are index.dat files dangerous?

Discussion in 'privacy general' started by wutsup, Feb 26, 2010.

Thread Status:
Not open for further replies.
  1. wutsup

    wutsup Registered Member

    Joined:
    Sep 20, 2009
    Posts:
    630
    Location:
    United States
    as we all know these are hidden in content.ie5 in the temporary hidden files folder even with show hidden files enabled. you can open it up with notepad and it shows waht websites u visited etc etc even after using ccleaner. of course these only show up if you use Internet explorer but also there are index.dat for other things besides just the internet. i dont use IE8 on my main computer so its not that big of a deal but on my secondary comp i use it.

    so do you guys think these are dangerous files?

    p.s. i found out a way to delete them. you have to boot into safe mode as administrator and go to the the command prompt, and type in del index.dat /s

    post your thoughts
     
  2. Cudni

    Cudni Global Moderator

    Joined:
    May 24, 2009
    Posts:
    6,956
    Location:
    Somethingshire
    Not dangerous and clearing browser history via IE options in IE7 & IE8 will wipe it all. No need for safe mode
     
  3. wutsup

    wutsup Registered Member

    Joined:
    Sep 20, 2009
    Posts:
    630
    Location:
    United States
    yea i know that, but the index.dat cannont be deleted unless in safe mode. when you open it up with notebad it shows you the websties you visited even after deleting temporray files etc etc
     
  4. Cudni

    Cudni Global Moderator

    Joined:
    May 24, 2009
    Posts:
    6,956
    Location:
    Somethingshire
    from
    http://blogs.msdn.com/wndp/archive/2006/08/04/WinInet_Index_dat.aspx
    "..
    The way we use to delete entries in the index.dat file was pretty similar, the old URL data was marked free, but was still there, at least until it was overwritten by a new entry. In IE7 we now zero out the entry.
    .."
    &
    http://tech.yahoo.com/blogs/null/23144
    "..
    The good news is that with IE7, index.dat files were discarded, so you can now clear your private information and comfortably know that it has indeed been deleted. In Firefox, click Tools > Clear Private Data to do this. In IE7, click Tools > Delete Browsing History.
    "

    same is for IE8
     
  5. wutsup

    wutsup Registered Member

    Joined:
    Sep 20, 2009
    Posts:
    630
    Location:
    United States
    oh wow lol it worked for my 64 bit computer, i dont use IE8 anymore but clearing the borwsing histroy from IE8 isntead of ccleaner gets rid of the data in the super hidden index.dat file in content.ie5 but doesnt get rid of index.dat itself which is not a big deal.

    and for my secondary computer i found out i had to run IE8 without isolating the browser with geswall to get rid of the the data in index.dat

    well thats good to know. thx man
     
  6. SafetyFirst

    SafetyFirst Registered Member

    Joined:
    Jan 26, 2007
    Posts:
    462
    Isn't it just a simple delete operation (Windows' RMDIR) and not a secure wiping (overwriting) procedure?
     
  7. true north

    true north Registered Member

    Joined:
    Dec 14, 2006
    Posts:
    159
  8. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    As far as i'm aware, Index DAT files are only erased during the boot process. I've been told, have read, for years, that they are marked for such when you use a cleaner/eraser, but ONLY actually get erased at boot. Then fresh blank Index DAT files are recreated by the system. If you don't reboot then data can still be extracted from them.

    If this is incorrect in any way/s i'd like to hear about it, as i'm sure so would others.
     
  9. Seer

    Seer Registered Member

    Joined:
    Feb 12, 2007
    Posts:
    1,596
    Location:
    Singidunum
    Read carefully...

    As of IE7, there is no need to delete index.dat files.
     
  10. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    @Seer

    So it's just IE7 & IE8 that now do this. Any other browser/s still needs the previous FULL methods applied ?
     
  11. wutsup

    wutsup Registered Member

    Joined:
    Sep 20, 2009
    Posts:
    630
    Location:
    United States
    ok thx for the replies guys, i use firefox as my main browser so index.dat files are not a problem. but once you clear youre browsing history within IE8(not ccleaner or other cleaners) it deletes the jibberish in the index.dat file but not index.dat itself which is perfectly fine.
     
  12. arran

    arran Registered Member

    Joined:
    Feb 5, 2008
    Posts:
    1,139
    its not just index.dat files which can be dangerous there are many other hidden files and registry keys which logs and stores activities you will never find them all.

    The only solution is to either have full disk encryption or use something like Deep Freeze.
     
  13. Pleonasm

    Pleonasm Registered Member

    Joined:
    Apr 9, 2007
    Posts:
    1,201
    In my own testing with Internet Explorer 8 on Windows Vista Business, I am unable to confirm that history entries in the Index.dat file are overwritten with zeros when deleted. The procedure I employed is as follows.

    1. Visit several websites
    2. Verify that IE displays these websites in its history (Favorites | History | Today)
    3. Delete the browsing history in IE (Tools | Internet Options | Browsing history | Delete)
    4. Verify that IE no longer displays these websites in its history (Favorites | History | Today)
    5. Open and inspect C:\Users\<user>\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist...\index.dat in WinHex.
    Contrary to expectations based upon the prior quote, I am in fact able to easily see the website history within the Index.dat file.

    • Can other forum members conduct similar tests to check these findings?
    • Is this testing procedure flawed in some way?
    • There are several Index.dat files within C:\Users\<user>\AppData\Local\Microsoft\Windows\History\History.IE5\*. Is the proper one being used in step 5?
     
  14. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Hello, Pleonasm,

    I have IE8 on my WinXP Laptop, IE8 version 8.0.6001, and I just ran your test:

    In the popup box I select to Delete:

    • Temporary Internet Files
    • Cookies
    • History (list of visited web sites)

    and can confirm that all browsing History is deleted from History|Today, the Temporary Internet Files, and also in the Index.dat files in History.IE5. That is the same Index.dat that is in Content.IE5.

    To verify, I opened a copy of those files in Wordpad before and after deleting.

    ----
    rich
     
  15. Seer

    Seer Registered Member

    Joined:
    Feb 12, 2007
    Posts:
    1,596
    Location:
    Singidunum
    In my case, there's only one.

    I did and index.dat file under my user folder is zeroed. On Win7 and IE8, also on XP and IE8. I don't have Vista anymore.
     
  16. Pleonasm

    Pleonasm Registered Member

    Joined:
    Apr 9, 2007
    Posts:
    1,201
    Rmus and Seer, I see the following Index.dat files on my PC (Windows Vista Business):

    • C:\Users\<user>\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    • C:\Users\<user>\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist...\index.dat
    • C:\Users\<user>\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.dat
    • C:\Users\<user>\AppData\Local\Microsoft\Windows\History\Low\History.IE5\MSHist...\index.dat
    Specifically, which one did you examine in your test?

    Thank you.
     
  17. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    I don't have the paths that you show.

    Mine are in c:\documents and settings\rich\local settings\History
    and ...\Temporary Internet Files

    I examined History.IE5\index.dat and Content.IE5\index.dat

    I have to do it from a DOS prompt since they don't display in Windows Explorer.

    The MSHist....... is the "Today" sub-Folder under the History Folder. That index.dat has no entries.

    ----
    rich
     
  18. Cudni

    Cudni Global Moderator

    Joined:
    May 24, 2009
    Posts:
    6,956
    Location:
    Somethingshire
  19. ghodgson

    ghodgson Registered Member

    Joined:
    Dec 20, 2003
    Posts:
    784
    Location:
    UK
    This 'old' free software called 'Spider' can reveal what url's you have lurking in your index.dat files and delete them too, after a reboot.
     
  20. siljaline

    siljaline Former Poster

    Joined:
    Jun 29, 2003
    Posts:
    6,619
  21. Pleonasm

    Pleonasm Registered Member

    Joined:
    Apr 9, 2007
    Posts:
    1,201
    Yes, I have seen that article. In fact, my selection of which Index.dat file to examine in my test was guided by its content:

     
  22. Pleonasm

    Pleonasm Registered Member

    Joined:
    Apr 9, 2007
    Posts:
    1,201
    Rmus, I wonder: is Wordpad able to display the entire contents (32KB in my case) of the Index.dat file -- or, could a non-printable ASCII code in the file be preventing the full viewing of the file’s contents after the delete operation?

    Might a disk/hex editor be the better tool in this situation, to ensure that you have visibility to the entire contents of the Index.dat file?

    Just a hypothesis that might explain our different test results....
     
  23. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    That is possible. If you want, send me a PM and I'll send you my index.dat file for you to look at.

    Many years ago, a group of us looked at the index.dat issue. It's really complicated, because there are many such files integrated between IE and the Operating System. A number of them do not show up in a search using Explorer, even if selecting Hidden Files and Folders.

    I was not so concerned from a privacy issue, rather, I just despise clutter and growing files/folders, including all of the temporary stuff that is created both in Windows Explorer and the Registry. Some of the so-called Cleaner programs did not actually get everything.

    Then, the reboot-to-restore programs, such as Deep Freeze already mentioned here, came along. Starting with a fresh system and freezing the system partition, a built-in maintenance tool is at hand. Anything written to that partition is discarded on reboot. No more worries about missing something. Especially in the Registry.

    That's an easy, very effective way to deal with these things.

    ----
    rich
     
  24. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    I feel sure that after APPEARING to wipe IndexDAT files with cleaners, unless a reboot occurrs they can still be copied and read. Otherwise how would forensics be able to do it ? I can't see MS allowing all that info to vanish, so i wouldn't be surprised if it's written elsewhere too.

    @Rmus

    What about your other comp, thought you had 2000 and Opera ?
     
Loading...
Thread Status:
Not open for further replies.