Windows 'index.dat' Parser (id)
id is a command-line version of a Windows index.dat parser. The forensic value of index.dat metadata is well known: the file acts like a database in a file and can provide useful information such as (a) website URLs that were visited with a browser, (b) cookies, (c) search queries and (d) recently opened files. Below is the menu of options:

id was developed to run on a live system, with the ability to run in batch (automated) mode, and to be operating-system agnostic when run in offline mode (e.g., on Linux or Mac OS X, if desired).
id can parse individual files, and it can also work across raw volumes, scanning sector by sector to pull deleted or normally inaccessible index.dat metadata. The output options are flexible: the final data can be presented as unstructured text or in comma-separated value format for easy inclusion into other post-processing software that can compare across forensic artifacts.
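The raw-volume scan described above, as an added example that is not id's own code or algorithm: it walks a raw buffer on 128-byte boundaries, validates `URL `/`LEAK` record headers and extracts the URL string and timestamps. The field offsets follow the commonly documented index.dat version 5.2 record layout and are assumptions here, as are all function names and the constructed sample data.

```python
import struct
from datetime import datetime, timedelta, timezone

BLOCK = 0x80                     # index.dat allocates records in 128-byte blocks
SIGNATURES = (b"URL ", b"LEAK")  # record types that carry a URL string
URL_OFFSET_FIELD = 0x34          # assumed position of the URL-string offset (v5.2)

def filetime_to_utc(ft):
    """Convert a FILETIME (100 ns ticks since 1601-01-01) to UTC; None if unset/invalid."""
    try:
        return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10) if ft else None
    except OverflowError:        # garbage timestamp in a partly overwritten record
        return None

def carve(image, max_blocks=64):
    """Scan a raw buffer on 128-byte boundaries and return plausible URL/LEAK records."""
    hits = []
    for off in range(0, len(image) - BLOCK + 1, BLOCK):
        sig = bytes(image[off:off + 4])
        if sig not in SIGNATURES:
            continue
        blocks, modified, accessed = struct.unpack_from("<IQQ", image, off + 4)
        size = blocks * BLOCK
        if not 1 <= blocks <= max_blocks or off + size > len(image):
            continue             # implausible record length: treat as a false hit
        (url_off,) = struct.unpack_from("<I", image, off + URL_OFFSET_FIELD)
        if not 0x38 <= url_off < size:
            continue             # string offset must fall inside the record
        url = bytes(image[off + url_off:off + size]).split(b"\0", 1)[0]
        if not url or any(b < 0x20 or b > 0x7E for b in url):
            continue             # overwritten or non-text remnant
        hits.append({"offset": off, "type": sig.decode().strip(), "url": url.decode("ascii"),
                     "modified": filetime_to_utc(modified),
                     "accessed": filetime_to_utc(accessed)})
    return hits

def sample_image():
    """Constructed test data: one valid record at byte 1024 and one bogus signature."""
    rec = bytearray(2 * BLOCK)
    struct.pack_into("<4sIQQ", rec, 0, b"URL ", 2, 0, 132223104000000000)  # 2020-01-01 UTC
    struct.pack_into("<I", rec, URL_OFFSET_FIELD, 0x68)
    url = b"Visited: analyst@http://example.test/login\0"
    rec[0x68:0x68 + len(url)] = url
    bogus = b"URL " + bytes(BLOCK - 4)   # block count 0, must be rejected
    return bytes(1024) + bytes(rec) + bytes(256) + bogus

if __name__ == "__main__":
    for hit in carve(sample_image()):
        print(hit)
```

For a real disk image, pass an `mmap` of the file to `carve` instead of `bytes` so the whole volume is not loaded into memory.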
For more information
The user's guide can be viewed here
If you have any questions about id, contact us via email.
Downloads
| | Intel 32-bit Version | Intel 64-bit Version | ARM 64-bit Version | |
|---|---|---|---|---|
| Windows | id32.v.0.92.win.zip | id64.v.0.92.win.zip | id64a.v.0.92.win.zip | md5/sha1 |
| Linux | id32.v.0.92.lin.tar.gz | id64.v.0.92.lin.tar.gz | id64a.v.0.92.lin.tar.gz | md5/sha1 |
| Mac OS X | Not Available | id.v.0.92.dmg | id.v.0.92.dmg | md5/sha1 |

*32-bit apps can run in a 64-bit Linux distribution if "ia32-libs" (and dependencies) are present.