I'm doing some forensics on a bot-infected computer and was hoping to use Foundstone's pasco to view their IE history. The index.dat file in the user's IE.Content folder is about 5MB. However, when I use pasco to try and read the index.dat file, it grinds on it for about 2 seconds and comes back with no data. I've tried to look at other index.dat files in other directories and simply can't get it to give me any meaningful data.
The system in question is an XP Professional system running SP2.
Any thoughts? I'm just trying to determine how the bot may have gotten on the system and hoping it may have been recorded here.
Maybe the file's in a format that Pasco doesn't recognize. Was the user using IE 6 or 7? Have you tried opening the index.dat file in a hex editor and see if it meets the format specs?
Also, what bot are you dealing with? Many times, the bot may be tied to a particular infection vector.
Hi,
why don't you try to process your file with NetAnalysis? You can download a trial version from the Digital Detective web site. I believe that the trial version hides a few records (1 every 5), but displays all the other ones. Moreover, it is able to distinguish among the various types of .dat files (e.g., host, daily and weekly ones). In this way, you can figure out whether your .dat files actually contain IE browsing history data or not.
Thanks for the replies. The browser used was either IE 6 or 7 (I think 7). Is pasco unable to read one vs. the other? I thought for sure it would be capable of both.
I've not tried to read it with any other hex editor yet. I wanted to figure out the issue with pasco (hoping it was something easy I just didn't know).
At work, we use this tool
I am fairly sure that Pasco works with all versions of IE. To see if there is any data in the index.dat files you can export them and view them in Notepad. If there is no data in them, check the Programs folder for programs such as "CCleaner" or similar, which zero out the contents of the index.dat files.
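The two checks suggested in this thread (does the header match the IE index.dat format, and has the body been zeroed out) can be scripted instead of done by eye in a hex editor. The following is an added example, not code from pasco, NetAnalysis or anyone in the thread; it assumes the standard "Client UrlCache MMF Ver x.y" ASCII signature that IE's index.dat files begin with, and the 99% NUL-byte threshold for calling a file wiped is an arbitrary choice for illustration.

```python
from typing import Dict, Optional

# IE index.dat files (cache, history, cookies) open with this ASCII signature,
# followed by the format version and a NUL, e.g. b"Client UrlCache MMF Ver 5.2\x00".
INDEX_DAT_SIGNATURE = b"Client UrlCache MMF Ver "

# Assumed threshold: a file this close to all-NUL has been zeroed, not populated.
WIPED_ZERO_FRACTION = 0.99


def inspect_index_dat(data: bytes) -> Dict[str, object]:
    """Return basic sanity facts about an index.dat blob."""
    has_sig = data.startswith(INDEX_DAT_SIGNATURE)
    version: Optional[str] = None
    if has_sig:
        # Version string runs from the end of the signature to the first NUL.
        rest = data[len(INDEX_DAT_SIGNATURE):]
        version = rest.split(b"\x00", 1)[0].decode("ascii", "replace")
    # Share of NUL bytes; an empty file counts as fully zeroed.
    zero_fraction = (data.count(0) / len(data)) if data else 1.0
    return {"size": len(data), "has_signature": has_sig,
            "version": version, "zero_fraction": zero_fraction}


def classify(facts: Dict[str, object]) -> str:
    """Turn the facts into the answer a parser failure usually needs."""
    if not facts["has_signature"]:
        return "not an IE index.dat (unknown header)"
    if facts["zero_fraction"] > WIPED_ZERO_FRACTION:
        return "IE index.dat header but body is zeroed (wiped?)"
    return "IE index.dat v%s with content" % facts["version"]


def inspect_file(path: str) -> str:
    """Classify an index.dat on disk (export it first from the live system)."""
    with open(path, "rb") as fh:
        return classify(inspect_index_dat(fh.read()))


# Constructed samples, not real index.dat files: one with a header and some
# record bytes, one wiped to NULs after the header, one with no header at all.
SAMPLE_WITH_DATA = (b"Client UrlCache MMF Ver 5.2\x00" + b"\x00" * 40
                    + b"URL " + b"\x01" * 60)
SAMPLE_WIPED = b"Client UrlCache MMF Ver 5.2\x00" + b"\x00" * 4096
SAMPLE_UNKNOWN = b"\x00" * 64

if __name__ == "__main__":
    for name, blob in [("with_data", SAMPLE_WITH_DATA), ("wiped", SAMPLE_WIPED),
                       ("unknown", SAMPLE_UNKNOWN)]:
        print(name, "->", classify(inspect_index_dat(blob)))
```

A file with a valid header but a NUL-filled body points at a cleaning tool, whereas a missing header means pasco was never going to parse it.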