• 0Shopping Cart
Digital Detective
  • Home
  • Corporate
    • About Us
      • Executive Team
      • Our Clients
      • Testimonials
    • News and Events
      • Latest News
      • Press Release
    • Legal
      • Privacy Policy
      • Cookie Policy
      • Returns Policy
  • Products
    • Forensic Software
      • NetAnalysis®
      • HstEx®
      • Blade®
    • Downloads
      • Evaluation Request
      • Free Digital Forensic Tools
    • Product Documentation
      • NetAnalysis® Documentation
      • HstEx® Documentation
      • Blade® Documentation
  • Careers
  • Support
    • Knowledge Base
    • Support Portal
    • Digital Forensics Forum
  • Store
    • Forensic Software
    • View Shopping Cart
  • Blog
  • Contact Us
  • Search
  • Menu Menu

Microsoft Internet Explorer Daily/Weekly INDEX.DAT Files

Digital Forensics, Digital Foresnsic Software, Forensic Analysis, NetAnalysis®, Web Browser Forensics

Introduction

Microsoft Internet Explorer maintains a number of INDEX.DAT files to record visits to web sites as well as to maintain cache and cookie data.  In this article, we will look at the Daily and Weekly files.

Daily INDEX.DAT Entries

The Daily INDEX.DAT file maintains a Daily record of visited pages.  This INDEX.DAT file has an unusual HOST record entry which helps the investigator analyse the pattern of visits to a particular web site.

The HOST record entry is used by Internet Explorer to display the hierarchical history structure when showing the user which web sites have been visited.  Each record contains a number of timestamps with the important data being stored in a FILETIME structure.  This timestamp structure contains a 64-bit value representing the number of 100-nanosecond intervals since 1st January 1601 (UTC).  The Digital Detective DCode utility can be used to convert these and other timestamp formats.

On the first daily visit to a particular web site, Internet Explorer creates a HOST entry in the INDEX.DAT record.  In effect, this entry represents the first visit to a particular HOST on specific day.  With further visits to the same web site, the HOST entry remains unchanged.  Examining the entries for the Daily INDEX.DAT will show when a web site was first and last visited during the period.  Figure 1 below shows an example of this when using the HOST filter view in NetAnalysis® v1 to look for visits to the Digital Detective web site.

NetAnalysis_Daily_Index.dat_Entries

Figure 1

Daily INDEX.DAT Timestamps

The Last Visited timestamp information is stored as two 64-bit FILETIMES located at offset 0x08 and 0x10 (Decimal 8,16).  They are stored as UTC and Local time values.  As there is no requirement to alter these timestamps, they are presented in an unaltered state in NetAnalysis® v1 as the “Last Visited [UTC]” and “Last Visited [Local]” columns.  Figure 2 and 3 summarise these timestamp values.

Digital_Detective_NetAnalysis_Daily_Timestamp_1

Figure 2

Digital_Detective_NetAnalysis_Daily_Timestamp_2

Figure 3

Establishing the Time Zone ActiveBias

As the URL records contain UTC and Local timestamps, it is possible to establish the Time Zone ActiveBias by establishing the time difference between both timestamps.  We discussed in a previous article on manually establish the system Time Zone settings.  The calculated ActiveBias information is represented in NetAnalysis® v1 by the ActiveBias column as shown in Figure 4.

Digital_Detective_NetAnalysis_ActiveBias_Column

Figure 4

NetAnalysis further uses this information to confirm the selected Time Zone is correct.  If the Time Zone ActiveBias is in conflict with the Time Zone setting in NetAnalysis®, the resulting timestamps may not be represented accurately.  The calculated ActiveBias is logged to the Audit Log as shown in Figure 5.

Digital_Detective_NetAnalysis_Audit_Log

Figure 5

If NetAnalysis® detects that the Time Zone settings for the current forensic investigation are not correct, a warning dialogue will be shown immediately after the data has been imported.  Figure 4 shows the warning dialogue.

Digital_Detective_NetAnalysis_Time_Zone_Warning

Figure 4

Examination of the ActiveBias column will show which entries are in conflict with the Time Zone Settings.

Weekly INDEX.DAT Entries

At the commencement of a new browsing week, the content from the Daily INDEX.DAT files is archived into a single Weekly INDEX.DAT file.  The actual timestamp information within the binary file changes for this file type when compared to the other files.

When the Weekly INDEX.DAT file is generated, the file created timestamp is saved at offset 0x10 of every URL record.  This is different to the other INDEX.DAT records as this location usually represents the Last Visited UTC Timestamp.  Many applications (including some software which claim to be for forensic purposes) get this wrong and misrepresent this timestamp as the “Last Visited Date”.

This timestamp is in FILETIME format and is saved as a UTC value.  This timestamp is presented within NetAnalysis in the “Date Index Created [UTC]” column.

The last visited timestamp is saved at offset 0x08 within the record as a LOCAL timestamp.  This is unusual, as FILETIME timestamps are normally saved as UTC values and the other INDEX.DAT files all contain a Last Visited timestamp with a UTC value.  With this timestamp, NetAnalysis takes the unaltered LOCAL time and saves it to the “Last Visited [Local]” column.  Unfortunately, the Last Visited UTC FILETIME value which was present in the Daily INDEX.DAT is not saved within the record and therefore has to be converted from a Local timestamp.

To calculate the UTC timestamp for the “Last Visited [UTC]” column, NetAnalysis takes the LOCAL timestamp at record offset 0x08 and converts it to UTC.  This conversion is calculated using the Time Zone value set in NetAnalysis prior to importing any data.  In doing so, dynamic daylight settings are also taken into account (as well as any year on year differences).

If a Weekly record is imported with the “No Time Zone Date/Time Adjustment” setting activated, NetAnalysis will show the LOCAL Last Visited timestamp but will not attempt to calculate the UTC timestamp.  In this case, the “Last Visited [UTC]” column will remain empty.  The “Last Visited [Local]” timestamp for Weekly entries is not changed or affected by NetAnalysis Time Zone settings.  It is left in an unaltered state.

Weekly INDEX.DAT Timestamps

The timestamp representation in NetAnalysis is shown in Figure 5 and 6 below.

Digital_Detective_NetAnalysis_Weekly_Timestamp_1

Figure 5

Digital_Detective_NetAnalysis_Weekly_Timestamp_2

Figure 6

Useful Links

  • NetAnalysis Home Page
  • Digital Detective DCode Utility
  • Daylight Saving Time Help and Support Center
  • Digital Detective Time Zone Testing Tool
15th June 2010/by Craig Wilson
Tags: Browser Evidence, Internet Explorer
Share this entry
  • Share on Facebook
  • Share on Twitter
  • Share on WhatsApp
  • Share on Pinterest
  • Share on LinkedIn
  • Share on Tumblr
  • Share on Vk
  • Share on Reddit
  • Share by Mail
You might also like
Cookies next to a laptop keyboard Random Cookie Filenames
Clock dial showing hands approching 12 o' clock NetAnalysis® Date and Time Fields
Random binary data with magnifying glass showing the text REDIRECT in red Understanding Redirects
Hands typing on computer keyboard Userdata History Type in Internet Explorer
Casey Anthony and Jose Angel Baez standing during the murder trial Digital Evidence Discrepancies – Casey Anthony Trial
Computer keyboard with red enter key being pressed NetAnalysis® v1.52 – USB Dongle, Google Chrome Support and Export/Rebuild Entire Cache Option
Internet Explorer logo over a computer keyboard Understanding Microsoft Internet Explorer Cache
Keyboard with chain and palock Microsoft Internet Explorer PrivacIE Entries

Categories

Recent Posts

  • DataDump™ – Data Extractor
  • NetAnalysis® v3.3 and HstEx® v5.3 Released
  • NetAnalysis® v3.2 and HstEx® v5.2 Released
  • Forensic Analysis of the Zone.Identifier Stream
  • NetAnalysis® v3.1 Released

Tags

ACPO AOL Big Endian Browser Evidence Byte Order Cache Case Study Change Log Cookies Data Extraction Data Recovery Data Recovery Profiles Date & Time Digital Evidence Discount Dongles Email Recovery Endianness File System Find Panel Free Good Practice Guidelines Hard Disk Head Swap Image Mounting Intelli-Carve Internet Explorer Junction Points Legal Licensing Little Endian Microsoft Windows Mozilla Firefox News NTFS Offer PFC Release Notes Seagate Search Syntax Timestamps Tools Tutorial

About Us

Digital Detective enhances digital forensic science though cutting edge research and development. We offer a range of products and services for digital forensic analysis and advanced data recovery.

Recent Tweets

Exciting news! Our popular #DataDump tool just got even better with the release of v2.1. Download now for free and experience the difference! #freetool #dataextraction digital-detective.ne…

About 3 weeks ago from Digital Detective's Twitter via Twitter Web App

Nothing seems to have changed in the last 13 years. lbc.co.uk/news/polic…

About 2 months ago from Digital Detective's Twitter via Twitter Web App

This has been a lot of work; hope you like it. NetAnalysis® v3.3 and HstEx® v5.3 have been released. Lots of new functionality! digital-detective.ne…

About 3 months ago from Digital Detective's Twitter via Twitter Web App

Her Majesty The Queen Elizabeth II 1926 - 2022 pic.twitter.com/sWSC…

About 5 months ago from Digital Detective's Twitter via Twitter for iPad

Recovery and analysis of MFT resident Zone.Identifier alternate data streams and how they are helpful in a forensic investigation. #DFIR #DigitalForensics #BrowserForensics #FileSystemAnalysis digital-detective.ne…

About a year ago from Digital Detective's Twitter via Twitter Web App

Follow @DigitalDetectiv

Select Language

Translate our site by selecting your language from the option below.

en English
ar Arabiczh-CN Chinese (Simplified)nl Dutchen Englishfr Frenchde Germanit Italianpt Portugueseru Russianes Spanish

Contact Us

Digital Detective Group
Motis Business Centre
Cheriton High Street
Folkestone
KENT, CT19 4QJ
United Kingdom

///courts.endearing.bulbs
+44 (0) 20 3384 3587

Copyright © 2001 - 2023 Digital Detective Group Limited
  • Facebook
  • Twitter
  • Youtube
  • Mail
  • Home
  • Sitemap
  • Corporate
  • Products
  • Store
  • Blog
  • Contact
Scroll to top

This site uses cookies. By continuing to browse the site, you are agreeing to our use of cookies.

OKLearn more

Cookie and Privacy Settings



How we use cookies

We may request cookies to be set on your device. We use cookies to let us know when you visit our websites, how you interact with us, to enrich your user experience, and to customize your relationship with our website.

Click on the different category headings to find out more. You can also change some of your preferences. Note that blocking some types of cookies may impact your experience on our websites and the services we are able to offer.

Essential Website Cookies

These cookies are strictly necessary to provide you with services available through our website and to use some of its features.

Because these cookies are strictly necessary to deliver the website, refuseing them will have impact how our site functions. You always can block or delete cookies by changing your browser settings and force blocking all cookies on this website. But this will always prompt you to accept/refuse cookies when revisiting our site.

We fully respect if you want to refuse cookies but to avoid asking you again and again kindly allow us to store a cookie for that. You are free to opt out any time or opt in for other cookies to get a better experience. If you refuse cookies we will remove all set cookies in our domain.

We provide you with a list of stored cookies on your computer in our domain so you can check what we stored. Due to security reasons we are not able to show or modify cookies from other domains. You can check these in your browser security settings.

Google Analytics Cookies

These cookies collect information that is used either in aggregate form to help us understand how our website is being used or how effective our marketing campaigns are, or to help us customize our website and application for you in order to enhance your experience.

If you do not want that we track your visit to our site you can disable tracking in your browser here:

Other external services

We also use different external services like Google Webfonts, Google Maps, and external Video providers. Since these providers may collect personal data like your IP address we allow you to block them here. Please be aware that this might heavily reduce the functionality and appearance of our site. Changes will take effect once you reload the page.

Google Webfont Settings:

Google Map Settings:

Google reCaptcha Settings:

Vimeo and Youtube video embeds:

Other cookies

The following cookies are also needed - You can choose if you want to allow them:

Privacy Policy

You can read about our cookies and privacy settings in detail on our Privacy Policy Page.

Privacy Policy
Accept settingsHide notification only