ie-index-file

Parses Internet Explorer's index.dat file (MSIECF format) and queries the cache and visit history. Converts URL, file name, access time, modification time, and other information into structured fields for output.

Command properties

Syntax

Options

zippath=STR

Path to the ZIP file containing the index.dat file. Use this when querying a file directly from inside a ZIP archive.

zipcharset=STR

Character set for ZIP file entries. (Default: utf-8)

Target

FILE_PATH

Path to the Internet Explorer index.dat file to query. You can use wildcards (*) to specify multiple files. The index.dat file is the cache file format used by Internet Explorer on Windows XP and earlier, typically located at C:\Documents and Settings\<username>\Local Settings\Temporary Internet Files\Content.IE5\index.dat.

Output fields

Error codes

Parsing errors

N/A

Runtime errors

Description

The ie-index-file command parses index.dat files in MSIECF (Microsoft Internet Explorer Cache File) format used by Internet Explorer. This file was used by Internet Explorer on Windows XP and earlier to store web cache, cookies, and visit history.

URL records inside the file are parsed to output accessed URLs, cached file names, and timestamp information.

Examples

1. Query an index.dat file

   ie-index-file /opt/logpresso/evidence/index.dat
   

   Queries all records from the index.dat file at the specified path.

2. Filter visit history for a specific domain

   ie-index-file /opt/logpresso/evidence/index.dat
   | search location == "*example.com*"
   

   Filters only cache or visit history entries matching a specific domain.

3. Query an index.dat file inside a ZIP archive

   ie-index-file zippath=/opt/logpresso/evidence/artifacts.zip Content.IE5/index.dat
   

   Queries records from the index.dat file inside the ZIP archive.