I'm new to forensic analysis and currently looking into a Windows XP SP3 machine to find out the user's visited history through Internet Explorer. I believe the index.dat files contain the necessary information I'm looking for. However, there are many in the system.
Can anyone explain to me the difference between the following index.dat files?
1) username\Local Settings\History\History.IE5\index.dat
2) username\Local Settings\History\History.IE5\MSHist012016061520160616\index.dat
3) username\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Yep, it is documented here
http//
http//
I am not sure what the question is?
jaclaz
Thanks for the reply, jaclaz. However, the wiki does not clearly mention the difference between the content of the two index.dat files.
According to the WIKI, for Win XP the following paths should hold the history of the IE browser.
%systemdir%\Documents and Settings\%username%\Local Settings\Temporary Internet Files\Content.ie5
%systemdir%\Documents and Settings\%username%\Cookies
%systemdir%\Documents and Settings\%username%\Local Settings\History\history.ie5
However, what is the difference between the content in the following files?
%systemdir%\Documents and Settings\%username%\Local Settings\Temporary Internet Files\Content.ie5
%systemdir%\Documents and Settings\%username%\Local Settings\History\history.ie5
1) username\Local Settings\History\History.IE5\index.dat
2) username\Local Settings\History\History.IE5\MSHist012016061520160616\index.dat
3) username\Local Settings\Temporary Internet Files\Content.IE5\index.dat
1) The main history file
2) The daily history file 2016 june 15-16
3) The Web cache database file
Thanks a lot for the reply, Mansiu. So the "Web cache database" may contain stuff that got cached while browsing but won't contain all the URLs which should have been in the History file, right?
Yes and no.
The URLs in one of the databases may be (or may not be) overlapped.
History is a file containing (more or less) the addresses that the browser reached.
Temporary Internet Files is a cache of the files actually downloaded or viewed; the latter can be seen normally as a superset of the former.
On the other hand, History will also contain addresses of file:// and res:// objects accessed through Explorer.
To give you an example, in history (at a given date/time) I have this URL: hxxp//
In the cache I find on the same date/time: hxxp//
hxxp//
hxxp//
hxxp//
hxxp//
hxxp//
hxxp//
hxxp//
hxxp//
In history, right before that URL, I find this: hxxp//help.sketchup.com
And not much before that, also file:///C:/Programmi/Google/Google%20SketchUp%208/resources/it/welcomescreen/learntab.html
and file:///D:/<redacted>/Senza%20titolo.skp
So what I did at the time was probably running Sketchup and creating a new file in it, and was prompted to upgrade to a new version.
jaclaz
Great. Thanks for the detailed description, jaclaz. The user seems to have deleted the IE history since the index.dat folder inside the history folder is empty. However, the index.dat inside "Temporary Internet Files" had some information. I was wondering about the difference between those two since then. Thank you.
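
The mapping given in the thread (main history, dated MSHist01 history folder, web cache database), as an added example that is not code from any poster: it labels an index.dat by its parent folder and decodes the date range from the MSHist01 folder name. The function names are hypothetical, the cookies label and the 7-day "weekly" case go beyond what the thread states, and the weekly sample path is constructed.

```python
import re
from datetime import datetime
from pathlib import PureWindowsPath

# MSHist01 + start date (YYYYMMDD) + end date (YYYYMMDD), as in the thread's folder name.
MSHIST = re.compile(r"^MSHist01(\d{8})(\d{8})$", re.IGNORECASE)

def parse_mshist(folder):
    """Return (start, end) dates encoded in an MSHist01 folder name, or None."""
    m = MSHIST.match(folder)
    if not m:
        return None
    try:
        start, end = (datetime.strptime(g, "%Y%m%d").date() for g in m.groups())
    except ValueError:  # eight digits that do not form a calendar date
        return None
    return (start, end) if start < end else None

def classify(path):
    """Label an index.dat path with the role described in the thread."""
    p = PureWindowsPath(path)  # parses backslash paths on any analysis host
    if p.name.lower() != "index.dat":
        return "not an index.dat"
    parents = [s.lower() for s in p.parts[:-1]]
    if parents[-1:] == ["content.ie5"]:
        return "web cache database"
    if parents[-1:] == ["cookies"]:
        return "cookies index"  # assumption: label for the wiki's Cookies path
    if parents[-1:] == ["history.ie5"]:
        return "main history"
    span = parse_mshist(p.parts[-2]) if len(p.parts) >= 2 else None
    if span and parents[-2:-1] == ["history.ie5"]:
        days = (span[1] - span[0]).days
        kind = "daily" if days == 1 else "weekly" if days == 7 else "period"
        return f"{kind} history {span[0]} to {span[1]}"
    return "unknown index.dat"

# The three paths from the question, plus one constructed weekly folder.
SAMPLE = [
    r"username\Local Settings\History\History.IE5\index.dat",
    r"username\Local Settings\History\History.IE5\MSHist012016061520160616\index.dat",
    r"username\Local Settings\Temporary Internet Files\Content.IE5\index.dat",
    r"username\Local Settings\History\History.IE5\MSHist012016060620160613\index.dat",
]

if __name__ == "__main__":
    for path in SAMPLE:
        print(f"{classify(path):45} {path}")
```

An empty History.IE5 tree alongside a populated Content.IE5 index, as in the last post, shows up here as cache entries with no matching history labels.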