Hi everyone!
First of all, thank you so much for visiting my site, your e-mails, and spreading the word about my work.  The overwhelming support has been amazing; for some reason, I did not expect it – but thank you!

A couple of you have been kind enough to point out some minor errors.  Paul A. of Digital Detective e-mailed me that he has also been doing some research on Windows 8, but during the course of his research, he did not encounter any index.dat files:
“I’ve been examining Windows 8 myself (developer and consumer previews).  In my research, I haven’t found any index.dat files at all – rather the Internet history gets saved in various other files, including some in the ESE DB format.  I was just wondering what you did to get index.dat files generated, as I’m having no luck so far…?”

I double-checked my image and there was not a single instance of “index.dat”.  The lack of index.dat files is not due to lack of luck, but rather an error on my part of typing on auto-pilot.  I can only assume I saw the “dat” extension, even though I read “container.dat”, and typed “index.dat”.  So, there ended up being 3 or 4 instances of “index.dat” being mentioned, and if you see “index.dat”, either download the Windows 8 Forensic Guide that has been updated or cross it off if you’ve printed it out (it saves trees)!

The other great thing about Paul (and others!) contacting me is that it’s a great way to verify my research.  The e-mail traffic between Paul and I went on for a few days and he also found that his research revealed that the container.dat files in MSHISTdate-date are also 0 byte files.  One more thing he also shared was

“Where you see Internet Explorer folders that include the word ‘immersive’, then as you know that indicates you’ve launched IE from that hideous front end! ;-)   Try running IE from the more standard Windows desktop using the Quick Launch icon – you’ll find that the Travel log files are created in different folders, that don’t have immersive in their names!”

I hope this helps clear up some confusion (if there was any), and again, thanks again!

Amanda

Posted by on May 9, 2012 in Windows 8 Forensic Guide and tagged , , , , , .

1 Comment

About propellerhead23

I have been in the computer forensics field for about five years. I got my start while serving in the Army on active duty and used what I learned while deployed to Iraq. I currently hold the EnCE and ACE certifications and I am also a member of a couple of forensic professional organizations. I am working in the field and also pursuing a graduate degree in computer forensics. I enjoy what I do - mostly because there's always something to learn and would be thrilled if what I've learned could be of use to someone within the community.

One Response »

  1. Ethan Fleisher says:
    May 17, 2012 at 14:49

    Great work so far, i’m really loving reading the other work that people have put into Windows 8 research! I’ve been doing a bit myself, here’s a post I made about some artifacts I came across relating to index.dat files that I haven’t seen popping up on any other websites yet. It relates to a file named WebCachev24.dat.

    http://computerforensics.champlain.edu/blog/windows-8-forensics-part-2

    Reply

Do you haves something to say?

Fill in your details below or click an icon to log in:

Gravatar
WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Cancel

Connecting to %s