Overview

Microsoft Internet Explorer maintains a Daily record of visited pages. This INDEX.DAT file has an unusual HOST record entry which helps the investigator analyse the visits to a particular web site. Internet Explorer uses the HOST record entry to display the hierarchical history structure when showing the user which web sites have been visited. Each record contains a number of timestamps, with the important data stored in a FILETIME structure. This timestamp structure contains a 64-bit value representing the number of 100-nanosecond intervals since 1st January 1601 (UTC). On the first daily visit to a particular web site, Internet Explorer creates a HOST entry in the INDEX.DAT record.

With further visits to the same web site, the HOST entry remains unchanged.  Examining the entries for the Daily INDEX.DAT will show when a web site was first and last visited during the period.  Figure 1 below shows an example of this when using the HOST filter view for visits to the Digital Detective web site:

 

Figure 1

Daily INDEX.DAT Timestamps

The Last Visited timestamp information is stored as two 64-bit FILETIME values located at offsets 0x08 and 0x10 (decimal 8 and 16). They are stored as UTC and Local time values. As there is no requirement to alter these timestamps, NetAnalysis presents them unaltered in the “Last Visited [UTC]” and “Last Visited [Local]” columns. The tables below summarise these timestamp values:

 

Microsoft Internet Explorer Daily INDEX.DAT FILETIME Timestamp

Offset  Value
0x08    Last Visited Timestamp in LOCAL time
0x10    Last Visited Timestamp in UTC

 

 

NetAnalysis Representation for Daily INDEX.DAT

Column                Source
Last Visited [UTC]    Unaltered UTC Timestamp from record offset 0x10
Last Visited [Local]  Unaltered Local Timestamp from record offset 0x08

Establishing the Time Zone ActiveBias

As the URL record contains a UTC and Local timestamp, it is possible to establish the Time Zone ActiveBias by calculating the time difference between both timestamps.  The following article discusses how to manually establish the Time Zone settings on the suspect computer:

The calculated ActiveBias information is represented in NetAnalysis by the ActiveBias column as shown in figure 2:

 

Figure 2

 

NetAnalysis further uses this information to confirm the selected Time Zone is correct.  If the Time Zone ActiveBias is in conflict with the Time Zone setting in NetAnalysis, the resulting timestamps may not be represented accurately.  The calculated ActiveBias is logged to the Audit Log as shown in Figure 3:

 

Figure 3

 

If NetAnalysis detects that the Time Zone settings for the forensic investigation are not correct, a warning dialogue will be shown immediately after the data has been imported.  Figure 4 shows the warning dialogue:

 

Figure 4

 

Examination of the ActiveBias column will show which entries are in conflict with the Time Zone Settings.
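
The ActiveBias calculation and the conflict check described above, as an added Python example (not NetAnalysis code and not part of the original article). It assumes the offsets are measured from the start of the record, that the FILETIME values are little-endian, and that the bias sign follows the Windows ActiveTimeBias convention (UTC = local + bias, in minutes); make_record, VISIT and SAMPLES are constructed sample data.

```python
import struct
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
OFF_LOCAL, OFF_UTC = 0x08, 0x10  # record offsets from the tables above

def to_filetime(dt):
    """Whole 100 ns intervals between 1601-01-01 UTC and dt."""
    return (dt - EPOCH_1601) // timedelta(microseconds=1) * 10

def from_filetime(ft):
    """Convert a 64-bit FILETIME value to a UTC-aware datetime."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)

def parse_daily_record(record):
    """Return (utc, local, bias_minutes), or None if a timestamp is unset."""
    if len(record) < OFF_UTC + 8:
        raise ValueError("record too short for both FILETIME values")
    local_ft, utc_ft = struct.unpack_from("<QQ", record, OFF_LOCAL)
    if local_ft == 0 or utc_ft == 0:
        return None  # no bias can be derived from an empty timestamp
    # Assumed sign convention: UTC = local + bias (as Windows ActiveTimeBias).
    bias = round((utc_ft - local_ft) / 600_000_000)  # 100 ns ticks per minute
    local = from_filetime(local_ft).replace(tzinfo=None)  # naive wall-clock time
    return from_filetime(utc_ft), local, bias

def bias_conflicts(records, examiner_bias):
    """Indexes of records whose derived bias differs from the examiner's setting."""
    parsed = [parse_daily_record(r) for r in records]
    return [i for i, p in enumerate(parsed)
            if p is not None and p[2] != examiner_bias]

def make_record(utc, local_offset_hours):
    """Constructed sample: 8 placeholder header bytes, then local and UTC FILETIMEs."""
    local = utc + timedelta(hours=local_offset_hours)
    return b"\x00" * 8 + struct.pack("<QQ", to_filetime(local), to_filetime(utc))

VISIT = datetime(2010, 7, 1, 12, 0, tzinfo=timezone.utc)  # constructed value
# Constructed records: local = UTC+1, local = UTC-5, and one with unset timestamps.
SAMPLES = [make_record(VISIT, +1), make_record(VISIT, -5), b"\x00" * 24]

if __name__ == "__main__":
    for rec in SAMPLES:
        print(parse_daily_record(rec))
    print("conflicts with examiner bias -60:", bias_conflicts(SAMPLES, -60))
```

A record whose derived bias differs from the examiner's configured value is the kind of entry the ActiveBias column is meant to surface.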