Overview

Microsoft Internet Explorer maintains a Daily record of visited pages.

This INDEX.DAT file has an unusual HOST record entry which helps the investigator analyse the visits to a particular web site. 

The HOST record entry is used by Internet Explorer to display the hierarchical history structure when showing the user which web sites have been visited.

Each record contains a number of timestamps with the important data being stored in a FILETIME structure.

This timestamp structure contains a 64-bit value representing the number of 100-nanosecond intervals since 1st January 1601 (UTC).

On the first daily visit to a particular web site, Internet Explorer creates a HOST entry in the INDEX.DAT record.

In effect, this entry represents the first visit to a particular HOST on a specific day.

With further visits to the same web site, the HOST entry remains unchanged.

Examining the entries for the Daily INDEX.DAT will show when a web site was first and last visited during the period.

Figure 1 below shows an example of this when using the HOST filter view for visits to the Digital Detective web site:

 

Figure 1

Daily INDEX.DAT Timestamps

The Last Visited timestamp information is stored as two 64-bit FILETIMEs located at offsets 0x08 and 0x10 (decimal 8 and 16).

They are stored as UTC and Local time values.

As there is no requirement to alter these timestamps, they are presented in an unaltered state in the NetAnalysis “Last Visited [UTC]” and “Last Visited [Local]” columns.

The tables below summarise these timestamp values:

Microsoft Internet Explorer Daily INDEX.DAT FILETIME Timestamp

| Record offset | Content |
|---|---|
| 0x08 | Last Visited Timestamp in LOCAL time |
| 0x10 | Last Visited Timestamp in UTC |

NetAnalysis Representation for Daily INDEX.DAT

| Column | Content |
|---|---|
| Last Visited [UTC] | Unaltered UTC Timestamp from record offset 0x10 |
| Last Visited [Local] | Unaltered Local Timestamp from record offset 0x08 |
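The following Python sketch is an added example, not code from NetAnalysis or Digital Detective. It decodes the two FILETIME values at the offsets in the table and also reports the difference between them, which goes slightly beyond the page by exposing the local time offset in effect when the record was written. It assumes the offsets are measured from the start of the record and that the values are little-endian; the function names and the sample record are constructed for illustration.

```python
import struct
from datetime import datetime, timedelta

FILETIME_EPOCH = datetime(1601, 1, 1)  # FILETIME counts from 1 January 1601
OFF_LOCAL = 0x08  # Last Visited, local time (per the table above)
OFF_UTC = 0x10    # Last Visited, UTC (per the table above)


def filetime_to_datetime(ft):
    """Convert 100-nanosecond intervals since 1601-01-01 to a naive datetime."""
    if ft == 0:
        return None  # unset timestamp
    try:
        return FILETIME_EPOCH + timedelta(microseconds=ft // 10)
    except OverflowError:
        return None  # value outside the datetime range, e.g. a damaged record


def datetime_to_filetime(dt):
    """Inverse conversion, used here only to build the constructed sample."""
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def parse_daily_record(record):
    """Return (last_visited_utc, last_visited_local, local_minus_utc)."""
    if len(record) < OFF_UTC + 8:
        raise ValueError("record too short to hold both FILETIME values")
    (ft_local,) = struct.unpack_from("<Q", record, OFF_LOCAL)
    (ft_utc,) = struct.unpack_from("<Q", record, OFF_UTC)
    local = filetime_to_datetime(ft_local)
    utc = filetime_to_datetime(ft_utc)
    bias = local - utc if local is not None and utc is not None else None
    return utc, local, bias


def build_sample_record(utc, local):
    """Constructed sample: 8 zeroed header bytes, then the two FILETIMEs."""
    return (b"\x00" * 8
            + struct.pack("<Q", datetime_to_filetime(local))
            + struct.pack("<Q", datetime_to_filetime(utc)))


if __name__ == "__main__":
    utc = datetime(2010, 6, 15, 13, 30, 0)  # constructed sample value
    rec = build_sample_record(utc, utc + timedelta(hours=1))
    print(parse_daily_record(rec))
```
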

 

 

 
