Windows 98 Cookie Folder and index.dat file
First of all, apologies for this being rather long.
Currently doing an assignment for a course into the operation of Internet Explorer when visiting websites.
The question is re the Cookies folder and index.dat files. I created a basic Win98 disk and, after getting it set up for use, imaged it and created a hash library of the files it contained for comparison purposes. This was on 5th October.
On 7th October I put it back into the machine and accessed one small non-commercial site for 5 pages, then withdrew and knocked the machine off.
I then imaged the machine in EnCase and ran hash values to see the changes that had taken place. (All sorts of other logging software was used as well, like RegMon, FileMon and InCtrl5, so I wasn't relying solely on EnCase.)
I then found the strangest thing.
The Cookies folder hash value was the same as it was before Internet usage, and a check revealed the site had not used cookies at all (as expected); it was no different to when I started. The created, last accessed and last written to details of the Cookies folder were 5th October 2005.
The index.dat file, however, showed a last written to date and time of 7th October 2005 at 18.45, which was when I knocked the machine off after the Internet session. Checking the index.dat file, however, showed it to be exactly the same as the base drive, and the hash value had not changed.
I cannot figure out why, if nothing is added to it or changed and the hash value is the same as the specimen one, it shows being last written to at the time I closed the computer down.
The only thing I can think of is that if you are on the Internet but no cookies are used etc., the computer just rewrites the index.dat file with the same data as was already in it for some reason, but this just sounds too silly to be anywhere near reality.
If anyone has any ideas I would greatly appreciate it, and for any UK gents who are going to the F3 conference next week it would be worth a couple of beers if you know.
A couple of things…
First off, if you had been running Filemon and Regmon (from SysInternals) on the live system while you were accessing the 'Net, you'd get a more complete picture of what was going on.
I think that your analysis, however, is pretty close to being on target. I think that what you really need to look at is how IE uses the index.dat file, from start to finish. You may be right… the file was opened, nothing was added or removed (no changes were made) and the file was closed. That would account for both the change in the last modification time, as well as the fact that the hashes are the same.
"Windows Forensics and Incident Recovery"
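The two candidate explanations in this thread (the file was merely opened and closed, versus the file was rewritten with identical bytes) leave different traces, and the difference is easy to reproduce. The following is an added example, not code from either poster; it builds a constructed stand-in for index.dat in a temporary file and checks what each action does to the content hash and the last-written timestamp. It assumes ordinary POSIX/NTFS semantics, where only an actual write() updates the modification time.

```python
import hashlib
import os
import tempfile
import time


def sha1_of(path):
    """Hash the file contents, as a hash-library comparison would."""
    with open(path, "rb") as f:
        return hashlib.sha1(f.read()).hexdigest()


def open_and_close(path):
    """Open for read/write and close again without writing anything."""
    with open(path, "r+b"):
        pass


def rewrite_with_same_bytes(path):
    """Write back exactly the bytes the file already holds (no truncation)."""
    with open(path, "rb") as f:
        data = f.read()
    with open(path, "r+b") as f:
        f.write(data)


def observe(path, action):
    """Return (hash_unchanged, mtime_advanced) after running action(path)."""
    before_hash, before_mtime = sha1_of(path), os.stat(path).st_mtime
    time.sleep(2.1)  # step past coarse timestamp granularity (FAT uses 2 s)
    action(path)
    after_hash, after_mtime = sha1_of(path), os.stat(path).st_mtime
    return before_hash == after_hash, after_mtime > before_mtime


def make_sample():
    """Constructed sample file standing in for index.dat (not real data)."""
    fd, path = tempfile.mkstemp(suffix=".dat")
    with os.fdopen(fd, "wb") as f:
        f.write(b"Client UrlCache MMF Ver 5.2\x00" + b"\x00" * 64)
    return path


if __name__ == "__main__":
    p = make_sample()
    print("open/close only    :", observe(p, open_and_close))          # (True, False)
    print("rewrite same bytes :", observe(p, rewrite_with_same_bytes))  # (True, True)
    os.remove(p)
```

Only the rewrite case reproduces what the original poster saw: identical hash, newer last-written time.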
Thanks for that. I think I need to do a couple more sessions just to try and figure out a little bit more about what is going on.
For info - FileMon, RegMon and InCtrl5 were all active on the machine during the Internet session, and logs from all three have been saved for examination. Suffice to say that the FileMon log for one session from start to finish was over 800 pages long. I have 4 sessions with 3 onboard software logs from each session, plus the EnCase and FTK data, plus all the registry data, but only 3 weeks left to sort them out into order.
It seemed a good idea when I started the course!
Thanks again for the reply.