Parsing index.dat data out of UC
(@chitapett)
Estimable Member
Joined: 18 years ago
Posts: 76
Topic starter  

I've located strings of data in UC which are from the index.dat file (Temp Internet Files) after it had been sent to UC. I've tried using programs like NetAnalysis or Index.dat analyser but haven't had the smoothest experience using these products. I would like to know if any of you can recommend a good tool/process I can use in conjunction with EnCase v6 to parse through UC and get the associated URL's and dates? I can see the URL's plainly but the dates are encoded I think. There are roughly 20/30 entries I'm interested in, so if there's a way to bookmark the string and convert it directly within EnCase, I can always do that. I thought I remembered EnCase having an Index.dat parser but it's not there so I must be mistaken. Thanks for any help you might provide.


(@chitapett)
Estimable Member
Joined: 18 years ago
Posts: 76
Topic starter  

OK - so I did more investigation because that's my job and found one solution. After locating the string "URL" in the UC within EnCase, skip 5 characters and sweep the 9th character for a length of 8. Bookmark the characters as Windows Dates and that gets you the created date. Sweep and bookmark the next 8 and that gives you the modified date. I deduce that the first link is the source location and the second is the file referenced (icon).

This is of course on a Windows XP IE 6/7 example. It might be the same on other environments too.


rcw8892
(@rcw8892)
Eminent Member
Joined: 19 years ago
Posts: 27
 

Chitapett

Unless you are a registered user of NetAnalysis, you will not be able to use the extractor for recovering URLs from unallocated clusters.

The date/time values are not encoded, they are standard 64bit filetimes. The date/times you describe are incorrect.

I am assuming by your description, you are referring to a CACHE INDEX.DAT. At offset 0x10 of a URL record is the Last Visited date/time UTC, at offset 0x08 of the record is the Last Modified UTC value of the resource.

Other INDEX.DAT records have other meanings for the date/time stamps and use a combination of local time and UTC.

Perhaps if you would like to contact me offline, we can explore the issues you had. Recovering full internet history is a simple process, especially with Hstex 3 which recovers directly from an Encase image.


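A small carving routine for the record layout rcw8892 describes, added here as an example and not code from the thread, NetAnalysis or EnCase: it scans a byte buffer (such as exported unallocated clusters) for "URL " records, reads the Last Modified FILETIME at 0x08 and the Last Visited FILETIME at 0x10, converts them from 100 ns ticks since 1601-01-01 UTC, and applies sanity checks so stray "URL " text in carved data is rejected. The URL-string offset field at 0x34 and the 128-byte block size are taken from the documented cache index.dat record layout rather than from the thread, and the sample buffer is constructed.

```python
import struct
from datetime import datetime, timedelta, timezone
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
BLOCK_SIZE = 128  # index.dat records are allocated in 128-byte blocks
def filetime_to_datetime(ft):
    """64-bit Windows FILETIME (100 ns ticks since 1601-01-01 UTC) -> UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def parse_url_record(buf, start):
    """Parse the 'URL ' record at buf[start:]; None if the bytes do not look like one."""
    if buf[start:start + 4] != b"URL " or start + 0x38 > len(buf):
        return None
    blocks = struct.unpack_from("<I", buf, start + 0x04)[0]  # length in 128-byte blocks
    if blocks == 0 or blocks > 256:  # carved data: reject absurd record sizes
        return None
    # 0x08: resource Last Modified (UTC); 0x10: Last Visited (UTC), as rcw8892 describes
    last_modified, last_visited = struct.unpack_from("<QQ", buf, start + 0x08)
    url_offset = struct.unpack_from("<I", buf, start + 0x34)[0]  # URL string offset (record layout, not from the thread)
    end = min(start + blocks * BLOCK_SIZE, len(buf))  # clamp truncated records
    if url_offset < 0x38 or start + url_offset >= end:
        return None
    url = buf[start + url_offset:end].split(b"\x00", 1)[0]
    return {"url": url.decode("ascii", "replace"),
            "last_modified": filetime_to_datetime(last_modified),
            "last_visited": filetime_to_datetime(last_visited)}

def carve_url_records(buf):
    """Scan arbitrary bytes (e.g. exported unallocated clusters) for plausible URL records."""
    found, pos = [], buf.find(b"URL ")
    while pos != -1:
        rec = parse_url_record(buf, pos)
        if rec is not None:
            found.append(rec)
        pos = buf.find(b"URL ", pos + 4)
    return found

def build_sample_record(url, last_modified, last_visited):
    """Constructed one-block record for testing; not bytes from a real index.dat."""
    rec = bytearray(BLOCK_SIZE)
    rec[0:4] = b"URL "
    struct.pack_into("<I", rec, 0x04, 1)
    struct.pack_into("<QQ", rec, 0x08, last_modified, last_visited)
    struct.pack_into("<I", rec, 0x34, 0x60)
    rec[0x60:0x60 + len(url)] = url.encode("ascii")
    return bytes(rec)

# Constructed "unallocated" buffer: slack, a stray "URL " in text (rejected), one real record.
# FILETIMEs: 116444736000000000 is 1970-01-01 UTC; the two below add 1e9 s and 1234567890 s.
SAMPLE_UC = (b"\x00" * 17 + b"some text with URL inside" +
             build_sample_record("http://example.com/icon.ico",
                                 126444736000000000, 128790414900000000) + b"\xff" * 9)
```

Running `carve_url_records` over a buffer exported from EnCase gives the same two timestamps the bookmarking approach above sweeps by hand, but with the field names rcw8892 gives rather than guessed ones.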
cfprof
(@cfprof)
Trusted Member
Joined: 20 years ago
Posts: 80
 

I've tried using programs like NetAnalysis or Index.dat analyser but haven't had the smoothest experience using these products.

Both NetAnalysis and now EnCase offer this feature. Both are exceptionally easy to use and very "smooth". I've used both several times to recover thousands of entries from Unallocated Space.

Craig's product is outstanding (and its popularity is likely why EnCase added this feature).


(@phius)
Eminent Member
Joined: 21 years ago
Posts: 25
 

Hi Chitapett,

I think you might have ruffled Craig's feathers with that one lol. To chip in though, I don't understand why you've had no success with Netanalysis? It really is an excellent tool & the well written manual helps explain the information that you've been (commendably) trying to research.


(@chitapett)
Estimable Member
Joined: 18 years ago
Posts: 76
Topic starter  

For starters I want to apologize to anyone that I may have offended or for any miscommunication I may have made in my prior posting. I was unsuccessful at using the aforementioned applications because I didn't use them correctly and didn't have the time to really learn them. Not because they don't work. When I have more time to spend on researching these and other tools I will do so.

For now, as was mentioned by another user, my task is fairly simple so I want to use the simplest method that fits my environment. I am using EnCase v5 and v6. What is the name of the EnScript (I'm assuming it's an EnScript) that parses the Temporary Internet Cache index.dat entries out of UC? I can't seem to find it in the list of modules…

Thanks to all that have posted.


cfprof
(@cfprof)
Trusted Member
Joined: 20 years ago
Posts: 80
 

Sorry for the delay.

Click on the Search (that's where all the good stuff is, right?)

Check "Search for Internet History" to have EnCase parse all index.dat files and check "Comprehensive Search" if you would also like to analyze unallocated space for records.

The results will be output to the Records tab.

Good luck.

