Internet Explorer privacy mode browsing vulnerability

Internet Explorer 8 and above come with a feature called InPrivate browsing. This privacy setting instructs the browser not to save the browsing history, temporary Internet files, form data, cookies, or usernames and passwords, so that the browser retains no evidence of your browsing or search history. Once you close the browser everything is meant to be gone. Not quite.

Internet Explorer index.dat files storing browsed sites

Index.dat is a little-known Windows file that Internet Explorer uses. This file does not exist in the Firefox, Chrome, Safari and Opera browsers.

The index.dat file is extremely hard to find: not only is it marked as hidden, it is also designated as a system file, and as such a Windows search will not find it. System files and folders are effectively cloaked from casual searches even if you instruct Windows to show hidden files. In addition, the index.dat file is locked and Windows prevents it from being deleted.

Note: Other Windows components also use a file named index.dat; the name is not exclusive to Internet Explorer, so do not confuse them.

Internet Explorer InPrivate mode browsing

The index.dat file is a database file containing information such as visited websites, search queries and recently opened files. Its purpose, according to Microsoft, is to enable quick access to data used by Internet Explorer; no other browser uses it. This little file will be very helpful to a computer forensics investigator hell-bent on recovering your internet browsing activities.

Items such as the cached filename and page header information will be written to the index.dat file while you use Internet Explorer privacy mode (aka porn mode).

The index.dat file cannot be erased manually the way your Internet cache and history can; you will need some specialist privacy software to erase the contents of Internet Explorer's index.dat.

More Internet Explorer privacy mode vulnerabilities

Internet Explorer InPrivate browsing mode does not run completely in volatile RAM. While you use InPrivate browsing mode in Internet Explorer, temporary internet files are stored on disk so that pages work correctly, and are deleted when you close the browser.

This clearing of the cache is another privacy risk, as the space is simply marked as free but not actually overwritten. Like all data that is not securely erased, it can be retrieved until it is overwritten.

A computer forensics expert can recover the deleted internet cache of your Internet Explorer InPrivate mode without too much effort, in a matter of minutes.

Internet Explorer plugins like Silverlight are also able to set a cookie that will not be removed after the session.

Index.dat file computer forensics

Privacy mode browsing vulnerabilities in Chrome, Safari & Firefox

Although Internet Explorer is the only browser to use index.dat, you should still be wary of other browsers' privacy modes because they will also leave some tracks on your hard disk.

A team of researchers from Stanford and Carnegie Mellon University found that a local attacker can access the DNS resolution history in a cache on a machine, enabling him to reconstruct if and when a user visited a website. This scenario assumes you are using privacy mode for internet surfing on a public computer.

At home, when using privacy browsing mode with Chrome, Safari and Firefox, you will need to watch out for plugins. According to these researchers, “Browser addons (extensions and plug-ins) pose a privacy risk to private browsing because they can persist state to disk about a user’s behavior in private mode.”

Stanford University researchers' paper: Analysis of Private Browsing Modes in Modern Browsers

How to delete Internet Explorer index.dat file?

Internet Explorer's index.dat is a binary file and you cannot use Notepad to look at its content. You will need to use a free hexadecimal editor like the HxD freeware hex editor, but that requires some skill. It is much easier to download something like the free Index.dat Analyzer from Systenance; this tool can view and erase the content of your index.dat files.

To delete index.dat you can open it with the hex editor, overwrite everything with zeroes, then save it; make sure the file is not opened as Read-Only. The quickest and easiest way to delete your index.dat file is by using specialist privacy software to clean it.
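
The hex-editor procedure above, scripted as an added example (not code from the original article or from any tool it names): it lists the URL strings readable in a binary file, overwrites the file in place with zeroes, and checks that nothing is left. The sample file is constructed and does not model the real index.dat layout; the function names are hypothetical.

```python
import os
import re
import tempfile

# Printable http(s)/ftp URLs embedded in binary data (same idea as `strings`).
URL_RE = re.compile(rb"(?:https?|ftp)://[\x21-\x7e]{4,}")

def find_urls(path):
    """Return URL-like strings found anywhere in a binary file."""
    with open(path, "rb") as fh:
        return [m.group().decode("ascii") for m in URL_RE.finditer(fh.read())]

def zero_fill(path, chunk=64 * 1024):
    """Overwrite a file in place with zeroes, keeping its length.

    Raises PermissionError/OSError if the file is read-only or locked.
    """
    size = os.path.getsize(path)
    with open(path, "r+b") as fh:      # r+b: modify in place, do not truncate
        remaining = size
        while remaining:
            n = min(chunk, remaining)
            fh.write(b"\x00" * n)
            remaining -= n
        fh.flush()
        os.fsync(fh.fileno())          # push the zeroes out to the disk
    return size

def is_zeroed(path):
    """True when every byte of the file is zero."""
    with open(path, "rb") as fh:
        return not any(fh.read())

def demo():
    # Constructed sample: arbitrary binary padding around two made-up URLs.
    blob = (b"\x00\x01\xfe" * 40 + b"http://example.com/search?q=test\x00"
            + b"\xff" * 64 + b"https://example.org/page.html\x00" + b"\x10" * 30)
    with tempfile.NamedTemporaryFile(delete=False, suffix=".dat") as tmp:
        tmp.write(blob)
    try:
        before = find_urls(tmp.name)   # what a viewer could read beforehand
        size = zero_fill(tmp.name)
        after = find_urls(tmp.name)    # nothing readable should remain
        return before, after, size == len(blob), is_zeroed(tmp.name)
    finally:
        os.remove(tmp.name)

if __name__ == "__main__":
    print(demo())
```

Run against a file that Windows holds locked, as the article describes for index.dat, `zero_fill` fails with an error instead of overwriting anything.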