Computer Forensics
Purpose: To introduce the difference between IE Cache and cookies.
Download location for application: indexdat.zip on blackboard [optional]
*** Index.dat Analyzer is already installed on VCL. Look for its icon on the Desktop or type in the Windows search bar: index.dat analyzer. ***
Evidence file: nps–2008–jean.E01 (located in \\144.175.196.12\Forensic Data\nps–2008–jean.E01)
Steps/Questions to answer:
1. Download and install the indexdat–setup application. Note: If you are using the VCL option, this step is already complete. You can find the installed application on the VCL Desktop or by typing in the Windows search bar: index.dat analyzer.
2. Load image in FTK Imager and go to the History.IE5 folder for user Jean. Locate the 128kb index.dat file with the date of 7/20/2008. Extract this file to your desktop.
3. Open the index.dat file with notepad. What do you see overall?
4. Now open the index.dat file with the Index.dat Analyzer program. Make sure you add the exported file from the image and select the correct index.dat file. What do you see in comparison to what you saw in question 3?
5. By reviewing her cache in the Index.dat Analyzer, list the most popular pants size she shopped for?
6. Look at Jean’s cookies. Compare the cache and cookie entries. What informational differences do you see?
7. How can the IE Cache information be more beneficial than just looking at the user’s cookies?
8. Based on what you learned, what can you conclude about how Windows configures the IE Cache file? (i.e., based on what you saw in notepad and in the Index.dat Analyzer program)