INDEX.DAT tool helps admins see what users browsed in IE

A utility allows admins to inspect a user's INDEX.DAT files and figure out what the user browsed through Internet Explorer.

Windows uses a file named INDEX.DAT primarily as a way to store metadata about files that Internet Explorer has

downloaded and cached. I've usually discussed this file in terms of its occasionally getting corrupted and needing to be deleted (usually with a third-party utility) in order for IE to work properly.

Now let's discuss what details the file contains and how to examine them.

Programmer Steven Gould has written a handy utility called Index Dat Spy, which allows users to explore their system for INDEX.DAT files and examine the contents. This can be useful for administrators, since they'd be able to perform some limited forensics by inspecting the INDEX.DAT files for details about what the user has browsed through IE. It can also help programmers determine whether or not IE is behaving correctly when it encounters certain material (such as a site they've put together).

Once installed, the program can either open an INDEX.DAT file of the user's choosing, or scan the whole system for existing INDEX.DAT files. Note: The scan does not discriminate between INDEX.DAT files that are in the current user's profile or any others that it finds; it just looks for anything that fits the bill. The most common location for the currently logged-in user's IE INDEX.DAT file is either in %userprofile%\Cookies or %userprofile%\Local Settings\History\History.IE5\, which are typically hidden directories.

When you open a valid INDEX.DAT file, you'll get a list of the type of record entries in the file, the data in each entry, its size (typically 128 or 256 bytes), the modified/access dates and the cache directory or filename (if applicable). Every now and then you might come across a record marked "BAD FOOD" (it's actually a hex value, 0BADF00Dh—get it?). This is a record that was previously deleted, and has been overwritten with those values in a repeating sequence.

You can't edit the records in an INDEX.DAT file; that's something that should only typically be done by IE itself. But you can save a .CSV or plaintext file that contains a report of the data harvested, which can be useful for further analysis.

About the author: Serdar Yegulalp is editor of the Windows Power Users Newsletter, which is devoted to hints, tips, tricks, news and goodies for Windows NT, Windows 2000 and Windows XP users and administrators. He has more than 10 years of Windows experience under his belt, and contributes regularly to SearchWinComputing.com and SearchSQLServer.com.

More information on this topic:


This was first published in October 2006

Dig deeper on Windows Server Monitoring and Administration

Pro+

Features

Enjoy the benefits of Pro+ membership, learn more and join.

0 comments

Oldest 

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

SearchServerVirtualization

SearchCloudComputing

SearchExchange

SearchSQLServer

SearchWinIT

SearchEnterpriseDesktop

SearchVirtualDesktop

Close