
Thread: Your Privacy

  1. #1
    Member
    Join Date
    Feb 2003
    Posts
    96

    Your Privacy

    Recently I've been doing a little research into the inner workings of my Windows product (Windows XP). Because of my interest in computer forensics I decided to poke around for files that could provide evidence. This is when I discovered the index.dat files. These files seem to archive all: Temporary Internet URL's, History, and Cookies. I decided that I was going to create a batch file to delete these at my discretion. This is when I discovered that they couldn’t be deleted in normal mode. Even if you clear your temporary internet files etc... manually the index.dat still remains. (If you don't believe me download the index.dat viewer I've attached or go Here for a direct download) I went into safe mode, 'command prompt only' and was able to successfully delete the index.dat's. My question is this, Why is it that 3rd party software like Evidence Eliminator, Privacy Eraser Pro, etc... can delete the index.dat's in normal mode and the common user cannot? Is there ways to circumvent or disable the index.dat's from logging?

    Disclaimer: I'm not some individual looking to remove incriminating evidence. If that was ever a concern of mine I'd just format the HD a bunch w/ re-installs or just buy a new HD and destroy the old one.
    ][ neta1o ][
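The post above describes index.dat as an archive of visited URLs, history and cookies. As an added illustration of what such a viewer actually does (this is not code from the thread or from the attached viewer), the following Python scanner walks an index.dat image block by block, finds the "URL " records and extracts the URL string, the cached filename and the last-modified/last-accessed FILETIME stamps. The record offsets used (URL pointer at 0x34, filename pointer at 0x3C, FILETIMEs at 8 and 16) are assumed from the "Client UrlCache MMF Ver 5.2" layout used by IE 5/6 and should be checked against a real file; the sample image is constructed in the block so it runs offline.

```python
import struct
from datetime import datetime, timedelta, timezone

BLOCK = 128                                  # index.dat is organised in 128-byte blocks
HEADER_PREFIX = b"Client UrlCache MMF Ver "  # file signature, followed by the version string
URL_SIG = b"URL "                            # record type holding one visited URL
_EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Record-relative offsets assumed for the "Ver 5.2" layout (verify against a real file).
OFF_MODIFIED = 8          # FILETIME, last modified
OFF_ACCESSED = 16         # FILETIME, last accessed
OFF_URL_PTR = 0x34        # 32-bit offset (from record start) of the NUL-terminated URL
OFF_FILENAME_PTR = 0x3C   # 32-bit offset of the cached filename string, 0 if none


def filetime_to_datetime(ft):
    """Windows FILETIME (100 ns ticks since 1601-01-01 UTC) to datetime; 0 means unset."""
    if ft == 0:
        return None
    return _EPOCH_1601 + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime, used only to build the constructed sample."""
    d = dt - _EPOCH_1601
    return (d.days * 86400 * 10**6 + d.seconds * 10**6 + d.microseconds) * 10


def _cstring(buf, offset):
    """Read a NUL-terminated ASCII string at offset; tolerate a missing terminator."""
    if offset <= 0 or offset >= len(buf):
        return ""
    end = buf.find(b"\x00", offset)
    return buf[offset:end if end >= 0 else len(buf)].decode("ascii", errors="replace")


def scan_url_records(data):
    """Return (version, records): one dict per "URL " record found on a block boundary."""
    if not data.startswith(HEADER_PREFIX):
        raise ValueError("not an index.dat file (header signature missing)")
    version = _cstring(data, len(HEADER_PREFIX))
    records, off = [], 0
    while off + BLOCK <= len(data):
        if data[off:off + 4] != URL_SIG:
            off += BLOCK
            continue
        nblocks = struct.unpack_from("<I", data, off + 4)[0]
        if nblocks == 0 or off + nblocks * BLOCK > len(data):
            off += BLOCK          # damaged length field: do not trust it, keep scanning
            continue
        rec = data[off:off + nblocks * BLOCK]
        modified, accessed = struct.unpack_from("<QQ", rec, OFF_MODIFIED)
        url_ptr, = struct.unpack_from("<I", rec, OFF_URL_PTR)
        name_ptr, = struct.unpack_from("<I", rec, OFF_FILENAME_PTR)
        records.append({
            "offset": off,
            "url": _cstring(rec, url_ptr),
            "filename": _cstring(rec, name_ptr),
            "modified": filetime_to_datetime(modified),
            "accessed": filetime_to_datetime(accessed),
        })
        off += nblocks * BLOCK
    return version, records


def build_sample_index(entries):
    """Construct a synthetic index.dat image (test data, not a real file), one URL record per entry."""
    image = bytearray((HEADER_PREFIX + b"5.2\x00").ljust(2 * BLOCK, b"\x00"))  # real headers are larger
    for url, filename, modified, accessed in entries:
        fixed = bytearray(0x68)                      # fixed part of the record; strings follow it
        strings = url.encode("ascii") + b"\x00"
        name_ptr = 0
        if filename:
            name_ptr = len(fixed) + len(strings)
            strings += filename.encode("ascii") + b"\x00"
        rec = fixed + strings
        nblocks = -(-len(rec) // BLOCK)              # round up to whole blocks
        rec = rec.ljust(nblocks * BLOCK, b"\x00")
        rec[0:4] = URL_SIG
        struct.pack_into("<I", rec, 4, nblocks)
        struct.pack_into("<QQ", rec, OFF_MODIFIED,
                         datetime_to_filetime(modified), datetime_to_filetime(accessed))
        struct.pack_into("<I", rec, OFF_URL_PTR, len(fixed))
        struct.pack_into("<I", rec, OFF_FILENAME_PTR, name_ptr)
        image += rec
    return bytes(image)


# Constructed sample: one cache entry and one history entry (history stores "Visited: user@url").
SAMPLE_ENTRIES = [
    ("http://www.example.com/", "index[1].htm",
     datetime(2003, 8, 15, 12, 0, tzinfo=timezone.utc), datetime(2003, 8, 16, 9, 30, tzinfo=timezone.utc)),
    ("Visited: alice@http://www.example.org/page", "",
     datetime(2003, 8, 16, 10, 0, tzinfo=timezone.utc), datetime(2003, 8, 16, 10, 0, tzinfo=timezone.utc)),
]
SAMPLE_IMAGE = build_sample_index(SAMPLE_ENTRIES)

if __name__ == "__main__":
    version, found = scan_url_records(SAMPLE_IMAGE)
    print(f"index.dat version {version}, {len(found)} URL record(s)")
    for r in found:
        print(f"{r['accessed']:%Y-%m-%d %H:%M}  {r['url']}  [{r['filename']}]")
```

To read a real file, pass `open(path, "rb").read()` to `scan_url_records`; a file copied from a running system may contain records whose length field points past the end of the image, which is why the scanner skips rather than trusts a bad length.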

  2. #2
    Senior Member
    Join Date
    May 2002
    Posts
    101

    Re: Your Privacy

    Originally posted here by neta1o
    Disclaimer: I'm not some individual looking to remove incriminating evidence. If that was ever a concern of mine I'd just format the HD a bunch w/ re-installs or just buy a new HD and destroy the old one.
    Even if you were, you are entitled to your privacy. Not that some things are morally correct, like, let's say, surfing through kiddy porn. In most cases though you are right, whether you are trying to cover your tracks or just like to be the one who knows where you have been. You are entitled to your privacy, so IMO there is no disclaimer needed. Let me also tell you that formatting a drive and even reinstalling an OS leaves most of the files on your computer untouched. It only rewrites the file table. If you ever want to get rid of the info to start new, you want to use some of those programs that write 1s and 0s over and over on the drive to actually write over the data.

  3. #3
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188
    I accept your disclaimer............I may be paranoid, but I believe in keeping as little personal information as possible on your PC..................if you don't have a pot of honey, you won't attract bees? Also you get cleaner defrags etc.

    I am guessing, as I haven't got my XP box set up yet (just moved house), but a lot of these cleaning systems seem to submit some sort of batch job that runs on next re-boot. In other words, they don't do it in realtime/current session. This is certainly true of the swapfile cleaners.

    2K and XP don't have a DOS base, so I am not sure how it works, other than it must happen before windows loads. Your command prompt mode is how XP and 2K emulate DOS, so maybe some of the utilities use this feature?

    anyone else got any ideas?

  4. #4
    Member
    Join Date
    Feb 2003
    Posts
    96
    I agree completely regarding the privacy issues; I disclaimed solely to help illustrate the motivation behind the question. I guess it's less a disclaimer and more a background.

    Can anyone explain why certain 3rd party software can delete restricted files where the common user cannot through any conventional means?

    If there is an unconventional way in the normal mode of Windows XP, i.e. Ending certain tasks that utilize those files?

    Is there any way, i.e. registry, etc... to disable the index.dat's from logging?

    ...thanks
    ][ neta1o ][

  5. #5
    Senior Member Zonewalker's Avatar
    Join Date
    Jul 2002
    Posts
    949
    index.dat has been around since at least windows 95 - it's not new to XP. It's quite common knowledge that you can only delete it via DOS mode (for win9x) or via safe mode (Win NT/2k/XP). I don't think Evidence eliminator actually deletes index.dat until you restart the computer - there's an old program called spiderbite that was around way before EE and this does a similar thing to EE.

    In my opinion the easiest way to cover the tracks left by index.dat etc. is to set up a RAM drive and direct Windows to store the index.dat file and all temporary internet files on the RAM drive... you have to mess in the registry to do this. However the upshot is that whenever the power goes off, the index.dat file is wiped out (since it's stored in RAM, which doesn't keep anything stored in it) and then when you turn the power back on again... voila, a new index.dat file is created and it's totally empty with no trace of where you had been before. This would be enough to stop most investigation dead in its tracks (as far as searching through your PC is concerned, but don't forget there will be logs of your activities elsewhere, e.g. your ISP's server) but I have a feeling there are some advanced techniques to recover information from RAM somehow - not sure.


    Z
    Quis Custodiet Ipsos Custodes

  6. #6
    Member
    Join Date
    Feb 2003
    Posts
    96
    nihil,
    I suspect that your assumption may be correct. When I ran the index.dat viewer before running a privacy eraser program, there were many files. After running the privacy program in a 'quick erase' mode, which doesn't restart the PC, it managed to eliminate most, but not all.
    Yet, when I ran the safe shutdown mode where the program is actually allowed to restart the computer it eliminated all.

    Zonewalker,
    I've also known of the index.dat's since the Windows 98 days. Never used Windows 95 b/c I went straight from Windows 3.11 to Windows 98.
    That is a good approach; I didn't really entertain the idea of redirecting the index.dat's to the RAM. Is there any page or something that you can reference that may help me get more information on what registry keys to edit or where they are located?

    NOTE: I also tried a third approach a few days ago. I have a dual boot Linux machine so I booted into Linux and mounted my windows partition. My goal was to be able to delete the files of interest from inside Linux. This proved to be futile b/c my Windows XP partition is NTFS.

    Final note for today then I'll check back tomorrow:

    I can successfully remove the questionable files manually by booting into "Safe Mode - Command Prompt Only" and running the following batch file.

    @echo off
    rem Removes the IE cookie, history, temp and cache directories for one profile.
    rem Run from "Safe Mode - Command Prompt Only", where the index.dat files are not locked.
    rem Replace YOUR USER HERE with the profile name; the quotes allow spaces in it.
    rem rd /s asks for confirmation before each removal; add /q to skip the prompt.
    cd \
    rd /s "\docume~1\YOUR USER HERE\cookies"
    rd /s "\docume~1\YOUR USER HERE\locals~1\history"
    rd /s "\docume~1\YOUR USER HERE\locals~1\temp"
    rd /s "\docume~1\YOUR USER HERE\locals~1\tempor~1"

    (excuse the poor *.bat coding)


    Nextly, the only way I could find to delete the pagefile.sys is to follow Microsoft's directions, lol
    How to delete pagefile.sys
    ][ neta1o ][

  7. #7
    Senior Member Zonewalker's Avatar
    Join Date
    Jul 2002
    Posts
    949
    neta10... yeah no problem... this place has a RAM disk driver to d/l for XP and instructions for use

    http://www.arsoft-online.de/products/product.php?id=1

    and this place has guidelines for setting up a RAMdisk for your internet files etc

    http://www.surasoft.com/tut/ramdisk.htm

    The second website doesn't say anything about the index.dat file, but the same principle described for cookies applies to index.dat (the keys for index.dat are in similar places to the cookies keys; you'll just have to search for them in your registry). If you can't find the index.dat registry keys yourself let me know and I'll have a trawl through mine to tell you what you should change (don't recall off the top of my head). PM me if you get lost

    Z
    Quis Custodiet Ipsos Custodes

  8. #8
    Senior Member
    Join Date
    Apr 2002
    Posts
    380
    I found the following free tools that will "allegedly" delete index.dat and other temp files in XP without having to fall back to safe mode or command prompt.

    System Security Suite (Free)
    http://www.webattack.com/get/3s.shtml

    Free History Eraser (Free Trial)
    http://smartprotector.com/eraser/fre...ory-eraser.htm

    AbsoluteShield Internet Eraser ($34.95)
    http://www.internet-track-eraser.com/ineteraser.php
    Scorp666, the Infamous Orgasmatron

  9. #9
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188
    HI, Neta1o

    I wonder if you have tried booting with Caldera DOS.........kind of stuff used by HDD manufacturers........try the Western Digital site for their installation toolkit? I leave any copyright implications to your goodself. ....I can even remember "PC DOS"......might even have it on a 5.25 somewhere...but I doubt it would see NTFS?

    I do not think that you can circumvent the windows index file system, as it seems pretty fundamental? I doubt if a simple Registry amendment will prevent it happening. In fact, about 99.99% sure

    If you have a moment, you might have a look at my "tutorials"......not very intellectual, I'm afraid...just a few software suggestions.

    Also, I would suggest a browse around http://grc.com/default.htm Steve Gibson's website.....he is a pretty cool dude

    cheers

  10. #10
    Senior Member Zonewalker's Avatar
    Join Date
    Jul 2002
    Posts
    949
    nihil.... if you have a RAM driver such as the one I've indicated previously ... I can assure you that using a registry tweak to change the location of where index.dat is stored will work. For example, if you set up a RAM disk using the driver from Arsoft and call it T:, then change the location of where index.dat is written to from its normal place (C:\documents and settings\user\cookies - and wherever else it is stored) to T:, you can force XP to write the index.dat file to T:. Since T: is a RAM disk and hence does not store information when the power is turned off, when the computer is turned off the index.dat file is lost. It gets recreated when you turn on the computer... essentially it is doing a similar job to EE and all the other programs that erase your index.dat file - with one important difference... the index.dat file is NEVER written to disk.. only to a portion of the computer's RAM and hence is even more difficult to recover. Have a look at the two websites I gave; they explain it far better than I can.

    I think you're getting confused because index.dat is not the Windows index file system... all it is, is an index of URLs that a computer has ever gone to. It's got nothing at all to do with the file system.

    Z
    Quis Custodiet Ipsos Custodes
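The redirection described above leaves a footprint of its own: the per-user shell folder paths are recorded in the registry, so an examiner (or an administrator checking a shared machine) can see whether the cache, cookie or history store has been pointed at a volatile drive. As an added example, not code from the thread or from either linked site, the Python audit below reads the `Cache`, `Cookies` and `History` values under the standard `HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders` key, expands `%USERPROFILE%` and friends, and flags any store whose drive is not a fixed disk. The registry reading only works on Windows; on any other platform it runs against a constructed sample in which `Cookies` has been redirected to a hypothetical RAM disk `T:`.

```python
import os
import re
import sys

# Standard per-user registry key holding shell folder paths; these three values are the
# ones Internet Explorer uses for its cache, cookie and history stores (each has an index.dat).
USER_SHELL_FOLDERS_KEY = r"Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"
IE_STORES = ("Cache", "Cookies", "History")
DRIVE_FIXED = 3  # GetDriveType() result for an ordinary hard disk

_VAR = re.compile(r"%([^%]+)%")


def expand_vars(raw, env):
    """Expand %NAME% references in a REG_EXPAND_SZ string using env; unknown names stay as-is."""
    return _VAR.sub(lambda m: env.get(m.group(1).upper(), m.group(0)), raw)


def classify_path(path, fixed_drives):
    """Classify where an expanded store path lives relative to the set of fixed drive letters."""
    if len(path) >= 2 and path[1] == ":" and path[0].isalpha():
        return "ok" if path[0].upper() in fixed_drives else "non-fixed-drive"
    if path.startswith("\\\\"):
        return "network-path"
    return "relative-or-unknown"


def audit_ie_stores(values, env, fixed_drives):
    """values: {value name: raw registry string}. Returns {name: (status, expanded path or None)}."""
    report = {}
    for name in IE_STORES:
        raw = values.get(name)
        if raw is None:
            report[name] = ("missing", None)      # value absent: Windows falls back to its default
            continue
        path = expand_vars(raw, env)
        report[name] = (classify_path(path, fixed_drives), path)
    return report


def read_live_values():
    """Windows only: read the three values from HKCU and enumerate the fixed drive letters."""
    import ctypes
    import winreg
    values = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, USER_SHELL_FOLDERS_KEY) as key:
        for name in IE_STORES:
            try:
                values[name] = winreg.QueryValueEx(key, name)[0]
            except FileNotFoundError:
                pass
    fixed = {letter for letter in "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
             if ctypes.windll.kernel32.GetDriveTypeW(f"{letter}:\\") == DRIVE_FIXED}
    return values, fixed


# Constructed sample (not read from any real machine): Cookies redirected to a RAM disk T:,
# Cache still at its default location, History value absent.
SAMPLE_VALUES = {
    "Cache": r"%USERPROFILE%\Local Settings\Temporary Internet Files",
    "Cookies": r"T:\Cookies",
}
SAMPLE_ENV = {"USERPROFILE": r"C:\Documents and Settings\alice"}
SAMPLE_FIXED_DRIVES = {"C"}

if __name__ == "__main__":
    if sys.platform == "win32":
        values, fixed = read_live_values()
        env = {k.upper(): v for k, v in os.environ.items()}
    else:
        values, env, fixed = SAMPLE_VALUES, SAMPLE_ENV, SAMPLE_FIXED_DRIVES
    for name, (status, path) in audit_ie_stores(values, env, fixed).items():
        print(f"{name:8} {status:20} {path}")
```

A `non-fixed-drive` result is not proof of anything by itself (users legitimately redirect caches to second disks or RAM disks for speed), but it tells the examiner that the store on disk is not where the browsing record went, and that the registry change is itself a timestamped event worth noting.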
