
Unusually small index.dat file  

dj_chiro
(@dj_chiro)
Junior Member

Hi all, it's been a while since I have last posted to this site, but you guys always help give me some insight when I am in a jam… That being said, here's my problem/question:

I am parsing through an index.dat file but I find it to be abnormally small and only containing 1 wk's worth of history. I've looked at it through Pasco on the Linux side and various analysis tools on the Windows side, only to find the same results. The machine is an XP SP2 machine running IE6. The profile was created 3/30/2005, so there should be much more history in here. I've searched around for evidence of software being installed to delete the index.dat but have not found any. Also, the user does not have any other user accounts that he could log in with in order to delete the index.dat, so I can pretty much rule that out as well. Honestly, I don't think he's smart enough to know about the index.dat. What could possibly wipe out an index.dat like this?

EDIT: One thing I noticed is there are a few thousand lines in my output file that contain the words "BAD FOOD" in the "type" column, which normally says "URL". Thanks

Posted : 31/10/2006 1:14 am
ddow
(@ddow)
Active Member

Any chance there's an alternate browser?

Posted : 31/10/2006 1:51 am
dj_chiro
(@dj_chiro)
Junior Member

Good idea, I forgot to mention that. I did check for other browsers but did not find any.

Posted : 31/10/2006 2:31 am
rocklobster
(@rocklobster)
New Member

dj,

When you looked for software "used to delete the index.dat" file, did you look for Perl or any other scripting tools?

Also, with the words "BAD FOOD" repeated in there, I'm thinking the fellow has set up a script of some sort to overwrite his history entries.

I would check to see if he has Perl or anything similar installed. Also, check the last date available in the results you are getting now. Use that date to see what else was installed or copied to that system on or near that date. Odds are that something was set up that overwrites the day's entries in the history file with "BAD FOOD".

Do a string search for "BAD FOOD" paying particular attention to .bat, .pl, .vbs plus any text files that might be the "string file" used in a loop of some sort.

That is where I would look.

Posted : 31/10/2006 4:02 am
dj_chiro
(@dj_chiro)
Junior Member

Thanks, I will search for what you mentioned. I will be really surprised, though, if this guy is that savvy, but I guess one should never underestimate. I found this info on another website by googling "index.dat bad food"…

> The empty space of index.dat files is filled with junk (most often zeros, but it can also be various meaningless sequences) or, in some areas, with the "magic" sequence 0BADF00Dh (BAD FOOD). Obviously Microsoft developers are not without a sense of humor. BAD FOOD parts of the file are deleted records of other kinds and they aren't a privacy threat.

Posted : 31/10/2006 6:54 pm
keydet89
(@keydet89)
Community Legend

I'm not a big user of IE, but you might want to check the IE settings for the user. When I open IE, I can go to Tools -> Internet Options -> General and click "Settings" under the Temporary Internet Files section. You can also change the History settings there as well.

Some other things to think about… since you're on XP (thanks for mentioning the OS, btw), check the Prefetch folder for any evidence of a wiping or privacy utility being used. Also check under the UserAssist key in the user's profile as well.

HTH,

H

Posted : 31/10/2006 10:01 pm
jakec
(@jakec)
New Member

The sequence 0BADF00Dh will exist normally in the index.dat file and is not part of a valid record, so there's no need for alarm. It appears that the tool you are using may not understand that, as it should be ignoring those entries.

Did you try running with the "-d" option of Pasco to view records that are not present in the internal HASH table?

Also, take a look at the index.dat file in a hex editor, or use "strings" in Linux. The URLs are stored in ASCII, so you can see if there are records embedded in the file that are not being parsed properly by the tools.

It has been my experience that there are several index.dat files in different locations on a single system with different pieces of history data. Have you retrieved all the index.dat files related to that user?

Posted : 31/10/2006 10:08 pm
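jakec's three suggestions above (walk the file rather than the hash table, treat 0BADF00Dh as fill rather than as records, and fall back to a strings-style sweep for URLs the parser misses) and the later point that several index.dat files exist per user, as an added worked example that is not part of the original thread and is not Pasco's code: a small Python carver for an MSIE 5.2-format index.dat. The URL/LEAK field offsets used (FILETIMEs at 0x08 and 0x10, URL pointer at 0x34, cache-directory index at 0x38, filename pointer at 0x3C, hit count at 0x54, REDR URL at 0x10, cache-directory table at header offset 0x48, first HASH offset at 0x20) are the ones Pasco and libmsiecf document for this format version; the treatment of 0 and 0x0BADF00D in hash-table slots as empty is an assumption stated in the comments, and the index.dat bytes are constructed inline, not taken from any real system.

```python
"""Carve URL/REDR/LEAK records from an MSIE 5.2 index.dat (added example, not Pasco's code).
Walks 128-byte blocks linearly, like pasco -d, so records the HASH table no longer points at
are still reported; 0x0BADF00D fill blocks are counted and skipped, not shown as 'BAD FOOD'."""
import re
import struct
from datetime import datetime, timedelta, timezone

BLOCK = 0x80                                    # records are allocated in 128-byte blocks
BAD_FOOD = 0x0BADF00D                           # fill marker; on disk: 0D F0 AD 0B
BAD_FOOD_BLOCK = struct.pack("<I", BAD_FOOD) * (BLOCK // 4)
EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime(raw):
    """64-bit FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware datetime, None if unset."""
    return None if raw == 0 else EPOCH + timedelta(microseconds=raw // 10)


def cstr(buf, off):
    """NUL-terminated ASCII at off inside buf; '' when the pointer is 0 or out of range."""
    if off == 0 or off >= len(buf):
        return ""
    end = buf.find(b"\x00", off)
    return buf[off:end if end != -1 else len(buf)].decode("latin-1")


def cache_dirs(data):
    """32 cache-directory slots at header offset 0x48: uint32 file count + 8-char name each."""
    return [data[0x4C + 12 * i:0x54 + 12 * i].split(b"\x00")[0].decode("latin-1") for i in range(32)]


def hash_referenced(data):
    """Record offsets reachable from the HASH table chain, i.e. what a hash-table walk shows."""
    refs, off = set(), struct.unpack_from("<I", data, 0x20)[0]
    while 0 < off + BLOCK <= len(data) and data[off:off + 4] == b"HASH":
        blocks, nxt = struct.unpack_from("<II", data, off + 4)
        for pos in range(off + 16, min(off + blocks * BLOCK, len(data)) - 7, 8):
            _hash, rec = struct.unpack_from("<II", data, pos)   # 8-byte slot: hash, record offset
            # Assumption: slots holding 0 or the 0x0BADF00D marker are empty. Anything not
            # block-aligned or past EOF is dropped rather than followed as a bad pointer.
            if rec not in (0, BAD_FOOD) and rec % BLOCK == 0 and rec < len(data):
                refs.add(rec)
        if nxt <= off:                          # the chain must move forward; stop on loops
            break
        off = nxt
    return refs


def carve(data):
    """Linear block walk over the whole file. Returns (records, number_of_fill_blocks)."""
    dirs, refs, recs, fill, off = cache_dirs(data), hash_referenced(data), [], 0, 0
    while off + BLOCK <= len(data):
        blk, sig = data[off:off + BLOCK], data[off:off + 4]
        if blk == BAD_FOOD_BLOCK:
            fill, off = fill + 1, off + BLOCK
            continue
        if sig not in (b"URL ", b"REDR", b"LEAK", b"HASH"):
            off += BLOCK                        # zeros or unrecognised bytes: step one block
            continue
        size = min(max(struct.unpack_from("<I", blk, 4)[0], 1) * BLOCK, len(data) - off)
        rec = data[off:off + size]
        if sig != b"HASH":                      # HASH tables are skipped whole, not reported
            entry = {"offset": off, "type": sig.decode().strip(), "in_hash": off in refs}
            if sig == b"REDR":
                entry["url"] = cstr(rec, 0x10)  # REDR: only a URL string after the 16-byte header
            else:                               # URL and LEAK records share one layout
                mod, acc = struct.unpack_from("<QQ", rec, 0x08)
                url_off, dir_idx = struct.unpack_from("<IB", rec, 0x34)
                fn_off = struct.unpack_from("<I", rec, 0x3C)[0]
                hits = struct.unpack_from("<I", rec, 0x54)[0]   # hit count; verify on your sample
                entry.update(url=cstr(rec, url_off), filename=cstr(rec, fn_off),
                             cache_dir=dirs[dir_idx] if dir_idx < 32 else "",
                             modified=filetime(mod), accessed=filetime(acc), hits=hits)
            recs.append(entry)
        off += size
    return recs, fill


def loose_urls(data):
    """strings(1)-style sweep: every URL in the file, inside a parsable record or not."""
    return [m.decode("latin-1") for m in re.findall(rb"(?:https?|ftp|file)://[\x21-\x7e]+", data)]


def _ft(dt):
    return ((dt - EPOCH) // timedelta(microseconds=1)) * 10


def _url_rec(sig, url, filename, accessed, hits, dir_idx, nblocks=2):
    """Constructed URL/LEAK record; strings are placed after the fixed 0x68-byte header."""
    rec, url_off = bytearray(nblocks * BLOCK), 0x68
    fn_off = url_off + len(url) + 1
    rec[:4] = sig
    struct.pack_into("<I", rec, 0x04, nblocks)
    struct.pack_into("<QQ", rec, 0x08, _ft(accessed - timedelta(days=1)), _ft(accessed))
    struct.pack_into("<IB", rec, 0x34, url_off, dir_idx)
    struct.pack_into("<I", rec, 0x3C, fn_off)
    struct.pack_into("<I", rec, 0x54, hits)
    rec[url_off:url_off + len(url)] = url.encode()
    rec[fn_off:fn_off + len(filename)] = filename.encode()
    return bytes(rec)


def sample_index_dat():
    """Constructed file, not from a real system: HASH at 0x200 pointing at a URL record (0x280)
    and a REDR (0x380); a LEAK at 0x400 the table does not reference; three fill blocks; and a
    zeroed block holding a stray URL remnant that only the strings sweep will find."""
    t = datetime(2006, 10, 24, 9, 30, tzinfo=timezone.utc)
    hsh = bytearray(BLOCK)
    hsh[:4] = b"HASH"
    struct.pack_into("<III", hsh, 4, 1, 0, 1)   # 1 block, no next table, sequence 1
    struct.pack_into("<IIII", hsh, 16, 0x1000, 0x280, 0x2000, 0x380)
    for pos in range(32, BLOCK, 8):             # unused slots carry the marker (constructed)
        struct.pack_into("<II", hsh, pos, BAD_FOOD, BAD_FOOD)
    redr = bytearray(BLOCK)
    redr[:4], redr[4] = b"REDR", 1
    redr[0x10:0x10 + 22] = b"http://short.example/r"
    tail = bytearray(BLOCK)
    tail[0x20:0x20 + 31] = b"http://remnant.example/old?id=7"
    body = (bytes(hsh)
            + _url_rec(b"URL ", "http://www.example.com/index.html", "index[1].htm", t, 7, 0)
            + bytes(redr)
            + _url_rec(b"LEAK", "http://mail.example.org/inbox", "inbox[1].htm", t - timedelta(days=9), 2, 1)
            + BAD_FOOD_BLOCK * 3 + bytes(tail))
    hdr = bytearray(0x200)                      # real headers are 0x4000 bytes; the carver does not care
    hdr[:28] = b"Client UrlCache MMF Ver 5.2\x00"
    struct.pack_into("<II", hdr, 0x1C, 0x200 + len(body), 0x200)   # file size, first HASH offset
    hdr[0x4C:0x54] = b"4K2M9PQ1"                # cache directory 0
    hdr[0x58:0x60] = b"ZX7LDUC3"                # cache directory 1
    return bytes(hdr) + body


if __name__ == "__main__":
    data = sample_index_dat()
    records, fill_blocks = carve(data)
    for r in records:
        print(r)
    print("fill blocks skipped:", fill_blocks)
    print("strings sweep:", loose_urls(data))
```

Run it against a real file with `carve(open(path, "rb").read())`; the `in_hash` flag separates what a hash-table walk would have shown from what a linear walk recovers, and a URL that appears in `loose_urls` but in no carved record is the hex-editor case jakec describes. Run it over every index.dat under History.IE5 (the root and each MSHist01* subdirectory), Temporary Internet Files and Cookies, since each holds a different slice of the activity.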
dj_chiro
(@dj_chiro)
Junior Member

> The sequence 0BADF00Dh will exist normally in the index.dat file and is not part of a valid record, so there's no need for alarm. It appears that the tool you are using may not understand that, as it should be ignoring those entries.
> Did you try running with the "-d" option of Pasco to view records that are not present in the internal HASH table?
> Also, take a look at the index.dat file in a hex editor, or use "strings" in Linux. The URLs are stored in ASCII, so you can see if there are records embedded in the file that are not being parsed properly by the tools.
> It has been my experience that there are several index.dat files in different locations on a single system with different pieces of history data. Have you retrieved all the index.dat files related to that user?

I'll try the -d option in Pasco. I know there are index.dat files in each of the subdirs under the History.IE5 folder. I have analyzed each of those as well. The strange thing is the index.dat in the root of the History.IE5 folder is only 600k… This is usually the index.dat that contains all of the history, and it should be much larger given the user has been using this box since 3/30/2005…

Posted : 31/10/2006 11:41 pm
dj_chiro
(@dj_chiro)
Junior Member

I just started to wonder this…

It appears that the index.dat only retains information as far back as your "Days to keep pages in history" option under Internet Options. I never thought about this, but I just tried looking at my own index.dat and it only goes back 20 days, which is exactly what my history options are set for in IE. I can't believe I have never noticed that before. I always assumed that the index.dat logged all of the history and that even after clearing the history it would still continue logging, regardless of the history setting. Aside from recovering deleted index.dat files, is there any way to go back further?

Posted : 15/11/2006 12:42 am
ddow
(@ddow)
Active Member

You may find the LNK files in the Recent folder of interest.

Posted : 15/11/2006 1:33 am
dj_chiro
(@dj_chiro)
Junior Member

Thanks, I have already done that and found items of interest.

I was also able to recover some deleted subdirectories within the History.IE5 folder which contained some older index.dat files. This is better than just 1 week (I need to prove that the misuse was not just a recent occurrence).

Posted : 15/11/2006 1:49 am