WHAT HAVE YOU BEEN DOING ON-LINE???


Your Internet Browsing History -- Demystified (v.2)
 

" After disconnecting from my dialup connection, I cleared my Internet Explorer (IE) history, then I went to the Windows folder and double clicked on ' Temporary Internet Files ' (considering myself a wizard), pressed CTRL + A and then deleted all files (even from the Recycle Bin). I repeated this with the Cookies folder. Finally I took a deep breath with a smiley face, satisfied that I had covered all my browsing and no one could find what sites I visited. "

Many advanced users do things like the above to avoid spy-ware, pop-ups, loss of privacy, etc. Despite this, there are numerous files & folders in Windows that are very well hidden and cannot even be looked at after choosing "Show All Files". " FIND *.* " also cannot show files from these hidden locations. But after a few little tricks, the contents of these hidden / secret folders can be accessed.


 

ACRONYMS USED IN THIS TEXT:

MS       Microsoft
IE       Internet Explorer
OE       Outlook Express
P-A      Phuck-Around (not f**k, used instead of Work Around / Out)
OF       Office97 or XP
FF       Find Fast (MSOF's well known feature)
%var%    Folders specified within % % are variable folder names
TIF      Temporary Internet Files
WINKEY   Windows Key (located at the left and right corners of the keyboard's bottom row, labeled with a flying window)

 


DOCUMENT SUMMARY


UPDATES & HISTORY:

This is the second version of `Your Internet Browsing History -- Demystified' (named v.2). It contains my further comments, tips and experiences. The newly inserted text is highlighted and deleted text is struck through.

DESCRIPTION:

Windows keeps a complete track of the user's browsing history, mails sent / received through Outlook Express (OE), mails read at Hotmail, typed URLs, and an index of visited URLs. This information is not deleted from the hard disk even if the user clears the history or permanently deletes the mails sent / received in OE. Using this information, quite a complete profile of the user's Internet & computer use can be created. These files appear to be intentionally hidden so that no unwanted system components can have access to them.


REASON:

Windows' secret file locations are COMPLETELY invisible: they cannot be seen or accessed through the normal interface. MSOF keeps tracking & indexing all files on the user's hard drives that contain text.


SOFTWARE:

MSIE, MSOE & MSOF


CRITICALITY:

Moderate


HIDDEN / SECRET LOCATIONS (at a glance):

                File Based: (Default Locations)

  c:\windows\history\history.ie5\index.dat [hidden file]
  c:\windows\history
  c:\windows\tempor~1\
  c:\windows\tempor~1\content.ie5\index.dat [hidden file]
  c:\windows\application data\...
  c:\windows\profiles\%user%\...
  c:\windows\local settings\...
  c:\windows\temp\...
  c:\temp\... (rarely)


                Registry Based:

                        HKEY_USERS\Default\Software\Microsoft\Internet Explorer\TypedURLs\
                        HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TypedURLs\

                MSN Messenger Related: (excluding MSN Messenger 6.0)

                        HKEY_CURRENT_USER\Software\Microsoft\MSNMessenger
                        HKEY_LOCAL_MACHINE\Software\Microsoft\MessengerService

P-A:

    1. Browsing History: Manually deleting files from the hidden locations
    2. OE: Compacting mail folders frequently and exporting & deleting them from time to time [see Details]
    3. Cleaning the Registry
    4. Uninstalling FF and deleting all its indexed information
    5. Shredding or Wiping of Slack Files [see Details]

RECOMMENDATIONS:

Software       [see Software Recommendations]
Reading        [see Recommended Reading]
References     [see References]

SIDE NOTE:

The hidden folder can be seen only by using the "Disk Cleanup Utility" [ START > PROGRAMS > ACCESSORIES > SYSTEM TOOLS > DISK CLEANUP ].

Run it on drive "c", select "Temporary Internet Files" and then click on "View Files". This shows all the files. But if you try to delete these files using the same utility, still NOT all of them are deleted.

WARNING:

" deltree " (MS-DOS command) has been used in this text. The usage of this command at the specified paths is safe, but execution usually takes a long time. Therefore, it is recommended that users first delete as many of the hidden files as possible using Windows Explorer (or Disk Cleanup) and then use " deltree " to delete the remainder of the files.


END OF DOCUMENT SUMMARY




DETAILS

-- Internet Explorer

The files found in TIF are just a simple cache of the web pages, stored and used to speed up browsing. Every major Internet browser uses and stores a cache. But the problem is this: when the user has deleted (either manually or otherwise) all his cache, why is this junk left behind, and why are these folders (for example content.ie5 in the TIF folder) specifically designed to be hidden, so that they cannot be accessed and their contents cannot be seen by users? The worst part is that the exact path (and names) is required to see these files.

Let's get to work and dig things out...

    1. Open Windows Explorer (shortcut WinKey + E)
    2. In the address bar, type the following (assuming you are using Windows default paths)

c:\windows\tempor~1\content.ie5

    3. You should see some alpha-numeric folders in it, like QRE234FD. Open them and you will see the web pages that you have visited & the user's mails at Hotmail (they begin with 'get', 'g' or 'H'). You will also see many files named _1_~1, _10_~1, etc.

    4. If the contents (as in 3) are not shown then you will have to do these steps:

            a. Using Windows Explorer open content.ie5 and jot down the alpha-numeric folder names on a piece of paper
            b. Restart the computer in MS-DOS mode
            c. Using the " CD " command go to the tempor~1 directory, then to content.ie5
            d. Run the " DIR " command (yes, you will see nothing)
            e. Now type the " CD " command with an alpha-numeric folder name, for example:

C:\WINDOWS\TEMPOR~1\CONTENT.IE5>CD %QRE234FD%

            f. Run the " DIR " command again and you will get a long list of the pages you have visited.
            g. Copy these files to another location (if you want to see them) using this command:

C:\WINDOWS\TEMPOR~1\CONTENT.IE5\%QRE234FD%>COPY *.* C:\%TEMP%



Another problem is the *.dat files. In the Content.IE5 folder you will also find a file named ' index.dat '. These DAT files contain references to History, Cache & Cookies. You can see the contents by issuing this command:

    1. Open the " MS-Dos Command " prompt from the Start menu.

    2. Type this (the /75 switch makes EDIT load the file as binary, wrapping lines at 75 characters):

            EDIT /75 c:\windows\tempor~1\content.ie5\index.dat

    3. Scroll down (using the Page Down key) until you see the URLs you have visited.


Note: In addition to the index.dat file mentioned above, you will find many *.dat (or database) files on your computer; just do a little " FIND ".


Now we come to the HISTORY folder. Normally you open it, select all the history data and delete it, believing that all your history has been cleared. But a complete history of the URLs you have visited is still there. Just do this:

    1. Open the " MS-Dos Command " prompt from the Start menu.

    2. Type this:

            Edit /75 c:\WINDOWS\History\History.ie5\index.dat

    3. Scroll down and you will see a long list of URLs.

But this is not over yet. There is another hidden folder, probably named " mshist~x ", and it also has its own INDEX.DAT file. Try this:


    1. Open the " MS-Dos Command " prompt from the Start menu.

    2. Type this:

            Edit /75 c:\WINDOWS\History\History.ie5\mshist~X\index.dat ---> replace X with 1, 2, 3 and so on

    3. Scroll down and you will see some more URLs.

Please note: In most cases you will have to use MS-DOS commands. If they don't work, then try with Windows Explorer, or otherwise make sure that you are using the default locations of the Windows Setup.
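The EDIT /75 trick above shows the raw bytes; the URLs are easier to pull out by walking the file's records. The following is an added example (not code from the original text) that parses an IE5-era index.dat of the "Client UrlCache MMF Ver 5.2" kind: it assumes 128-byte blocks, that " URL " and " LEAK " records hold the last-accessed FILETIME at +0x10 and the offset of the URL string at +0x34, that " REDR " records hold the URL at +0x10, and that the header stores the first hash-table offset at +0x20. The index.dat it reads is constructed in memory so it runs without a Windows machine.

```python
# Added example (not the page's code): list URL records from an IE5 index.dat.
import struct
from datetime import datetime, timedelta, timezone

BLOCK = 128                                     # index.dat allocation unit
SIGNATURE = b"Client UrlCache MMF Ver 5.2\x00"
EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
SAMPLE_TIME = datetime(2003, 9, 20, 12, 0, tzinfo=timezone.utc)

def filetime_to_datetime(ft):
    """FILETIME is 100 ns ticks since 1601-01-01 UTC."""
    return EPOCH + timedelta(microseconds=ft // 10)

def cstring(buf, start):
    return buf[start:buf.index(b"\x00", start)].decode("latin-1")

def list_records(data):
    """Return (kind, url, last_accessed) for every URL/LEAK/REDR record."""
    if not data.startswith(SIGNATURE):
        raise ValueError("not a version 5.2 index.dat")
    pos, out = struct.unpack_from("<I", data, 0x20)[0], []   # first hash table
    while pos + BLOCK <= len(data):
        sig = data[pos:pos + 4]
        if sig not in (b"URL ", b"LEAK", b"REDR", b"HASH"):
            pos += BLOCK                        # free or unknown block
            continue
        nblocks = struct.unpack_from("<I", data, pos + 4)[0] or 1
        if sig == b"REDR":                      # redirect: URL at +0x10
            out.append(("REDR", cstring(data, pos + 0x10), None))
        elif sig != b"HASH":                    # URL or LEAK record
            ft = struct.unpack_from("<Q", data, pos + 0x10)[0]
            url_off = struct.unpack_from("<I", data, pos + 0x34)[0]
            out.append((sig.decode().strip(), cstring(data, pos + url_off),
                        filetime_to_datetime(ft)))
        pos += nblocks * BLOCK
    return out

def block(sig, nblocks, fields=(), text=(b"", 0)):
    """Build one record: signature, block count, fixed fields, a C string."""
    b = bytearray(nblocks * BLOCK)
    b[:4] = sig
    struct.pack_into("<I", b, 4, nblocks)
    for off, fmt, val in fields:
        struct.pack_into(fmt, b, off, val)
    s, off = text
    b[off:off + len(s)] = s
    return b

def build_sample():
    """Constructed sample: header, one HASH block, one URL record, one REDR."""
    delta = SAMPLE_TIME - EPOCH
    ft = (delta.days * 86400 + delta.seconds) * 10_000_000
    hdr = bytearray(0x4000)
    hdr[:len(SIGNATURE)] = SIGNATURE
    struct.pack_into("<I", hdr, 0x20, 0x4000)    # first hash table offset
    url = block(b"URL ", 2, [(0x10, "<Q", ft), (0x34, "<I", 0x68)],
                (b"Visited: user@http://www.example.test/page.html", 0x68))
    redr = block(b"REDR", 1, text=(b"http://www.example.test/redirected", 0x10))
    return bytes(hdr + block(b"HASH", 1) + url + redr)
```

Replace build_sample() with the bytes of a real History.IE5\index.dat to list what the "cleared" history still records.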


After exploring this, we will find out:

            a. How these folders have been hidden.
            b. Our line of action.

a. How these folders have been hidden?

There is a file named " DESKTOP.INI " in every folder (go to Folder Options > View > Show All Files to see it). This " DESKTOP.INI " keeps the visual settings pertaining to a particular folder (remember my ' FOLDER.HTT & REDLOF ' spam). In normal cases, DESKTOP.INI contains the following entries:

-----Typical Desktop.ini file-----
[.ShellClassInfo]
CLSID2={450d8fba-ad25-11d0-98a8-0800361b1103}
InfoTip=Stores your documents, graphics, and other files.

-----Hidden Folder's Desktop.ini file------
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
CLSID={FF393560-C2A7-11CF-BFF4-444553540000}


Here the UICLSID hides the folder from Windows Explorer and the CLSID tricks / disables the little " FIND " utility. To prove it, you can do this:

    1. Open up the command prompt from the Start menu.

    2. Type, or copy and paste, this:

            C:\>edit c:\windows\history\desktop.ini

    3. Delete the UICLSID line, save it and exit.

    4. Repeat this for C:\>edit c:\windows\history\history.ie5\desktop.ini

    5. Now fire up your Windows Explorer and go to History folder. You should see all the hidden folders.


After doing this you can break the brick wall around the hidden and other folders, if you want to play with them. A better trick is to delete just the UICLSID and CLSID lines and save the file, instead of completely deleting ' desktop.ini ', because these files are re-created whenever you restart your computer. Got the idea!!!
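The two desktop.ini files above differ only in the UICLSID and CLSID lines, so a folder tree can be audited for shell-hidden folders by reading those lines. The following is an added example (not code from the original text): it walks a tree, reports every folder whose desktop.ini sets UICLSID or CLSID under [.ShellClassInfo], and produces the cleaned desktop.ini the text recommends (the two lines removed, everything else kept). The tree it scans is constructed in a temporary directory, so it runs on any system.

```python
# Added example (not the page's code): audit desktop.ini files for the
# UICLSID/CLSID lines that hide a folder, and strip just those lines.
import os
import tempfile

SECTION = "[.shellclassinfo]"
HIDING_KEYS = ("uiclsid", "clsid")        # the two lines the text says to delete

def hiding_keys(ini_text):
    """Return the UICLSID/CLSID keys set in [.ShellClassInfo], in file order."""
    found, in_section = [], False
    for line in ini_text.splitlines():
        s = line.strip()
        if s.startswith("["):
            in_section = s.lower() == SECTION
        elif in_section and "=" in s:
            key = s.split("=", 1)[0].strip().lower()
            if key in HIDING_KEYS:            # CLSID2 and InfoTip do not match
                found.append(key.upper())
    return found

def strip_hiding_keys(ini_text):
    """Same file with only the UICLSID/CLSID lines of [.ShellClassInfo] removed."""
    kept, in_section = [], False
    for line in ini_text.splitlines():
        s = line.strip()
        if s.startswith("["):
            in_section = s.lower() == SECTION
        elif in_section and s.split("=", 1)[0].strip().lower() in HIDING_KEYS:
            continue
        kept.append(line)
    return "\n".join(kept) + "\n"

def scan(root):
    """Walk root; return {folder: [keys]} for folders whose desktop.ini hides them."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() != "desktop.ini":
                continue
            with open(os.path.join(dirpath, name), encoding="latin-1") as fh:
                keys = hiding_keys(fh.read())
            if keys:
                hits[os.path.relpath(dirpath, root)] = keys
    return hits

# Constructed sample files, copied from the two desktop.ini listings in the text.
NORMAL_INI = ("[.ShellClassInfo]\n"
              "CLSID2={450d8fba-ad25-11d0-98a8-0800361b1103}\n"
              "InfoTip=Stores your documents, graphics, and other files.\n")
HIDDEN_INI = ("[.ShellClassInfo]\n"
              "UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}\n"
              "CLSID={FF393560-C2A7-11CF-BFF4-444553540000}\n")

def build_sample_tree():
    """Constructed tree: 'My Documents' (normal) and 'History' (shell-hidden)."""
    root = tempfile.mkdtemp()
    for folder, ini in (("My Documents", NORMAL_INI), ("History", HIDDEN_INI)):
        os.makedirs(os.path.join(root, folder))
        with open(os.path.join(root, folder, "desktop.ini"), "w") as fh:
            fh.write(ini)
    return root
```

Point scan() at C:\WINDOWS to list the folders this trick hides; write strip_hiding_keys() output back only after the file is unhidden, since it is re-created on restart.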



b. Determine our line of action.

You would probably say " what the heck would MS do after getting info like this on me? ". It's not that simple. The problem is this: WHEN YOU HAVE ASKED IE TO CLEAR THE HISTORY, THEN WHY IS THIS CRAP (INTENTIONALLY) LEFT BEHIND, AND WHY DOES OE NOT DELETE YOUR SENT / RECEIVED MAILS (REMEMBER, EVEN THE ATTACHMENTS ARE NOT DELETED)?

Well, it depends on you... I won't recommend anything. The choice is yours. But if you want to delete this information then you can use the "DELTREE" command from the MS-DOS prompt. But before proceeding to "DELTREE", use "Disk Cleanup" to remove most of the files.

-- WARNING --

If you do not know how to use " DELTREE ", then better not bother with this. Simply unhide the hidden folders (by modifying DESKTOP.INI as above) and then delete them using your mouse.


Deleting with DELTREE:

At command prompt, type these commands:

            CD\WINDOWS
            DELTREE/Y TEMP
            DELTREE/Y COOKIES
            DELTREE/Y HISTORY
            DELTREE/Y TEMPOR~1

Also do this for the data contained at

            C:\WINDOWS\Application Data\Microsoft\Internet Explorer\UserData


Please do this at your own risk... do not hold me responsible for accidental DELTREEING of a SYSTEM folder.




-- Clearing the Windows Registry

The Windows Registry is the central database that contains the operating system's configuration information and other settings. It also contains some other information that is a threat to privacy.

There is an auto-complete feature in MSIE which shows matching URLs as you type a URL. It is an obvious privacy risk. For example, you start typing a URL starting with "D***" and auto-complete gives you a hand and adds "De**b**a".

Keeping this section short, your typed URLs are stored in Registry at:

            HKEY_USERS\Default\Software\Microsoft\Internet Explorer\TypedURLs\
            HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TypedURLs\

For your further information, the URLs are also stored in the USER.DAT file (but please don't mess with this file).

Deleting the URLs in the Registry is simple and safe. Just select them and press Delete.




-- MSN Messenger

Previous versions of MSN Messenger (i.e. older than 6.x) used to store every contact of the .NET Passport user in the Registry at these locations:

            HKEY_CURRENT_USER\Software\Microsoft\MSNMessenger
            HKEY_LOCAL_MACHINE\Software\Microsoft\MessengerService

The contacts are stored under a key called 'Allow x', where ' x ' is any number. This means that anyone who has used a PC at a cyber cafe, a friend's home, etc. completely gives away all his contacts (with e-mail IDs) to anyone who opens up the Registry and checks the above keys. This is not that critical, just a simple privacy issue.

However, MSN Messenger 6 (to the best of my knowledge) does not store any contact information in the Registry. Instead, it uses the ' Application Data ' folder in C:\Windows. Check this location out (if you are using MSN Messenger 6.0):

            C:\WINDOWS\Application Data\Microsoft\MSN Messenger

By the way, I have not been able to extract any useful information from the above mentioned path.



-- Outlook Express

You use OE as your mail client, regularly check your mail and *permanently* delete the mail you don't want from your ' Inbox ' folder. What do you think, is it really deleted...?

No, your mails, once captured by OE, are not deleted by a simple ' select and delete '. Here is my personal experience; read it and try it for yourself if you want to:
   
    1. I permanently deleted a mail containing text " land straight away or I am authorized to shot you down... "

    2. Then I opened up a little " FIND " window, in the ' Containing text: ' field I typed ' I am authorized to shot you ', and set the ' FIND ' criteria to ' *.dbx ' (if you are using OE 6 -- older versions used the *.mbx extension)

    3. Finally, the ' FIND ' ended up with 2 files containing this text, namely:

            inbox.dbx
            deleted items.dbx

    4. I opened these two *.dbx files in NOTEPAD and searched for this ' I am authorized to shot you ' string. Believe me, I could read the whole mail there.


So, what's the P-A here? Simple. Just develop a habit of ' COMPACTING ' all your mail folders in OE. You can compact folders from FILE > FOLDERS > COMPACT ALL. To check whether compacting works or not, you can re-try the above exercise.

In addition to this, you should also regularly find & delete the following *.dbx files:

delete*.dbx
hotmail?-?del*.dbx
sent items*.dbx (if you do not want to keep a copy of sent mails)



-- Find Fast (FF)

Approaching the end of this text, there is another, and the most important, MS data miner. Here is a ' Copy -- Paste ' from the MS-Office Help about Find Fast:

" Find Fast builds indexes to speed up finding documents from the Open dialog box in any Microsoft Office program and from Microsoft Outlook. Find Fast indexes located on Microsoft Windows NT Server can also be used by Office Web Search. When Find Fast is installed with Office, it automatically creates an index on each local drive of your computer to cover all of your Office documents. Find Fast indexes are not created on removable drives or read-only media, such as CD-ROM drives. Once created, an index is automatically updated, so you don't need to do anything to take advantage of faster searching."

The third line says ' creates an index on ... ... all of your Office documents. ' The last five words are not true. In Office 95 there was an option in FF to exclude files from being indexed. But in later versions this option was not included. Here is another ' Copy -- Paste ' from Microsoft.com (unnecessary details omitted):

" When you specify the type of documents to index in the Create Index dialog box, Find Fast includes the document types that are listed in the following table.

    Doc Type          File Name Extension
    --------------    ----------------------------------------
    MS Excel          *.xl* files
    MS PowerPoint     *.pot, *.pot, *.pips files
    MS Project        *.mop, *.mow, *.met, *.mix, *.mad files
    MS Word           *.doc, *.dot, *.ht*, *.txt, *.rtf files
    All files         *.* files
"


The last row is very important: "ALL FILES", which means every single file on your computer is indexed. However, files that are *mostly* binary are not included. But still, files containing text are going to be included in the FF database. Remember that "TEXT" includes all your previously visited web pages from your cache. Check this out yourself:

    1. Open up MS-DOS
    2. Dir FF*.* /ah (to find all FF databases on your HDD)
    3. EDIT /75 %ff%


If you still want to keep FF, okay; if not, you can delete it as follows:

    1. Reboot your computer in MS-DOS mode
    2. Delete the FindFast.CPL from C:\windows\system\
    3. Delete the shortcut (*.lnk) under c:\windows\start menu\programs\startup\
    4. Delete the FindFast.EXE from C:\progra~1\micros~1\office

Another important step is to delete all FF databases. Find them using ' ff*.* ' and delete them. You can also safely delete FFNT.exe, FFSetup.dll, FFService.dll and FFast_bb.dll if you manage to find them.

You can also check the FF log, named ffastlog.txt, which is a hidden file under C:\windows\system.



-- Little about Slack Files

When you delete a file, the whole file is not deleted from the hard disk; only the reference to it (in the FAT) is deleted, by changing the first letter of the file name to ' ? ', and your HD still contains the file (and that's why files can be recovered or undeleted). So, further information about the files you have used can be dug out.

There are many tools that PERMANENTLY delete these files; Norton Utilities also contains a tool to perform this job.



-- Software Recommendations

To do all the discussed jobs the following tools can be used (I'm sorry I cannot provide the links to download them... it would have taken even more time, and this text is already very much delayed). Alternatively, you can automate the ' DELTREE /Y ' commands (mentioned above) by adding these lines to your AUTOEXEC.BAT (it will increase your system's boot time). Here goes the list, but there is, of course, other software that does the same job.

Internet Explorer:
            PurgeIE
            Cache and Cookie Cleaner for IE
            Anonymizer Window Washer
            McAfee QuickClean

Slack Files:
            BC Wipe
            File Wiper
            Freespace Wipe
            Norton Utilities
            Evidence Eliminator

Spyware:
            Ad-Aware [ http://www.lavasoftusa.com/ ]
            Kazaa Cydoor Remover


-- Recommended Reading

www.theregister.co.uk/content/4/18002.html
www.findarticles.com/m0CGN/3741/55695355/p1/article.jhtml
www.mobtown.org/news/archive/msg00492.html
http://194.159.40.109/05069801.htm
www.yarbles.demon.co.uk/mssniff.html
www.macintouch.com/o09security.html
www.theregister.co.uk/content/archive/3079.html
www.fsm.nl/ward/
http://slashdot.org
www.peacefire.org
http://stopcarnivore.org
http://nomorefakenews.com
http://grc.com/steve.htm#project-x


-- References

http://support.microsoft.com/support/kb/articles/Q137/1/13.asp
http://support.microsoft.com/support/kb/articles/Q136/3/86.asp
http://support.microsoft.com/support/kb/articles/Q169/5/31.asp
http://support.microsoft.com/support/kb/articles/Q141/0/12.asp
http://support.microsoft.com/support/kb/articles/Q205/2/89.asp
http://support.microsoft.com/support/kb/articles/Q166/3/02.asp
www.insecure.org/sploits/Internet.explorer.web.usage.logs.html
http://www.parascope.com/cgi-bin/psforum.pl/topic=matrix&disc=514&mmark=all
http://www.hackers.com/bulletin/
http://slashdot.org/articles/00/05/11/173257.shtml
http://peacefire.org/


-- End of file

Remember that whenever you delete the files mentioned in this text (including *.dat), they are recreated every time you restart your computer. So you will have to delete them at regular intervals, so that at least they do not contain any information about you.

Finally, after around 19 days of work and 2 days composing & proofing this text, I have tried every step to keep this text clear and concise.

Queries or comments, may, please be forwarded to me (needed for future work).

I dedicate this to my parents. And again an apology to my friends for taking all the spam from me.

AH


This text is written by Sheikh M. Taimur
and first revised (v.2) on Sept. 20, 2003

May be forwarded without any restrictions
Designed at 800 x 600 resolution
