Is this true - windows and URL logging?

Discussion in 'Computer Security' started by Jigsaw, Feb 9, 2005.

  1. Jigsaw

    Jigsaw Guest

    I just saw this in a thread from a legal newsgroup. I have never heard
    of this before. Can it be correct? I assumed that using Steganos or
    Eraser would wipe all IE History files from c:\windows\history directory.

    Or are such files located somewhere else?



    >> If you use Windows and IE, search for a free program called "spider"
    >> (not sure what OS's it covers). It enables you to list the hidden
    >> history logs that IE creates and never clears, which detail the URL of
    >> every page of every site you have visited since the OS was installed,
    >> however you came to access the page and even if you went through a
    >> proxy. Also every search term that you have ever plugged into a
    >> search engine. Such hidden logs are a huge boon for computer
    >> forensics! Windows helpfully keeps them constantly open even when you
    >> are not using IE so that they are marked in use and cannot be
    >> accidentally deleted. It also does not display all the directories &
    >> files in "Explorer" even if you have turned on the display of hidden
    >> files. Nor is there any utility supplied by Windows or IE that allows
    >> you to clear them. If you have a FAT32 file system you can get to
    >> them through a DOS boot. On an NTFS system you can make a directory
    >> listing of them via Windows command prompt, but as they are locked you
    >> cannot delete them unless you have accessed the drive from a different
    >> NTFS capable OS.
    >>

    >
    > But isn't space/size a factor? If a pc is in use for months/years, can
    > it continue to collect this info, without overwriting previously
    > collected info?


    It just keeps on growing, and adding URLs, even if you clear your browsing
    history. If I was a forensic investigator it would be the first place I
    would look.

    (You can delete it on an NTFS system if you log in as another user)
     
    Jigsaw, Feb 9, 2005
    #1

  2. Ken Ward

    Ken Ward Guest

    On Wed, 09 Feb 2005 17:58:25 +0000, Jigsaw <>
    wrote:

    >I just saw this in a thread from a legal newsgroup. I have never heard
    >of this before. Can it be correct? I assumed that using Steganos or
    >Eraser would wipe all IE History files from c:\windows\history directory.
    >
    >Or are such files located somewhere else?
    >
    >
    >
    > >> If you use Windows and IE, search for a free program called "spider"
    > >> (not sure what OS's it covers). It enables you to list the hidden
    > >> history logs that IE creates and never clears, which detail the URL of
    > >> every page of every site you have visited since the OS was installed,
    > >> however you came to access the page and even if you went through a
    > >> proxy. Also every search term that you have ever plugged into a
    > >> search engine. Such hidden logs are a huge boon for computer
    > >> forensics! Windows helpfully keeps them constantly open even when you
    > >> are not using IE so that they are marked in use and cannot be
    > >> accidentally deleted. It also does not display all the directories &
    > >> files in "Explorer" even if you have turned on the display of hidden
    > >> files. Nor is there any utility supplied by Windows or IE that allows
    > >> you to clear them. If you have a FAT32 file system you can get to
    > >> them through a DOS boot. On an NTFS system you can make a directory
    > >> listing of them via Windows command prompt, but as they are locked you
    > >> cannot delete them unless you have accessed the drive from a different
    > >> NTFS capable OS.
    > >>

    > >
    > > But isn't space/size a factor? If a pc is in use for months/years, can
    > > it continue to collect this info, without overwriting previously
    > > collected info?

    >
    >It just keeps on growing, and adding URLs, even if you clear your browsing
    >history. If I was a forensic investigator it would be the first place I
    >would look.
    >
    >(You can delete it on an NTFS system if you log in as another user)


    C:\Documents and Settings\<user>\Local Settings\Temporary Internet Files\Content.IE5\index.dat

    You will not see Content.IE5 as a directory here even with hidden
    files on. However, if you use file explorer to get to the Temporary
    Internet Files directory, you can type it in the address bar & it will
    appear.

    Index.dat is used by explorer.exe so it is open all the time as, among
    other things, explorer.exe is your desktop. If you open it in
    Notepad, you will find lots of garbage but occasionally you will see
    an url in clear. I presume there are forensic tools which can read
    all the data.

    To get rid of it, close all applications, open a DOS prompt box. In
    the DOS prompt box change directory until you reach Content.IE5.
    Now open Task Manager (CNTL-ALT-DEL) and kill the explorer.exe
    process. Your desktop will disappear.
    Go back to the DOS box & delete Index.dat. While you are at it, it's
    useful to delete all other files/directories here as well. There are
    some cookies which hide here with no expiry date.
    Go back to Task Manager and start explorer.exe from the run command.
    Your desktop will reappear & a clean copy of Index.dat will be
    created.

    As for size issues, it grows very slowly. You are probably going to
    upgrade/reinstall your OS before it threatens your space usage. It
    starts at 16K initially/32K when you delete it. The biggest I've seen
    it was about 3Mb after over a year of fairly intense usage. Mine is
    currently 96K after about four months.
     
    Ken Ward, Feb 10, 2005
    #2
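Ken Ward's observation that URLs show up in clear among binary padding when index.dat is opened in Notepad points at the simplest triage an examiner can do before reaching for a full parser: carve URL-shaped strings out of the raw bytes. The following Python is an added example and not code from the thread; the byte blob is constructed to mimic such a file and is not a real index.dat, and the "URL "/"REDR" record signatures and the "Visited: <user>@" prefix found in History index.dat files are format details known from forensic write-ups, not from the post.

```python
import re
from typing import Dict, List, Tuple
from urllib.parse import urlsplit

# Constructed sample standing in for the bytes of an index.dat file. It is NOT
# a real index.dat; it only mimics the post's observation that URL strings sit
# in clear among binary padding. The "URL " / "REDR" record signatures and the
# "Visited: <user>@" prefix seen in History index.dat files are format details
# known from forensic write-ups, not from the thread.
SAMPLE_INDEX_DAT = (
    b"Client UrlCache MMF Ver 5.2\x00" + b"\x00" * 40
    + b"URL \x02\x00\x00\x00" + b"\xff" * 20
    + b"http://www.example.com/index.html\x00" + b"\x00" * 8
    + b"URL \x02\x00\x00\x00" + b"\x13\x37" * 10
    + b"Visited: alice@http://search.example.net/results?q=forensics+index.dat\x00"
    + b"\x00" * 6
    + b"REDR\x01\x00\x00\x00"
    + b"https://intranet.example.org/reports/2005/q1.pdf\x00" + b"\x00" * 30
)

# A URL is taken to be "http(s)://" followed by printable, non-space ASCII;
# the first NUL or control byte ends it.
URL_RE = re.compile(rb"https?://[\x21-\x7e]+")
VISITED_RE = re.compile(rb"Visited: ([^@\x00]+)@(https?://[\x21-\x7e]+)")


def carve_urls(blob: bytes) -> List[str]:
    """Return every distinct URL-shaped string in the blob, in file order."""
    found: List[str] = []
    for m in URL_RE.finditer(blob):
        url = m.group().decode("ascii")
        if url not in found:
            found.append(url)
    return found


def visited_entries(blob: bytes) -> List[Tuple[str, str]]:
    """Return (user, url) pairs from 'Visited: user@url' history records."""
    return [(m.group(1).decode("ascii"), m.group(2).decode("ascii"))
            for m in VISITED_RE.finditer(blob)]


def host_summary(urls: List[str]) -> Dict[str, int]:
    """Count carved URLs per host, a quick way to see which sites dominate."""
    counts: Dict[str, int] = {}
    for url in urls:
        host = urlsplit(url).hostname or "?"
        counts[host] = counts.get(host, 0) + 1
    return counts


def carve_file(path: str) -> List[str]:
    """Carve URLs from an index.dat copied off the machine: the live file is
    held open by explorer.exe, so work on a copy or an offline disk image."""
    with open(path, "rb") as fh:
        return carve_urls(fh.read())


if __name__ == "__main__":
    urls = carve_urls(SAMPLE_INDEX_DAT)
    for u in urls:
        print(u)
    print(visited_entries(SAMPLE_INDEX_DAT))
    print(host_summary(urls))
```

String carving finds only what is stored as plain ASCII; it misses record timestamps, hit counts and anything compressed or Unicode-encoded, so treat it as a first look and use a purpose-built index.dat parser for anything that has to hold up in a report.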

  3. Jigsaw

    Jigsaw Guest

    Ken Ward wrote:
    > On Wed, 09 Feb 2005 17:58:25 +0000, Jigsaw <>
    > wrote:
    >
    >
    >>I just saw this in a thread from a legal newsgroup. I have never heard
    >>of this before. Can it be correct? I assumed that using Steganos or
    >>Eraser would wipe all IE History files from c:\windows\history directory.
    >>
    >>Or are such files located somewhere else?
    >>
    >>
    >>
    >>
    >>>>If you use Windows and IE, search for a free program called "spider"
    >>>>(not sure what OS's it covers). It enables you to list the hidden
    >>>>history logs that IE creates and never clears, which detail the URL of
    >>>>every page of every site you have visited since the OS was installed,
    >>>>however you came to access the page and even if you went through a
    >>>>proxy. Also every search term that you have ever plugged into a
    >>>>search engine. Such hidden logs are a huge boon for computer
    >>>>forensics! Windows helpfully keeps them constantly open even when you
    >>>>are not using IE so that they are marked in use and cannot be
    >>>>accidentally deleted. It also does not display all the directories &
    >>>>files in "Explorer" even if you have turned on the display of hidden
    >>>>files. Nor is there any utility supplied by Windows or IE that allows
    >>>>you to clear them. If you have a FAT32 file system you can get to
    >>>>them through a DOS boot. On an NTFS system you can make a directory
    >>>>listing of them via Windows command prompt, but as they are locked you
    >>>>cannot delete them unless you have accessed the drive from a different
    >>>>NTFS capable OS.
    >>>>
    >>>
    >>> But isn't space/size a factor? If a pc is in use for months/years, can
    >>> it continue to collect this info, without overwriting previously
    >>> collected info?

    >>
    >>It just keeps on growing, and adding URLs, even if you clear your browsing
    >>history. If I was a forensic investigator it would be the first place I
    >>would look.
    >>
    >>(You can delete it on an NTFS system if you log in as another user)

    >
    >
    > C:\Documents and Settings\<user>\Local Settings\Temporary Internet Files\Content.IE5\index.dat


    Point understood. I am not using XP. This makes sense now.
    >
    > You will not see Content.IE5 as a directory here even with hidden
    > files on. However, if you use file explorer to get to the Temporary
    > Internet Files directory, you can type it in the address bar & it will
    > appear.
    >
    > Index.dat is used by explorer.exe so it is open all the time as, among
    > other things, explorer.exe is your desktop. If you open it in
    > Notepad, you will find lots of garbage but occasionally you will see
    > an url in clear. I presume there are forensic tools which can read
    > all the data.
    >
    > To get rid of it, close all applications, open a DOS prompt box. In
    > the DOS prompt box change directory until you reach Content.IE5.
    > Now open Task Manager (CNTL-ALT-DEL) and kill the explorer.exe
    > process. Your desktop will disappear.


    This works on ME.

    > Go back to the DOS box & delete Index.dat. While you are at it, it's
    > useful to delete all other files/directories here as well. There are
    > some cookies which hide here with no expiry date.


    Still says "Access Denied" for both cookies and history index.dat

    > Go back to Task Manager and start explorer.exe from the run command.
    > Your desktop will reappear & a clean copy of Index.dat will be
    > created.


    Won't allow access to run anymore.

    > As for size issues, it grows very slowly. You are probably going to
    > upgrade/reinstall your OS before it threatens your space usage. It
    > starts at 16K initially/32K when you delete it. The biggest I've seen
    > it was about 3Mb after over a year of fairly intense usage. Mine is
    > currently 96K after about four months.


    Thanks; very useful. Obviously the 98 SE model is different from the
    2000 model of Windows.
     
    Jigsaw, Feb 10, 2005
    #3
  4. Ant

    Ant Guest

    "Jigsaw" wrote:

    [IE History & cache]

    With regard to deleting index.dat, as the other poster has suggested,
    it can be done if you boot to safe mode (command prompt only).

    > It just keeps on growing, and adding URLs, even if you clear your browsing
    > history. If I was a forensic investigator it would be the first place I
    > would look.


    There are other places useful for forensics; in particular, the
    registry. I was amazed to find that the sub-keys under this key:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\
    contained a record of every program and document I had ever opened
    with the Explorer user interface (this includes IE) since I installed
    the OS (Win2k). It also contained titles, but not URLs, of web pages
    visited. Talk about creating registry bloat! After deleting all the
    entries, I decided to disable the logging, but this prevents the
    automatic hiding of rarely used links on the "Start" menu.

    More info on userassist here:
    http://personal-computer-tutor.com/abc3/v29/vic29.htm
    http://www.utdallas.edu/~jbs024000/articles/explorer_spy.html

    Analysis of this, and other registry entries which track usage can
    apparently be done with Windows Registry Analyzer (I've not tried it)
    http://www.mitec.cz/wra.htm

    If anyone has more information on how to control what happens in
    userassist, in addition to the settings NoEncrypt, NoLog and
    Instrument I would be interested to hear. The names of other entries
    that can be set in Win2k are NoPurge, Backup, SessionTime, IdleTime
    and CleanupTime. I found this out by monitoring registry access using
    RegMon from Sysinternals.
     
    Ant, Feb 10, 2005
    #4
