TZWorks LLC
System Analysis and Programming
www.tzworks.com
(Version 0.92)
TZWorks LLC software and related documentation ("Software") is governed by separate licenses issued from TZWorks LLC. The User Agreement, Disclaimer, and/or Software may change from time to time. By continuing to use the Software after those changes become effective, you agree to be bound by all such changes. Permission to use the Software is granted provided that (1) use of such Software is in accordance with the license issued to you and (2) the Software is not resold, transferred or distributed to any other person or entity. Refer to the specific EULA issued to you for the terms and conditions. There are 3 types of licenses available: (i) for educational purposes, (ii) for demonstration and testing purposes and (iii) business and/or commercial purposes. Contact TZWorks LLC (info@tzworks.com) for more information regarding licensing and/or to obtain a license. To redistribute the Software, prior approval in writing is required from TZWorks LLC. The terms in your specific EULA do not give the user any rights in intellectual property or technology, but only a limited right to use the Software in accordance with the license issued to you. TZWorks LLC retains all rights to ownership of this Software.
The Software is subject to U.S. export control laws, including the U.S. Export Administration Act and its associated regulations. The Export Control Classification Number (ECCN) for the Software is 5D002, subparagraph C.1. The user shall not, directly or indirectly, export, re-export or release the Software to, or make the Software accessible from, any jurisdiction or country to which export, re-export or release is prohibited by law, rule or regulation. The user shall comply with all applicable U.S. federal laws, regulations and rules, and complete all required undertakings (including obtaining any necessary export license or other governmental approval), prior to exporting, re-exporting, releasing, or otherwise making the Software available outside the U.S.
The user agrees that this Software made available by TZWorks LLC is experimental in nature and use of the Software is at user's sole risk. The Software could include technical inaccuracies or errors. Changes are periodically added to the information herein, and TZWorks LLC may make improvements and/or changes to Software and related documentation at any time. TZWorks LLC makes no representations about the accuracy or usability of the Software for any purpose.
THE SOFTWARE IS PROVIDED "AS IS" AND "WHERE IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING ALL IMPLIED WARRANTIES AND CONDITIONS OF MERCHANTABILITY, FITNESS FOR ANY PARTICULAR PURPOSE, TITLE AND NON-INFRINGEMENT. IN NO EVENT SHALL TZWORKS LLC BE LIABLE FOR ANY KIND OF DAMAGE RESULTING FROM ANY CAUSE OR REASON, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF INFORMATION AVAILABLE FROM THIS SOFTWARE, INCLUDING BUT NOT LIMITED TO ANY DAMAGES FROM ANY INACCURACIES, ERRORS, OR VIRUSES, FROM OR DURING THE USE OF THE SOFTWARE.
The Software is the original work of TZWorks LLC. However, to be in compliance with the Digital Millennium Copyright Act of 1998 ("DMCA"), we agree to investigate and disable any material found to infringe copyright. Contact TZWorks LLC at info@tzworks.com regarding any DMCA concerns.
id is a command-line index.dat parser. While other index.dat parsers are freely available, we wanted a tool that was fast, cross-platform and flexible enough in architecture to accept additional enhancements.
From Wikipedia, "the index.dat file functions as an active database, which runs as long as a user is logged on... It functions as a repository of redundant information, such as web URLs, search queries and recently opened files. Its role is similar to that of an index file in the field of databases, where a technique called 'indexing' stores the contents of a database in a different order to help speed up query responses".
Because the Windows operating system uses these files as databases, they are locked while the user is logged on, which makes them difficult to remove. This, coupled with the fact that they (a) record user history, (b) store the URLs that were visited and (c) store cookies, makes these files useful in computer forensics.
To use this tool, the license (authentication) file must be in the same directory as the binary; without it the tool will not run.
The index.dat files are found in the following locations:

[... Pre Vista ...]
History files
  %userprofile%\Local Settings\History\History.IE5\
  %userprofile%\Local Settings\History\History.IE5\MSHist*\
Cache
  %userprofile%\Local Settings\Temporary Internet Files\Content.IE5\
  %userprofile%\Local Settings\Application Data\Microsoft\Feeds Cache\
  %userprofile%\Local Settings\Application Data\Microsoft\Internet Explorer\UserData\
  %userprofile%\Local Settings\Application Data\Microsoft\Internet Explorer\DOMStore\
  %userprofile%\IECompatCache\
  %userprofile%\IETldCache\
  %userprofile%\PrivacIE\
  %userprofile%\UserData\
Cookies
  %userprofile%\Cookies

[... Vista and Windows 7 ...]
History files
  %userprofile%\AppData\Local\Microsoft\Windows\History\History.IE5
  %userprofile%\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist*\
  %userprofile%\AppData\Local\Microsoft\Windows\History\Low\History.IE5 (unprivileged)
Cache
  %userprofile%\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5
  %userprofile%\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5
  %userprofile%\AppData\Local\Microsoft\Windows\Feeds Cache\
  %userprofile%\AppData\Roaming\Microsoft\Windows\IECompatCache\
  %userprofile%\AppData\Roaming\Microsoft\Windows\IECompatCache\Low\
  %userprofile%\AppData\Roaming\Microsoft\Windows\IETldCache\
  %userprofile%\AppData\Roaming\Microsoft\Windows\IETldCache\Low\
Cookies
  %userprofile%\AppData\Roaming\Microsoft\Windows\Cookies\
  %userprofile%\AppData\Roaming\Microsoft\Windows\Cookies\Low\
  %userprofile%\AppData\LocalLow\Microsoft\Internet Explorer\DOMStore\
  %userprofile%\AppData\Roaming\Microsoft\Internet Explorer\UserData\Low\
One can display the menu options by typing the executable's name without parameters. Below is the menu with the various options. Details of each option are given in the options table later in this document.
Usage:
  id64 -f <file>
  id64 -partition <drive letter>                       = Partition scan
  id64 -vmdk "<file1> | <file2> | ..."                 = VMWare disk scan
  dir "%userprofile%\*index.dat" /b /s [/a:h] | id64 -pipe
  id64 -enumdir <folder> -num_subdirs <#> [options]

Basic options
  -pipe                        = pipe files into app for processing
  -dateformat mm/dd/yyyy       = "yyyy-mm-dd" is the default
  -timeformat hh:mm:ss         = "hh:mm:ss.xxx" is the default
  -csv_separator "|"           = use a pipe char for separator
  -locale                      = use user acct locale info for date formatting
  -filter <*partial*|*.ext>    = filters stdin data from -pipe option

id -f <path\index.dat> [-locale]
   -locale = uses the user acct locale info for date formatting

1. To pipe a directory listing into this tool, use the [-pipe] syntax:
   - for index.dat files that have the hidden attribute set:
     dir "%userprofile%\*index.dat" /a:h /b /s | id -pipe
   - otherwise use the following:
     dir "%userprofile%\*index.dat" /b /s | id -pipe
2. Experimental partition scan option:
   id -partition <drive letter> [-locale]
3. Experimental VMware disk scan option:
   id -vmdk "<file1> | <file2> | ..." [-locale]
To access Volume Shadow copies, one needs to be running with administrator privileges. Also note that Volume Shadow copies, as discussed here, apply only to Windows Vista, Win7, Win8 and beyond; they do not apply to Windows XP.
To simplify the syntax, the tool has a built-in shortcut keyword, %vss%, for accessing a specific file in a specified Volume Shadow copy. Internally it is expanded to \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy. Thus, to access index 1 of the volume shadow copy, one combines the keyword and the index (e.g. %vss%1) in front of the normal path of the file. For example, to access a file located in the testuser account from HarddiskVolumeShadowCopy1, the following syntax can be used (the file is passed with the -f option, as everywhere else in this tool):
id -f %vss%1\Users\testuser\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat > results.txt
To determine which indexes are available from the various Volume Shadows, one can use the Windows built-in utility vssadmin, as follows:
vssadmin list shadows
-- or to filter out extraneous detail --
vssadmin list shadows | find /i "volume"
While the output of the above command can be voluminous, the lines to look for are those of the form:
Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1
Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2
...
From the example above, notice the number after the word HarddiskVolumeShadowCopy. This is the number that is appended to the %vss% keyword.
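The three-step procedure above (list the shadow copies with vssadmin, prefix %vss%<n> to the file path, run id against each copy) as an added Python example; it is not part of the original guide and is not TZWorks' own code. It parses a constructed vssadmin listing (not captured from a real host, and the GUIDs are placeholders), performs the same %vss% expansion the text describes the tool doing internally, and emits one id command per shadow copy for the Vista/Windows 7 history index.dat of a given account. The tool name id, the -f option and the per-copy output file names are assumptions for illustration.

```python
import re

# Device prefix the %vss% keyword expands to (quoted from the guide).
VSS_DEVICE_PREFIX = r"\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy"

# Constructed sample of "vssadmin list shadows" output; GUIDs are placeholders.
SAMPLE_VSSADMIN_OUTPUT = r"""
vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool

Contents of shadow copy set ID: {11111111-2222-3333-4444-555555555555}
   Contained 1 shadow copies at creation time: 1/2/2020 3:04:05 PM
      Shadow Copy ID: {aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee}
         Original Volume: (C:)\\?\Volume{66666666-7777-8888-9999-000000000000}\
         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1
         Originating Machine: workstation01

Contents of shadow copy set ID: {22222222-3333-4444-5555-666666666666}
   Contained 1 shadow copies at creation time: 1/9/2020 3:04:05 PM
      Shadow Copy ID: {bbbbbbbb-cccc-dddd-eeee-ffffffffffff}
         Original Volume: (C:)\\?\Volume{66666666-7777-8888-9999-000000000000}\
         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2
         Originating Machine: workstation01
"""

# Equivalent of `find /i "volume"`: only the "Shadow Copy Volume:" lines matter,
# and the match is case-insensitive like the find /i filter in the guide.
_SHADOW_RE = re.compile(
    r"Shadow Copy Volume:\s*" + re.escape(VSS_DEVICE_PREFIX) + r"(\d+)",
    re.IGNORECASE,
)

# %vss%<n> at the start of a path; the digits are the shadow copy index.
_VSS_KEYWORD_RE = re.compile(r"^%vss%(\d+)", re.IGNORECASE)


def shadow_indexes(vssadmin_text):
    """Return the sorted, de-duplicated shadow copy indexes in vssadmin output."""
    return sorted({int(m.group(1)) for m in _SHADOW_RE.finditer(vssadmin_text)})


def expand_vss(path):
    """Expand a leading %vss%<n> the way the guide says the tool does internally.

    Paths without the keyword are returned unchanged.
    """
    m = _VSS_KEYWORD_RE.match(path)
    if not m:
        return path
    return VSS_DEVICE_PREFIX + m.group(1) + path[m.end():]


def history_index_dat(user):
    """Vista/Windows 7 location of the main IE history index.dat for an account."""
    return r"\Users\%s\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat" % user


def id_commands(vssadmin_text, user, tool="id"):
    """One command line per shadow copy, parsing that copy's history index.dat.

    The output file name per copy is an assumption; the guide shows a single
    results.txt for one copy.
    """
    cmds = []
    for n in shadow_indexes(vssadmin_text):
        src = "%%vss%%%d%s" % (n, history_index_dat(user))
        cmds.append("%s -f %s > results_vss%d.txt" % (tool, src, n))
    return cmds


if __name__ == "__main__":
    for cmd in id_commands(SAMPLE_VSSADMIN_OUTPUT, "testuser"):
        print(cmd)
    # Show what the keyword becomes once the tool expands it.
    print(expand_vss("%vss%1" + history_index_dat("testuser")))
```

Run the script on the real listing by replacing SAMPLE_VSSADMIN_OUTPUT with the captured output of vssadmin list shadows (an elevated prompt is still required, as the guide notes); the generated commands are plain cmd.exe lines, so they can be pasted into a batch file to sweep every snapshot of a user's history.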
When piping the contents of a directory listing produced by the Windows 'dir' command, ensure the correct switches are used so that dir actually enumerates the index.dat files. Depending on the Windows Explorer view settings, you may need the /a:h attribute switch to list hidden files.
Windows Example 1 (for pre-Vista index.dat files): to pipe all occurrences of index.dat within the 'Documents and Settings' directory when the index.dat files have the hidden attribute set, use:
dir "c:\Documents and Settings\*index.dat" /a:h /b /s | id.exe -pipe
If the index.dat files don't have the hidden attribute set, then use:
dir "c:\Documents and Settings\*index.dat" /b /s | id.exe -pipe
Windows Example 2 (for Vista and Windows 7 index.dat files): piping all occurrences of index.dat within the 'Users' directory. The first command assumes the index.dat files have the hidden attribute set; the second assumes they do not.
dir "c:\Users\*index.dat" /a:h /b /s | id.exe -pipe
dir "c:\Users\*index.dat" /b /s | id.exe -pipe
To redirect output from stdout to a file:
dir "c:\Users\*index.dat" /a:h /b /s | id.exe -pipe > c:\dump\parsed.txt
dir "c:\Users\*index.dat" /b /s | id.exe -pipe > c:\dump\parsed.txt
To pipe a set of index.dat files from various directories, one can use the 'find' command, pipe its output into id and redirect the final output to a results file, like this (the name pattern is quoted so the shell does not expand it before find sees it):
find /home/<some dir> -name '*.dat' -type f | ./id -pipe > results
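The enumeration step from the Windows and Linux examples above, as an added Python example that is not part of the original guide and is not TZWorks' own code. On Windows, `dir /a:h` lists only files that carry the hidden attribute, so the guide has to show two dir invocations; a directory walk from a script sees hidden and non-hidden files alike and produces a single list for `id -pipe`. The example also implements the -filter rule from the options table (a '*' wildcard only at the start or end of the pattern, alternatives separated by '|') as this editor reads it, matching against the full path, which is an assumption. The sample profile tree is constructed in a temporary directory (empty files standing in for index.dat), the tool is assumed to be on PATH as id64, and it is only invoked if found.

```python
import os
import shutil
import subprocess
import tempfile

TARGET_NAME = "index.dat"

# Constructed sample layout relative to a root: two of the Vista/Windows 7
# locations from the list earlier in the guide, plus a decoy that must be skipped.
SAMPLE_FILES = [
    "Users/testuser/AppData/Local/Microsoft/Windows/History/History.IE5/index.dat",
    "Users/testuser/AppData/Roaming/Microsoft/Windows/Cookies/index.dat",
    "Users/testuser/AppData/Local/Temp/notes.dat",
]


def make_sample_tree(root):
    """Create the constructed sample files under root (empty files suffice)."""
    for rel in SAMPLE_FILES:
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "wb").close()


def find_index_dat(root):
    """Every index.dat under root, hidden or not, in a stable sorted order.

    os.walk reports hidden files on all platforms, so this single walk replaces
    the 'dir ... /a:h' and 'dir ...' pair in the guide.
    """
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            if name.lower() == TARGET_NAME:
                hits.append(os.path.join(dirpath, name))
    return sorted(hits)


def match_filter(path, pattern):
    """-filter semantics as assumed here: '*' only at the start and/or end."""
    text = path.lower()
    pat = pattern.strip().lower()
    starts, ends = pat.startswith("*"), pat.endswith("*")
    core = pat.strip("*")
    if "*" in core:
        raise ValueError("wildcard only allowed at start or end: %r" % pattern)
    if starts and ends:
        return core in text
    if starts:
        return text.endswith(core)
    if ends:
        return text.startswith(core)
    return text == core


def apply_filters(paths, patterns):
    """Keep paths matching any pattern, like the 'a | b' alternatives of -filter."""
    return [p for p in paths if any(match_filter(p, pat) for pat in patterns)]


def pipe_input(paths):
    """Text to feed to 'id -pipe' on stdin: one path per line, like dir /b /s."""
    return "".join(p + "\n" for p in paths)


def run_id(paths, tool="id64"):
    """Pipe the list into the tool if it is on PATH; return its stdout, else None.

    The license file must sit beside the binary for the tool to run (see above).
    """
    exe = shutil.which(tool)
    if exe is None:
        return None
    proc = subprocess.run([exe, "-pipe"], input=pipe_input(paths),
                          capture_output=True, text=True, check=False)
    return proc.stdout


def demo():
    """Build the sample tree, enumerate it, and apply a -filter style pattern."""
    root = tempfile.mkdtemp(prefix="idpipe_")
    try:
        make_sample_tree(root)
        found = find_index_dat(root)
        history_only = apply_filters(found, ["*History*"])
        return {"found": [os.path.relpath(p, root) for p in found],
                "history_only": [os.path.relpath(p, root) for p in history_only]}
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    result = demo()
    print(pipe_input(result["found"]), end="")
    print("history only:", result["history_only"])
```

To use it against a live system, call find_index_dat on the profile root (C:\Users or C:\Documents and Settings) and hand the list to run_id; the same list can be written to a file and fed to the tool with input redirection on any of the three platforms.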
Option | Description |
---|---|
-f | Specifies the file to parse. Syntax is -f <filename> |
-locale | Use the system locale of the user account to perform date formatting [this option is very experimental]. On an en-US system the date is output as MM/DD/YYYY; on a fr-FR system it is DD/MM/YYYY. Time remains HH:MM:SS.MSEC, independent of the system locale. |
-pipe | Used to pipe files into the tool via STDIN (standard input). Each file passed in is parsed in sequence. |
-enumdir | Experimental. Used to process files within a folder and/or subfolders. Each file is parsed in sequence. The syntax is -enumdir <"folder"> -num_subdirs <#>. |
-filter | Filters data passed in via stdin via the -pipe option. The syntax is -filter <"*.ext | *partialname* | ...">. The wildcard character '*' is restricted to either before the name or after the name. |
-partition | Windows only option. Extract artifacts from a mounted Windows volume. The syntax is -partition <drive letter>. |
-vmdk | Extract artifacts from a VMWare monolithic NTFS formatted volume. The syntax is -vmdk "disk". For a collection of VMWare disks that include snapshots, one can use the following syntax: -vmdk "disk1 | disk2 | ..." |
-csv_separator | Used in conjunction with the -csv option to change the CSV separator from the default comma to something else. Syntax is -csv_separator "|" to change the CSV separator to the pipe character. To use the tab as a separator, one can use the -csv_separator "tab" OR -csv_separator "\t" options. |
-dateformat | Output the date using the specified format. Default behavior is -dateformat "yyyy-mm-dd". Using this option allows one to adjust the format to mm/dd/yy, dd/mm/yy, etc. The restriction with this option is the forward slash (/) or dash (-) symbol needs to separate month, day and year and the month is in digit (1-12) form versus abbreviated name form. |
-timeformat | Output the time using the specified format. Default behavior is -timeformat "hh:mm:ss.xxx". One can adjust the format to microseconds, via "hh:mm:ss.xxxxxx", or nanoseconds, via "hh:mm:ss.xxxxxxxxx", or no fractional seconds, via "hh:mm:ss". The restrictions with this option are that a colon (:) symbol needs to separate hours, minutes and seconds, a period (.) symbol needs to separate the seconds and fractional seconds, and the repeating symbol 'x' is used to represent the number of fractional-second digits. (Note: the fractional seconds apply only to those time formats that have the appropriate precision available. The Windows internal FILETIME has, for example, 100 nsec unit precision available. The DOS time format and the UNIX 'time_t' format, however, have no fractional seconds.) Some of the times represented by this tool use a time format without fractional seconds and therefore will not show precision beyond seconds when using this option. |
-utf8_bom | All output is in Unicode UTF-8 format. If desired, one can prefix an UTF-8 byte order mark to the output using this option. |
This tool has authentication built into the binary. The primary authentication mechanism is the digital X509 code signing certificate embedded into the binary (Windows and macOS).
The other mechanism is the runtime authentication, which applies to all the versions of the tools (Windows, Linux and macOS). The runtime authentication ensures that the tool has a valid license. The license needs to be in the same directory of the tool for it to authenticate. Furthermore, any modification to the license, either to its name or contents, will invalidate the license.
The tools from TZWorks output header information about the tool's version and whether it is running in limited, demo or full mode. This is directly related to which version of a license the tool authenticates with. The limited and demo keywords indicate that some functionality of the tool is not available, and the full keyword indicates that all the functionality is available. The lacking functionality in the limited or demo versions may mean one or all of the following: (a) certain options may not be available, (b) certain data may not be output in the parsed results, and (c) the license has a finite lifetime before expiring.