Multiple deleted index.dat files from the recent past  


I am thinking that I am seeing evidence of an internet history scrubber having been used because I have a Windows XP user profile that has an index.dat file at the moment but FTK is also showing deleted copies from 5/27, 3/22, 3/21 and 3/08/2011. Is this a reasonable conclusion?

Posted : 29/09/2011 8:24 pm
Junior Member

I wouldn't make that conclusion without quite a bit more artifacts/evidence than the existence of deleted index.dat files. First question would be, what is your definition of "history scrubber"? Have you considered InPrivate browsing mode as an explanation? If the recovered index.dat files are for webcache, this could be an explanation. If you are specifically interested in looking for evidence that an application of this nature was executed, you may want to focus on registry artifacts, prefetch files, jump lists, etc. (depending on the OS).

Posted : 29/09/2011 10:36 pm
Active Member

I see the logic, but if there was a history scrubber then there wouldn't be any index.dat files left. You can of course check the installed programs etc.

Isn't it more likely that a user has used the "delete internet history" button in IE? Check the default browser for a start and then, if it is IE, do a little experiment: surf the web and change the clock, surf a little more after a restart, and then delete the history and see what happens.

Posted : 29/09/2011 11:34 pm