Windows 'index.dat' Parser (id)

id is a command line version of a Windows index.dat parser. The forensic value of index.dat metadata is well known, since it acts like a database in a file that can provide useful information such as: (a) website URLs that were visited with a browser, (b) cookies, (c) search queries and (d) recently opened files. Below is the menu of options:

id's menu/options

id was developed to run on a live system, with the ability run in batch (automated) mode, and be operating system agnostic when run in an offline mode. (eg on Linux or Mac OS-X, if desired).

id can not only parse individual files, but it can do it across raw volumes while scanning sector by sector, pulling deleted or normally inaccessible index.dat metadata. The output options are flexible to present the final data as unstructured text or comma separated value format for easy inclusion into other post processing software that can compare cross forensic artifacts.


For more information

The user's guide can be viewed here

If you have any questions about id, contact us via email.

Downloads

32-bit Version64-bit Version
Windows:id32.v.0.78.win.zipid64.v.0.78.win.zipmd5/sha1
Linux:id32.v.0.78.lin.tar.gzid64.v.0.78.lin.tar.gzmd5/sha1
Mac OS X:id.v.0.78.osx.tar.gzid.v.0.78.osx.tar.gzmd5/sha1
*32bit apps can run in a 64bit linux distribution if "ia32-libs" (and dependencies) are present.