View Full Version : microsofts hidden files.



rrrjr
05-26-01, 10:18 PM
sorry this is so long but i got it in an e-mail.



The Dark Side of the Internet On KFI-AM 640
Microsofts Hidden Files


Sorry for the delay but we didn't want to send this out before trying it on our own computers and making sure it wasn't dangerous. I provide the entire text of the original source for this information at the end. I can't endorse or recommend anything beyond what I did to my own computer. There is some dispute as to the purpose of these hidden files and whether or not they are in fact hidden. That doesn't matter to me. I just don't want my entire history stored on my computer when I think I deleted it. One word of warning: If you delete all of your cookies you will have to reenter information for personalized websites such as your homepage or if you do online banking etc. You may want to download a cookie manager program such as cookie jar or cookie crusher, both of which should be available at zdnet.com. Deleting the index.dat file in your cookie folder, however, should not affect your online browsing because it only contains a record of all your cookies. The first section of this document tells you how to get rid of the hidden files right away. It's what I did and it was very easy. If you insist on going beyond the first section it's at your own risk, but since we don't believe in censorship it's all in the second section. So here's what I did to my computer with no ill effects.



Tim Kelly

Kevin Mitnick (did not touch a computer at any time during the writing of this letter)
_______________________________________________________________________________.



Microsoft's Really Hidden Files v1.9
By The Riddler
4/16/01



There are folders on your computer in which you will find two (major) things: Microsoft Internet Explorer has been logging all of the URLs you have ever visited -- even after you've cleared your cache, and Microsoft's Outlook and Outlook Express has been logging ALL of your e-mail correspondence -- even after you've erased them from your trash bin. (This also includes all incoming and outgoing e-mail attachments.)



For Internet Explorer



1) Shut your computer down, and turn it back on.



2) While your computer is booting hold down the [Ctrl] key until you are given an option screen.



3) Choose "Command Prompt Only" (This will take you to DOS.)



4) When your computer is done booting, you will have a C:\> followed by a blinking cursor. Type these commands, hitting enter after each line.



CD\WINDOWS\TEMPOR~1\

DELTREE/Y CONTENT.IE5



(If that didn't work then type this:)

CD\WINDOWS\APPLIC~1\TEMPOR~1

DELTREE/Y CONTENT.IE5



(If that didn't work then type this:)

CD\WINDOWS\LOCALS~1\TEMPOR~1

DELTREE/Y CONTENT.IE5

5) This will take a ridiculous amount of time to process. The longer it
takes, the more records Microsoft had stored about you. When it gets done
erasing that folder, then type this:

CD\
DELTREE/Y WIN386.SWP


CD WINDOWS
DELTREE/Y COOKIES
DELTREE/Y WIN386.SWP
DELTREE/Y HISTORY



IF YOU HAVE Outlook OR OUTLOOK EXPRESS INSTALLED

1) Backup any e-mail that you wish to save. (Print them out, or forward them to another box.)

Drop back to your DOS prompt and type this:

dir *.mbx /s/p
dir *.mbx /s/p/ah

The files you are looking for are:

INBOX.MBX
OUTBOX.MBX
SENTIT~1.MBX
DELETE~1.MBX
DRAFTS.MBX

If these files come up they will be listed in either of these folders:

C:\Windows\Application Data\Microsoft\Outlook Express\Mail\
C:\Program Files\internet mail and news\%USER%\mail\

Now type either of the following (depending on the location of your .mbx files...)

CD\WINDOWS\APPLIC~1\MICROS~1\OUTLOO~1
DELTREE/Y MAIL

Or

CD\PROGRA~1\INTERN~1\%USER%
(replace "%user%" with the proper name.)
DELTREE/Y MAIL

KEEPING MICROSOFT INTERNET EXPLORER

If you want to keep using Microsoft Internet Explorer then you may want to check out some of these programs:

1) PurgeIE / www.aandrc.com/purgeie (pur401.exe)
2) Anonymizer Window Washer / www.anonymizer.com/anonwash (anonwashtrial.exe)
3) Cache and Cookie Washer for IE / www.webroot.com/washie.htm (?)

________________________________________________

Okay, that's the end of the easy part. If you do the previous steps periodically you can be pretty sure your every move isn't being watched. Now here's the entire posting from the hacker's website. The Darkside of the Internet cannot endorse anything beyond this point.





Second Section
Topic: Microsoft's Really Hidden Files v1.9

Posted 04-16-2001 05:32 PM



Microsoft's Really Hidden Files v1.9
By The Riddler
4/16/01
(v1.0 originally written by me on 6/11/00)

---( DISCLAIMER )-------------------------------------------------------------

I will not be liable for any damage or lost information. Whether it is due to
reader's error, or any other reason. If you read and apply this information
you are doing so at your own risk.

---( SUMMARY )----------------------------------------------------------------

There are folders on your computer in which you will find two (major) things:
Microsoft Internet Explorer has been logging all of the URLs you have ever
visited -- even after you've cleared your cache, and Microsoft's Outlook and
Outlook Express has been logging ALL of your e-mail correspondence -- even
after you've erased them from your trash bin. (This also includes all incoming
and outgoing e-mail attachments.)

Some of these files will only be found in DOS while some of these folders can
only be found in Windows Explorer. Additionally, there are some folders that
will be displayed by neither DOS nor Explorer -- but can only be found using a
workaround. If you didn't know these files existed then the chances of you
running across them is slim to slimmer. 99% of the information contained here
I figured out on my own. So if there is a mistake somewhere, then it is MY
mistake and I apologize.

A lot of people might try to justify Microsoft's actions. A lot of people
might try and disregard this tutorial as crazy paranoia. I envy your comfort. But for the sake
of learning, I urge you to keep reading.

Thanks.

---( INDEX )------------------------------------------------------------------

1.0) DEFINITIONS AND ACRONYMS.

2.0) WHY YOU SHOULD ERASE THESE FILES.

3.0) HOW TO ERASE THE FILES ASAP. (Recommended for the non-savvy.)
3.1) If You Own Microsoft Internet Explorer.
3.2) Clearing Your Registry.
3.3) If You Own Outlook or Outlook Express.
3.4) Slack files.
3.5) Keeping Microsoft Internet Explorer. (Not recommended.)

4.0) STEP-BY-STEP GUIDE THROUGH YOUR HIDDEN FILES. (For the savvy.)

5.0) A LOOK AT OUTLOOK.

6.0) HOW MICROSOFT DOES IT.

7.0) +S MEANS [S]ECRET NOT [S]YSTEM.

8.0) THE TRUTH ABOUT FIND FAST.
8.1) Removing Find Fast.

9.0) HOW HARD MICROSOFT TRIED TO KEEP PEOPLE FROM FINDING ABOUT IT.

10.0) FINAL NOTE AND CONTACT INFO.
10.1) Recommended reading.

11.0) REFERENCES

---( 1.0) DEFINITIONS AND ACRONYMS )------------------------------------------

DOS = Disk Operating System
MSIE = Microsoft Internet Explorer
TIF = Temporary Internet Files (folder)
HD = Hard Drive
OS = Operating System

---( 2.0) WHY SHOULD I ERASE THESE FILES? )-----------------------------------

1) Besides the glaring security risks.
2) Besides the fact that Microsoft is keeping these logs intentionally. (For
reasons I can only imagine.)
3) These files can take up huge amounts of disk space. I've personally
inspected a computer with almost 100 megs of this stuff, so you can imagine
how much this can slow your computer down. After following these instructions
you will probably notice a great improvement in performance.

---( 3.0) HOW TO ERASE THE FILES ASAP )---------------------------------------

Step by step information on how to erase these files as soon as possible.
This section is recommended for the non-savvy. Further explanation can be
found in Section 4.0. Please note that following these next steps will erase
all your cache files, all your cookie files, and all of your e-mail
correspondence. If you use the offline content feature with MSIE, following
these next steps will remove this so you will have to download it again.

---( 3.1) IF YOU OWN A COPY OF MICROSOFT INTERNET EXPLORER )------------------

1) Shut your computer down, and turn it back on.
2) While your computer is booting hold down the [Ctrl] key until you are
given an option screen.
3) Choose "Command Prompt Only" (This will take you to DOS.)
4) When your computer is done booting, you will have a C:\> followed by a
blinking cursor. Type these commands, hitting enter after each.

CD\WINDOWS\TEMPOR~1\
DELTREE/Y CONTENT.IE5

(If that didn't work then type this:)

CD\WINDOWS\APPLIC~1\TEMPOR~1
DELTREE/Y CONTENT.IE5

(If that didn't work then type this:)

CD\WINDOWS\LOCALS~1\TEMPOR~1
DELTREE/Y CONTENT.IE5

(If this still does not work, and you are sure you are using MSIE5, then
please e-mail me. Finding the location of these is a mission, and I'd
certainly like to know where else MSIE likes to hide its cache. I believe
older versions of MSIE keep them under "c:\windows\content".)

5) This will take a ridiculous amount of time to process. The longer it
takes, the more records Microsoft had stored about you. When it gets done
erasing that folder, then type this:

CD\
DELTREE/Y TEMP
DELTREE/Y WIN386.SWP
CD WINDOWS
DELTREE/Y COOKIES
DELTREE/Y TEMP
DELTREE/Y WIN386.SWP
DELTREE/Y HISTORY

---( 3.2) CLEARING YOUR REGISTRY )--------------------------------------------

Reboot your computer and wait for Windows to load back up.

1) Drop to DOS and type this at prompt:
("Start" > "Program Files" > "MS-DOS Prompt")

regedit

2) Your Registry Editor will popup. Go to "Edit" > "Find"
3) Type in "TypedURLs" and then hit [Find Next]. You will be taken to all the
places you've typed in URLs manually.
4) Erase any URLs that you find. Do not erase the folders.
(They will be called "01," "02," "03," etc...) Double click on them to make
sure they are URLs. I found mine here:

HKEY_USERS/Default/Software/Microsoft/Internet Explorer/TypedURLs/
HKEY_CURRENT_USER/Software/Microsoft/Internet Explorer/TypedURLs/

5) And while you're in here you might as well go here:

HKEY_LOCAL_MACHINE/Software/Microsoft/Windows/Current Version/Explorer/
RemoteComputer/NameSpace/{d6277990-4c6a-11cf-8d87-00aa0060f5b5}

6) Delete the {d6277990-4c6a-11cf-8d87-00aa0060f5b5} key. This will make your
searches perform much faster.

---( 3.3) IF YOU HAVE OUTLOOK OR OUTLOOK EXPRESS INSTALLED )------------------

1) Install another e-mail program like Eudora, or Pegasus Mail. Make sure
everything is setup correctly. (www.eudora.com / www.pmail.com)
2) Backup any e-mail that you wish to save. (Print them out, or forward them
to another box.)
3) Uninstall Outlook

Warning, this conveniently does not erase any e-mail correspondence. To
double check drop back to your DOS prompt and type this:

dir *.mbx /s/p
dir *.mbx /s/p/ah

The files you are looking for are:

INBOX.MBX
OUTBOX.MBX
SENTIT~1.MBX
DELETE~1.MBX
DRAFTS.MBX

If these files come up they will be listed in either of these folders:

C:\Windows\Application Data\Microsoft\Outlook Express\Mail\
C:\Program Files\internet mail and news\%USER%\mail\

(If the mbx files are located anywhere else then you probably don't want to
delete them since they aren't from outlook. If they are from outlook,
however, then please e-mail me.)

Now type either of the following (depending on the location of your .mbx
files...)

CD\WINDOWS\APPLIC~1\MICROS~1\OUTLOO~1
DELTREE/Y MAIL

Or

CD\PROGRA~1\INTERN~1\%USER%
(replace "%user%" with the proper name.)
DELTREE/Y MAIL

---( 3.4) SLACKFILES )--------------------------------------------------------

As you may already know, deleting files only deletes the references to them.
They are in fact still sitting there on your HD and can be easily recovered by
anyone.

- BCWipe is a nice program that will clear these files. (www.bcwipe.com)
- For you DOS buffs, there's a program called FileDust that got a 5 star
rating on ZDNET, if that matters. (www.qwerks.com/product.asp?ProductID=529)
- If you are using PGP then there is a [Freespace Wipe] option under PGPtools.
- You might want to check out Evidence Eliminator's 30-day trial. This is
probably the best program as far as your privacy goes.

---( 3.5) KEEPING MICROSOFT INTERNET EXPLORER )-------------------------------

If you insist on using Microsoft Internet Explorer then I strongly recommend
that you check out some of these programs:

1) PurgeIE / www.aandrc.com/purgeie (pur401.exe)
2) Anonymizer Window Washer / www.anonymizer.com/anonwash (anonwashtrial.exe)
3) Cache and Cookie Washer for IE / www.webroot.com/washie.htm (?)

I have already tried and tested some other programs and you'd be surprised on
how many of them DON'T pass the tests. For example HistoryKiller 2001 claims
it erases all the files, but don't count on it. Future releases of this
tutorial will give full analysis and ratings of these programs.

---( 4.0) STEP-BY-STEP GUIDE THROUGH YOUR HIDDEN FILES )----------------------

This next section is for those of you who are more interested in learning the
ins and outs of your computer. This section is intended for the savvy user.

1) First thing you do is drop to DOS and type this at prompt:

c:\windows\explorer /e,c:\windows\tempor~1\content.ie5\
(in all lowercase)

You see all those alphanumeric names listed under "content.ie5?" (left-hand
side.) That's Microsoft's idea of making this project as hard as possible.
(Earlier versions of Internet Explorer simply called them "cache#.") These
are your alphanumeric folders that MSIE has created to keep your cookies and
cache. Write these names down. (They should look something like this:
6YQ2GSWF, QRMTKLWF, U7YHQKI4, 7YMZ516U, WQK6Z9UV, etc...) If you click on any
of these folders then nothing will be displayed. Not because there aren't any
files here, but because Windows Explorer has lied to you. If you want to view
the contents of these alphanumeric folders you will have to do so in DOS.
(Actually, there is a workaround that Skywalker taught me, but it's a little
bit harder to explain. I promise to cover this tip in the next version.)

2) Restart in MS-DOS mode.
(Note, you must restart because windows has "locked" down some of the files.)
3) Type this in at prompt.

CD\WINDOWS\TEMPOR~1\CONTENT.IE5
CD %alphanumeric%
(replace the "%alphanumeric%" with the first name that you just wrote down.)
DIR/P

*Note: Not only are you in a folder that DOS claims does not exist, but you
are now looking at cache/cookies that Windows Explorer claims do not exist.

Anyway, these folders are directly responsible for the mysterious erosion of
HD space you may have been noticing. Just a couple interesting things you can
find in here:

- Not the originals, but *copies* of your cookie files.
- Pictures from all those porn sites you've visited.
- Other internet cache files completely wasting your HD space.
- If you use hotmail (or any webmail) you can probably see some of your old
messages laying around here. To see them for yourself, copy them into
another directory and open them with your browser.
- Retrieving your personal information from these cookies is a snap. For
example if you've ever shopped at Amazon.com then there's access to your name
and e-mail. If you're a user on Hollywood.com then there's your city, state,
and zip. MP3.com keeps some goodies as well.

Anyway, feel free to check out all your alphanumeric folders, before going on
to the next step...

5) Type in this:

CD\WINDOWS\TEMPOR~1\CONTENT.IE5
ATTRIB -H INDEX.DAT
ATTRIB -A INDEX.DAT
EDIT /75 INDEX.DAT (or "EDIT /16 index.dat")

You will be brought to a blue screen with a bunch of binary.

6) Press and hold the [Page Down] button until you start seeing lists of URLs.

These are all the sites that you've ever visited as well as a brief
description of each. You'll notice it records everything you've searched for
in a search engine in plain text, (in addition to the URL.)

7) When you get done searching around you can go to "File" > "Exit."

8) Next you'll probably want to erase these files by typing this:

DELTREE/Y C:\WINDOWS\TEMPOR~1\
(replace "c:\windows\tempor~1\" with the location of your TIF folder if
different.)

Then go check out your History...

9) Type this:

CD\WINDOWS\HISTORY\HISTORY.IE5
ATTRIB -H INDEX.DAT
ATTRIB -A INDEX.DAT
EDIT /75 INDEX.DAT (or "EDIT /16 index.dat")

You will be brought to a blue screen with more binary.

10) Press and hold the [Page Down] button until you start seeing lists of URLS
again.

This is another recording of the sites you've visited. There also may be some
other things in here. E-mail me if you find anything interesting. I will
share with you a snippet of what I found in *my* index.dat.
-----------------
Client UrlCache
MMF Ver 5.2 @[1][1]
@ 3 yi


O : +0
0

}* 5.t
xt 
5 9

MS 6 C:\ %

[1][1] \\DAV E'S
HD .TXT
\MSIE5.
C:\
-----------------

Did you note the "C:\" and "\\DAVE'S HD\MSIE5.TXT"?

"Dave" is the fictitious name that I use on my computer. "Dave's HD" is the
name of my root folder on my LAN. "MSIE5.TXT" is the name of a text file that
I've been saving on my computer. It contains research from THIS project that
I've been working on. Mostly urls and notes.

Do you see anything wrong with this picture? It took notice of a file on my
HD, folks. MY HARD DRIVE. Not only that, but it is saving it in a folder
that cannot be seen by either DOS or Windows Explorer. Is it a coincidence
that this file was related to the research of this tutorial?

Obviously, my first suspicion was that Microsoft was scanning my HD and
logging any "sensitive" information. In this case, my msie5.txt probably had
something in it that Microsoft didn't like. To read more about my findings
read "THE TRUTH ABOUT FIND FAST" in section 8.0.

1) If you're still with me type this:

CD\WINDOWS\HISTORY

2) check out the mmXXX.dat files, then type:

CD\WINDOWS\HISTORY\HISTORY.IE5
CD MSHIST~1
ATTRIB -H
ATTRIB -A
EDIT /75 INDEX.DAT (or "EDIT /16 index.dat")

More URLs from your internet history. Note there are probably other mshist~x
folders here.

3) You can repeat these steps for every occurrence of the mshistxxxxxxx file.

4) By now you'll probably want to type in this:

CD\WINDOWS
DELTREE/Y HISTORY

This is about it as far as I know. You may also want to take a look at your
*.mbx files if you own Outlook. (dir *.mbx) More detailed information is
covered in the next chapter.

If you plan on searching around your computer for other hidden folders, there
is a DOS-based search utility that I strongly recommend. It will display
"really hidden folders" and it is called locate.com. I don't know where to
find it so you'll have to search the net for "Charles Dye" "v1.26" or
something like that. If you're really desperate then you can e-mail the
author at raster@highfiber.com.

---( 5.0) A LOOK AT OUTLOOK )-------------------------------------------------

Would you think twice about what you said if you knew it was being recorded?
E-mail correspondence leaves a permanent record of everything you've said --
even after you've told Outlook to erase it. You are given a false sense of
security since you've erased it twice, so surely it must be gone. The first
time Outlook simply moves it to your "Deleted Items" folder. The second time
you erase it Outlook simply "pretends" it is gone. The truth is your messages
are still being retained in a "really hidden folder."

Furthermore, as if that wasn't disturbing enough, Outlook also keeps records
of EVERY SINGLE file attachment in an ENCRYPTED database. Can you believe
this, folks?

For example, I attached a zipfile, but my outbox.mbx file recorded this:

UEsDBBQAAAAIACeFjip9jZkaEAAAAFAAAAADAAAAQUFBrcCBAAAAAIAg1vgpljizAFBLAwQUAAAA
CAArhY4qOPhNMxAAAABQAAAAAwAAAEJCQq3AgQAAAACAINf4JZY4swBQSwMEFAAAAAgALoWOKsTW
Lp0QAAAAUAAAAAMAAABDQ0OtwIEAAAAAgCDY+CGWOLMAUEsDBBQAAAAIADKFjiqyEuVgEAAAAFAA
AAADAAAARERErcCBAAAAAIAg2fgdljizAFBLAQIUABQAAAAIACeFjip9jZkaEAAAAFAAAAADAAAA
AAAAAAEAIAAAAAAAAABBQUFQSwECFAAUAAAACAArhY4qOPhNMxAAAABQAAAAAwAAAAAAAAABACAA
AAAxAAAAQkJCUEsBAhQAFAAAAAgALoWOKsTWLp0QAAAAUAAAAAMAAAAAAAAAAQAgAAAAYgAAAEND
Q1BLAQIUABQAAAAIADKFjiqyEuVgEAAAAFAAAAADAAAAAAAAAAEAIAAAAJMAAABERERQSwUGAAAA
AAQABADEAAAAxAAAAAAA


Cheers to the first person to discover the algorithm.

Anyway, by now you are probably wishing you knew where these records were
kept. Don't worry they're right here:

c:\program files\internet mail and news\%user%\mail\*.mbx
(replace %user% with the name you use.)

or if you're lucky:

c:\windows\application data\microsoft\outlook\mail\*.mbx

I found it odd that the first time I installed outlook, my e-mail data was
saved automatically into "internet mail and news." After I uninstalled and
reinstalled, it changed its mind and put it into my "application data."

To erase these files simply type: (of course if you do this you will kill all
of your e-mail messages, so backup what you want to keep.)

Deltree c:\progra~1\intern~1\%user%\mail
or
Deltree c:\windows\applic~1\micros~1\outloo~1\mail

---( 6.0) HOW MICROSOFT DOES IT )---------------------------------------------

Ever wonder how Microsoft makes these folders invisible to both DOS and
Windows Explorer? I was completely baffled by how Microsoft was accomplishing
this since even using a DOS 6.2 boot disk wouldn't work for me. I was
honestly pretty upset that the answer escaped me for so long, but after
wandering around in the folders I finally figured it out.

The "desktop.ini" is a standard text file that can be added to any folder to
customize certain aspects of the folder's behavior. In these cases, Microsoft
utilized the desktop.ini file to make these files invisible. Invisible to
Windows Explorer, invisible to DOS, and even invisible to the "Find"
Utility (so you wouldn't be able to perform searches in these folders!)

Here are a couple examples:

Found in the c:\windows\temporary internet files\desktop.ini
and the c:\windows\temporary internet files\content.ie5\desktop.ini
contains this text:

[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}

Found in the c:\windows\history\desktop.ini
and the c:\windows\history\history.ie5\desktop.ini
contains this text:

[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
CLSID={FF393560-C2A7-11CF-BFF4-444553540000}

The UICLSID line cloaks the folder in both DOS and Explorer. The CLSID line
disables the "FIND" utility from searching through the folder. Additionally,
it gives a folder the appearance of the "History" folder. (You'll know what I
mean if you fiddle with them enough.)

Erasing these desktop.ini files will give DOS and Windows Explorer proper
viewing functionality once again. The problem with erasing them is windows
will reconstruct them on your next bootup. The workaround is to edit the
desktop.ini files and remove everything except for the [.ShellClassInfo].
This will trick windows into thinking they have still covered their tracks, so
they won't think to reconstruct them again.

By the way, if you erase these keys from your Registry it will not un-hide
these folders. Still, I'm sure somebody could play with this enough to figure
out a way to completely disable Microsoft from ever hiding files on your
computer again.

---( 7.0) +S MEANS [S]ECRET NOT [S]YSTEM )------------------------------------

On the Hackers.com BBS, Dr. Eldarian recently attacked me and my research by
calling me a paranoid wannabe-hacker who didn't take the time to learn my own
OS. (You can see how this would probably upset me.) Anyway, during his
gracious attacks he informed me that using the "dir/ad" command would in fact
display my so-called "really hidden files." And indeed, he was correct.
Additionally, it turned out that executing the "dir/as" command would display
them as well. This kind of caught me off guard, since the main basis of my
argument was that Microsoft was hiding these files intentionally. So what if
these files weren't hidden intentionally at all?

Well, Dr. Eldarian, don't get your hopes up. If you think that little tidbit
of knowledge put a damper on my research then think again, baby. The truth is
that it only helped my research -- a lot.

Now I have irrefutable proof that Microsoft tried to keep these files
hidden. Here's why:

If you look up the attributes for the "Content.ie5" folder, the "History.ie5"
Folder, the "T.I.F." folder, the "Internet Mail and News," and the "UserData"
folder then you will notice they are all set to "+s" (system file). However
executing the "dir/as/s" command in root will ONLY display the "UserData"
folder. (If you are not familiar with the "/s" switch, it tells DOS to search
all the subdirectories.) So why is the "UserData" folder displayed while the
others are not?

Not only does this mean the /as/ad switches are completely useless, but it
also means that Microsoft has taken extra precautions to keep people from
finding these folders!

In case you didn't understand here it is step-by-step:

1) CD\
2) DIR *.IE5 /s/as

No files found.

3) CD\
4) DIR USERDAT*.* /s/as

Directory of C:\WINDOWS\Application Data\Microsoft\Internet Explorer\
USERDATA <DIR>
1 dir(s) [found]

We've just proved that the content.ie5 and history.ie5 folders ARE NOT
displayed, while the UserData folder IS displayed. Since they are ALL
+[s]ystem folders, wouldn't you figure they would ALL be displayed the same?
(You'll even get the same results with the /s/ad switches.)

5) CD\WINDOWS\TEMPOR~1
6) DIR *.IE5 /s/as

We've just proved that the content.ie5 folder will be displayed using this
command in case you had any doubts. (But only after you knew the exact
location of it, so what "real" good is it?)

---( 8.0) THE TRUTH ABOUT FIND FAST )-----------------------------------------

Have you ever wondered what that "Find Fast" program was under your control
panel? I've spent about an hour on microsoft.com reading help files and I
STILL have no clue of what it's good for. Here's the most informative snippet
I found on microsoft.com.

"The Find Fast Indexer is a utility that builds indexes to speed finding
documents using the Open and Open Office Documents commands in Microsoft
Office programs, including Microsoft Outlook."

So what does that mean? Well, if you read it carefully you'll see that
Microsoft never mentions that it will speed up your searches. In fact it has
nothing to do with the "Find: Files or Programs" utility. I think what
Microsoft is really trying to say is that when you go to "File" > "Open"
under Microsoft Word, then your list of documents will be displayed quicker.

If that is what they are saying then it is a lie. I hope you don't think I am
taking Microsoft's quote out of context here. I'm only trying to show you all
the methods that Microsoft went through to make it appear that the Find Fast
utility speeds up searches.

For example if you go to "Edit" (under Microsoft Word), you will notice there
is a "Fast Find" icon next to it. (Binoculars icon.) This is usually a clear
indication that it is related to the Find Fast program. However, if you
re-read that quote, it doesn't mention anything about finding words "within" a
document, but only the document itself. Here are some more quotes from
Microsoft:

"The Find Fast Indexer tool tracks the location on the hard disk of all
Microsoft Word for Windows documents by default. When one of these files is
moved, the Find Faster Indexer tool updates its index."

"Indexes are used to make file searches faster in Office programs."

"The Find Fast Indexer is installed on your computer when you install
Microsoft Office 97. Find Fast builds an index to speed up finding documents
from the Open dialog box in Microsoft Office programs."

I wasn't able to find one single shred of evidence that it helped you "search"
faster. Yet, Microsoft insisted on calling the program "Find Fast." THEN
they decided to add the Find Fast icon next to the [Search Document], as if
Find Fast had anything to do with searching the document.

So now do you think you know the truth?

What would you say if I told you that Find Fast was scanning and indexing
every single file on your hard drive? Did you know that in Office 95, the
Find Fast Indexer had an "exclusion" list comprised of .exe, .swp, .dll and
other extensions, but the feature was eliminated? If you were a programmer,
would you program Find Fast to index every single file, or just the ones with
Office extensions?

Here are some other interesting facts:

- Find Fast automatically loads on every boot (because it is added to your
Startup folder.)
- If you remove it from your Startup folder then it will still load.
- If you have ever had problems with scandisk (restarting due to "disk
writes."), it is because Find Fast was indexing your hard drive in the
background.

Do you want to read something humorous? Here's an example of the lengths
Microsoft goes through to keep people from finding out Find Fast indexes their
hard drive. (Always good to have an alibi.)

"When you specify the type of documents to index in the Create Index dialog
box, Find Fast includes the document types that are listed in the following
table.

Document Type               File Name Extension
--------------------------------------------------------------------------
Microsoft Office files      All the Microsoft Excel, Microsoft
Web documents               PowerPoint, Microsoft Project, and
                            Microsoft Word document types listed in
                            this table. Microsoft Binder (.odb, .obt)
                            and Microsoft Access (.mdb) files. Note
                            that in .mdb files, only document
                            properties are indexed.

Microsoft Excel workbooks   .xl* files

Microsoft PowerPoint files  .ppt (presentation), .pot (template), .pps
                            (auto-running presentation) files

Microsoft Project files     .mpp, .mpw, .mpt, .mpx, .mpd files

Microsoft Word documents    .doc (document), .dot (template), .ht*
                            (Hypertext Markup Language document), .txt
                            (text file), .rtf (Rich Text Format) files

All files                   *.* files"
--------------------------------------------------------------------------



Did you get that last part? If you were a wealthy man and you decided to buy
every single car in the car lot, would you

a) Say, "I'll take the red ones, the blue ones, the silver ones, the white
ones, the champagne ones, and all of them."

or

b) I'll take them all sir.

As you can see, they don't want people to realize that Find Fast is keeping
an index of your entire hard drive. They walk around the car lot saying "I'll
take the red ones, the blue ones..." and then finally mention they *.*.

I personally witnessed the Find Fast Indexer "creep" its way back into my
Startup folder after I removed it. There's no possible way I could have done
this on purpose. In fact the only way I could have done it is if I created
a shortcut to Find Fast and then moved the shortcut into Startup manually.
There's no option on the Find Fast program to add it to Startup.

Am I making this up? Did I imagine it? Well, even if I am, then that doesn't
change the overwhelming amount of inconsistencies. For example:

1) Drop to DOS
2) CD\
3) DIR FF*.* /AH
5) edit /75 %ff%
(insert %ff% with any of the names that were listed.)

Notice the incredible amount of disk accesses to your "really hidden"
"Temporary Internet Files" folder? You would think Find Fast would show more
interest in other files on your HD.

---( 8.1) REMOVING THE FIND FAST PROGRAM )------------------------------------

1) Reboot your computer in MS-DOS Mode.
2) Delete the FindFast.CPL file from c:\windows\system\
3) Delete the shortcut under c:\windows\start menu\programs\startup\
4) Delete the FindFast.EXE file from c:\progra~1\micros~1\office\

Other related files that are safe to erase:

5) FFNT.exe, FFSetup.dll, FFService.dll, FFast_bb.dll

---( 9.0) HOW HARD MICROSOFT TRIED TO KEEP PEOPLE FROM FINDING ABOUT IT )-----

I realize how incredibly lengthy this tutorial is getting. I originally
posted this thread on the Hackers.com BBS system so I will give you a link
there instead.
http://www.hackers.com/bulletin/showthread.php?threadid=2029

---( 10.0) FINAL NOTE AND CONTACT INFO )--------------------------------------

This tutorial is being updated ALL THE TIME. If you have any input then please
e-mail me so I can compile it into future versions. You may have noticed many
requests to contact me throughout this tutorial. This is because I am VERY
eager to find out everything there is to know about this. But just so I am
not swamped with old updates, please make sure you are reading the most
current version of this tutorial. (Find it on www.hackers.com.) My e-mail
address is ther1ddler@email.com. (note the number 1.) Forgive me if I don't
get around to replying to your e-mail right away. I might be on vacation.
By the way, contacting me via PGP will not work unless you are using at least
v7.0. (Block located at the end of this text.)

Thanks for reading,

The Riddler

---( 10.1) RECOMMENDED READING )----------------------------------------------

And if you aren't already paranoid enough here's some sites/articles that I
definitely recommend:
http://www.theregister.co.uk/content/4/18002.html
http://www.findarticles.com/m0CGN/3741/55695355/p1/article.jhtml
http://www.mobtown.org/news/archive/msg00492.html
http://194.159.40.109/05069801.htm
http://www.yarbles.demon.co.uk/mssniff.html
http://www.macintouch.com/o98security.html
http://www.theregister.co.uk/content/archive/3079.html
http://www.fsm.nl/ward/
http://slashdot.org
http://www.peacefire.org
http://stopcarnivore.org
http://nomorefakenews.com
http://grc.com
http://grc.com/steve.htm#project-x

---( 10.1) SPECIAL THANKS) ---------------------------------------------------

Thank you Skywalker, for being in the right place at the right time. You were
the only one who seemed interested in helping me further my research.

Thank you to everybody who has e-mailed me specifically just to thank me.
The kind words mean a lot to me and played a big motivator to get this text
finished.

And thank you to Hackers.com, for developing a fantastic site with a great
community feel, without which, this tutorial would never have existed.

---( 10.1) REFERENCES )-------------------------------------------------------
http://support.microsoft.com/support/kb/articles/Q137/1/13.asp
http://support.microsoft.com/support/kb/articles/Q136/3/86.asp
http://support.microsoft.com/support/kb/articles/Q169/5/31.ASP
http://support.microsoft.com/support/kb/articles/Q141/0/12.asp
http://support.microsoft.com/support/kb/articles/Q205/2/89.ASP
http://support.microsoft.com/support/kb/articles/Q166/3/02.ASP
http://www.insecure.org/sploits/Internet.explorer.web.usage.logs.html
http://www.parascope.com/cgi-bin/psforum.pl/topic=matrix&disc=514&mmark=all
http://www.hackers.com/bulletin/
http://slashdot.org/articles/00/05/11/173257.shtml

TonyT
05-26-01, 10:54 PM
Old news dude.

Do a search here at this board using index.dat as the keyword

No need to get frightened or overly cautious about these .dat files. This is how IE utilizes the cache to load pages faster and to read cookies. There is an index.dat in the History, Cookies and Temp Internet Files folders.

The only bad thing about these files is that they are "always in use" because IE is integrated with the OS and cannot be deleted while in windows. They can grow to be large files. They can be deleted in DOS (not MSDOSPrompt) along with the folders & all content. Windows will recreate the .dat files and folders upon reboot.

Also, email that writer of the article back and tell him that every single one of the IE Content folders can be read while in Windows including all of their content. He just doesn't know how to use Windows Explorer or the Find Files utility. The only files that are not visible in Windows are the index.dat files in History & TIF folders. But their visibility depends upon the version of IE5 on the system and how it was installed, ie an upgrade from IE4 or stock in Win98SE or upgrades to IE5.01 & 5.5. Visibility depends on the OS and other factors.

The IEContent folders changed in IE5 because IE5 saw the release of the offline browsing pack (optional add-on) and the web folders package (default forced add-on).

That cat is way too paranoid. Just cause MS has created an OS with an integrated browser and 99% of computer users have no clue how the OS actually works, some are quick to blame MS for security holes etc etc and sneaky secret stuff.

So what. Some inner workings of the OS have a right to be kept secret. After all, the inner guts are patented secrets. The source code is NOT public domain. There is NO profit in open sourceware.
Open sourcing is great for small developers as a means of rapidly evolving a product but the concept that all software should be open source is communistic! This is America where we have the right to make money on our skills and inventions. MS just happens to make more money than anybody else and jealous not-as-smart-as-Bill folks get pissed!

Grimoire
05-27-01, 01:16 PM
Well, considering that I just deleted my Content.ie5 folder while logged in, I think the original poster has no idea what the hell he's talking about. And I love the "encrypted" data that Outlook saved his attachment as. I don't think that base64 encoding is a hard encryption scheme to crack. :rolleyes:
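
Grimoire's point about base64, as an added example that is not part of the original thread: base64 is a reversible transfer encoding, so an attachment stored that way in a mail file is recovered with no key at all. The message, addresses, file name and payload below are constructed for illustration.

```python
import base64
from email import message_from_bytes, policy
from email.message import EmailMessage

# Constructed sample payload standing in for a binary attachment.
SAMPLE_PAYLOAD = b"Quarterly numbers: 1234\x00\x01\x02"


def build_sample_message() -> bytes:
    """Build a constructed e-mail with one binary attachment, serialized
    the way it would sit on disk in a mail store."""
    msg = EmailMessage()
    msg["From"] = "alice@example.com"
    msg["To"] = "bob@example.com"
    msg["Subject"] = "constructed sample"
    msg.set_content("See attachment.")
    # Binary content is base64 transfer-encoded by default.
    msg.add_attachment(
        SAMPLE_PAYLOAD,
        maintype="application",
        subtype="octet-stream",
        filename="notes.bin",
    )
    return msg.as_bytes()


def recover_attachments(raw: bytes) -> list:
    """Return (filename, transfer-encoding, decoded bytes) for every
    attachment in a raw message. No key or password is involved."""
    msg = message_from_bytes(raw, policy=policy.default)
    found = []
    for part in msg.iter_attachments():
        encoding = str(part["Content-Transfer-Encoding"])
        found.append((part.get_filename(), encoding, part.get_content()))
    return found


if __name__ == "__main__":
    raw = build_sample_message()
    # The stored form looks opaque: the original bytes are not present...
    print("plaintext visible in stored file:", SAMPLE_PAYLOAD in raw)
    # ...but the base64 text is, and anyone can reverse it.
    print("base64 text present:", base64.b64encode(SAMPLE_PAYLOAD) in raw)
    for name, encoding, data in recover_attachments(raw):
        print(name, encoding, data)
```

Anything that needs to stay confidential after a message is "deleted" has to be protected by real encryption or secure wiping, since the encoded copy is readable by anyone with file access.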

Croc
05-27-01, 02:50 PM
Spider/SpiderBite will do the same job without going into parts that are (for a lot of users) totally foreign.

BCWipe will clean files from the H/D and clean freespace.

Thanks for the effort you put into posting this. You were probably unaware that this info had already been seen here. Besides, reposting info doesn't hurt. It reminds us all.

Paft
06-18-01, 01:27 AM
So... you got to Hackers.com as well?

(TheRIDDLER)

Joe
06-18-01, 02:52 AM
Damn, that's long

fredra
06-18-01, 05:38 AM
Old news indeed. This was covered some time ago on this forum.
Been There, Done That, Worn Out the T-Shirt.:rotfl:
However, it is a nice reminder...some not accurate, but ????
I am not going to get paranoid about it (I keep looking behind me and all I can see is my shadow):D

rrrjr
06-19-01, 07:49 AM
Originally posted by Paft
So... you got to Hackers.com as well?

(TheRIDDLER)

<the best german "SHULTZ " voice i can muster>.......i know nothing!!......NOTHING!:D


naw, i came across it from that radio show with kevin mitnick.........and i really do know nothing! no joke:)

striker8000
04-08-04, 02:47 AM
Well, considering that I just deleted my Content.ie5 folder while logged in, I think the original poster has no idea what the hell he's talking about. And I love the "encrypted" data that Outlook saved his attachment as. I don't think that base64 encoding is a hard encryption scheme to crack. :rolleyes:
try running it in winzip...haven't tested that theory..should work, can always use Outlook to "decrypt" it.

as for the other part...++