
Windows Data Privacy & Security

05/29/07

Posted by Dave
5 Star Support Security Specialist

I am writing this paper for those of you who may be concerned with both data security and computer privacy. This can be especially important if you store sensitive data and files on your computer. In my case, I do a lot of security research and am not particularly fond of the idea of anyone else being able to know what is in my files. I also have to be concerned with records of the websites I have to visit during my research, the digital signatures I recover and other such details.

To that end, we will discuss the Windows Indexing Service whose sole purpose is cataloging the contents of your hard drive(s), as well as the contents of files, in order to make local file searching faster. This service creates a number of small databases containing data regarding your disk(s) contents including the actual contents of files and folders. This can undermine your attempts at security and privacy. The indexing procedure creates a scattered secondary volume of your data and much of it can easily be left behind after you delete a file, even if you use a wipe utility. Just for the record, I never simply delete any files. I always erase them using a utility designed to overwrite the file. This erasure includes all data, file names, cluster tips, and alternate data streams.

Although the Indexing Service can be a significant convenience with regard to speed, and enables you to search for strings within files, it is not essential for searching. If your primary concern is privacy and security, read on. Otherwise, this paper is not for you. If you constantly use the service to search for your files or for strings of text within them, the complete privacy and advanced security benefits this paper describes are just about impossible to achieve. In my case, I've never had a problem remembering where I store my files; I both name and locate them for easy recovery later, so I never need to use the file search utility in Windows. If you get into these same habits, you won’t need to use it either.

There are two ways to go here and you can choose either way. One method involves turning off indexing altogether, after which you can wipe all the index files and that will be the end of it. The second choice is to shut off indexing temporarily, wipe the index files, re-enable the indexing service, but with only selected directories to be indexed. With the second method, the Indexing Service can still be used, but you can prevent indexing of directories containing sensitive information. It is, however, a lot to remember.

If you choose the first method, which is what I use, you get the added bonus of freeing up both processor and RAM system resources that would normally be used running a service you may hardly ever use, or may not even want.

I’m sure we have all heard stories about how a computer ‘forensics expert’ was able to retrieve data from a computer to help incriminate a bad guy, and that computers keep records of all our files, and everything we do on the Internet, including all the Websites and Web pages we visit. Well, if you accept all default Windows settings, this is absolutely true, and all this information can be easily recovered if you know what you are doing. In most cases (drive encryption excepted), highly specialized ‘guru’ software is not needed either – don’t believe everything you see on TV or in the movies. We’ll spend more time on this later.

I can tell you from the start that what we are going to do is not something I recommend for a beginner. You will also need patience, because this whole thing can become quite tedious at times and requires the use of Safe Mode as well as a number of system reboots. If you have multiple drives (or a RAID array), the procedure may have to be repeated for each additional hard drive in your system. You will also need a good knowledge of all your applications. For the scope of this paper, we will assume you use the average computer with one internal hard drive (C: drive). If you feel alert and rested, we can now begin.

Windows Indexing Service -

Regardless of which of the two options above you choose, we will have to begin by disabling the Indexing Service and wiping the old index files. First, we need to log on to the system as an administrator and turn off the service:

1. Go to the Start menu and choose Run.

2. Type in services.msc and click OK. This will launch the Services dialogue box.

3. Right-click on Indexing Service and choose Properties. Click Stop if the service is running, then set the Startup type to Disabled. Click Apply and close the dialogue.

4. Go to My Computer. Select Local Disk (C:) from your drives.

5. Right-click the Local Disk (C:) icon and choose Properties from the drop-down menu selection. The Local Disk Properties dialogue box will open. Near the bottom, you will see a tick in the box beside the option: “Allow Indexing Service to index this file for fast file searching”.

6. Clear (uncheck) the tick box, left-click Apply, and in the next dialog select the option “Apply changes to C:\, subfolders and files.” Click OK and reboot the computer.

At this point, the Indexing Service has been disabled, and we can concentrate on wiping index files (*.idx, *.idq, *.ida, and *.htx) that exist. In order to find these files in Windows Explorer, you will have to set the options to display hidden files and system files. To do this, go to Control Panel | Folder Options | Click on the View tab, and tick the circle to ‘Show hidden files and folders’. Then, remove the tick in the box to ‘Hide protected operating system files [Recommended]’.

Next, we need to configure the search companion for the hard drive (C:) because it will not search for everything we need by default. Follow this procedure:

1. Go to My Computer and double left click on your C: drive.

2. Left click the Search icon near the top of the window to open the Search Companion. Be sure Look In: is set to ‘Local Disk [C:]’.

3. Left click ‘Search Options’ or ‘More advanced options’, depending on your system. From the drop down menu, select all of the following that are visible: ‘Search all files and folders’, ‘Search system folders’, ‘Search hidden files and folders’, and ‘Search subfolders’.

Now, we can search for the following file types by typing them into the ‘Search for files and folders named:’ box in the left pane of the window. Type in the following: .idx, .idq, .ida, .htx, and begin your search. Using your wipe utility, wipe any files of these types that do not belong to any of your applications (remember I said you need a good working knowledge of your applications?). You may not find many of these file types on a home system, but it is important to look for them. Any unnecessary files found that do not belong to any of your applications can be wiped with your utility program. You simply right-click on the file you want to eliminate to select it, and then wipe it with your utility program. This may be a tedious job, but you only have to do it once so long as the indexing service remains turned off.
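The disabling and searching steps above, collected into one batch file. This is an added example written for this article, not the author's own script: it assumes Windows 2000/XP, where the Indexing Service's service name is cisvc, and the report file name is a constructed choice. It only lists the index files; wiping stays a manual step with your utility, because some of the matches may belong to one of your applications.

```batch
@echo off
rem Added example (not the article's own script): stops and disables the
rem Indexing Service, then lists the index file types the article names so
rem they can be reviewed before wiping. Assumes Windows 2000/XP, where the
rem service is called cisvc; the report file name is a constructed choice.
rem Run from an administrator account.
setlocal
set REPORT=%SystemDrive%\index-audit.txt

rem Stop the service only if it is running, then set its startup type to
rem Disabled (sc.exe needs the space after "start=").
sc query cisvc | find "RUNNING" >nul
if not errorlevel 1 (
    echo Stopping the Indexing Service...
    sc stop cisvc >nul
)
sc config cisvc start= disabled >nul

rem Search the whole drive; /a includes hidden and system files, which the
rem Search Companion skips unless you change its options as described above.
echo Index file audit %date% %time% > "%REPORT%"
for %%E in (idx idq ida htx) do (
    echo === *.%%E === >> "%REPORT%"
    dir /s /b /a "%SystemDrive%\*.%%E" >> "%REPORT%" 2>nul
)
echo Review "%REPORT%" before wiping anything: matches that belong to one of
echo your applications must be left alone.
endlocal
```

Run it from Start | Run | cmd while logged on as an administrator; afterwards, open the report, decide file by file, and wipe with your utility rather than with del, which does not overwrite the data.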

If you intend to leave the Indexing Service turned off, you are now done with this task. If you want to turn it back on, you need to follow this procedure:

1. Go to the Start menu and choose Run.

2. Type in services.msc and click OK. This will launch the Services dialogue box.

3. Right-click on the Indexing Service to bring up the Properties dialogue box, select ‘Automatic’, and click ‘Apply’. Then click ‘Start’ and exit the dialogue.

4. Go to My Computer and open Local Disk (C:).

5. Browse through your files and right-click on any directory you want to index. Choose ‘Properties’, and then click ‘Advanced’ toward the bottom of the Properties dialogue box.

6. In the Advanced Attributes dialogue box, select the tick-box beside the option ‘For fast searching, allow Indexing Service to index this folder’. Click OK, and you are given the option to include that directory’s subfolders and their files if you want them. Repeat this procedure for each directory you want to have indexed.

By doing this, you can still use the Indexing Service if you like, but you prevent it from making duplicate data traces of the directories that contain your sensitive information files.

If you are a paranoid type, there is a Windows quirk I probably should tell you about here. If you use the Search Companion, with or without the Indexing Service turned on, your search queries are stored in the Windows Registry under HKEY_CURRENT_USER\Software\Microsoft\Search Assistant\ACMru. You can delete this information if you like by using the Windows Registry Editor, but there is no option to write protect it, so the entries will return and be stored there whenever you search for files, whether you like it or not. The entries can be manually deleted with the Registry Editor, but I feel the best way to approach it is simply to be aware of it and take appropriate care when searching your computer for files with sensitive or controversial information. As I said earlier, I name and locate my files for easy retrieval and take good notes, so I don’t need to use a search.
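A small script for inspecting and clearing the ACMru key just described, added here as an example and not part of the article. It uses only reg.exe, which ships with Windows 2000/XP, and runs as the user whose search history is to be cleared.

```batch
@echo off
rem Added example (not from the original article): shows and, on request,
rem clears the Search Companion history the article describes, stored under
rem HKEY_CURRENT_USER\Software\Microsoft\Search Assistant\ACMru.
rem Run it as the user whose history you want to clear; as the article
rem notes, Windows re-creates the key the next time that user searches.
setlocal
set ACMRU=HKCU\Software\Microsoft\Search Assistant\ACMru

rem /s lists the subkeys as well, so every stored term is shown.
reg query "%ACMRU%" /s
if errorlevel 1 (
    echo No stored search terms found.
    goto :done
)

echo.
set /p CONFIRM=Delete the stored search terms listed above? [y/N]
if /i not "%CONFIRM%"=="y" goto :done

rem /f suppresses the confirmation prompt; the whole key goes, subkeys included.
reg delete "%ACMRU%" /f
if errorlevel 1 (echo Could not delete the key.) else (echo Search history cleared.)

:done
endlocal
```

Because the key comes back on the next search, this is something to run after a sensitive search rather than once; it changes nothing until you answer y at the prompt.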

Index.dat files -

Related to all this is another group of important files named ‘index.dat’ that are scattered on your hard drive in numerous locations. Remember earlier we talked briefly about a computer forensics expert being able to retrieve data regarding everywhere a computer has been on the Internet? The key to this is the index.dat files. These files are mini-databases cataloging the contents of directories relating to your Internet behavior. Your search queries, cookies, web history and other peculiar items are recorded in these files. You can easily delete the contents of Internet Explorer directories (history, cookies, temporary files), but you cannot easily delete the index.dat files that record their contents. Interestingly enough, it seems that Microsoft does not want you to play with these index files, so if you attempt to access or display them, access will be denied, even to an Administrator. This is because these files are ‘open’, or in use, even when Internet Explorer is not running.

In order to remove the index.dat files, we will need to restart the computer in Safe Mode as follows:

1. Reboot the computer.

2. As the computer boots, but before Windows starts, press the F8 key.

3. After the startup screen appears, use the arrow keys to highlight the Safe Mode option, and press Enter.

4. After Windows starts in Safe Mode, you will be able to do a file search for the .dat files on your computer. After the file search finds and displays the .dat files on the hard drive, select them all and wipe them.

Some file wipe utilities will work in the Safe Mode, while others will not. I cannot predict this for you because I do not know what utility you are using. If your utility does not work in Safe Mode, you can delete the files, restart Windows normally, and then wipe the free space and file slack space on the hard disk.

We’re not quite done yet, and I have more news for you. Even after you wipe all these files, Windows will re-create them as soon as you reboot, and start storing data in them again. The key here is to wipe all the .dat files, reboot, and then write protect them. It is also important to do a search for .dat files occasionally because Windows may create additional .dat files during normal computer use.

There are numerous utility programs available that claim to remove these files while Windows is running normally. If you wish to check into them, just do a Web search using ‘index.dat’ as a search term and you will find links to many such tools. I have another method along with several other recommendations for you toward the end of this paper. Before we get to that, we need to first discuss System Restore for users of Windows versions newer than Windows 2000, as well as temporary files.

System Restore -

System Restore is a useful Windows feature, but it is not without both privacy and security implications. System Restore creates snapshots of the system state at periodic intervals that are referred to as restore points. If your system becomes damaged by, for instance, a bad software install or some form of malware, a user can roll back their system to a prior point when everything was known to be working normally. Although this is a real convenience, it is no replacement for properly backed up data to removable media, or to an external hard drive, methods that I much prefer, and it does not work as well as a good specialized go back utility. In fact, I never store any data on my internal C: drive at all. My C: drive contains my operating system, applications and utilities only. All data and files are stored on other drives. I suggest you might consider doing the same.

In an ideal world, system contents backed up to the C:\Restore directory would not contain any personal data, but this assumes that the user did not unknowingly store sensitive files in directories that will be backed up. It is also possible that viruses or other malware will remain in the C:\Restore directory when infected files are backed up. These infected files defy removal by many anti-virus and anti-malware products because they are located in a protected directory, and when you use System Restore you will restore the malware or viruses as well.

As you can see, System Restore is great for convenience, but bad for privacy and security. You have to decide if it is worth the risk of using it. If you decide not to use System Restore, here is how to turn it off:

1. Go to Start | Settings | Control Panel | System and launch the System Properties dialog (or right-click on My Computer and choose Properties).

2. Choose the System Restore tab at the top of the System Properties dialog box and place a tick in the box on the line reading “Turn off System Restore”. Click on OK.

3. Go to the Start menu, choose Run, and type in services.msc to launch the Services dialog. Find the System Restore Service, stop it if it is running, set it to Disabled, click Apply, and close the dialog box.

Temporary Files –

Depending on how old your computer is and how much work you do with it, there can be hundreds or even thousands of temporary files on your machine. Most of them are automatically deleted on shutdown, but in the event of a power outage or system crash they are all left behind on the hard drive. They are located in many different places and are created for a lot of different reasons, and it is impossible to predict what these files contain. One example is working with a word processor file, as I was when I wrote this paper. A word processor periodically creates a temporary version of the document so that if your system goes down, the document will be very easy to recover and very little work will be lost.

Now, what if the document you were working on contained sensitive information that you intended to encrypt before storing it on your hard drive? If the power went out or the system went down, a temporary version of the document would still be stored on the hard drive, in the documents directory, in clear text. Memory swapping can also leave a copy of the contents in the swap file, just as the Indexing Service stores them in its index.

In a Windows based machine, these files are stored in a directory named ~\Temp or ~\temp and have the file extension .tmp. You may want to wipe these files from your drive occasionally. Using the Search Companion for your C: drive, enter .tmp and do a file search (making sure the search is not case sensitive). Check out the files and wipe any you find. Wipe any Temporary Internet files while you are at it.
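An audit script for the temporary files this section describes, added here as an example and not part of the article: it lists leftover .tmp files in the system and per-profile Temp folders, everything under each profile's Temporary Internet Files, and, if you pass a folder name, the .tmp files a word processor may have left beside your documents. The profile layout assumed is the Windows 2000/XP "Documents and Settings" one, and the report file name is my own choice. It only reports; the wiping remains a job for your wipe utility.

```batch
@echo off
rem Added example (not part of the original article): list leftover .tmp
rem files in the usual temporary locations, plus everything in the
rem Temporary Internet Files cache, so they can be reviewed and then wiped.
rem Assumes the Windows 2000/XP "Documents and Settings" layout; the
rem report file name is a constructed choice. Run from an administrator
rem account so other users' profiles are readable.
setlocal
set REPORT=%SystemDrive%\tmp-audit.txt
set PROFILES=%SystemDrive%\Documents and Settings
echo Temporary file audit %date% %time% > "%REPORT%"

rem System-wide temp folder; /a includes hidden and system files.
echo === %WINDIR%\Temp === >> "%REPORT%"
dir /s /b /a "%WINDIR%\Temp\*.tmp" >> "%REPORT%" 2>nul

rem Each profile keeps its own Temp and Temporary Internet Files folders.
for /d %%P in ("%PROFILES%\*") do (
    if exist "%%P\Local Settings\Temp" (
        echo === %%P\Local Settings\Temp === >> "%REPORT%"
        dir /s /b /a "%%P\Local Settings\Temp\*.tmp" >> "%REPORT%" 2>nul
    )
    if exist "%%P\Local Settings\Temporary Internet Files" (
        echo === %%P\Local Settings\Temporary Internet Files === >> "%REPORT%"
        dir /s /b /a "%%P\Local Settings\Temporary Internet Files\*" >> "%REPORT%" 2>nul
    )
)

rem Word processors also leave recovery copies beside the document itself,
rem as the article describes, so check a document folder given as argument 1.
if not "%~1"=="" (
    echo === %~1 === >> "%REPORT%"
    dir /s /b /a "%~1\*.tmp" >> "%REPORT%" 2>nul
)

rem Count the entries: every report line except the headers and the title.
for /f %%N in ('find /c /v "===" ^< "%REPORT%"') do set /a COUNT=%%N-1
echo %COUNT% file(s) listed in "%REPORT%"
endlocal
```

Run it as, for example, tmpaudit.cmd "C:\My Documents" and read the report before wiping; files that are open in a running program will reappear, so close your applications first.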

Final Thoughts –

Before leaving, I have a few thoughts and recommendations for you. You can take them or leave them; the choice is yours.

On a Windows based machine, we all need to have Internet Explorer installed for use with Windows Update, Microsoft Update, Office Update and other programs that might specifically require it. You need it because it supports the ActiveX controls needed to download the files. You have seen from this paper the results of using Internet Explorer exclusively, and all the files it creates, especially index.dat files. I recommend you use Internet Explorer for these purposes only and nothing else. You don’t really need it for anything else.

For all your other Internet needs, consider using Mozilla Suite or Firefox as a browser. Once installed and configured, use the above procedure to find and wipe the index.dat files created, write protect them after a reboot, and you are done with it. No future worries. A special tip for Firefox users: under Tools | Options, go to the Privacy tab and select the cookies and passwords you want to save as exceptions; tick the box ‘Accept cookies from sites’ and select to keep them only until you close Firefox; then tick the box ‘Always clear my private data when I close Firefox’. By doing this, all your cookies and personal data are dumped every time you close Firefox instead of being saved.

If you are searching for a good wipe utility, you might want to consider Eraser v 5.3 available (free) from Source Forge here:

http://sourceforge.net/projects/eraser/

As a final assist to your efforts, the procedure below is what you can do to automatically wipe out index.dat files on a Windows 2000 Professional or a Windows XP Professional machine during each shutdown. This automatic method does not work on Windows XP Home edition computers. If you are at all squeamish about scripts or don’t know how to work with system files, you may want to leave this alone until you gain more knowledge.

Instructions for Windows 2000/XP Professional users (assumes Internet Explorer 6; older systems may have IE 5, but the cache folder is named Content.IE5 in either case, as the appendix shows):

In this example the username is Administrator. Replace Administrator with your username. You will need to add any additional users on your computer to the script as well. Do not confuse All Users, Default User, LocalService or NetworkService as being users. Repeat the entire script for each separate user.

Open Notepad and type in the following:

rem del /f removes read-only files, /q skips the confirmation prompt, and /a
rem includes hidden and system files, which index.dat files normally are.
rem The cache folder is named Content.IE5 even with IE 6 installed (see the
rem appendix for the full list of index.dat locations).
del /f /q /a "C:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\UserData\index.dat"
del /f /q /a "C:\Documents and Settings\Administrator\Cookies\index.dat"
del /f /q /a "C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat"
del /f /q /a "C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat"
del /f /q /a "C:\Documents and Settings\Administrator\UserData\index.dat"
del /f /q /a "C:\Documents and Settings\Default User\Cookies\index.dat"
del /f /q /a "C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\index.dat"
del /f /q /a "C:\Documents and Settings\LocalService\Cookies\index.dat"

In Notepad, save the file with the name “IndexDat.cmd” (with the quotes).

Your file should now be named IndexDat.cmd and not IndexDat.cmd.txt.

Copy the IndexDat.cmd file you just created to the following folder (depending on where your operating system resides):

C:\Winnt\System32\GroupPolicy\Machine\Scripts\Shutdown

or

C:\Windows\System32\GroupPolicy\Machine\Scripts\Shutdown

IndexDat.cmd should now be in the Shutdown folder.

Go to Start | Run and type in gpedit.msc and click OK.
Open Computer Configuration | Windows Settings | Scripts (Startup/Shutdown) and double click Shutdown.
Click the Add button and browse to the IndexDat.cmd file in the Shutdown folder.
Highlight this file, click Open, and then OK twice.

From now on, when you shut down your computer, it should wipe out the index.dat files.
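A generalized version of IndexDat.cmd, added here as an example (it is not the article's script). It finds index.dat under every profile in Documents and Settings instead of listing each user by name, so the Content.IE5, History.IE5 and MSHist folders are covered automatically, and it takes a parameter so the same file can serve both as the shutdown script (delete) and, as the index.dat section above recommends for after the reboot, as a startup script that write protects the recreated files (protect). It assumes Windows 2000/XP Professional with the Documents and Settings layout.

```batch
@echo off
rem Added example (not the article's script): a version of IndexDat.cmd that
rem finds index.dat under every profile in Documents and Settings, so users
rem do not have to be listed by name and the Content.IE5, History.IE5 and
rem MSHist* folders are covered automatically.
rem   IndexDat.cmd delete    remove the files    (use as the Shutdown script)
rem   IndexDat.cmd protect   make them read-only (use as a Startup script)
rem Assumes Windows 2000/XP Professional; run from Group Policy the script
rem executes as SYSTEM, so the files are not held open by a logged-on user.
setlocal
set PROFILES=%SystemDrive%\Documents and Settings
set ACTION=%~1
if "%ACTION%"=="" set ACTION=delete
set COUNT=0

for /d %%P in ("%PROFILES%\*") do (
    rem dir /s searches the whole profile; /a includes hidden and system files.
    for /f "delims=" %%F in ('dir /s /b /a "%%P\index.dat" 2^>nul') do (
        if /i "%ACTION%"=="protect" (
            rem attrib refuses to change a hidden or system file, so clear
            rem those attributes in the same command that sets read-only.
            attrib -s -h +r "%%F"
        ) else (
            rem /f also removes files made read-only by an earlier protect run.
            del /f /q /a "%%F"
        )
        set /a COUNT+=1
    )
)
echo %ACTION%: %COUNT% index.dat file(s) processed.
endlocal
```

In gpedit.msc, add the same file twice: under Shutdown with Script Parameters set to delete, and under Startup with protect. Remember that del removes the files without overwriting them, so follow it with the free-space wipe the index.dat section recommends.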

Until next time here on 5 Star Support, Happy Computing!

Dave

Appendix –

If you have Windows Vista, the index.dat files are in these locations (note that on your PC they can be on another drive instead of drive C):
C:\Users\<username>\Roaming\Microsoft\Windows\Cookies\index.dat
C:\Users\<username>\Roaming\Microsoft\Windows\Cookies\Low\index.dat
C:\Users\<username>\Local\Microsoft\Windows\History\History.IE5\index.dat
C:\Users\<username>\Local\Microsoft\Windows\History\History.IE5\Low\index.dat
C:\Users\<username>\Local\Microsoft\Windows\History\History.IE5\MSHistXXXXXXXXXXX\index.dat
C:\Users\<username>\Local\Microsoft\Windows\History\History.IE5\Low\MSHistXXXXXXXXXXX\index.dat
C:\Users\<username>\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
C:\Users\<username>\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\index.dat
C:\Users\<username>\Roaming\Microsoft\Internet Explorer\UserData\index.dat
C:\Users\<username>\Roaming\Microsoft\Internet Explorer\UserData\Low\index.dat

If you have Windows XP or Windows 2000, the index.dat files are in these locations (note that on your PC they can be on another drive instead of drive C):
C:\Documents and Settings\<username>\Cookies\index.dat
C:\Documents and Settings\<username>\Local Settings\History\History.IE5\index.dat
C:\Documents and Settings\<username>\Local Settings\History\History.IE5\MSHistXXXXXXXXXXX\index.dat
C:\Documents and Settings\<username>\Local Settings\Temporary Internet Files\Content.IE5\index.dat
C:\Documents and Settings\<username>\UserData\index.dat
If you have only one user account on Windows XP or Windows 2000 then replace <username> with Administrator to get the paths of all index.dat files.

If you have Windows Me, Windows 98, Windows NT or Windows 95 then index.dat files are in these locations:
C:\Windows\Cookies\index.dat
C:\Windows\History\index.dat
C:\Windows\History\MSHistXXXXXXXXXXXXXXXXXX\index.dat (XXXX are some digits)
C:\Windows\History\History.IE5\index.dat
C:\Windows\History\History.IE5\MSHistXXXXXXXXXXXXXXXXXX\index.dat
C:\Windows\Temporary Internet Files\index.dat (only in Internet Explorer 4.x)
C:\Windows\Temporary Internet Files\Content.IE5\index.dat
C:\Windows\UserData\index.dat
C:\Windows\Profiles\<username>\Cookies\index.dat
C:\Windows\Profiles\<username>\History\index.dat
C:\Windows\Profiles\<username>\History\MSHistXXXXXXXXXXXXXXXXXX\index.dat
C:\Windows\Profiles\<username>\History\History.IE5\index.dat
C:\Windows\Profiles\<username>\History\History.IE5\MSHistXXXXXXXXXXXXXXXXXX\index.dat
C:\Windows\Profiles\<username>\Temporary Internet Files\index.dat (only in IE 4.x)
C:\Windows\Profiles\<username>\Temporary Internet Files\Content.IE5\index.dat
C:\Windows\Profiles\<username>\UserData\index.dat
Note that on your computer the Windows directory may not be C:\Windows but some other directory. If you don't have a Profiles directory in your Windows directory, don't worry; this just means that you are not using user profiles.
