Understanding index.dat Files The meaning of the two 64-bit Windows timestamps in the various index


The "index.dat" file is a database file used to manage, among other things, MSIE browser functions.  There is an "index.dat" in the cookie folder, one in the "history" folder, one in each daily history folder, one in each weekly history folder, and one sitting at the root of the Content.IE5 folder under Temporary Internet Files (Cache Folder).

The times stored in the various index.dat files have different meanings depending on where they are found.  At URL record offsets 9 and 17 are two 64-bit Windows timestamps.  Their meanings are described in the table below:

| Location of Index.dat | 1st Date (located at record offset 9) | 2nd Date (located at record offset 17) | Comments |
|---|---|---|---|
| Cookie folder | Cookie modified GMT | Cookie file last accessed GMT | |
| Main History | Last visited time GMT | Last visited time GMT | |
| Daily History | Last visited time (LOCAL TIME!) | Last visited time GMT | |
| Weekly History | Last visited time (LOCAL TIME!) | File created time (GMT) | This means the file creation time of the containing index.dat file! |
| Cache | Last modified by web server time (GMT) | Last checked by local host time GMT | |

Some scripts and tools apply the local offset to all dates, because most are stored in GMT.  Note that if the local time offset is applied to the first date for daily and weekly history, the resulting timestamp will be incorrect, because the offset will have been applied twice: once by MSIE and once again by your tool or script.
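An added example (not from the original article or from any tool it mentions) that decodes the two timestamps of a URL record according to where the index.dat was found, and shows the double-offset error described above. It assumes the article's offsets 9 and 17 are 1-based positions (zero-based 8 and 16), that the record begins with the `URL ` signature, and that the examiner supplies the machine's GMT offset; the function names and the sample record are constructed for illustration.

```python
import struct
from datetime import datetime, timedelta

FILETIME_EPOCH = datetime(1601, 1, 1)   # FILETIME counts 100 ns ticks from here
# Per the table above: location -> (first date stored as local time?,
#   meaning of first date, meaning of second date)
LOCATIONS = {
    "cookie":  (False, "cookie modified", "cookie file last accessed"),
    "history": (False, "last visited", "last visited"),
    "daily":   (True,  "last visited", "last visited"),
    "weekly":  (True,  "last visited", "containing index.dat file created"),
    "cache":   (False, "last modified by web server", "last checked by local host"),
}

def filetime_to_datetime(ticks):   # no time-zone adjustment is applied here
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)

def datetime_to_filetime(dt):
    return (dt - FILETIME_EPOCH) // timedelta(microseconds=1) * 10

def interpret_url_record(record, location, utc_offset):
    """Return (meaning, GMT, local) for both dates; utc_offset is the examined
    machine's offset from GMT (timedelta), established by the examiner."""
    if record[:4] != b"URL ":
        raise ValueError("not a URL record")
    first_is_local, first_meaning, second_meaning = LOCATIONS[location]
    # Assumption: the article's offsets 9 and 17 are 1-based, so zero-based 8 and 16.
    first_raw, second_raw = (filetime_to_datetime(t)
                             for t in struct.unpack_from("<QQ", record, 8))
    if first_is_local:      # MSIE already applied the offset: remove it for GMT
        first = (first_meaning, first_raw - utc_offset, first_raw)
    else:
        first = (first_meaning, first_raw, first_raw + utc_offset)
    second = (second_meaning, second_raw, second_raw + utc_offset)
    return first, second

# Constructed sample: daily-history record from a GMT-5 machine, visit at 15:00 GMT.
OFFSET = timedelta(hours=-5)
SAMPLE = b"URL " + struct.pack("<IQQ", 2,
    datetime_to_filetime(datetime(2005, 3, 1, 10, 0)),   # first date: local time
    datetime_to_filetime(datetime(2005, 3, 1, 15, 0)))   # second date: GMT

if __name__ == "__main__":
    for meaning, gmt, local in interpret_url_record(SAMPLE, "daily", OFFSET):
        print(f"{meaning}: {gmt} GMT / {local} local")
    naive = filetime_to_datetime(struct.unpack_from("<Q", SAMPLE, 8)[0]) + OFFSET
    print("offset applied twice (wrong):", naive)   # 05:00, not the true 10:00 local
```

The GMT offset in effect when the record was written, including any daylight-saving shift, has to come from the examined system's own configuration, not from the examiner's workstation.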

If you are going to be testifying about a timestamp, understand thoroughly its meaning, based on its location, and verify that your tool is reporting the timestamp correctly by going to the raw data.  Better yet, recreate some data on a test box so that you can work through it, understanding both MSIE and your tools.

For information about identifying URL fragments as to their source file, see: 

http://www.stevebunting.org/udpd4n6/forensics/index_dat1.htm

For an example of the meanings of the dates in weekly history index.dat, including the location of the raw data for these timestamps, see the following EnCase mini-report.
