05/29/07
Posted by Dave
5 Star Support Security Specialist
I am writing this paper for those of you who may be concerned with both data
security and computer privacy. This can be especially important if you store
sensitive data and files on your computer. In my case, I do a lot of
security research and am not particularly fond of the idea of anyone else
being able to know what is in my files. I also have to be concerned with
records of the websites I have to visit during my research, the digital
signatures I recover and other such details.
To that end, we will discuss the Windows Indexing Service whose sole purpose
is cataloging the contents of your hard drive(s), as well as the contents of
files, in order to make local file searching faster. This service creates a
number of small databases containing data regarding your disk(s) contents
including the actual contents of files and folders. This can undermine your
attempts at security and privacy. The indexing procedure creates a scattered
secondary volume of your data and much of it can easily be left behind after
you delete a file, even if you use a wipe utility. Just for the record, I
never simply delete any files. I always erase them using a utility designed
to overwrite the file. This erasure includes all data, file names, cluster
tips, and alternate data streams.
Although the Indexing Service can represent a significant convenience with
regards to speed, and enables you to search for strings within files, it is
not essential for searching. If your primary concern is for privacy and
security, read on. Otherwise, this paper is not for you. If you are always
using the service and searching for your files or strings of text within
them, the complete privacy and advanced security benefits that this paper
describes are just about impossible to achieve. In my case, I've never had a
problem remembering where I store my files and I both name and locate them
for easy recovery later, so I never need to use the file search utility in
Windows. If you get into these same habits, you won’t need to use it either.
There are two ways to go here and you can choose either way. One method
involves turning off indexing altogether, after which you can wipe all the
index files and that will be the end of it. The second choice is to shut off
indexing temporarily, wipe the index files, re-enable the indexing service,
but with only selected directories to be indexed. With the second method,
the Indexing Service can still be used, but you can prevent indexing of
directories containing sensitive information. It is, however, a lot to
remember.
If you choose the first method, which is what I use, you get the added bonus
of freeing up both processor and RAM system resources that would normally be
used running a service you may hardly ever use, or may not even want.
I’m sure we have all heard stories about how a computer ‘forensics expert’
was able to retrieve data from a computer to help incriminate a bad guy, and
that computers keep records of all our files, and everything we do on the
Internet, including all the Websites and Web pages we visit. Well, if you
accept all default Windows settings, this is absolutely true, and all this
information can be easily recovered if you know what you are doing. In most
cases (drive encryption excepted), highly specialized ‘guru’ software is not
needed either – don’t believe everything you see on TV or in the movies.
We’ll spend more time on this later.
I can tell you from the start that what we are going to do is not something
I recommend for a beginner. You will need patience as well because this
whole thing can become quite tedious at times, and requires use of Safe
Mode as well as a number of system reboots. If you have multiple drives (or
a RAID array), the procedure may have to be repeated for each additional
hard drive in your system. You will also need a good knowledge of all your
applications. For the scope of this paper, we will assume you use the
average computer with one internal hard drive (C: drive). If you feel alert
and rested, we can now begin.
Windows Indexing Service -
Regardless of which of the two options above you choose, we will have to
begin by disabling the Indexing Service and wiping the old index files.
First, we need to log on to the system as an administrator and turn off the
service:
1. Go to the Start menu and choose Run.
2. Type in services.msc and click OK. This will launch the Services dialogue
box.
3. Right-click on the Indexing Service to bring up Properties, and click
Stop if the service is running. Then, left-click on Disabled. Next,
left-click Apply and close the dialogue.
4. Go to My Computer. Select Local Disk (C:) from your drives.
5. Right-click the Local Disk (C:) icon and choose Properties from the
drop-down menu selection. The Local Disk Properties dialogue box will open.
Near the bottom, you will see a tick in the box beside the option: “Allow
Indexing Service to index this file for fast file searching”.
6. Clear (uncheck) the tick box, left-click Apply, and in the next dialog,
select the option “Apply changes to C:\, subfolders and files.” Click on OK
and reboot the computer.
At this point, the Indexing Service has been disabled, and we can
concentrate on wiping index files (*.idx, *.idq, *.ida, and *.htx) that
exist. In order to find these files in Windows Explorer, you will have to
set the options to display hidden files and system files. To do this, go to
Control Panel | Folder Options | Click on the View tab, and tick the circle
to ‘Show hidden files and folders’. Then, remove the tick in the box to
‘Hide protected operating system files [Recommended]’.
Next, we need to configure the search companion for the hard drive (C:)
because it will not search for everything we need by default. Follow this
procedure:
1. Go to My Computer and double left click on your C: drive.
2. Left click the Search icon near the top of the window to open the Search
Companion. Be sure Look In: is set to ‘Local Disk [C:]’.
3. Left click the ‘Search Options’ or ‘More advanced options’, depending on
your system. From the drop down menu, select all the following if visible:
‘Search all files and folders’, ‘Search system folders’, ‘Search hidden
files and folders’, and ‘Search subfolders’.
Now, we can search for the following file types by typing them into the
‘Search for files and folders named:’ box in the left pane of the window.
Type in the following: .idx, .idq, .ida, .htx, and begin your search. Using
your wipe utility, wipe any files of these types that do not belong to any
of your applications (remember I said you need a good working knowledge of
your applications?). You may not find many of these file types on a home
system, but it is important to look for them. Right-click on each
unnecessary file that does not belong to any of your applications to select
it, and then wipe it with your utility program. This may be a tedious job,
but you only have to do it once so long as the Indexing Service remains
turned off.
If you intend to leave the Indexing Service turned off, you are now done
with this task. If you want to turn it back on, you need to follow this
procedure:
1. Go to the Start menu and choose Run.
2. Type in services.msc and click OK. This will launch the Services dialogue
box.
3. Right-click on the Indexing Service to bring up the Properties dialogue
box, select ‘Automatic’, and click ‘Apply’. Then click ‘Start’ and exit the
dialogue.
4. Go to My Computer, select Local Disk (C:), and left click.
5. Browse through your files and right-click on any directory you want to
index. Choose ‘Properties’, and then click ‘Advanced’ toward the bottom of
the Properties dialogue box.
6. In the Advanced Attributes dialogue box, select the tick-box beside the
option ‘For fast searching, allow Indexing Service to index this folder’.
Click OK, and you are given the option to include that directory’s
subfolders and their files if you want them. Repeat this procedure for each
directory you want to have indexed.
By doing this, you can still use the Indexing Service if you like, but you
prevent it from making duplicate data traces of the directories that contain
your sensitive information files.
If you are a paranoid type, there is a Windows quirk I probably should tell
you about here. If you use the Search Companion, with or without the
Indexing Service turned on, your search queries are stored in the Windows
Registry under HKEY_CURRENT_USER\Software\Microsoft\Search Assistant\ACMru.
You can delete this information if you like by using the Windows Registry
Editor, but there is no option to write-protect it, so the entries will
return and be stored there whenever you search for files, whether you like
it or not. The entries can be deleted manually with the Registry Editor, but
I feel the best way to approach it is simply to be aware of it and take
appropriate care when searching your computer for files with sensitive or
controversial information. As I said earlier, I name and locate them for
easy retrieval and take good notes so I don’t need to use a search.
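For those who prefer to clear the key from a command prompt rather than by hand in the Registry Editor, here is an added example batch file (mine, not part of the original paper). It assumes reg.exe is available (it is built into Windows XP) and that the key is at the location named above. It takes a backup first, so the step can be reversed, and then checks that the key is really gone:

```batch
@echo off
REM Added example, not part of the original article: back up, clear and re-check
REM the Search Companion history key described above. Assumes reg.exe is available
REM (built into Windows XP) and that the key name is exactly as given in the text.
set "ACMRU=HKCU\Software\Microsoft\Search Assistant\ACMru"
set "BACKUP=%TEMP%\acmru-backup.reg"

REM 1. Keep a copy first so the change can be reversed with: reg import "%BACKUP%"
if exist "%BACKUP%" del "%BACKUP%"
reg export "%ACMRU%" "%BACKUP%" >nul 2>&1 && echo Backup written to "%BACKUP%"

REM 2. Remove the key together with the per-search-type subkeys beneath it.
REM    /f suppresses the "are you sure" prompt so the file can run unattended.
reg delete "%ACMRU%" /f >nul 2>&1

REM 3. Verify. reg query returns a non-zero errorlevel once the key no longer exists.
reg query "%ACMRU%" >nul 2>&1
if errorlevel 1 (echo ACMru cleared) else (echo ACMru still present)
```

As the text says, Windows re-creates the key the next time the Search Companion is used, so this only clears what has accumulated so far; it can be run after each search session, or installed as a shutdown script in the same way as the index.dat script at the end of this paper.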
Index.dat files -
Related to all this is another group of important files named ‘index.dat’
that are scattered on your hard drive in numerous locations. Remember
earlier we talked briefly about a computer forensics expert being able to
retrieve data regarding everywhere a computer has been on the Internet? The
key to this is the index.dat files. These files are mini-databases
cataloging the contents of directories relating to your Internet behavior.
Your search queries, cookies, web history and other peculiar items are
recorded in these files. You can easily delete the contents of Internet
Explorer directories (history, cookies, temporary files), but you cannot
easily delete the index.dat files that record their contents. Interestingly
enough, it seems that Microsoft does not want you to play with these index
files, so if you attempt to access or display them, access will be denied,
even to an Administrator. This is because these files are ‘open’, or in use,
even when Internet Explorer is not running.
In order to remove the index.dat files, we will need to restart the computer
in Safe Mode as follows:
1. Reboot the computer.
2. As the computer boots, but before Windows starts, press the F8 key.
3. After the startup screen appears, use the arrow keys to highlight the
Safe Mode option, and press Enter.
4. After Windows starts in Safe Mode, you will be able to do a file search
for the index.dat files on your computer. Search for the name index.dat
rather than for .dat alone, because a plain .dat search also matches
unrelated application and system files that must not be wiped. After the
file search finds and displays the index.dat files on the hard drive, select
them all and wipe them.
Some file wipe utilities will work in the Safe Mode, while others will not.
I cannot predict this for you because I do not know what utility you are
using. If your utility does not work in Safe Mode, you can delete the files,
restart Windows normally, and then wipe the free space and file slack space
on the hard disk.
We’re not quite done yet, and I have more news for you. Even after you wipe
all these files, Windows will re-create them as soon as you reboot, and
start storing data in them again. The key here is to wipe all the index.dat
files, reboot, and then write-protect the newly created ones. It is also
important to search for index.dat files occasionally because Windows may
create additional ones during normal computer use.
There are numerous utility programs available that claim to remove these
files while Windows is running normally. If you wish to check into them,
just do a Web search using ‘index.dat’ as a search term and you will find
links to many such tools. I have another method along with several other
recommendations for you toward the end of this paper. Before we get to that,
we need to first discuss System Restore for users of Windows versions newer
than Windows 2000, as well as temporary files.
System Restore -
System Restore is a useful Windows feature, but it is not without both
privacy and security implications. System Restore creates snapshots of the
system state at periodic intervals that are referred to as restore points.
If your system becomes damaged by, for instance, a bad software install or
some form of malware, a user can roll back their system to a prior point
when everything was known to be working normally. Although this is a real
convenience, it is no replacement for properly backed up data to removable
media, or to an external hard drive, methods that I much prefer, and it does
not work as well as a good specialized ‘go back’ utility. In fact, I never
store any data on my internal C: drive at all. My C: drive contains my
operating system, applications and utilities only. All data and files are
stored on other drives. I suggest you might consider doing the same.
In an ideal world, system contents backed up to the C:\Restore directory
would not contain any personal data, but this assumes that the user did not
unknowingly store sensitive files in directories that will be backed up. It
is also possible that viruses or other malware might remain in the
C:\Restore directory when infected files are backed up. These infected files
will be backed up and defy removal by many anti-virus and anti-malware
products because they are located in a protected directory. When you use
System Restore, you will restore the malware or viruses as well.
As you can see, System Restore is great for convenience, but bad for privacy
and security. You have to decide if it is worth the risk of using it. If you
decide not to use System Restore, here is how to turn it off:
1. Go to Start | Settings | Control Panel | System and launch the System
Properties dialog (or right-click on My Computer and choose Properties).
2. Choose the System Restore tab at the top of the System Properties dialog
box and place a tick in the box on the line reading “Turn off System
Restore”. Click on OK.
3. Go to the Start menu, choose Run, and type in services.msc to launch the
Services dialog. Find the System Restore Service, stop it if it is running,
set it to Disabled, click Apply, and close the dialog box.
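Both the Indexing Service procedure earlier in this paper and step 3 above come down to the same operation: stop a service and set its start type to Disabled. The following batch file is an added example (mine, not part of the original paper) that does both with sc.exe and then reads the result back from the Service Control Manager instead of trusting that the change took. The service names are my assumption for Windows XP: CiSvc is the Indexing Service and srservice is the System Restore Service; Windows 2000 has no System Restore Service, and the script reports that case rather than failing:

```batch
@echo off
REM Added example, not part of the original article: stop and disable the Indexing
REM Service and the System Restore Service with sc.exe, then verify both.
REM Assumed service names (Windows XP): CiSvc = "Indexing Service",
REM srservice = "System Restore Service". Run from an Administrator command prompt.
for %%S in (CiSvc srservice) do call :disable %%S
goto :eof

:disable
echo --- %1 ---
REM Skip services this Windows version does not have (e.g. srservice on Windows 2000).
sc query %1 >nul 2>&1 || (echo %1 is not installed on this system & goto :eof)
REM Stop it if running. An already stopped service produces an error we ignore.
sc stop %1 >nul 2>&1
REM Give the Service Control Manager a couple of seconds to finish stopping it
REM (Windows XP has no timeout command, so a local ping is the usual delay).
ping -n 3 127.0.0.1 >nul
REM Set the start type. The space after "start=" is required by sc.exe.
sc config %1 start= disabled >nul
REM Verify against what the Service Control Manager reports, not what we asked for.
sc query %1 | find "STOPPED" >nul
if errorlevel 1 (echo %1 is still running) else (echo %1 is stopped)
sc qc %1 | find "DISABLED" >nul
if errorlevel 1 (echo %1 start type is NOT Disabled) else (echo %1 start type is Disabled)
goto :eof
```

This only replaces the services.msc part of each procedure. The per-drive tick box “Allow Indexing Service to index this file for fast file searching” and the System Restore tab in System Properties still have to be changed through the dialogs as described above.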
Temporary Files –
Depending on how old your computer is and how much work you do with it,
there can be hundreds or even thousands of temporary files on your machine.
Most of them are automatically deleted on shutdown, but in the event of a
power outage or system crash, they are all left behind on the hard drive.
They are located in many different places and are created for a lot of
different reasons, and it is impossible to predict what these files contain.
One example is a word processor document, like the one I used to write this
paper. A word processor periodically creates a temporary version of the
document so that if your system goes down, the document will be very easy
to recover and very little work will be lost.
Now, what if that document you were working on contained sensitive
information that you intended to encrypt before storing it on your hard
drive? If the power went out or the system went down, a temporary version
of the document would still be stored on the hard drive, in the documents
directory, in clear text. Memory swapping can also leave a copy in the swap
file, in the same way that the Indexing Service keeps a copy of the contents
in its index.
In a Windows based machine, these files are stored in a directory named
~\Temp or ~\temp and have the file extension .tmp. You may want to wipe
these files from your drive occasionally. Using the Search Companion for
your C: drive, enter .tmp and do a file search (making sure the search is
not case sensitive). Check out the files and wipe any you find. Wipe any
Temporary Internet files while you are at it.
Final Thoughts –
Before leaving, I have a few thoughts and recommendations for you. You can
take them or leave them; the choice is yours.
On a Windows based machine, we all need to have Internet Explorer installed
for use with Windows Update, Microsoft Update, Office Update and other
programs that might specifically require it. You need it because it supports
the ActiveX controls needed to download the files. You have seen from this
paper the results of using Internet Explorer exclusively, and all the files
it creates, especially index.dat files. I recommend you use Internet
Explorer for these purposes only and nothing else. You don’t really need it
for anything else.
For all your other Internet needs, consider using Mozilla Suite or Firefox
as a browser. Once installed and configured, use the above procedure to find
and wipe the index.dat files created, write protect them after a reboot, and
you are done with it. No future worries. A special tip for Firefox users:
under Tools | Options, go to the Privacy tab, add the cookies and passwords
you want to save as exceptions, tick the box to ‘Accept cookies from sites’
and set them to be kept only until you close Firefox, and tick the box to
‘Always clear my private data when I close Firefox’. By doing this, all your
cookies and personal data are dumped every time you close Firefox instead of
being saved.
If you are searching for a good wipe utility, you might want to consider
Eraser v5.3, available (free) from SourceForge here:
http://sourceforge.net/projects/eraser/
As a final assist to your efforts, the procedure below is what you can do to
automatically wipe out index.dat files on a Windows 2000 Professional or a
Windows XP Professional machine during each shutdown. This automatic method
does not work on Windows XP Home edition computers. If you are at all
squeamish about scripts or don’t know how to work with system files, you may
want to leave this alone until you gain more knowledge.
Instructions for Windows 2000/XP Professional users (assumes use of IE 6;
older systems may have IE 5, in which case replace IE6 with IE5 in the paths
below):
In this example the username is Administrator. Replace Administrator with
your username. You will need to add any additional users on your computer to
the script as well. Do not confuse All Users, Default User, LocalService or
NetworkService as being users. Repeat the entire script for each separate
user.
Open Notepad and type in the following:
@echo off
REM IndexDat.cmd: deletes the Internet Explorer index.dat files at shutdown.
REM Replace Administrator with your own user name and repeat the lines for each user.
REM The /a switch lets del match these files even though they carry the hidden attribute.
del /a "C:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\UserData\index.dat"
del /a "C:\Documents and Settings\Administrator\Cookies\index.dat"
del /a "C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE6\index.dat"
del /a "C:\Documents and Settings\Administrator\UserData\index.dat"
del /a "C:\Documents and Settings\Default User\Cookies\index.dat"
del /a "C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE6\index.dat"
del /a "C:\Documents and Settings\LocalService\Cookies\index.dat"
In Notepad, save the file with the name “IndexDat.cmd” (with the quotes).
Your file should now be named IndexDat.cmd and not IndexDat.cmd.txt.
Copy the IndexDat.cmd file you just created to the following folder
(depending on where your operating system resides):
C:\Winnt\System32\GroupPolicy\Machine\Scripts\Shutdown
or
C:\Windows\System32\GroupPolicy\Machine\Scripts\Shutdown
IndexDat.cmd should now be in the Shutdown folder.
Go to Start | Run and type in gpedit.msc and click OK.
Open Computer Configuration | Windows Settings | Scripts (Startup/Shutdown)
and double click Shutdown.
Click the Add button and browse to the IndexDat.cmd file in the Shutdown
folder.
Highlight this file, click Open, and then OK twice.
From now on, when you shut down your computer, it should wipe out the
index.dat files.
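The script above has to be edited every time an account is added to the machine. As an added example (my generalization, not the paper's own script), here is the same shutdown cleanup written to walk every profile folder under Documents and Settings instead of hard-coding Administrator. It assumes the Windows 2000/XP profile layout, tries both the Content.IE6 folder named in the script above and the Content.IE5 folder named in the appendix, and also covers the daily MSHist history sub-folders listed there. It is installed through gpedit.msc exactly as described above:

```batch
@echo off
REM Added example, not the article's own script: deletes the Internet Explorer
REM index.dat files for every profile under Documents and Settings, so new accounts
REM need no editing. Assumes the Windows 2000/XP profile layout. Both Content.IE5
REM (appendix) and Content.IE6 (script above) are tried; missing paths are skipped.
setlocal
set "PROFILES=%SystemDrive%\Documents and Settings"
for /d %%U in ("%PROFILES%\*") do call :clean "%%~U"
endlocal
goto :eof

:clean
REM %~1 is one profile folder. del /a matches the hidden attribute these files
REM carry; 2>nul hides "Could Not Find" for files this profile does not have.
echo Cleaning %~1
for %%F in (
    "Cookies\index.dat"
    "UserData\index.dat"
    "Application Data\Microsoft\Internet Explorer\UserData\index.dat"
    "Local Settings\History\History.IE5\index.dat"
    "Local Settings\Temporary Internet Files\Content.IE5\index.dat"
    "Local Settings\Temporary Internet Files\Content.IE6\index.dat"
) do del /a "%~1\%%~F" 2>nul
REM The daily history sub-folders (MSHist...) from the appendix each hold their own index.dat.
for /d %%H in ("%~1\Local Settings\History\History.IE5\MSHist*") do del /a "%%~H\index.dat" 2>nul
goto :eof
```

Because it visits every folder under Documents and Settings, it also passes through All Users, Default User, LocalService and NetworkService; that is harmless, since any index.dat path a profile does not have is simply skipped. As with the original script, this deletes the files rather than overwriting them, so a free-space wipe afterwards is still needed if you want the contents gone from the disk.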
Until next time here on 5 Star Support, Happy Computing!
Dave
Appendix –
If you have Windows Vista then index.dat files are in these locations (note
that on your PC they may be on a drive other than C:):
C:\Users\<username>\Roaming\Microsoft\Windows\Cookies\index.dat
C:\Users\<username>\Roaming\Microsoft\Windows\Cookies\Low\index.dat
C:\Users\<username>\Local\Microsoft\Windows\History\History.IE5\index.dat
C:\Users\<username>\Local\Microsoft\Windows\History\History.IE5\Low\index.dat
C:\Users\<username>\Local\Microsoft\Windows\History\History.IE5\MSHistXXXXXXXXXXX\index.dat
C:\Users\<username>\Local\Microsoft\Windows\History\History.IE5\Low\MSHistXXXXXXXXXXX\index.dat
C:\Users\<username>\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
C:\Users\<username>\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\index.dat
C:\Users\<username>\Roaming\Microsoft\Internet Explorer\UserData\index.dat
C:\Users\<username>\Roaming\Microsoft\Internet Explorer\UserData\Low\index.dat
If you have Windows XP or Windows 2000 then index.dat files are in these
locations (note that on your PC they may be on a drive other than C:):
C:\Documents and Settings\<username>\Cookies\index.dat
C:\Documents and Settings\<username>\Local Settings\History\History.IE5\index.dat
C:\Documents and Settings\<username>\Local Settings\History\History.IE5\MSHistXXXXXXXXXXX\index.dat
C:\Documents and Settings\<username>\Local Settings\Temporary Internet Files\Content.IE5\index.dat
C:\Documents and Settings\<username>\UserData\index.dat
If you have only one user account on Windows XP or Windows 2000 then replace
<username> with Administrator to get the paths of all index.dat files.
If you have Windows Me, Windows 98, Windows NT or Windows 95 then index.dat
files are in these locations:
C:\Windows\Cookies\index.dat
C:\Windows\History\index.dat
C:\Windows\History\MSHistXXXXXXXXXXXXXXXXXX\index.dat (XXXX are some digits)
C:\Windows\History\History.IE5\index.dat
C:\Windows\History\History.IE5\MSHistXXXXXXXXXXXXXXXXXX\index.dat
C:\Windows\Temporary Internet Files\index.dat (only in Internet Explorer 4.x)
C:\Windows\Temporary Internet Files\Content.IE5\index.dat
C:\Windows\UserData\index.dat
C:\Windows\Profiles\<username>\Cookies\index.dat
C:\Windows\Profiles\<username>\History\index.dat
C:\Windows\Profiles\<username>\History\MSHistXXXXXXXXXXXXXXXXXX\index.dat
C:\Windows\Profiles\<username>\History\History.IE5\index.dat
C:\Windows\Profiles\<username>\History\History.IE5\MSHistXXXXXXXXXXXXXXXXXX\index.dat
C:\Windows\Profiles\<username>\Temporary Internet Files\index.dat (only in IE 4.x)
C:\Windows\Profiles\<username>\Temporary Internet Files\Content.IE5\index.dat
C:\Windows\Profiles\<username>\UserData\index.dat
Note that on your computer the Windows directory may not be C:\Windows but
some other directory. If you don't have a Profiles directory in your Windows
directory, don't worry; this just means that you are not using user
profiles.