download pasco.exe and put this ahk script in same folder
push first button INDEX-DAT-SEARCH then button INDEX-DAT
doubleclick on (here german):
C:\Dokumente und Einstellungen\garry\Lokale Einstellungen\Temporary Internet Files\Content.IE5\index.dat
http://www.foundstone.com/index.htm?sub ... /pasco.htm
Forensic Analysis of Internet Explorer Activity Files by Keith J. Jones:
http://www.foundstone.com/pdf/wp_index_dat.pdf
Code:
DATEMOD=2006-10-16
/*
DATE.......................2006-10-16 garry
MODIFIED...................
NAME.......................IndexDatRead.ahk
ADD-PROG...................http://www.foundstone.com/index.htm?subnav=resources/navigation.htm&subcontent=/resources/proddesc/pasco.htm
...........................
USAGE......................read index.dat with pasco.exe
...........................download pasco and put this ahk script in the same folder like pasco.exe
...........................push first button INDEX-DAT-SEARCH then button INDEX-DAT
...........................
*/
#NoTrayIcon
F1=index.txt
transform,S,chr,127
Gui, Color, 000000
Gui, Font, S10 CDefault , FixedSys
menu,S1,Add,&How to use,MH1
menu,S1,Add,&About,MH2
menu,myMenuBar,Add,Help,:S1
gui,1:menu,MyMenuBar
T1= 50 ;column1 width
T2=300 ;column2 width
T3=215 ;column3 width
T4=215 ;column4 width
T5=200 ;column5 width
T6= 90
T7=100
T1A :=T1
T2A :=T1+T2
T3A :=T1+T2+T3
T4A :=T1+T2+T3+T4
T5A :=T1+T2+T3+T4+T5
T6A :=T1+T2+T3+T4+T5+T6
T7A :=T1+T2+T3+T4+T5+T6+T7
T7AL:=T1+T2+T3+T4+T5+T6+T7+20 ;listview width
T7AG:=T7A+30 ;guishow width
T7B1:=T7A-70 ;xPosition Button1
T7B2:=T7A-160 ;xPosition Button2
Gui,1:Add,ListView,grid r19 y20 w%T7AL% +hscroll altsubmit vMyListView gMyListView, TYPE|URL|MOD-TIME|ACC-TIME|FILENAME|DIRECTORY|HTTP HEADERS
Gui,1:Add,Button,x420 y420 w50 h20 gGO,<GO
Gui,1:Add,Button,x%T7B1% y420 w90 h20 gINDEX1,INDEX-TXT
Gui,1:Add,Button,x500 y450 w90 h20 gINDEXDAT,INDEX-DAT
Gui,1:Add,Button,x620 y450 w150 h20 gINDEXDATSRCH,INDEX-DAT-SEARCH
Gui,1:Add,Edit, x70 y450 w400 h20 vSRCX
Gui,1:Add,Button,default x0 y0 w0 h0 gSEARCH ,
Gui,1:Font, S8 cwhite, Verdana
Gui,1:Add,Text, x10 y450 w60 h20 ,SEARCH
Gui,1:Add,Text,x20 y2 vTotal1 w100,%I%
Gui,1:Add, Edit, x12 y355 w%T7A% h60 ReadOnly vC,
Gui,1:add,GroupBox, w0 h0,P1
Gui,1:Add, Radio,x20 y420 vACR,ALL
Gui,1:Add, Radio,x90 y420 ,XML
Gui,1:Add, Radio,x160 y420 ,HTM
Gui,1:Add, Radio,x240 y420 ,MUSIC
Gui,1:Add, Radio,x320 y420 ,PICTURE
GuiControl,1:,ACR,1
GuiControl,1:Focus,SRCX
Gui,1:Show, x2 y0 w%T7AG% h500,INDEX-DAT
LB:
I=0
LV_Delete()
LV_ModifyCol(1,T1)
LV_ModifyCol(2,T2)
LV_ModifyCol(3,T3)
LV_ModifyCol(4,T4)
LV_ModifyCol(5,T5)
LV_ModifyCol(6,T6)
LV_ModifyCol(7,T7)
loop,read,%F1%
{
if A_LOOPREADLINE=
continue
I++
BX1=
BX2=
BX3=
BX4=
BX5=
BX6=
BX7=
stringsplit,BX,A_LoopReadLine,%S%,
LV_Add("",BX1,BX2,BX3,BX4,BX5,BX6,BX7)
}
GuiControl,1:,total1,%I%
return
;------------------------------------------------
MH2:
msgbox,IndexDatRead.ahk %DATEMOD%-- garry`r`nhttp://www.autohotkey.com
return
MH1:
msgbox,Read index.dat with pasco.exe`r`nDownload pasco and put this ahk script in the same folder like pasco.exe`r`nPush first button INDEX-DAT-SEARCH then button INDEX-DAT`r`nhttp://www.foundstone.com/index.htm?subnav=resources/navigation.htm&subcontent=/resources/proddesc/pasco.htm
return
;-----------------------------------------------------------
INDEX1:
run,index.txt
return
;------------------------------------------------
SEARCH:
Gui,1:submit,nohide
LV_Delete()
I:=0
GuiControl,1:,total1,%I%
loop,read,%F1%
{
ifinstring,A_LOOPREADLINE,%SRCX%
{
if A_LoopReadLine=
continue
BX1=
BX2=
BX3=
BX4=
BX5=
BX6=
BX7=
I++
stringsplit,BX,A_LoopReadLine,%S%,
LV_Add("",BX1,BX2,BX3,BX4,BX5,BX6,BX7)
}
}
GuiControl,1:,total1,%I%
return
;--------------------------------------------------------
INDEXDATSRCH:
Gui,1:submit,nohide
R3F=indexdatpath.txt
runwait,%comspec% /C del %R3F%,,hide
STR=%A_MyDocuments%
StringGetPos,C,STR,\,R1
stringmid,LS,STR,1,C
Splashimage,,b1 x140 y0 w500 h30 CWred zh0,SEARCH INDEX.DAT >>
mx:=0
Loop,%LS%\index.dat, 0,1
{
Fileappend,%A_LoopFileFullPath%`r`n,%R3F%
mx++
}
Splashimage,off
return
;--------------------------------------------------------
INDEXDAT:
Gui,1:submit,nohide
R3F=indexdatpath.txt
STR=%A_MyDocuments%
StringGetPos,C,STR,\,R1
stringmid,LS,STR,1,C
ifnotexist,%R3F%
{
Splashimage,,b1 x140 y0 w500 h30 CWred zh0,SEARCH INDEX.DAT >>
mx:=0
;Loop,C:\index.dat, 0,1
Loop,%LS%\index.dat, 0,1
{
Fileappend,%A_LoopFileFullPath%`r`n,%R3F%
mx++
}
Splashimage,off
}
LV_Delete()
LV_ModifyCol(1,0)
LV_ModifyCol(2,T7A)
LV_ModifyCol(3,0)
LV_ModifyCol(4,0)
LV_ModifyCol(5,0)
LV_ModifyCol(6,0)
LV_ModifyCol(7,0)
Splashimage,,b1 x140 y5 w500 h30 CWred zh0,START READ
I:=0
GuiControl,1:,total1,%I%
loop,read,%R3F%
{
if A_LoopReadLine=
continue
I++
LV_Add("",%NOTHING%,A_loopReadLine)
}
Splashimage,off
GuiControl,1:,total1,%I%
return
;-----------------------------------------------------------------------------
GO:
Gui,submit,nohide
LV_Delete()
I=0
GuiControl,1:,total1,%I%
;ALL
if ACR=1
{
loop,read,%F1%
{
if A_LoopReadLine=
continue
BX1=
BX2=
BX3=
BX4=
BX5=
BX6=
BX7=
I++
stringsplit,BX,A_LoopReadLine,%S%,
LV_Add("",BX1,BX2,BX3,BX4,BX5,BX6,BX7)
}
GuiControl,1:,total1,%I%
return
}
;XML
if ACR=2
{
loop,read,%F1%
{
if A_LoopReadLine=
continue
BX1=
BX2=
BX3=
BX4=
BX5=
BX6=
BX7=
stringsplit,BX,A_LoopReadLine,%S%,
SplitPath,BX2,name,dir,ext,name_no_ext,drive
StringRight x,BX2,4
If (x =".xml")
{
I++
LV_Add("",BX1,BX2,BX3,BX4,BX5,BX6,BX7)
}
}
GuiControl,1:,total1,%I%
return
}
;HTM
if ACR=3
{
loop,read,%F1%
{
if A_LoopReadLine=
continue
BX1=
BX2=
BX3=
BX4=
BX5=
BX6=
BX7=
stringsplit,BX,A_LoopReadLine,%S%,
SplitPath,BX2,name,dir,ext,name_no_ext,drive
StringRight x,BX2,5
StringRight y,BX2,4
If (x =".html" or y =".htm")
{
I++
LV_Add("",BX1,BX2,BX3,BX4,BX5,BX6,BX7)
}
}
GuiControl,1:,total1,%I%
return
}
;MUSIC
if ACR=4
{
loop,read,%F1%
{
if A_LoopReadLine=
continue
BX1=
BX2=
BX3=
BX4=
BX5=
BX6=
BX7=
stringsplit,BX,A_LoopReadLine,%S%,
SplitPath,BX2,name,dir,ext,name_no_ext,drive
StringRight x,BX2,4
StringRight y,BX2,3
If (x =".mp3" or x =".wav" or x =".ram" or x =".wma" or x =".mid" or y =".rm" or y =".ra")
{
I++
LV_Add("",BX1,BX2,BX3,BX4,BX5,BX6,BX7)
}
}
GuiControl,1:,total1,%I%
return
}
;PICTURE
if ACR=5
{
loop,read,%F1%
{
if A_LoopReadLine=
continue
BX1=
BX2=
BX3=
BX4=
BX5=
BX6=
BX7=
stringsplit,BX,A_LoopReadLine,%S%,
SplitPath,BX2,name,dir,ext,name_no_ext,drive
StringRight x,BX2,4
StringRight y,BX2,3
If (x =".gif" or x =".jpg")
{
I++
LV_Add("",BX1,BX2,BX3,BX4,BX5,BX6,BX7)
}
}
GuiControl,1:,total1,%I%
return
}
return
;---------------------------------------------------------------
MyListView:
Gui,submit,nohide
GuiControlGet, MyListView
if A_GuiEvent = Normal
{
MouseGetPos,x,y
{
if x<%T1A%
{
LV_GetText(C1,A_EventInfo,1)
GuiControl, ,C,%C1%
return
}
if x<%T2A%
{
LV_GetText(C2,A_EventInfo,2)
GuiControl, ,C,%C2%
return
}
if x<%T3A%
{
LV_GetText(C3,A_EventInfo,3)
GuiControl, ,C,%C3%
return
}
if x<%T4A%
{
LV_GetText(C4,A_EventInfo,4)
GuiControl, ,C,%C4%
return
}
if x<%T5A%
{
LV_GetText(C5,A_EventInfo,5)
GuiControl, ,C,%C5%
return
}
if x<%T6A%
{
LV_GetText(C6,A_EventInfo,6)
GuiControl, ,C,%C6%
return
}
if x<%T7A%
{
LV_GetText(C7,A_EventInfo,7)
GuiControl, ,C,%C7%
return
}
}
}
if A_GuiEvent = DoubleClick
{
LV_GetText(C2,A_EventInfo,2)
SplitPath,C2,name,dir,ext,name_no_ext,drive
if ext=dat
{
Splashimage,,b1 x140 y5 w500 h30 CWred zh0,READ INDEX.DAT
runwait,%comspec% /C pasco -t%S% "%C2%" >index.txt,,hide
Splashimage,off
goto,LB
}
else
{
if C2 contains @file:///
{
stringlen,L1,C2
StringGetPos,P1,C2,@file:///
L2:=(L1-P1)
P1:=(P1+10)
stringmid,CA,C2,P1,L2
StringReplace,C2,CA,/,\,All
StringReplace,C2,CA,`%20,%A_SPACE%,All
msgbox,%C2%
ifexist,%C2%
run,%C2%
return
}
if C2 contains @http://
{
stringlen,L1,C2
StringGetPos,P1,C2,@http://
L2:=(L1-P1)
P1:=(P1+2)
stringmid,CA,C2,P1,L2
msgbox,%CA%
run,%CA%
return
}
if C2 contains @
{
stringlen,L1,C2
StringGetPos,P1,C2,@
L2:=(L1-P1)
P1:=(P1+2)
stringmid,CA,C2,P1,L2
msgbox,%CA%
return
}
stringmid,CC,C2,1,8
if CC contains ://
{
run,%C2%
return
}
;run,%C2%
return
}
}
return
GuiClose:
ExitApp
Login
Register
FAQ
Search
