Index.Dat recovery there...of

1) Discussion
2) Question

1) Discussion

If I am correct, no secure file eraser program (including Eraser) can actually never securely erase in infamous Index.Dat files, which retain records of all websites visited, and associated cookies and cache files.

It is my understanding that programs like Eraser only ensure previous windows session Index.dat files are deleted, during reboot, only. IE: Not securely erased.

Therefore I can only conclude that it is quite easy to UNdelete, recover, extract these deleted Index.dat files and read the content, exactly as it existed prior to reboot/deletion. If this is the case then I do not think many users of Eraser and alike program know this.

Also I have noticed that the general term erase and delete are used interchangeably, whereas I asummed that to use the term 'erase' means a file has been securely deleted/erased, but it also seems to also be used when only a file has been deleted, in the normal insecure recoverable sense.

2) Question

In essence can anyone advise whether or not Eraser actually securely deletes Index.dat files or are they just "deleted" and therefore data contained therein can be UNdeleted and thence fully recovered?
 
On no, if this is true, can anyone advise how to guarantee I can erase these index.dat files, so they can't be undeleted?

How can I check to see if the content of the deleted index.dat files can be seen again?

Any advice greatly appreciated
 
How do I fully erase index.dat files?

Can anyone advise how I can fully erase the index.dat files so they cannot be recovered in any way whatsoever? Especially in light of the forum post:
././viewtopic.php?f=2&t=5421

Because index.dat files are locked they can only be deleted, help to fully erase would be appreciated, as I can't figure out how to securely erase them with Eraser.

"The only way to ensure that deleted files..., are safe from recovery is to use a secure delete application."
http://technet.microsoft.com/en-us/sysi ... 97443.aspx
 
Please do not cross post in future.

Definitions: erase means securely deleted, delete is just file entry removal (insecure). They aren't interchangeable.

Index.dat can't be deleted nor erased. People have been at it for a long time already. The only sure way to get rid of it is to put your system drive on an encrypted partition and ensure that no one takes the keys from you. Later versions of Eraser may include the ability to force file handles to be closed for an erasure which may mitigate the problem, but for as long as you are on Windows you won't be able to completely solve the problem.

If Eraser reports that Index.dat is successfully erased, it's gone. Eraser will not delete files insecurely if it cannot erase the file.

Joel
 
Thanks for the clarification, appreciated.

One possible way to somewhat address this scenario could be to use an Internet
Browser through a 'Sandbox', such as Sandboxie.

Sandboxie can create a folder that will capture and virtualize all internet activities,
including Index.Dat files, Temp files etc. Then Eraser can be set up to completely
and securely erase the content of the Sandbox folder.

Eraser securely wipes the Sandbox folder (container), the container can also be
placed on a separate drive/usb disk etc. Following on from what Joel said the
container could also be encrypted, but that depends on the threat

"Sandboxie runs your programs in an isolated space which prevents
them from making permanent changes to other programs and data
in your computer. "
http://www.sandboxie.com/
 
As a matter of fact people do use Sandboxie together with Eraser.

Joel
 
I thought I'd mention some programs that I use to view and delete index.dat files.

The first is Index Dat Spy found at :

http://www.stevengould.org/index.php?op ... &Itemid=88

The second is PSPad found at:

http://www.pspad.com/en

The third is Super Winspy found at:

http://www.acesoft.net/download.htm

I set up Eraser to erase Microsoft Office's Recent Folder, and my Cookies, History, Temp, Temporary Internet Files, and Recent folders.

Some of these folders contain index.dat files, and if you set Eraser up correctly, under the General Preferences, it will display messages stating that it cannot delete them, but will delete upon next re-boot, or as I've found just logging off and back on will do the trick.

You can then use the programs that I mentioned above to verify the deletion of the index.dat files.

Two other programs for covering your tracks are:

One, a program for cleaning up XP's Search History, named Clear XP's Search History, found at :

http://www.dougknox.com

under Win XP Fixes.

Every time you go to Start\Search\For File or Folders the name of the file you are searching for gets added to a list in the registry. Very bad, if you don't want somebody to know what you've been searching for.

Two a program for cleaning up Most Recently Used (MRU) lists found at:

http://www.javacoolsoftware.com/mrublaster.html

The XP Search History that I mentioned above is an example of an MRU, so is Microsoft's Office Recent Folder. There are hundreds of them all over your computer. Everything that you look at, open, save, or search for, is all kept track of in the registry. This program will eliminate most, if not all of them.

Another way to access index.dat files is to start your computer, hit F8, and log into Safe Mode, then log on as the Administrator, not the Owner account, I mean the "REAL" Administrator account. Many people believe that the Owner account is the Administrator account, because they have administrator privileges, WRONG!!! If you have not set a password for the Administrator account, I strongly suggest you do so. It is a huge hole in the security of XP. Anybody can get on your computer without a password.

Once you're logged in as Administrator, set up security permissions to access the Owner account, DO NOT delete the existing permissions, just override them by creating new ones. Then it's just a matter of navigating to the index.dat files you want to erase. Because you are logged on as the Administrator account, the Owner's index.dat files are not in use, and therfore, not locked, and can be shredded using Eraser, or simply deleted the normal right-click\delete way.

If you ever encounter a file that can't be delt with because it is locked there is a program named Unlocker found at:

http://ccollomb.free.fr/unlocker

It allows you to Delete, Rename, or Move locked files, very handy, but be careful, you don't want to delete files that are locked in order to protect them.

I created a batch file to delete the Prefetch folder, since that keeps track of programs too. Just open Notepad and type

del C:\WINDOWS\Prefetch\*.* /Q

Save it with the name "Delete Prefetch Folder".

Change the name from Delete Prefetch Folder.txt to Delete Prefetch Folder.bat.

Now you can create a shortcut of that batch file and place it anywhere on the computer you want. Iadded the icon of a toilet to it just for kicks, lol.

Sorry this turned into such a long tutorial, but that's pretty much everything that I do to keep my computer clean, and free from prying eyes. Hope it helps everybody.
 
If I were you I wouldn't clean up the Prefetch folder. Sure, it tracks programs you use, but it's main role is to speed your computer up when starting programs. People debate this, but IMO if Microsoft is doing what they say Prefetch is doing, I'm sure it won't hurt.

Unless you don't want people to know your programs, of which then I guess the performance penalty is unavoidable.

Thanks for the other links though!
Joel
 
Yeah Joel, you are correct.

The Prefetch Folder is supposed to house pre-loaded files that help commonly used programs to to load and run faster. What I meant to recommend, was emptying that folder, if you have recently used a program that you don't want anybody else to know about. Otherwise, it's unnessesary to empty it. Although, I have heard that it is good to empty it like once a month or so, just to purge if from anything that may not really need to be there.

As for the links, no problem, glad to help.

Hey Joel, since I've got your attention, I know this isn't the right place to mention this, but The forum for doing so, seems to be locked.

Who would I talk to about adding a right-click, context menu option, that will allow us to erase any file or folder, with the erasing default options that we set up within Eraser, such as 3-Pass? I realize that such an option is extremely dangerous to be active all of the time, so I suggest that there be a way to activate and deactivate it, from within the Eraser program, to be used only when nessesary.

For example, I would like to be able to Erase just one file here and there from within the Temporary Internet Files Folder. It would be nice to be able to right-click on the file that I want to Erase, and just be able to select Erase. Deleting files from the Temporary Internet Files Folder does not send them to the Recycle Bin, and therefore, they can not be Erased from there, and since I don't want to run Eraser and Erase the whole folder, you can see my dilemma.

I, of course, do not want to just delete the files, because as we all know, Microsoft's idea of "delete", does not mean "gone", and they will probably remain on the pc, and totally recoverable.

Let me know what you think.
 
That's what's been done in v6, actually. The context menu gives you an Erase item which queues it up for use with Eraser and erases it with the default erasure method selected. v5 won't get this feature though, it'll basically amount to rewriting the v5 code form scratch (which is what v6 should be doing.)

Joel
 
Back
Top