What are Index.dat files?

What are Index.dat files?

Unread postby rajeevmahura » Thu Jun 05, 2008 2:20 pm

What are Index.dat files?
Index.dat files are used by Internet Explorer and Windows to store history, Internet cache, cookies, UserData records and other information about what you have done in Internet or in your PC. Although some of their functions are useful, they are dangerous privacy threat - any person with even little knowledge about index.dat files locations and structure can see history of almost all of your computer activities. Index.dat files are not the only privacy threat but they are the most obscure and dangerous one because they are hard to find and even harder to delete. In fact, in most cases it is impossible to delete Index.dat files manually because Internet Explorer and Windows use them all the time.

You can use Mil Shield to clean the content of index.dat files along with history, cookies, cache and many other tracks. If you want to know more about index.dat files and want to locate them and try to delete them manually read the next chapters of this article.


Index.dat files are used for the first time in Internet Explorer 4 and since then they are part of Internet Explorer. Before version 4 of Internet Explorer there were mm256.dat and mm2048.dat files, which are similar to Index.dat files.

Where are located Index.dat files?
The location of index.dat files depends on the version of Windows and whether or not you are using user profiles. Regardless of Windows version in many cases you can't see or find index.dat file using Windows Explorer. There is a little file called desktop.ini in each directory where index.dat file is located. This desktop.ini file forces Windows Explorer to hide index.dat files and to show the contents of Internet cache or history instead. However you can use some other file utility and binary (hex) editor to find the files and read their content. If you have Windows Vita then index.dat files are in these locations (note that on your PC they can be on other drive instead of drive C):

C:\Users\<username>\Roaming\Microsoft\Windows\Cookies\index.dat
C:\Users\<username>\Roaming\Microsoft\Windows\Cookies\Low\index.dat
C:\Users\<username>\Local\Microsoft\Windows\History\History.IE5\index.dat
C:\Users\<username>\Local\Microsoft\Windows\History\History.IE5\Low\index.dat
C:\Users\<username>\Local\Microsoft\Windows\History\History.IE5\index.dat
\MSHistXXXXXXXXXXX\index.dat
C:\Users\<username>\Local\Microsoft\Windows\History\History.IE5\Low\index.dat
\MSHistXXXXXXXXXXX\index.dat
C:\Users\<username>\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5
\index.dat
C:\Users\<username>\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5
\index.dat
C:\Users\<username>\Roaming\Microsoft\Internet Explorer\UserData\index.dat
C:\Users\<username>\Roaming\Microsoft\Internet Explorer\UserData\Low\index.dat

Note, that you will have to change the settings of Windows Explorer to show all kinds of files (including the protected system files) in order to access these folders.

If you have Windows XP or Windows 2000 then index.dat files are in these locations (note that on your PC they can be on other drive instead of drive C):

C:\Documents and Settings\<username>\Cookies\index.dat
C:\Documents and Settings\<username>\Local Settings\History\History.IE5\index.dat
C:\Documents and Settings\<username>\Local Settings\History\History.IE5
\MSHistXXXXXXXXXXX\index.dat
C:\Documents and Settings\<username>\Local Settings\Temporary Internet Files\Content.IE5
\index.dat
C:\Documents and Settings\<username>\UserData\index.dat

If you have only one user account on Windows XP or Windows 2000 then replace <username> with Administrator to get the paths of all index.dat files.

If you have Windows Me, Windows 98, Windows NT or Windows 95 then index.dat files are in these locations:

C:\Windows\Cookies\index.dat
C:\Windows\History\index.dat
C:\Windows\History\MSHistXXXXXXXXXXXXXXXXXX\index.dat (XXXX are some digits)
C:\Windows\History\History.IE5\index.dat
C:\Windows\History\History.IE5\MSHistXXXXXXXXXXXXXXXXXX\index.dat
C:\Windows\Temporary Internet Files\index.dat (only in Internet Explorer 4.x)
C:\Windows\Temporary Internet Files\Content.IE5\index.dat
C:\Windows\UserData\index.dat
C:\Windows\Profiles\<username>\Cookies\index.dat
C:\Windows\Profiles\<username>\History\index.dat
C:\Windows\Profiles\<username>\History\MSHistXXXXXXXXXXXXXXXXXX\index.dat
C:\Windows\Profiles\<username>\History\History.IE5\index.dat
C:\Windows\Profiles\<username>\History\History.IE5\MSHistXXXXXXXXXXXXXXXXXX\index.dat
C:\Windows\Profiles\<username>\Temporary Internet Files\index.dat (only in IE 4.x)
C:\Windows\Profiles\<username>\Temporary Internet Files\Content.IE5\index.dat
C:\Windows\Profiles\<username>\UserData\index.dat

Note that on your computer the Windows directory may not be C:\Windows but some other directory. If you don't have Profiles directory in you Windows directory don't worry - this just means that you are not using user profiles. It is also possible that you don't have UserData subdirectories. To learn more about UserData records click here.

You can use Mil Shield to clean the content of index.dat files along with history, cookies, cache and many other tracks.





--------------------------------------------------------------------------------

What is in Index.dat files?
As already mentioned, index.dat files are binary files. Their content can be seen only with binary (hex) editor. We will examine an index.dat file from the Internet cache (Temporary Internet Files). First, let's take a look to the index.dat file header:




Actually the index.dat header is much larger but this is the most important part of it. The first thing is the version of the index.dat file (Client UrlCache MMF Ver 4.7) - this particular file is from Internet Explorer version 4 but the index.dat file format is very similar in Internet Explorer 5, 6 and 7.

The next important thing in the header are the names of the four subfolders in which are located the cached files from the Internet (they are not in the header when the index.dat file is for cookies and history but UserData index.dat files also have such subfolders). These subfolders are located in the same folder as the index.dat file and in this case their names are 49EDE5UVC, GHIZ8LMVB, EBWNUZWLB and G48NSH4S. On your PC these folders can be more than four (depending on the size of the index.dat file) and their names will be different.

The real content of the index.dat files usually starts at byte offset 4000h or 5000h from the beginning of the file. Index.dat file is composed of many records of four different types: HASH, URL, LEAK and REDR.

HASH records are the largest but they don't contain any privacy sensitive information. The are just hash indexes of the contents of the index.dat file. If the file is larger there can be many such records.

The vast majority of the index.dat records are of types URL, LEAK and REDR. They have fairly similar layout. Look at this sample URL record.



As you can see there is a lot of information here. First, there is encoded date and time of the loading of this picture (icon_hardware.gif) from the Internet. The date and time are encoded in binary format in the second row of the dump. Next, there is http://www.aceshardware.com/site/images ... rdware.gif, which is the full URL of the loaded file. The name of the local copy of the file (which is in one of the four subfolders of the index.dat folder) is icon_hardware.gif. The next thing is the full HTTP header of the response of the Web server:

HTTP/1.0 200 OK
ETag: "AAAAOl01l7Q"
Content-Type: image/gif
Content-Length: 1234
X-Cache: MISS from proxy.office.devolti.com
The last but not least bit of information in the record is the name of the user account: Administrator. Obviously all this information can be potentially dangerous because it tells us who and when accessed given Internet page and what was the response of the Web server. If you clean the Internet cache (Temporary Internet Files) then the cached files are deleted but most of the index.dat file records are left almost untouched. The same is true for the history and cookies.

The empty space of index.dat files is filled with junk (most often zeros but it can also be various meaningless sequences) or in some areas - with "magic" sequence 0BADF00Dh (BAD FOOD). Obviously Microsoft developers are not without a sense of humor. BAD FOOD parts of the file are deleted records of other kinds and they aren't privacy threat.

You can use Mil Shield to clean the content of index.dat files along with history, cookies, cache and many other tracks.



--------------------------------------------------------------------------------

How to erase or clean Index.dat files?
Erasing or cleaning of the index.dat files is not an easy task because they are opened by Internet Explorer and Windows all the time. If you are using Windows Me, Windows 98 or Windows 95 you can restart in DOS mode and then you can delete index.dat files one by one (look in the folders that are mentioned above). However if you are using Windows Vista, Windows XP, Windows 2000 or Windows NT this won't work.



Mil Shield is a powerful privacy protection program that was designed specifically to clean and shred the index.dat files content. Unlike the other methods of dealing with index.dat file content, shredding is the best because it doesn't destroy the entire structure of the index.dat file which can cause Internet Explorer or Windows to crash but instead cleans and shreds only the privacy threatening URL, LEAK and REDR records. Additional benefit is the ability to preserve the tracks from some chosen by you sites (selective cleaning), which makes your browsing more comfortable and safe (it is rather suspicious to always have empty history, cookies and cache - it is better to leave some tracks from "innocent" sites). Mil Shield also cleans all other tracks as cookies, history, cache, AutoComplete records, UserData records, history of recently used folders and documents and many other.
--Regards--
Rajeev Mahura
Servers & Storage Professional
http://about.me/rajeevmahura
User avatar
rajeevmahura
 
Posts: 144
Joined: Tue May 20, 2008 5:22 pm
Location: Bangalore | New Delhi
Full Name: Rajeev Mahura
Date Of Birth: 15 Jan 1984
Address: New Delhi
Profession: DOEACC Trainer
DOEACC Center: DOEACC DELHI
Mobile No: 0

Return to Windows XP

Who is online

Users browsing this forum: No registered users and 1 guest

cron