Manual Reference Pages - LOG2T::INPUT::IEHISTORY (3)
iehistory - A module that parses an index.dat file that Internet Explorer creates.
This module reads the index.dat file that contains the Internet Explorer history.
Based partly on the information found in the document "Forensic Analysis of Internet Explorer
Activity Files", written by Keith J. Jones (3/19/03, revised 5/6/03).
Another great source of information was the
MSIE Cache File (index.dat) format specification, "Analysis of the index.dat file format",
written by Joachim Metz.
A simple constructor for the input module.
The constructor simply calls the super class and changes one value.
The value that gets changed is the multi_line attribute, indicating to the
main engine that this module parses binary files (as opposed to line-by-line).
A simple subroutine that returns a string containing a description of the functionality of the format file. This string is used when a list of all available format files is printed out.
A string containing a description of the format file's functionality.
This subroutine starts by reading the parameters passed to the function,
then it opens the index.dat file and starts reading the header information
found inside the file.
The function prints minimal information about the index file to STDERR
for informational value.
It then parses all the HASH tables found inside the index.dat file and constructs
a hash containing pointers to URL activities.
An integer is returned to indicate whether the file preparation was successful or not.
A method that returns a reference to a hash that contains all the timestamp objects in the index.dat file.
This method is called once by the main engine and it sets up all the parsing of the module. It is mostly used
to call other methods that take care of the actual parsing.
It starts by parsing the header information of the index.dat file. The header contains information such as
the offset to the first hash table.
That offset is used to call the method _read_hash_table to read the first hash table in the index.dat file.
Each hash table has a reference to the location/offset of the next hash table inside the history file.
After reading the first hash table, we enter a loop that continues until a hash table has no next entry.
Within the loop the next hash table is read and parsed, all the time filling the container, that is, the hash
table that contains all the timestamp objects.
When all the hash tables have been parsed we return the container to the main engine for further processing.
A container, or a reference to a hash variable that contains all the timestamp objects.
A method that returns the version number.
A simple subroutine that returns the version number of the format file.
There shouldn't be any need to change this routine; it serves its purpose
just the way it is defined right now.
A string that contains the version number of the module.
A method that parses a URL record from an index.dat file.
This method parses the URL record from the history file.
The format of a URL record is the following:
Offset Size Value Description
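The hash-table walk that get_time performs and the URL-record parse that _parse_url performs, as an added Python example (not log2timeline's own Perl code): it follows the chain of HASH tables from the offset in the header, yields only slots that point at a record with a known signature, and stops on a cyclic or out-of-file next pointer, which a forensic parser has to expect from a damaged or deliberately corrupted index.dat. The structure offsets used (0x20 in the header, +4/+8 in a HASH table, +8/+16/+0x34 in a URL record) and the sample file are assumptions and constructed input, not values taken from this page.

```python
import struct
from datetime import datetime, timedelta, timezone

BLOCK = 128                          # index.dat allocates records in 128-byte blocks
SIGS = (b"URL ", b"REDR", b"LEAK")   # record signatures a hash slot may legitimately point at
def filetime_to_dt(ft):              # FILETIME: 100 ns ticks since 1601-01-01 UTC
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)
def walk_hash_tables(data):
    """Follow the HASH chain from the header's first-table offset (0x20). Assumed layout: 'HASH',
    size in blocks at +4, next offset at +8 (0 ends the chain), then 8-byte (hash, offset) slots."""
    if not data.startswith(b"Client UrlCache MMF Ver "):
        raise ValueError("not an index.dat header")
    (offset,), seen = struct.unpack_from("<I", data, 0x20), set()
    while offset:
        if offset in seen or offset + 16 > len(data) or data[offset:offset + 4] != b"HASH":
            raise ValueError("broken HASH chain at offset 0x%x" % offset)   # cycle or out of file
        seen.add(offset)
        blocks, nxt = struct.unpack_from("<II", data, offset + 4)
        for pos in range(offset + 16, min(offset + blocks * BLOCK, len(data)) - 7, 8):
            _hash, rec = struct.unpack_from("<II", data, pos)
            if rec and data[rec:rec + 4] in SIGS:   # unused/deleted slots point nowhere useful
                yield rec
        offset = nxt
def parse_url_record(data, offset):
    """URL record, assumed v5.2 layout: size in blocks at +4, last-modified and last-accessed
    FILETIMEs at +8 and +16, record-relative offset of the NUL-terminated URL at +0x34."""
    if data[offset:offset + 4] != b"URL ":
        return None                                # REDR/LEAK records are not handled here
    blocks, modified, accessed = struct.unpack_from("<IQQ", data, offset + 4)
    (loc,) = struct.unpack_from("<I", data, offset + 0x34)
    url = data[offset + loc:offset + blocks * BLOCK].split(b"\0", 1)[0].decode("latin-1")
    return {"url": url, "modified": filetime_to_dt(modified), "accessed": filetime_to_dt(accessed)}
def extract_history(data):           # the set of URL activities get_time hands back
    return [r for r in (parse_url_record(data, off) for off in walk_hash_tables(data)) if r]
def build_sample():
    """Constructed sample (not a real capture): header, 2 chained HASH tables, 2 URL records."""
    ft = 129821184000000000                        # FILETIME of 2012-05-22 00:00:00 UTC
    def block(sig, *fields):
        b = bytearray(BLOCK); b[:len(sig)] = sig
        for off, fmt, vals in fields: struct.pack_into(fmt, b, off, *vals)
        return b
    def url_rec(url, modified, accessed):          # URL string placed at +0x58 inside the record
        b = block(b"URL ", (4, "<IQQ", (1, modified, accessed)), (0x34, "<I", (0x58,)))
        b[0x58:0x58 + len(url) + 1] = url.encode() + b"\0"; return b
    header = block(b"Client UrlCache MMF Ver 5.2\0", (0x1C, "<II", (5 * BLOCK, BLOCK)))
    hash1 = block(b"HASH", (4, "<II", (1, 2 * BLOCK)), (16, "<II", (0x1234, 3 * BLOCK)),
                  (24, "<II", (0x0BADF00D, 3 * BLOCK + 5)))  # 2nd slot: deleted, points mid-record
    hash2 = block(b"HASH", (4, "<II", (1, 0)), (16, "<II", (0x5678, 4 * BLOCK)))
    return bytes(header + hash1 + hash2 + url_rec("http://example.com/", ft, ft + 36_000_000_000)
                 + url_rec("Visited: user@http://example.net/", ft, ft))
```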
COPYRIGHT AND LICENSE
Copyright 2009-2011 Kristinn Gudjonsson (kristinn ( a t ) log2timeline (d o t) net)
This file is part of log2timeline.
log2timeline is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.
log2timeline is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with log2timeline. If not, see <http://www.gnu.org/licenses/>.
perl v5.20.3    LOG2T::INPUT::IEHISTORY (3)    2012-05-22