\Office\File recenti
there is a LINK file for each and every entry listed in index.dat.
i.e., if I do a dir *.lnk in that folder I get something like12/03/2014 18.58 797 7zO0C21DF23.LNK(in the meantime I did some experiments and deleted a few .lnk files).
04/03/2014 15.34 720 BDC_v2.doc.LNK
03/03/2014 17.57 728 Diagramma1.jpeg.LNK
01/03/2014 13.08 863 f167.xls.LNK
05/02/2014 20.25 688 Fake_Submission.doc.LNK
04/10/2011 16.58 629 hallo.htm.LNK
03/03/2014 11.26 774 Logoarianuova.jpg.LNK
18/12/2013 18.32 602 Old.LNK
16/12/2013 13.39 764 Romcompare.xls.LNK
30/11/2013 13.00 576 somedata.xls.LNK
08/01/2014 17.59 610 Targa.LNK
14/09/2011 09.53 610 testing.htm.LNK
05/03/2014 19.28 728 USBSpeedDP.csv.LNK
13 File 9.089 byte
To show you the actual "order" in which the index.dat is written, I simply extracted the timestamps from the actual .LNK files and pasted them beside the corresponding index.dat entries.
If you prefer, the actual index.dat I posted as first snippet in my previous post is plain text and has NO dates/times, the second one I posted was handmade to explain the behaviour of the index.dat and the structure of the "Recent" folder contents.
jaclaz
I understand about the link files. I thought there was another Index.Dat file that had the actual MAC date/time information.
The LNK files don't help me in this particular instance because I'm trying to figure out the amount of times a particular file has been opened. The order of the files in the Index.Dat would help me to determine if it fits with the timeline I've been provided also.
Thanks
I understand about the link files. I thought there was another Index.Dat file that had the actual MAC date/time information.
The LNK files don't help me in this particular instance because I'm trying to figure out the amount of times a particular file has been opened. The order of the files in the Index.Dat would help me to determine if it fits with the timeline I've been provided also.
Thanks
NO , it won't ( .
When a file is opened the FIRST time, a .LNK file to it is created in the "Recent" folder AND an entry to this .LNK file is created in index.dat (under the corresponding "tag", like, for example "[doc]" or "[xls]").
If a file is re-opened the .LNK file to it is ALREADY there (but it's "modified" date will change) and NOTHING will change in index.dat, if not the order of the entries (with the more recent files towards the end), this doesn't tell you anything about "the amount of times a particular file has been opened"
The ONLY info that you can gather from just the index.dat is that a certain filename (WITHOUT it's full path) has been opened ONCE, and that it was last (or the one before last, etc) file opened for a given "filetype"/[tag].
If you have also the corresponding .LNK file you have additionally
- the date/time when it was opened the FIRST time
- the date/time when it was opened LAST time.
- the FULL PATH to the file
[/listo]
Additionally since .LNK files are not "classified by tags", these data can provide a more "complete" timeline of the activities of *all* Office apps.
And the above is the theory, that still needs to be confirmed in practice through experiments.
jaclaz
If there's only one entry made to the Index.Dat file, and the MAC date/times are updated accordingly, how do you explain multiple entries for the same LNK file? The file I'm investigating has 5 instances in the Index.Dat file. Several are in a row but there are instances where another LNK file comes in between. Does this not show that the file was accessed multiple times? I've only located one instance of the file on the computer so they aren't links to multiple versions of the same file. I'm still referring to the Index.dat file located in the Recent folder.
If there's only one entry made to the Index.Dat file, and the MAC date/times are updated accordingly, how do you explain multiple entries for the same LNK file?
Here there is a misunderstanding.
It is not like I am an expert on index.dat's made by MS Office, and not necessarily I can "explain" the genesis of your particular index.dat file.
I am just telling you what I can see and the result of the quick tests I made.
In "normal" operation I am not able to have index.dat with two occurrences of the same .LNK file.
What happens when (say) Excel crashes or (say) multiple Office apps are used (to attempt) opening a file, etc., etc. I cannot really say.
The file I'm investigating has 5 instances in the Index.Dat file. Several are in a row but there are instances where another LNK file comes in between. Does this not show that the file was accessed multiple times?
Not to me, since - as said - in "normal" operation I cannot manage to have any duplicate, but it is entirely possible that a different version of MS Office behaves differently.
I've only located one instance of the file on the computer so they aren't links to multiple versions of the same file.
Allow me to doubt that.
Since ONLY the file name is recorded in index.dat, for all you know there could be several instances of the same named file in several different USB sticks or CD's or even Network locations.
jaclaz