
FreeBSD Manual Pages


Log2t::input::iehistory(3)  User Contributed Perl Documentation  Log2t::input::iehistory(3)

       iehistory - A module that parses an index.dat file that Internet
       Explorer creates.

       This script reads the index.dat file that contains Internet Explorer
       history.

       Based partly on the information found in the document "Forensic
       Analysis of Internet Explorer Activity Files", written by Keith J Jones
       (3/19/03, revised 5/6/03).

       Another great source of information was "MSIE Cache File
       (index.dat) format specification: Analysis of the index.dat file
       format", written by Joachim Metz.

       A simple constructor for the input module.

       The constructor simply calls the super class and changes one value.
       The value that gets changed is the multi_line attribute, indicating to
       the main engine that this module parses binary files (as opposed to
       line-by-line log files).

       A simple subroutine that returns a string containing a description of
       the functionality of the format file. This string is used when a list
       of all available format files is printed out.


       A string containing a description of the format file's functionality.

       This subroutine starts by reading the parameters passed to the
       function, then it opens the index.dat file and starts reading the
       header information found inside the file.

       The function prints out minimum information about the index file to
       STDERR for informational value.

       It then parses all the HASH tables found inside the index.dat file and
       constructs a hash containing pointers to URL activities.


       An integer is returned to indicate whether the file preparation was
       successful or not.

       A method that returns a reference to a hash that contains all the
       timestamp objects in the index.dat file.

       This method is called once by the main engine and it sets up all the
       parsing of the module. It's mostly used to call other methods that take
       care of the actual parsing.

       It starts by parsing the header information of the index.dat file. The
       header contains information such as the offset to the first hash table.

       That offset is used to call the method _read_hash_table to read the
       first hash table in the index.dat file.

       Each hash table holds the offset of the next hash table inside the
       history file.  After reading the first hash table, we enter a loop
       that continues until a hash table has no next entry.

       Within the loop the next hash table is read and parsed, all the time
       filling the container, that is, the hash that contains all the
       timestamp objects.

       When all the hash tables have been parsed we return the container to
       the main engine for further processing.


       A container, or a reference to a hash variable that contains all the
       timestamp objects.
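
       The hash table chain walk described above, as an added Python example
       (not code from log2timeline). The header signature, the first hash
       table offset at 0x20, the HASH record layout and the 128-byte block
       size are assumptions taken from public index.dat format analyses, not
       from this page; the sample buffer is constructed.

```python
import struct

HEADER_SIG = b"Client UrlCache MMF Ver 5.2\x00"  # assumed header signature
BLOCK = 0x80                                     # assumed record block size

def walk_hash_tables(data):
    """Return offsets of URL records reachable through the HASH table chain."""
    if not data.startswith(HEADER_SIG):
        raise ValueError("not an index.dat file")
    (table_off,) = struct.unpack_from("<I", data, 0x20)  # assumed field offset
    seen, url_offsets = set(), []
    while table_off:
        # A corrupted file can loop or point outside the file: stop on both.
        if table_off in seen or table_off + 16 > len(data):
            break
        seen.add(table_off)
        sig, blocks, next_off, _seq = struct.unpack_from("<4sIII", data, table_off)
        if sig != b"HASH":
            break
        end = min(table_off + blocks * BLOCK, len(data))
        # Entries are (hash value, record offset) pairs after the 16-byte header.
        for pos in range(table_off + 16, end - 7, 8):
            _hash, rec_off = struct.unpack_from("<II", data, pos)
            if data[rec_off:rec_off + 4] == b"URL ":
                url_offsets.append(rec_off)
        table_off = next_off
    return url_offsets

def build_sample():
    """Constructed sample: two HASH tables, the second pointing back to the first."""
    buf = bytearray(0x400)
    buf[0:28] = HEADER_SIG
    struct.pack_into("<II", buf, 0x1C, len(buf), 0x80)
    struct.pack_into("<4sIII", buf, 0x80, b"HASH", 1, 0x100, 0)
    struct.pack_into("<II", buf, 0x90, 0x1234, 0x200)
    struct.pack_into("<4sIII", buf, 0x100, b"HASH", 1, 0x80, 1)   # loops back
    struct.pack_into("<II", buf, 0x110, 0x5678, 0x280)
    struct.pack_into("<II", buf, 0x118, 0x9ABC, 0xBADF00D)        # out of range
    buf[0x200:0x204] = b"URL "
    buf[0x280:0x284] = b"URL "
    return bytes(buf)

if __name__ == "__main__":
    print([hex(o) for o in walk_hash_tables(build_sample())])
```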

       A method that returns the version number.

       A simple subroutine that returns the version number of the format
       file. There shouldn't be any need to change this routine; it serves
       its purpose just the way it is defined right now.


       A string that contains the version number of the module.

       A method that parses a URL record from an index.dat file.

       This method parses the URL record from the history file.

       The format of a URL record is the following:

       Offset  Size  Value  Description
       0       4
       4       4
       8       8
       16      8
       24      4
       28      4
       32      4
       36      4
       40      4
       44      4
       48      4
       52      4
       56      4

       Copyright 2009-2011 Kristinn Gudjonsson (kristinn ( a t ) log2timeline
       (d o t) net)

       This file is part of log2timeline.

           log2timeline is free software: you can redistribute it and/or modify
           it under the terms of the GNU General Public License as published by
           the Free Software Foundation, either version 3 of the License, or
           (at your option) any later version.

           log2timeline is distributed in the hope that it will be useful,
           but WITHOUT ANY WARRANTY; without even the implied warranty of
           GNU General Public License for more details.

           You should have received a copy of the GNU General Public License
           along with log2timeline.  If not, see <>.

perl v5.24.1                      2012-05-22        Log2t::input::iehistory(3)

