ForensicsWiki will continue to operate as it has before and will not be shutting down. Thank you for your continued support of ForensicsWiki.

Difference between pages "Internet Explorer History File Format" and "File:1-BB9780-VendorPlateRemoval.jpg"

From ForensicsWiki
(Difference between pages)
Jump to: navigation, search
 
 
Line 1: Line 1:
{{Expand}}
 
[[Internet Explorer]] stores the web browsing history in a file called <tt>index.dat</tt>. The file contains multiple records.
 
  
== File Locations ==
 
 
On Windows 9x, index.dat files can be found in <tt>%SystemRoot%\History</tt>. On Windows XP and above these files can be found in <tt>%SystemDrive%\Documents and Settings\[Username]\Local Settings\History\History.IE6\</tt>.
 
 
== Record Formats ==
 
 
=== URL Records ===
 
 
These records indicate web pages that were actually viewed. They contain the requested URL and the web server's response. They begin with the header, in hexadecimal:
 
 
<pre>55 52 4C 20</pre>
 
 
The definition for the structure in C99 format:
 
 
<pre>typedef struct _URL_RECORD {
 
  /* 000 */ char        Signature[4];
 
  /* 004 */ uint32_t    Length;
 
  /* 008 */ uint64_t    LastModified;
 
  /* 010 */ uint64_t    LastAccessed;
 
  /* 018 */ uint32_t    Expires;
 
  /* 01c */
 
  // Not finished yet
 
} URL_RECORD;</pre>
 
 
This corresponds to the string <tt>URL</tt> followed by a space.
 
 
=== REDR Records ===
 
 
=== HASH Records ===
 
 
=== LEAK Records ===
 
 
== External Links ==
 
 
* [http://www.cqure.net/wp/?page_id=18 IEHist program for reading index.dat files]
 
* [http://www.milincorporated.com/a3_index.dat.html What is in Index.dat files]
 
 
[[Category:File Formats]]
 

Latest revision as of 06:30, 8 August 2013