SANS Digital Forensics and Incident Response Blog

Is Your index.dat File LEAKing?

One of the projects that I've been working on, has required me to become intimately familiar with index.dat files. These files (index.dat) are usually associated with Internet Explorer's browser history. If you've ever worked with index.dat files before, you've probably encountered the mysterious "LEAK" record. After some analysis, I think I've finally figured out what LEAK records are used for.

Essentially, a LEAK record is created when a cached URL entry is deleted (by calling DeleteUrlCacheEntry) and the cached file associated with the entry (a.k.a. "temporary internet file" or TIF) can not be deleted.

You can easily test this on your own system:

  1. Open Internet Explorer and surf to a web page. Ideally a page with a unique and easily identifiable name (e.g. thisisnotthefileyouarelookingfor.txt).
  2. At a command prompt, navigate to your internet cache directory. On Windows XP/2003 systems this will be under Documents and Settings\<username>\Local Settings\Temporary Internet Files\Content.IE5. There are four subdirectories (with random looking names). These directories contain the locally cached copies of various web pages.
  3. Find the locally cached copy of the page you visited in step 1. The cached page will be under one of the four subdirectories, and is usually named <page name>[number].<ext>. (This is why a unique and easily identifiable page name is useful)
  4. Using notepad open the cached copy of the page.
  5. With notepad still open, go back to Internet Explorer and clear your browsing history.
  6. You should now see a LEAK record in the index.dat file under the Content.IE5 directory. (It helps to use a hex editor).

It's that simple. A detailed explanation and sample code to create LEAK records can be found here.

Mike Murr is a forensics analyst with Code-X Technologies, a SANS Instructor, author of and LibForensics, an open source framework for digital forensics written in Python.