Last week or so I got some free time and decided to start playing around with extracting browsing history from the index.dat files. I know there are a million and one tools out there to do this; I just wanted to figure it out myself without using Windows APIs. I eventually want to incorporate it into a Metasploit Post module that grabs all kinds of good info from IE, so I kind of had an alternate motive for trying to parse out the file. Anyways, I came up with a Ruby script that parses out the URL, date accessed, and date modified. It will work on the index.dat files from the Cookies, History, and Temporary Internet Files folders. It's not a post module yet, but probably soon. I just need to invest some time into using this history list to hash and compare to the encrypted URLs for the auto-complete passwords stored in the registry. Another script for another day.
I thought I'd share the parsing script, so here it is: iehist.rb
I had a hard time finding good information on how to parse this data, so I also wrote a short blog post that talks about the structure of the index.dat file and how I parsed out the data in case anyone's interested. Here's the blog post: Parsing IE's Index.dat