Windows 'index.dat' Parser (id)

id is a command line version of a Windows index.dat parser. The forensic value of index.dat metadata is well known, since it acts like a database in a file that can provide useful information such as: (a) website URLs that were visited with a browser, (b) cookies, (c) search queries and (d) recently opened files. Below is the menu of options:

id's menu/options

id was developed to run on a live system, with the ability to run in batch (automated) mode, and to be operating system agnostic when run in offline mode (e.g., on Linux or Mac OS X, if desired).

id can parse individual files, and it can also scan raw volumes sector by sector, pulling deleted or normally inaccessible index.dat metadata. The output options are flexible: the final data can be presented as unstructured text or in comma-separated value format for easy inclusion into other post-processing software that can compare across forensic artifacts.
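The sector-by-sector scan described above can be sketched as follows. This is an added example, not code from the id tool; it assumes the commonly documented index.dat version 5.2 URL record layout ("URL " signature, 128-byte blocks, FILETIMEs at offsets 8 and 16, URL offset field at 0x34), and every function name and the sample image are constructed for illustration.

```python
import struct
from datetime import datetime, timedelta, timezone

SECTOR, BLOCK = 512, 0x80   # scan unit; index.dat records use 128-byte blocks
URL_OFF_FIELD = 0x34        # assumed v5.2 layout: field holding the URL offset

def filetime_to_dt(ft):
    """FILETIME (100 ns ticks since 1601-01-01 UTC) to datetime, or None."""
    try:
        return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)
    except OverflowError:
        return None

def parse_url_record(buf, pos):
    """Return a dict for a plausible URL record at pos; None for stray "URL " hits."""
    if buf[pos:pos + 4] != b"URL " or pos + 0x38 > len(buf):
        return None
    blocks, modified, accessed = struct.unpack_from("<IQQ", buf, pos + 4)
    url_off = struct.unpack_from("<I", buf, pos + URL_OFF_FIELD)[0]
    size = blocks * BLOCK
    if not (0 < blocks <= 64 and 0x38 <= url_off < size and pos + size <= len(buf)):
        return None
    raw = buf[pos + url_off:pos + size].split(b"\x00", 1)[0]
    if not raw or any(b < 0x20 or b > 0x7E for b in raw):
        return None
    return {"offset": pos, "url": raw.decode("ascii"),
            "modified": filetime_to_dt(modified), "accessed": filetime_to_dt(accessed)}

def carve(image):
    """Walk the image sector by sector, testing each 128-byte boundary."""
    hits = []
    for sector in range(0, len(image), SECTOR):
        for pos in range(sector, min(sector + SECTOR, len(image)), BLOCK):
            rec = parse_url_record(image, pos)
            if rec:
                hits.append(rec)
    return hits

def build_sample_image():
    """Constructed 8-sector image: one URL record in sector 3, a decoy in 5."""
    rec = bytearray(2 * BLOCK)
    struct.pack_into("<4sIQQ", rec, 0, b"URL ", 2, 0, 129067776000000000)
    struct.pack_into("<I", rec, URL_OFF_FIELD, 0x68)
    url = b"Visited: user@http://example.com/\x00"
    rec[0x68:0x68 + len(url)] = url
    image = bytearray(8 * SECTOR)
    image[3 * SECTOR:3 * SECTOR + len(rec)] = rec
    image[5 * SECTOR:5 * SECTOR + 4] = b"URL "   # signature with no valid body
    return bytes(image)
```

Calling `carve(build_sample_image())` returns the single record in sector 3 and skips the bare signature in sector 5; because no file header or hash table is needed, the same pass works on unallocated space.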

The user's guide can be viewed here

            32-bit Version          64-bit Version
Mac OS X:   id.v.0.77.osx.tar.gz    id.v.0.77.osx.tar.gz    md5/sha1
*32-bit apps can run in a 64-bit Linux distribution if "ia32-libs" (and dependencies) are present.