Preferred Index.dat Reader (Portable?)

[Xander]

I've got a FBI Ransomware on the bench right now. It's a business computer for a home-based business. He says he lets his guys download movies and so on but wouldn't mind it if I could tell him where/when it picked up the virus. I isolate the virus file and see it has today's date and a timestamp of 6:24pm.

However, it looks like the user had cleared his browser history as the only history IEHV was finding was from a different profile from 2011. Well, that and the pages that AVG removal initiates and so on.
Now, I know that the Index.DAT will still retain some information and I can find several install-able ones online but I'd rather find one that's portable for my D7 toolkit.
(Until Nick implements a "Found your source" function to things )

I'm having trouble finding a portable Index.dat viewer. Suggestions?


Or, for that matter, is there any way to confirm that the history has been flushed?

 

[tf76]

Give this a go

http://www.sudokuwiki.org/indexdat.htm

Once you have downloaded the viewer extract to folder run and scan.

To get more info after scan double click entry in window.
It will open up notepad with more info like dates.



Regards,

 

[Xander]

Not bad. Went to look at the author's site and MBAM blocked it; it's now just a crappy portal page. MG's mirror was good, though.

It does come up with a lot of sites that weren't in the history. No chronology, though. Still, it's better than I had. Thanks.

(submitted to the D7 Cloud list)

 

[tf76]

Xander I've posted a new link for another program. Edited 1st post.


Regards,

 

[Xander]

Even better and, based on how many files it referenced, a lot more thorough. Shame there's nothing that you can't give a time and click to have it search all those points for which sites were accessed within _X_ mins before that.

(Already posted that to the D7 forums)

 

[citizensmith]

Theres a good colection of browser cache, cookie & history, viewers on the NirSoft site http://www.nirsoft.net/computer_forensic_software.html They just run from usb so I guess thats prtable enough.

 

[Altster]

I've been seeing a lot of this "ransome-ware" as I'm sure many of you have. On the unit that is currently on my bench, I used Linux Mint 13 (live) to boot the computer so I could back off my clients data (music, documents, pictures) that he wanted to save. You can also use this type of "Live Boot Disk" to view just about any file which resides on a Windows drive - I know I have in the past.

I reckon that most of us know where the FBI ransom-ware is coming from - at least in my part of the woods I'm seeing it (mostly) associated with Porn websites and freeware game(s) websites. Malware Bytes Anti-Malware ran in Safe Mode w/Networking will usually do the trick if the drive is bootable. I am able to install, update and do a full drive(s) scan and usually find the problems. Then I reboot the computer into normal mode and run another scan.

I was (really) afraid at first that this new (now old) form of malware was going to be the worst I'd ever seen. But so far, so good with removal - and of course informing the client where it is usually coming from.

Happy Turkey Day

 

[Xander]

Well, thanks for the completely tangential reply on a malware that I'd never said I'd had any trouble removing. (And, if all you're scanning with is MBAM then expect some returns because I've had a few with rootkits. You shouldn't even need to scan to spot most malware as they are easily found in irregular locations. MSconfig and a trained eye will catch those.)

The topic here is trying to identify the malware's source more accurately.