Hello,
I am trying to figure out how to parse the IE7 history on a Windows XP system. I would like to write a Perl script to do the work. I already have a script which will (sort of) parse the Firefox 3.6 history for me, but want to add a script for IE7 to my toolbox.
I looked for an index.dat file under documents and settings\username\local settings\history, but there doesn't seem to be one; rather, it looks like a series of folders for the past 3 weeks on a weekly basis, until this week where it is by day. Under each of those are folders for each site visited, and inside that it seems like a simple Windows shortcut to the site.
Does anyone know of a "simple" way to conglomerate all this data into a single output file for review?
At present I am just trying to get my feet wet in the forensics world. I am blind and trying to figure out what tools work, and which I need to write myself to make them accessible.
Hey dnraikes... wow, that's a mouthful. Kudos to you for writing your own scripts; it's the best way to learn and know what your tool is doing. But computer forensics is like reverse engineering. There will always be lots of people out there who understand it better or designed the system you are trying to understand, so if you can find that info, it can really fast-track the learning process.
In that spirit, here are a few pointers. The two top cache analysis tools, Cacheback and NetAnalysis, both have free demos you can download and play with. Give them a go; they do quite a good job at not only parsing the index.dat files, but reconstructing the web pages too. Further to that, they have excellent documentation which explains how the different browsers manage the cache and the structure of the index.dat files, which will help you a lot in furthering your own scripts.
If you are after a tool to just parse the index.dat files, X-Ways Trace does it really nicely and outputs to a spreadsheet.
In relation to your IE7 problem, if there are no index.dat files in the history or any of the subfolders, MOST likely there either
- hasn't been any browsing using IE7 under this user profile
- browsing history has been deleted from within IE
- the setting 'Delete history on exit' is checked
There should be a main index.dat under the history folder, and daily, weekly, monthly index.dat files in each sub-folder. The advantage of using the established tools is that they will put all this together for you in one interface and also allow you to carve for deleted index.dat files, which is getting a lot more involved for a humble Perl script.
Hope that's a help.
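A consolidation script of the kind asked about above, written here as an added Python example (it is not code from any poster or from the tools named in this thread): it walks a History tree laid out the way dnraikes describes, inventories the index.dat files, pulls the target out of each per-site shortcut, applies the "no index.dat at all" rule of thumb from the reply, and writes one CSV for review. It assumes the per-site entries are ordinary [InternetShortcut] .url files, and it builds a constructed sample tree in a temp directory rather than reading a live profile.

```python
import csv, os, tempfile

def parse_url_shortcut(path):
    """Return the URL= target of an [InternetShortcut] .url file, or None if absent."""
    in_section = False
    with open(path, encoding="utf-8", errors="replace") as fh:
        for line in fh:
            line = line.strip()
            if line.startswith("[") and line.endswith("]"):
                in_section = line.lower() == "[internetshortcut]"
            elif in_section and line.lower().startswith("url="):
                return line[4:].strip() or None
    return None

def collect_history(history_root):
    """Walk the History tree; return (shortcut rows, relative paths of index.dat files)."""
    rows, index_dats = [], []
    for dirpath, dirs, files in os.walk(history_root):
        rel = os.path.relpath(dirpath, history_root)
        period = "" if rel == "." else rel.split(os.sep)[0]  # the weekly/daily folder
        for name in sorted(files):
            full = os.path.join(dirpath, name)
            if name.lower() == "index.dat":
                index_dats.append(os.path.relpath(full, history_root))
            elif name.lower().endswith(".url") and (url := parse_url_shortcut(full)):
                rows.append({"period": period, "site": os.path.basename(dirpath),
                             "shortcut": name, "url": url})
    return rows, index_dats
def triage_note(index_dats):
    """The thread's rule of thumb: no index.dat anywhere is itself a finding to record."""
    if index_dats:
        return "index.dat present: %d file(s)" % len(index_dats)
    return "no index.dat found: no IE7 browsing under this profile, history deleted from within IE, or 'Delete history on exit' set"
def write_report(rows, out_path):
    """Conglomerate every shortcut hit into a single CSV for review."""
    with open(out_path, "w", newline="") as fh:
        writer = csv.DictWriter(fh, fieldnames=["period", "site", "shortcut", "url"])
        writer.writeheader(); writer.writerows(rows)

def build_sample_history():
    """Constructed stand-in for Local Settings\\History: folder names and sites are made up."""
    root = tempfile.mkdtemp()
    sites = {"MSHist012010030120100308/www.example.com/Example Domain.url": "http://www.example.com/",
             "MSHist012010031520100316/example.org/Docs.url": "http://example.org/docs"}
    for rel, url in sites.items():
        os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
        with open(os.path.join(root, rel), "w") as fh:
            fh.write("[InternetShortcut]\nURL=%s\n" % url)
    for rel in ("index.dat", "MSHist012010030120100308/index.dat"):
        open(os.path.join(root, rel), "wb").close()  # empty placeholders, not real index.dat
    return root
```

Point collect_history at a copy of the real History folder (or at build_sample_history() to try it out), then hand the rows to write_report and keep the triage_note line in your case notes.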
Get thee to Craig Wilson.
My all time favorite tool for web browser investigations like this is the Net Analysis and HSTEX combo from
The price is very reasonable and the manual that Craig gives you with your purchase of Net Analysis makes the whole package a great deal.
HSTEX will crawl an image looking for web history (even in unallocated space) which you can then load into Net Analysis for your examination.
Between Eric's reply and my PM, I think you know where to go 😉
Mr. Craig Wilson has done a lot of work on this subject.
Hi all,
Wow, thanks for all the info.
I am running the analysis on my own Windows XP system (so I know which users have done browsing and which have not) :-)
I am hoping to get dd images of several other systems from family members to do some investigating/practicing on as well. Unfortunately, I believe I am the only one who uses IE. My wife uses Firefox and my daughter uses Google Chrome, so I will have plenty of variety.
So far this is just a "hobby", but I am considering getting my CCE certification and venturing into this interesting world as a second career over the next few years, so I want to know what I can and cannot do with my blindness as a factor.
Thanks for all the info and tips.
Cheers and I will let you all know how the investigation progresses and if I come up with any usable tools for others to test/use.
For disk images, SANS have a recent post by Ken Pryor
that links to some samples you can use.