Microsoft Internet Explorer maintains a number of INDEX.DAT files to record visits to web sites as well as to maintain cache and cookie data. In this article, we will look at the Daily and Weekly files.
Daily INDEX.DAT Entries
The Daily INDEX.DAT file maintains a Daily record of visited pages. This INDEX.DAT file has an unusual HOST record entry which helps the investigator analyse the pattern of visits to a particular web site.
The HOST record entry is used by Internet Explorer to display the hierarchical history structure when showing the user which web sites have been visited. Each record contains a number of timestamps with the important data being stored in a FILETIME structure. This timestamp structure contains a 64-bit value representing the number of 100-nanosecond intervals since 1st January 1601 (UTC). The Digital Detective DCode utility can be used to convert these and other timestamp formats.
On the first daily visit to a particular web site, Internet Explorer creates a HOST entry in the INDEX.DAT record. In effect, this entry represents the first visit to a particular HOST on a specific day. With further visits to the same web site, the HOST entry remains unchanged. Examining the entries for the Daily INDEX.DAT will show when a web site was first and last visited during the period. Figure 1 below shows an example of this when using the HOST filter view in NetAnalysis® v1 to look for visits to the Digital Detective web site.
Daily INDEX.DAT Timestamps
The Last Visited timestamp information is stored as two 64-bit FILETIMEs located at offsets 0x08 and 0x10 (decimal 8 and 16). They are stored as UTC and Local time values. As there is no requirement to alter these timestamps, they are presented in an unaltered state in NetAnalysis® v1 as the “Last Visited [UTC]” and “Last Visited [Local]” columns. Figures 2 and 3 summarise these timestamp values.
Establishing the Time Zone ActiveBias
As the URL records contain both UTC and Local timestamps, it is possible to establish the Time Zone ActiveBias from the difference between the two. In a previous article we discussed how to manually establish the system Time Zone settings. The calculated ActiveBias information is represented in NetAnalysis® v1 by the ActiveBias column as shown in Figure 4.
NetAnalysis further uses this information to confirm the selected Time Zone is correct. If the Time Zone ActiveBias is in conflict with the Time Zone setting in NetAnalysis®, the resulting timestamps may not be represented accurately. The calculated ActiveBias is logged to the Audit Log as shown in Figure 5.
If NetAnalysis® detects that the Time Zone settings for the current forensic investigation are not correct, a warning dialogue will be shown immediately after the data has been imported. Figure 4 shows the warning dialogue.
Examination of the ActiveBias column will show which entries are in conflict with the Time Zone Settings.
Weekly INDEX.DAT Entries
At the commencement of a new browsing week, the content from the Daily INDEX.DAT files is archived into a single Weekly INDEX.DAT file. The actual timestamp information within the binary file changes for this file type when compared to the other files.
When the Weekly INDEX.DAT file is generated, the file created timestamp is saved at offset 0x10 of every URL record. This is different to the other INDEX.DAT records, where this location usually represents the Last Visited UTC timestamp. Many applications (including some software that claims to be for forensic purposes) get this wrong and misrepresent this timestamp as the “Last Visited Date”.
This timestamp is in FILETIME format and is saved as a UTC value. This timestamp is presented within NetAnalysis in the “Date Index Created [UTC]” column.
The last visited timestamp is saved at offset 0x08 within the record as a LOCAL timestamp. This is unusual, as FILETIME timestamps are normally saved as UTC values and the other INDEX.DAT files all contain a Last Visited timestamp with a UTC value. With this timestamp, NetAnalysis takes the unaltered LOCAL time and saves it to the “Last Visited [Local]” column. Unfortunately, the Last Visited UTC FILETIME value which was present in the Daily INDEX.DAT is not saved within the record and therefore has to be converted from a Local timestamp.
To calculate the UTC timestamp for the “Last Visited [UTC]” column, NetAnalysis takes the LOCAL timestamp at record offset 0x08 and converts it to UTC. This conversion is calculated using the Time Zone value set in NetAnalysis prior to importing any data. In doing so, dynamic daylight settings are also taken into account (as well as any year on year differences).
If a Weekly record is imported with the “No Time Zone Date/Time Adjustment” setting activated, NetAnalysis will show the LOCAL Last Visited timestamp but will not attempt to calculate the UTC timestamp. In this case, the “Last Visited [UTC]” column will remain empty. The “Last Visited [Local]” timestamp for Weekly entries is not changed or affected by NetAnalysis Time Zone settings. It is left in an unaltered state.
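The following is an added example (not part of the original article or of NetAnalysis) that works through the two record layouts described above: it decodes the FILETIMEs at offsets 0x08 and 0x10, derives the ActiveBias for a Daily record from the UTC/Local pair, and for a Weekly record treats 0x10 as the index creation date and converts the Local value at 0x08 back to UTC using an examiner-supplied time zone. It assumes, following the article, that 0x10 normally carries the UTC value and 0x08 the Local one; the first 8 bytes of the sample record and all dates are constructed placeholders.

```python
import struct
from datetime import datetime, timedelta, timezone, tzinfo

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_MINUTE = 60 * 10_000_000  # FILETIME ticks are 100 ns


def filetime_to_datetime(ft: int) -> datetime:
    """Decode a 64-bit FILETIME (100 ns intervals since 1601-01-01 UTC) as a UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    """Inverse of filetime_to_datetime; a naive dt is encoded as the wall-clock value it shows."""
    if dt.tzinfo is None:
        dt = dt.replace(tzinfo=timezone.utc)
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def read_filetimes(record: bytes) -> tuple[int, int]:
    """Return the two little-endian QWORD FILETIMEs at URL-record offsets 0x08 and 0x10."""
    return struct.unpack_from("<QQ", record, 0x08)


def daily_active_bias(record: bytes) -> int:
    """ActiveBias in minutes for a Daily record, Windows convention UTC = Local + Bias
    (offset 0x10 = Last Visited [UTC], offset 0x08 = the same instant as Local time)."""
    local_ft, utc_ft = read_filetimes(record)
    return (utc_ft - local_ft) // TICKS_PER_MINUTE


def weekly_timestamps(record: bytes, tz: tzinfo) -> tuple[datetime, datetime, datetime]:
    """For a Weekly record return (Date Index Created [UTC], Last Visited [Local], Last Visited [UTC]).
    The Local value at 0x08 is re-interpreted in the examiner's chosen zone (DST comes from tz)."""
    local_ft, created_ft = read_filetimes(record)
    created_utc = filetime_to_datetime(created_ft)
    last_local = filetime_to_datetime(local_ft).replace(tzinfo=None)  # naive wall-clock time
    last_utc = last_local.replace(tzinfo=tz).astimezone(timezone.utc)
    return created_utc, last_local, last_utc


def build_record(ft_at_0x08: int, ft_at_0x10: int) -> bytes:
    """Constructed sample record: 8 placeholder bytes, then the two FILETIMEs."""
    return b"\x00" * 8 + struct.pack("<QQ", ft_at_0x08, ft_at_0x10)


if __name__ == "__main__":
    from zoneinfo import ZoneInfo  # needs system tzdata; constructed UK summer-time visit
    london = ZoneInfo("Europe/London")
    visit_utc = datetime(2009, 7, 14, 10, 30, tzinfo=timezone.utc)
    visit_local = visit_utc.astimezone(london).replace(tzinfo=None)  # 11:30 BST
    daily = build_record(datetime_to_filetime(visit_local), datetime_to_filetime(visit_utc))
    print("Daily ActiveBias (minutes):", daily_active_bias(daily))
    created = datetime(2009, 7, 20, 0, 5, tzinfo=timezone.utc)
    weekly = build_record(datetime_to_filetime(visit_local), datetime_to_filetime(created))
    print("Weekly record:", weekly_timestamps(weekly, london))
```

A non-zero difference between the recovered UTC value and the zone chosen before import is the same conflict the ActiveBias column flags, so the conversion only holds if that zone (including its daylight rules) matches the machine under examination.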
Weekly INDEX.DAT Timestamps
The timestamp representation in NetAnalysis is shown in Figures 5 and 6 below.