Index.dat files - a privacy threat

What are Index.dat files?

Index.dat files are used by Internet Explorer and Windows to store history, Internet cache, cookies, UserData records and other information about what you have done on the Internet or on your PC. Although some of their functions are useful, they are a dangerous privacy threat: any person with even a little knowledge of index.dat file locations and structure can see the history of almost all of your computer activities. Index.dat files are not the only privacy threat, but they are the most obscure and dangerous because they are hard to find and even harder to delete. In fact, in most cases it is impossible to delete index.dat files manually because Internet Explorer and Windows use them all the time.

Index.dat files were first used in Internet Explorer 4 and have been part of Internet Explorer ever since. Before version 4 of Internet Explorer there were mm256.dat and mm2048.dat files, which are similar to index.dat files.

Where are Index.dat files located?

The location of index.dat files depends on the version of Windows and whether or not you are using user profiles. Regardless of the Windows version, in many cases you can't see or find an index.dat file using Windows Explorer. There is a small file called desktop.ini in each directory where an index.dat file is located. This desktop.ini file forces Windows Explorer to hide index.dat files and to show the contents of the Internet cache or history instead. However, you can use some other file utility and a binary (hex) editor to find the files and read their content. If you have Windows Me, Windows 98, Windows NT or Windows 95 then index.dat files are in these locations:

C:\Windows\Cookies\index.dat
C:\Windows\History\index.dat
C:\Windows\History\MSHistXXXXXXXXXXXXXXXXXX\index.dat (XXXX are some digits)
C:\Windows\History\History.IE5\index.dat
C:\Windows\History\History.IE5\MSHistXXXXXXXXXXXXXXXXXX\index.dat
C:\Windows\Temporary Internet Files\index.dat (only in Internet Explorer 4.x)
C:\Windows\Temporary Internet Files\Content.IE5\index.dat
C:\Windows\UserData\index.dat
C:\Windows\Profiles\<username>\Cookies\index.dat
C:\Windows\Profiles\<username>\History\index.dat
C:\Windows\Profiles\<username>\History\MSHistXXXXXXXXXXXXXXXXXX\index.dat
C:\Windows\Profiles\<username>\History\History.IE5\index.dat
C:\Windows\Profiles\<username>\History\History.IE5\MSHistXXXXXXXXXXXXXXXXXX\index.dat
C:\Windows\Profiles\<username>\Temporary Internet Files\index.dat (only in IE 4.x)
C:\Windows\Profiles\<username>\Temporary Internet Files\Content.IE5\index.dat
C:\Windows\Profiles\<username>\UserData\index.dat

Note that on your computer the Windows directory may not be C:\Windows but some other directory. If you don't have a Profiles directory in your Windows directory, don't worry - this just means that you are not using user profiles. It is also possible that you don't have UserData subdirectories.

What are UserData records?

UserData records are very similar to cookies. Just like cookies, they are used by some Web sites to store information about you on your computer and are a privacy threat because they can contain sensitive information like your name and password for web mailboxes, password-protected sites, etc.

The primary difference between cookies and UserData records is that the stored information in UserData records can be much larger (up to 128 KB per record). UserData records are stored in yet another Index.dat file in a hidden Windows directory. Only Internet Explorer 5 and later support UserData records.

If you have Windows XP or Windows 2000 then index.dat files are in these locations (note that on your PC they can be on another drive instead of drive C):

C:\Documents and Settings\<username>\Cookies\index.dat
C:\Documents and Settings\<username>\Local Settings\History\History.IE5\index.dat
C:\Documents and Settings\<username>\Local Settings\History\History.IE5\MSHistXXXXXXXXXXX\index.dat
C:\Documents and Settings\<username>\Local Settings\Temporary Internet Files\Content.IE5\index.dat
C:\Documents and Settings\<username>\UserData\index.dat

If you have only one user account on Windows XP or Windows 2000 then replace <username> with Administrator to get the paths of all index.dat files.

What is in Index.dat files?

As already mentioned, index.dat files are binary files. Their content can be seen only with a binary (hex) editor. We will examine an index.dat file from the Internet cache (Temporary Internet Files).

Actually the index.dat header is much larger but this is the most important part of it. The first thing is the version of the index.dat file (Client UrlCache MMF Ver 4.7) - this particular file is from Internet Explorer version 4 but the index.dat file format is very similar in Internet Explorer 5.x and 6.

The next important thing in the header is the names of the four subfolders in which the cached files from the Internet are located (they are not in the header when the index.dat file is for cookies and history, but UserData index.dat files also have such subfolders). These subfolders are located in the same folder as the index.dat file and in this case their names are 49EDE5UVC, GHIZ8LMVB, EBWNUZWLB and G48NSH4S. On your PC there can be more than four of these folders (depending on the size of the index.dat file) and their names will be different.

The real content of the index.dat files usually starts at byte offset 4000h or 5000h from the beginning of the file. An index.dat file is composed of many records of four different types: HASH, URL, LEAK and REDR.

HASH records are the largest but they don't contain any privacy-sensitive information. They are just hash indexes of the contents of the index.dat file. If the file is larger there can be many such records.

The vast majority of the index.dat records are of types URL, LEAK and REDR. They have a fairly similar layout.

As you can see, there is a lot of information here. First, there is the encoded date and time of the loading of this picture (icon_hardware.gif) from the Internet. The date and time are encoded in binary format in the second row of the dump. Next, there is the full URL of the loaded file: http://www.aceshardware.com/site/images/icon_hardware.gif. The name of the local copy of the file (which is in one of the four subfolders of the index.dat folder) is icon_hardware.gif. The next thing is the full HTTP header of the response of the Web server:

HTTP/1.0 200 OK
ETag: "AAAAOl01l7Q"
Content-Type: image/gif
Content-Length: 1234
X-Cache: MISS from proxy.office.devolti.com

The last but not least bit of information in the record is the name of the user account: Administrator. Obviously all this information can be potentially dangerous because it tells us who accessed a given Internet page, when they accessed it, and what the response of the Web server was. If you clean the Internet cache (Temporary Internet Files) then the cached files are deleted but most of the index.dat file records are left almost untouched. The same is true for the history and cookies.

The empty space of index.dat files is filled with junk (most often zeros but it can also be various meaningless sequences) or, in some areas, with the "magic" sequence 0BADF00Dh (BAD FOOD). Obviously Microsoft developers are not without a sense of humor. BAD FOOD parts of the file are deleted records of other kinds and they aren't a privacy threat.
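
The record layout described above can be checked with a short triage scan; this is an added example, not code from the original article. It assumes 128-byte allocation blocks and a little-endian block count after each 4-byte record type (neither is stated in the article), and the sample file it builds is constructed.

```python
import re
import struct

BLOCK = 0x80                      # assumption: records are allocated in 128-byte blocks
MAGIC = b"Client UrlCache MMF Ver "
RECORD_TYPES = (b"HASH", b"URL ", b"LEAK", b"REDR")
URL_RE = re.compile(rb"[A-Za-z][\w+.-]*://[\x21-\x7e]+")

def header_version(data):
    """Return the version text from the header signature, or None if absent."""
    if not data.startswith(MAGIC):
        return None
    return data[len(MAGIC):len(MAGIC) + 8].split(b"\x00")[0].decode("ascii", "replace")

def scan_records(data, start=0x4000):
    """Return [(offset, type, url_or_None)] for every record from `start` on."""
    found, off = [], start
    while off + 8 <= len(data):
        sig = data[off:off + 4]
        if sig not in RECORD_TYPES:
            off += BLOCK          # free space: zeros, junk or 0BADF00D filler
            continue
        (nblocks,) = struct.unpack_from("<I", data, off + 4)
        size = nblocks * BLOCK
        if nblocks == 0 or off + size > len(data):
            size = BLOCK          # corrupt length field: step one block only
        url = None
        if sig != b"HASH":        # HASH records only index the other records
            # Field offsets differ between versions, so search for the URL text.
            m = URL_RE.search(data, off + 8, off + size)
            url = m.group().decode("ascii") if m else None
        found.append((off, sig.decode().strip(), url))
        off += size
    return found

def build_sample():
    """Constructed test file: header, one HASH, one URL, filler, one REDR."""
    def rec(sig, nblocks, payload=b""):
        return (sig + struct.pack("<I", nblocks) + payload).ljust(nblocks * BLOCK, b"\x00")
    url = b"http://www.aceshardware.com/site/images/icon_hardware.gif\x00"
    filler = bytes.fromhex("0df0ad0b") * (BLOCK // 4)   # 0BADF00Dh, little-endian (assumed)
    return ((MAGIC + b"4.7\x00").ljust(0x4000, b"\x00")
            + rec(b"HASH", 2)
            + rec(b"URL ", 2, b"\x00" * 96 + url + b"icon_hardware.gif\x00")
            + filler
            + rec(b"REDR", 1, b"\x00" * 8 + b"http://example.test/old\x00"))

if __name__ == "__main__":
    print(header_version(build_sample()), scan_records(build_sample()))
```

Scanning from 4000h also covers files whose records start at 5000h, because blocks that do not begin with a record type are skipped.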

How to erase or clean Index.dat files?

Erasing or cleaning index.dat files is not an easy task because they are opened by Internet Explorer and Windows all the time. If you are using Windows Me, Windows 98 or Windows 95 you can restart in DOS mode and then delete the index.dat files one by one (look in the folders that are mentioned above). However, if you are using Windows XP, Windows 2000 or Windows NT this won't work.


Publication Date: Tuesday 19th October, 2004
Author: Mariyana Vasileva